A couple of days ago Amazon Web Services made changes aimed at ending domain fronting, the practice of using a content delivery network's architecture to hide the actual destination of encrypted internet traffic. The developers of the encrypted messaging application Signal were consequently notified that the app's CloudFront account would be cancelled if the service continued to evade censorship by using Amazon's sites as a cover. Signal uses CloudFront to handle load balancing for its servers, which normally do not have permanent IP addresses.
Signal initially used Google's services but shifted to Amazon after the online search giant made network changes that put an end to a domain-fronting scheme which had helped users in certain countries evade the blocking of network addresses.
Transport Layer Security
“Google and Amazon built their [Transport Layer Security] termination layer separately from their request processing layer, such that it was possible to create what looked like a TLS connection for domain A with a request that would actually be received and processed by domain B,” wrote the founder of Signal, Moxie Marlinspike, in an online post after the move by Amazon.
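The mismatch described in that quote, a TLS connection naming domain A that carries a request for domain B, can be checked by comparing the TLS server name (SNI) with the HTTP Host header. The following is an added example, not code from the article, Signal, Google or Amazon; the function names, the same-tenant allowance and the `.example` hostnames are assumptions made for illustration.

```python
# Added illustration (not from the article): compare the TLS SNI name with the
# HTTP Host header, the two values that disagree in a domain-fronted request.

def normalize(name):
    """Lowercase and drop a :port suffix and a trailing dot (IPv6 literals not handled)."""
    host = name.strip().lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def covered_by(host, pattern):
    """Certificate-style match: a leading '*.' covers exactly one left-most label."""
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return host == pattern

def classify(sni, host_header, tenant_names=()):
    """Return 'match', 'same-tenant' or 'fronted' for one request.

    tenant_names is a hypothetical list of names the edge knows belong to one
    customer; a mismatch inside that set is treated as benign here (assumption).
    """
    sni_n, host_n = normalize(sni), normalize(host_header)
    if sni_n == host_n:
        return "match"
    names = [normalize(n) for n in tenant_names]
    if any(covered_by(sni_n, p) for p in names) and \
       any(covered_by(host_n, p) for p in names):
        return "same-tenant"
    return "fronted"

# Constructed sample input: (SNI, Host header) pairs using reserved .example names.
SAMPLE_REQUESTS = [
    ("front.example", "front.example:443"),    # same name, explicit port
    ("Front.Example.", "front.example"),       # case and trailing dot only
    ("www.shop.example", "img.shop.example"),  # two names of one tenant
    ("front.example", "hidden.example"),       # domain A outside, domain B inside
]
TENANT_NAMES = ["shop.example", "*.shop.example"]  # constructed

def fronted_requests(requests, tenant_names):
    """Return the (SNI, Host) pairs that would be rejected or logged as fronted."""
    return [(s, h) for s, h in requests if classify(s, h, tenant_names) == "fronted"]

if __name__ == "__main__":
    for sni, host in SAMPLE_REQUESTS:
        print(f"{sni:20} {host:20} {classify(sni, host, TENANT_NAMES)}")
```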
Signal Foundation stopped using Google App Engine as a proxy in a couple of countries in the Middle East which were blocking direct access to the messaging app earlier in the year. These countries included the United Arab Emirates, Qatar, Oman and Egypt. In all of those countries Signal was employing domain fronting. The exception was Iran, since Google's search engine is already blocked there. Google also doesn't allow App Engine traffic from Iran because of the way the tech giant interprets the sanctions the United States has imposed against the Middle Eastern nation.
Signal's domain-fronting scheme broke after Google.com was put in a different content delivery network segment from that of the App Engine servers. Once this happened Signal moved to Amazon, where the plan was to hide traffic using Souq.com, Amazon's e-commerce website for the UAE, as a front. Amazon, however, realized this soon enough.
This comes in the wake of both Google and Amazon’s services being widely blocked in Russia after the federal communications authority of the country ordered that encrypted chat apps Telegram and Zello be blocked. The two U.S. tech companies are being blocked alongside other domain-fronting proxies.