A little-known software feature called domain fronting has become the central issue in a worldwide dilemma now facing internet users wishing to gain access to websites and online resources that their governments have deemed off-limits.
Censorship of internet access and content has been very much in the news in recent months, as the global debate over data rights and privacy rages on. And the domain fronting mechanism, with its recent withdrawal, has forced a rethink regarding the methods now available for users around the world looking to work around the restrictions they face in visiting prohibited sites and retrieving online information.
How Domain Fronting Works
An incidental feature of Google’s App Engine, domain fronting gave software developers a way to configure the Platform as a Service (PaaS) product so that a major cloud provider acts as a kind of proxy. A data request appears to be heading for a major service like Google or Amazon. But once it reaches the provider’s network, the request is forwarded to a third party – typically on an internet domain that’s been restricted or blocked by the authorities.
The mechanics of domain fronting exploit a characteristic of the HyperText Transfer Protocol (HTTP), its secure variant (HTTPS), the Transport Layer Security (TLS) standard, and the way content delivery networks (CDNs) route requests, in order to defeat domain-based firewall rules and deep packet inspection.
In a typical web request, domain names feature three times:
- As part of a Domain Name System (DNS) query for the IP address of the site.
- In the Server Name Indication (SNI) extension of Transport Layer Security.
- In the HTTP “host” header of the Web request.
For plain HTTP traffic, all three instances of the domain name are visible to an internet or government censor’s filtering machinery. Under HTTPS, however, the HTTP Host header is encrypted inside the TLS session, while the DNS query and the SNI extension remain in the clear. This makes it possible for a developer to present a permitted front domain in DNS and SNI while naming their chosen destination in the encrypted Host header, and that destination is typically a proxy server, Tor bridge, or VPN gateway which would otherwise be blocked.
To anyone monitoring the connection between the web client and the content delivery network (CDN), data appears to be streaming towards an approved site, while it’s actually being re-routed to another destination.
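The three places a domain name appears are also what a defender can compare. The following is an added example, not code from the article: it assumes an egress proxy that terminates TLS and logs, per connection, the resolved DNS name, the TLS SNI and the Host header seen inside the tunnel (a constructed log format), and flags connections where the Host header names an unrelated site behind an allowed SNI.

```python
import re

# Constructed sample log (not from the article). Assumed format: an egress proxy that
# terminates TLS logs, per connection, the name the client resolved (dns), the TLS SNI
# it sent, and the Host header it then sent inside the encrypted tunnel.
SAMPLE_LOG = """\
ts=2018-05-01T10:00:00Z client=10.0.0.5 dns=www.cdn-front.test sni=www.cdn-front.test host=www.cdn-front.test
ts=2018-05-01T10:00:01Z client=10.0.0.7 dns=www.cdn-front.test sni=www.cdn-front.test host=bridge.hidden.test
ts=2018-05-01T10:00:02Z client=10.0.0.9 dns=api.shop.test sni=API.shop.test host=api.shop.test:443
ts=2018-05-01T10:00:03Z client=10.0.0.9 dns=www.cdn-front.test sni=www.cdn-front.test host=static.cdn-front.test
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def normalize(name):
    """Lower-case, drop an optional :port (Host may carry one, SNI never does) and a trailing dot."""
    return name.lower().split(":", 1)[0].rstrip(".")

def parent_domain(name):
    """Crude same-site key: last two labels. Demo assumption; use the Public Suffix List for real."""
    return ".".join(name.split(".")[-2:])

def classify(rec):
    """Compare the three places the domain appears (DNS answer, SNI, Host) and return
    'ok' (all agree), 'dns-sni-mismatch', 'same-site-host' (Host is a sibling of the
    SNI name, normal for a CDN but worth a look) or 'fronting-suspect' (Host names an
    unrelated site behind an allowed SNI: the pattern the article describes)."""
    dns, sni, host = (normalize(rec[k]) for k in ("dns", "sni", "host"))
    if dns != sni:
        return "dns-sni-mismatch"
    if sni == host:
        return "ok"
    if parent_domain(sni) == parent_domain(host):
        return "same-site-host"
    return "fronting-suspect"

def scan(log_text):
    """Return (client, sni, host, verdict) for every connection that is not 'ok'."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict != "ok":
            findings.append((rec["client"], rec["sni"], rec["host"], verdict))
    return findings
```

Only a TLS-terminating middlebox (or the CDN itself) can see both names; a censor watching the wire sees the DNS and SNI values alone, which is exactly why the technique works against it.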
Governments and institutions hoping to prevent domain fronting face a difficult choice. In order to block a single website that uses this mechanism, it’s often necessary to block much of the rest of the internet as well – a prospect which could have severe economic, political, and diplomatic consequences for the regime. Quite appropriately then, the domain fronting technique is also known as collateral freedom.
Domain Fronting – The Good…
For political activists, free speech or human rights advocates, and those living under repressive regimes who simply wish to escape the shadow of censorship and surveillance, domain fronting has been a vital aspect of their lives online.
For internet users in Africa – where governments often hold a monopoly over the provision of cellular and internet services, and can impose shutdowns during political campaigns, elections, and other times deemed “sensitive” – the domain fronting workaround has been something of a lifeline.
The privacy-based encrypted messaging service Signal has been using the technique for some time now, to allow users of its app in heavily censored regions like Egypt, Oman, Qatar, and the United Arab Emirates to continue using their software, despite government efforts to block it.
The non-profit organization GreatFire, which fights internet censorship in China, and the Tor anonymous browsing platform have both made extensive use of domain fronting, which has also been deployed by Virtual Private Network (VPN) providers.
Domain Fronting – The Bad…
As with all things in the digital realm, there’s a flip side to the coin. Domain fronting has been exploited by a state-sponsored group in Russia, to launch cyber-attacks. And it’s quite possible for other cyber-criminals to use the domain fronting technique as a delivery route and cover for the distribution of malware.
An official statement in a post by Amazon puts it this way:
“Tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer.”
And the Broken
Ironically, it wasn’t these negative uses of the mechanism which prompted Google to disable the domain fronting functions of its App Engine, in April of this year. The technical alterations made to Google’s cloud infrastructure have in effect broken the domain fronting mechanism, preventing its further use for good or ill.
A blanket statement issued by Google in response to queries about this policy change says that:
“Domain fronting has never been a supported feature at Google, but until recently it worked because of a quirk of our software stack. We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”
Some have speculated that this move was influenced more by market forces, and the potential losses that Google might suffer if their services are blocked by major consumer nations offended by having banned internet traffic masked behind their domains.
Google’s actions were soon mirrored by Amazon, with AWS (Amazon Web Services) announcing that it would discontinue support for domain fronting services, and introduce what it calls “enhanced protections” to prevent applications from re-routing traffic through its cloud platform. Amazon’s justification for these moves is to ensure that domain fronting “can’t be used to impersonate domains.”
Other network services have followed suit, including Cloudflare.
The Wider Implications
The effective removal of domain fronting as an option in bypassing state and institutional censorship of the internet has left both legitimate and more illicit users of the technique out in the cold.
There have been some temporary moves made to keep the channels of free and anonymized speech open. For example, the Tor network has switched its domain fronting operations to Microsoft’s Azure cloud. But there are rumors of moves to shut down this avenue, as well.
Alternative mechanisms are actively being sought or developed – but there’s no guaranteed time-frame for when and how these may become operational or available.
For the foreseeable future, the death of domain fronting represents a serious blow to those who previously relied on it as the route to a freer internet.