Domain Fronting Shutdown Hits Hard
Amazon followed in Google's footsteps this week in banning domain fronting, a technique that allows app and site developers to evade censorship.
Two of the larger cloud services providers have made moves that will make it much more difficult for attackers to hide their malware control infrastructures. But the changes also are having a ripple effect among legitimate services, especially those that use a technique known as domain fronting to evade censors.
In recent days, both Google and Amazon have decided to eliminate the option for customers to use domain fronting, ostensibly for security reasons. Domain fronting is used by a variety of people for many different reasons, and for legitimate companies the most common use case is censorship evasion. Encrypted messaging apps such as Signal and Telegram have employed the technique as a way to get around blocks on their services in countries such as Russia, Iran, and Egypt. The technique essentially allows a domain operator to disguise the traffic going to its site by routing it through other proxies and domains.
“Domain Fronting is when a non-standard client makes a TLS/SSL connection to a certain name, but then makes a HTTPS request for an unrelated name. For example, the TLS connection may connect to ‘www.example.com’ but then issue a request for ‘www.example.org’,” said Colm MacCarthaigh, a principal engineer at Amazon.
“In certain circumstances this is normal and expected. For example, browsers can re-use persistent connections for any domain that is listed in the same SSL Certificate, and these are considered related domains. But in other cases, tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer.”
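As an added illustration, not code from the article, Amazon or Google, the following detector applies MacCarthaigh's distinction: a request whose Host header differs from the TLS server name is ordinary connection reuse only when the certificate the server presented also covers that Host; otherwise it is the pattern he describes as fronting. The ConnRecord fields and the sample records are constructed assumptions about what a TLS-terminating proxy or IDS would log (server name from the ClientHello, Host header from the decrypted request, DNS names from the certificate's subjectAltName).

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ConnRecord:
    """One logged connection (constructed format, not a real proxy/IDS schema)."""
    sni: str                    # server name sent in the TLS ClientHello
    host: str                   # Host / :authority of the HTTP request inside the tunnel
    cert_sans: Tuple[str, ...]  # DNS subjectAltName entries of the presented certificate


def _normalize(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot and any :port suffix."""
    name = name.strip().lower().rstrip(".")
    return name.split(":", 1)[0] if ":" in name else name


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one leftmost label."""
    san, host = _normalize(san), _normalize(host)
    if san.startswith("*."):
        suffix = san[1:]                     # ".example.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]   # only one label may be substituted
    return san == host


def classify(rec: ConnRecord) -> str:
    """'match' = same name, 'related' = covered by the same certificate, 'fronting' = unrelated."""
    sni, host = _normalize(rec.sni), _normalize(rec.host)
    if sni == host:
        return "match"
    if any(san_matches(san, host) for san in rec.cert_sans):
        return "related"
    return "fronting"


def find_fronting(records: List[ConnRecord]) -> List[ConnRecord]:
    """Return the records that a defender would want to review or block."""
    return [r for r in records if classify(r) == "fronting"]


# Constructed sample: one normal request, one browser-style reuse across a
# wildcard certificate, one mismatch explained by an explicit SAN, and one
# request for a name the certificate does not cover at all (the fronting case).
SAMPLE = [
    ConnRecord("www.example.com", "www.example.com", ("www.example.com", "*.example.com")),
    ConnRecord("www.example.com", "cdn.example.com:443", ("www.example.com", "*.example.com")),
    ConnRecord("www.example.com", "WWW.Example.net", ("www.example.com", "www.example.net")),
    ConnRecord("www.example.com", "www.example.org", ("www.example.com", "*.example.com")),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.sni:18} -> {rec.host:22} {classify(rec)}")
```

Fronting only appears to the party that can see both layers, so a network that observes only the SNI cannot run this check; that is exactly why the technique works against network-level blocks and why the CDN operator is the one in a position to detect or disable it.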
As MacCarthaigh noted, attackers use domain fronting in some situations, especially as a method for hiding the location of their C2 infrastructure. It’s an effective technique for them, and both Amazon and Google said they were removing domain fronting because it wasn’t really meant to be available in the first place. But the changes already are having an effect on apps that use domain fronting to serve users in countries with Internet censorship. Specifically, Signal officials said they likely will need to find another avenue after Amazon notified them of the new policy.
“With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan,” Signal author Moxie Marlinspike wrote.
“We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly. Our team is only a few people, and developing new techniques will take time. Moreover, if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited.”
Many users in countries where Internet censorship is a fact of life rely on apps such as Telegram and Signal to communicate privately. As more governments implement network-level blocks to stop this, developers will have to become more and more creative in order to deliver services in those countries.