Bulletproof TLS Newsletter #41
Domain fronting: Cloud providers stop censorship-circumvention tool
31 May 2018
Author: Hanno Böck

This issue was distributed to 45,434 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Domain fronting: Cloud providers stop censorship-circumvention tool
  2. Short news

Domain fronting: Cloud providers stop censorship-circumvention tool

Two large cloud providers—Google and Amazon—have stopped the use of a technique called domain fronting, which was used by encrypted messengers and privacy tools to circumvent network blockades in some countries.

Technically, domain fronting is based on the fact that in an HTTPS connection, the hostname of the target host is transmitted in two ways: (1) as part of the Server Name Indication (SNI) extension in the TLS protocol and (2) as the “Host” header in the HTTP request carried inside the TLS connection. In many implementations, only the HTTP part really matters for forwarding the traffic. However, an outside observer of the traffic can only see the SNI field in the TLS connection, because the HTTP header is encrypted.

Thus, the trick of domain fronting is to send a connection in which the SNI part is a different hostname, while only the HTTP header contains the real target hostname of the service being used. From a network observer perspective, such connections cannot be identified; therefore, blocking a particular service is hard, and blocking all connections to a cloud provider would block many other things as well.

The developers of Tor were the first to notice that domain fronting no longer worked with Google App Engine. This was later reported in an article at The Verge. Shortly thereafter, the developers of Signal received a notice from AWS warning them that they were not allowed to use an Amazon-owned domain for their connections, effectively indicating that they wouldn’t be able to use domain fronting with AWS. A blog post by the Tor project indicates that domain fronting is still possible with Microsoft Azure, but it also mentions rumors that this option may be shut down eventually as well.

The changes that stopped domain fronting may have been in response to efforts by the Russian government to block the encrypted messenger Telegram. In trying to block Telegram, Russia also blocked access to various large cloud providers.

Short news