31 May 2018
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.
Two large cloud providers—Google and Amazon—have stopped the use of a technique called domain fronting, which was used by encrypted messengers and privacy tools to circumvent network blockades in some countries.
Technically, domain fronting is based on the fact that in an HTTPS connection, the hostname of the target host is transmitted in two ways: (1) as part of the Server Name Indication (SNI) extension in the TLS protocol and (2) as the “Host” header in the underlying HTTP connection. In many implementations, only the HTTP part really matters for forwarding the traffic. However, an outside observer of the traffic can only see the SNI field in the TLS connection.
Thus, the trick of domain fronting is to send a connection in which the SNI part is a different hostname, while only the HTTP header contains the real target hostname of the service being used. From a network observer perspective, such connections cannot be identified; therefore, blocking a particular service is hard, and blocking all connections to a cloud provider would block many other things as well.
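The check that a cloud edge has to apply to refuse such connections is a comparison of the SNI value with the Host header after both are normalised; the following is an added Python example, not code from the newsletter or from any provider, and the ConnectionRecord type, the helper names and the sample traffic are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ConnectionRecord:
    """One TLS-terminated HTTP request as an edge proxy sees it (constructed type)."""
    client: str
    sni: Optional[str]   # TLS Server Name Indication; None if the client sent none
    host_header: str     # HTTP Host header from the decrypted request


def normalize_host(value: str) -> str:
    """Canonicalise a hostname: lower-case, drop an explicit port and a trailing dot.

    A bracketed IPv6 literal such as '[2001:db8::1]:443' keeps its bracket contents.
    """
    value = value.strip()
    if value.startswith("["):
        value = value[1:value.index("]")]
    elif value.count(":") == 1:       # plain 'host:port'
        value = value.split(":", 1)[0]
    return value.lower().rstrip(".")


def is_domain_fronted(record: ConnectionRecord) -> bool:
    """True when the hostname routed on (Host) differs from the one visible on the wire (SNI).

    A missing SNI is not treated as fronting: the observer sees nothing either way,
    and older clients legitimately omit the extension.
    """
    if record.sni is None:
        return False
    return normalize_host(record.sni) != normalize_host(record.host_header)


def flag_fronting(records: List[ConnectionRecord]) -> List[str]:
    """Client addresses whose requests an SNI/Host match policy would reject."""
    return [r.client for r in records if is_domain_fronted(r)]


# Constructed sample traffic; the domains are documentation placeholders.
SAMPLE = [
    ConnectionRecord("203.0.113.10", "www.example.com", "www.example.com"),
    ConnectionRecord("203.0.113.11", "www.example.com", "WWW.EXAMPLE.COM.:443"),
    ConnectionRecord("203.0.113.12", "www.example.com", "hidden-service.example.net"),
    ConnectionRecord("203.0.113.13", None, "hidden-service.example.net"),
]

if __name__ == "__main__":
    print(flag_fronting(SAMPLE))   # ['203.0.113.12']
```

Only the third record is a mismatch; the second differs only in case, port and trailing dot, which a policy must tolerate or it will break ordinary clients.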
The developers of Tor were the first to notice that domain fronting no longer worked with Google App Engine. This was later reported in an article at The Verge. Shortly thereafter, the developers of Signal received a notice from AWS warning them that they were not allowed to use an Amazon-owned domain for their connections, effectively indicating that they wouldn’t be able to use domain fronting with AWS. A blog post by the Tor project indicates that domain fronting is still possible with Microsoft Azure, but it also mentions rumors that this option may be shut down eventually as well.
The changes that stopped domain fronting may have been in response to efforts by the Russian government to block the Telegram encrypted messenger. In trying to block Telegram, Russia also blocked access to various large cloud providers.