In late April, computer security researcher Moxie Marlinspike, renowned for creating the secure messaging app and encryption protocol Signal, received a damning letter from the manager of CloudFront, Amazon's content delivery network (CDN) service, warning that Signal's planned use of the service would violate its Acceptable Use Policy and threatening to suspend the account. At the heart of the complaint was "domain fronting," a technique that allowed Open Whisper Systems, Marlinspike's company, to make its messaging service available across the world, even in countries where the government has banned it.
Without domain fronting, users in many countries will have a hard time using Signal and other similar messaging apps. And the news that has surfaced shows that Amazon and Google, two of the largest providers of CDN and hosting services, will indefinitely prevent their clients from using their platforms for domain fronting. This is bad news for digital privacy advocates and the users of secure messaging apps.
But what is domain fronting, how does it work, and why have large tech companies decided to block it? And what does this mean for the future of applications like Signal?
The censorship of secure messaging apps
In past years, secure messaging apps like Signal have become a favored method of communication for anyone who values privacy. They have especially become popular among activists, dissidents and journalists in countries where governments restrict free speech. These applications enable their users to evade surveillance and wiretapping by government agencies and to make sure that only they and their intended recipients see the messages they send.
In some countries, governments censor encrypted messaging apps and social media platforms to prevent users from communicating through channels they can’t control. They usually do this by ordering internet service providers (ISPs) to block access to IP addresses and domains associated with those services. Consequently, users must find other methods to gain access to those platforms, such as using virtual private networks (VPNs) or the Tor network or proxy servers to obfuscate their traffic and trick government censors into thinking they are accessing legitimate domains.
But things are a bit more complicated. Governments that block access to secure messaging apps also censor VPN and Tor traffic. They can also fingerprint network traffic (packet sizes, timing, protocol structure) against the known footprint of secure messaging apps to discover proxies that simply relay the app's traffic without adding a further layer of encryption on top of it.
In effect, in these countries, the use of secure messaging apps has become a cat-and-mouse game between security-aware users and government censors. The complexities and technical requirements raise the barrier of entry and prevent a large number of users from ever accessing those services.
How does domain fronting work?
Domain fronting solves the censorship circumvention problem in a fundamentally different way that puts less strain on the end user. Basically, what domain fronting does is hide the host name of the site or web service with which your application communicates behind another domain.
When using HTTPS, an application encrypts everything it sends except what the TLS handshake itself exposes, and the handshake exposes the host name: the client's ClientHello carries the Server Name Indication (SNI) in cleartext so the server can pick the right certificate, and the DNS lookup that precedes the connection is cleartext too. Under normal circumstances, an application communicating with service A puts that host name (e.g. service_a.com) in the SNI of every connection it opens, and the same name in the HTTP Host header inside the encrypted session. The cleartext SNI makes it easy for ISPs and government censors to identify and block connections to banned web services.
When using domain fronting, the same application puts the domain of a CDN (e.g. cdnservice.com) in the cleartext SNI, while the HTTP Host header inside the encrypted session still names the real domain (service_a.com). When the CDN's edge server decrypts the request, it routes on the Host header and forwards the request to service A's origin behind the CDN. This worked because several large cloud platforms, including Google's and Amazon's, routed requests by Host header without checking that it matched the SNI. Censors can no longer pick out the connections that go to service A from the rest of the CDN's traffic. They can still discover which domain the application hides behind by installing it and analyzing its traffic on a device, but that tells them only the front domain, not anything that distinguishes the app's connections from ordinary traffic to that domain.
But clever applications usually hide their traffic behind a high-traffic domain, which leaves government censors with only one choice: block all traffic that goes through the front domain.
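The two layers described above, as an added example that is not part of the original article: a minimal TLS ClientHello carrying an SNI, a parser that pulls the SNI out the way an on-path DPI box would, and a model of a CDN edge that routes on the Host header it finds after decryption. The host names are the article's placeholders, the record layout is a real TLS 1.2 ClientHello reduced to one cipher suite and one extension, and the edge routing is a simplified model written for this example, not any provider's code.

```python
"""
Added example (not from the original article): what a network censor sees
versus what the CDN uses when a client performs domain fronting.

A TLS ClientHello carries the Server Name Indication (SNI) in cleartext;
the HTTP Host header travels inside the encrypted TLS session.  A fronting
client puts the CDN's front domain in SNI and the real service in Host.
Host names used here (cdnservice.com, service_a.com) are the article's
placeholders, not real deployments.
"""
import struct
from typing import Optional


def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record.  With sni=None no
    extensions block is emitted at all (the pre-SNI shape of the message)."""
    if sni is None:
        extensions = b""
    else:
        name = sni.encode("ascii")
        # ServerNameList: name_type(1, 0 = host_name) + name_len(2) + name
        server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
        ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
        # extension_type 0x0000 = server_name
        extension = struct.pack("!HH", 0x0000, len(ext_body)) + ext_body
        extensions = struct.pack("!H", len(extension)) + extension

    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x11" * 32         # random (fixed filler so the example is deterministic)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression methods: null only
        + extensions
    )
    # Handshake header: msg_type 1 = ClientHello, 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 = handshake, legacy version 3.1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Pull the SNI host name out of a raw ClientHello record, the way a DPI
    box on the path does.  Returns None when the hello carries no SNI."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4                        # record header + handshake header
    pos += 2 + 32                      # client_version + random
    sid_len = record[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = record[pos]; pos += 1 + cm_len
    if pos >= len(record):
        return None                    # no extensions block at all
    ext_total = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4]); pos += 4
        if ext_type == 0x0000:
            # ServerNameList: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def cdn_route(decrypted_request: bytes) -> str:
    """Model of a CDN edge that, having terminated TLS, picks the origin from
    the HTTP Host header alone, the behaviour domain fronting relied on."""
    for line in decrypted_request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii")
    raise ValueError("request without Host header")


def fronted_exchange(front: str, real: str) -> dict:
    """What each party observes for one fronted request."""
    record = build_client_hello(front)
    # The HTTP request is only ever seen after TLS decryption at the edge.
    http_request = f"GET /v1/messages HTTP/1.1\r\nHost: {real}\r\n\r\n".encode()
    return {
        "censor_sees": extract_sni(record),         # cleartext SNI on the wire
        "cdn_routes_to": cdn_route(http_request),   # Host header inside the tunnel
    }
```

Run `fronted_exchange("cdnservice.com", "service_a.com")`: the censor's view is `cdnservice.com`, the edge forwards to `service_a.com`. Everything the censor can act on, the SNI and the destination IP, belongs to the CDN.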
For instance, Signal used the Google App Engine for domain fronting. This meant that ISPs would see the traffic of its application as destined for google.com. Countries like Egypt, Oman and Qatar, which had banned the use of Signal, had to block all traffic going to google.com in order to prevent users from communicating through Signal. But then they would also block most of Google’s services, which they couldn’t because of the many critical functions it fulfilled in their countries.
The main benefit of domain fronting is that the users don’t have to do anything beyond installing the application on their devices. The app developer and CDN services performing the domain fronting take care of the rest. This makes it possible for many more users with less technical knowledge and experience to continue using secure messaging apps like Signal.
Malicious uses of domain fronting
Not everything about domain fronting is good. The same mechanism that gives activists and journalists censorship circumvention lets attackers hide their own traffic behind domains that defenders trust. Malware that phones home by fronting through a major CDN shows up in network logs as connections to a reputable domain, and a phishing or malware-delivery site reached the same way borrows that domain's reputation.
With enough reconnaissance, an attacker finds a high-reputation front domain served by a CDN, stands up an origin of their own on the same CDN, and points the implant's or lure's Host header at it. To the victim's network, and to the CDN's edge until it decrypts the request, every connection looks like ordinary traffic to the front domain; only after decryption is it routed to the attacker's origin.
Performing domain fronting attacks isn't easy, but it's possible, and defenders find them much harder to detect: on the wire only the SNI and the destination IP are visible, and both belong to the CDN. There's a detailed post on the technicalities of domain fronting attacks on Medium.
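Where a defender does get to see both layers, for instance behind a TLS-intercepting forward proxy that logs the SNI and the decrypted Host header, fronting is a simple mismatch to hunt for. The following is an added example, not code from the original article: it runs that check over a few constructed proxy log lines and flags clients whose SNI and Host belong to different registrable domains. The same comparison, applied at the CDN edge, is in effect what a provider enforces when it stops supporting fronting; `cdn_accepts` models that rule and is a simplification, not Google's or Amazon's code. The log format, the addresses and all host names are constructed for the example.

```python
"""
Added example (not from the original article): spotting domain fronting
from a TLS-intercepting proxy's logs.

Assumes a forward proxy that terminates TLS and logs, per request, the SNI
presented in the ClientHello and the Host header found inside the decrypted
session.  The key=value log format and every entry below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log lines, one request per line.  10.0.0.12 fronts the
# article's placeholder service through its placeholder CDN; 10.0.0.40 is a
# made-up implant fronting through a made-up CDN domain; 10.0.0.77 is benign.
SAMPLE_LOG = """\
ts=1525126801 client=10.0.0.12 sni=cdnservice.com host=cdnservice.com
ts=1525126803 client=10.0.0.12 sni=cdnservice.com host=service_a.com
ts=1525126805 client=10.0.0.40 sni=www.example-cdn.com host=update.example-c2.net
ts=1525126806 client=10.0.0.40 sni=www.example-cdn.com host=www.example-cdn.com
ts=1525126809 client=10.0.0.77 sni=static.example.com host=assets.example.com
ts=1525126811 client=10.0.0.12 sni=cdnservice.com host=service_a.com
"""

# Tiny stand-in for the public suffix list (assumption for this example); a
# real deployment would use the full list so that "example.co.uk" and
# "evil.co.uk" are not treated as the same domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable (eTLD+1) part of a host name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'k=v k=v ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_fronted(sni: str, host: str) -> bool:
    """True when the TLS-layer name and the HTTP-layer name belong to
    different registrable domains.  Differences within one domain
    (static. versus assets.) are normal CDN behaviour and are not flagged."""
    return registrable_domain(sni) != registrable_domain(host)


def find_fronting(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {client: [(sni, host), ...]} for every mismatched request,
    so repeat offenders stand out from one-off anomalies."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_fronted(rec["sni"], rec["host"]):
            hits[rec["client"]].append((rec["sni"], rec["host"]))
    return dict(hits)


def cdn_accepts(sni: str, host: str) -> bool:
    """Edge-side rule that kills fronting: only forward a request whose Host
    belongs to the same domain as the SNI it arrived under.  A simplified
    model of the 2018 provider changes, not their actual implementation."""
    return not is_fronted(sni, host)


if __name__ == "__main__":
    for client, pairs in find_fronting(SAMPLE_LOG).items():
        for sni, host in pairs:
            print(f"{client}: SNI {sni} but Host {host}")
```

The per-client grouping matters in practice: a single mismatch can be a misconfigured origin, while a client that repeats the same front/Host pair at intervals is the pattern both a fronting messaging app and a fronting implant produce.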
Google and Amazon’s disabling of domain fronting
While domain fronting gives app developers a powerful tool to circumvent censorship, it still leaves them vulnerable to the whims and interests of the CDN providers that supply the front. In early 2018, a number of organizations asked Google to change its policies and make App Engine available in Iran, so that domain fronting would work for Signal's users in the restive country.
But not only did Google not make GAE accessible in Iran; it also altered its infrastructure to prevent domain fronting altogether, a real blow to Signal and to all its users in the countries where it has been banned. Subsequently, the Signal developer community discussed using Amazon CloudFront as an alternative, but then came the warning letter to Moxie. Amazon eventually disabled domain fronting as well, following Google's lead.
But why would big companies such as Google and Amazon prevent the use of their services for domain fronting? Their moves came at a time when both companies were facing widespread blocking of their services in Russia, where the government was attempting to stop applications such as Zello and Telegram from using their platforms for domain fronting. In the end, the tech giants decided to side with governments to avoid damaging their business interests.
As we've seen before, tech companies will put their economic interests and their relations with nation states before their obligation to provide fair communication services to all their users. For example, last year Apple complied with the Chinese government's demand to remove all VPN applications from its App Store in China to avoid losing one of its biggest markets, accentuating the failures of centralized business models.
What does the disabling of domain fronting mean for secure messaging apps?
Users of secure messaging apps will still be able to fall back on traditional methods such as VPNs and proxies to reach the service. Again, though, those methods are a lot more complicated and will put those platforms out of reach for a lot of users. While the most recent moves by Google and Amazon come as a disappointment, the war over user privacy is far from over.
Other messaging platforms are already exploring ways to circumvent censorship without relying on domain fronting through centralized services. Prominent among them is Telegram, which is developing a version of its application based on blockchain, the distributed ledger technology that supports bitcoin and other cryptocurrencies. One of the stated aims of the decentralized Telegram is to make it far harder for governments to block, because it will not reside on any limited number of servers but will instead be distributed across thousands and possibly millions of computers belonging to its community. Other organizations, such as Gladius, are using blockchain to build fully decentralized CDNs, which they say will make it possible to circumvent censorship for any application or website they host without being exposed to government pressure.
Whether other services will step in to fill the gap left by Google and Amazon remains to be seen. Other large hosting services such as Cloudflare don't support domain fronting, and the blockchain projects have yet to show how much of their promises they can deliver. What's for sure is that privacy and security are becoming increasingly popular among all users, and at the end of the day, the real winners will be the organizations willing to make sacrifices to protect their users.