Google kills off domain fronting – and so secure comms just got tougher
Cloud tech tweaks end anti-censorship workaround
Google has made technical changes to its cloud infrastructure that have caused collateral damage to an anti-censorship technique called domain fronting.
The technique, more a workaround than a supported feature, has become popular on App Engine, Google's platform-as-a-service product, over the past year or so. And now makers of free speech tools have had to find other service providers or adopt alternative strategies for avoiding the scrutiny of authorities.
Domain fronting conceals the hostname from those observing network traffic by using one hostname in the DNS request and TLS negotiation and another in the HTTP header. While the hostname in the DNS request and Client Hello can be discerned – presumably a politically acceptable site – the hostname in the HTTP header – the controversial site – is concealed through the use of a content delivery network (CDN) as a proxy.
The technique can also be used to hide malicious activity and is also a popular tool with security researchers running penetration tests.
Secure messaging app Signal implemented the domain fronting in late 2016; it recently modified its Android app code to rely on the CDN of Souq, acquired by Amazon last year, instead of Google App Engine.
A variety of other privacy-oriented tools have been affected, according to advocacy group Access Now, including Psiphon, Lantern, Telex, Tor, obsf4, ScrambleSuite, meek, meek_lite, Collateral Freedom, and GreatFire FreeBrowser.
How 'parasitic' Google's 'We're journalists!' court defence was stamped into oblivionREAD MORE
"Domain fronting has never been a supported feature at Google, but until recently it worked because of a quirk of our software stack," a Google spokesperson explained in a statement emailed to The Register. "We're constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don't have any plans to offer it as a feature."
There's a coincidental benefit for the Chocolate Factory arising from its infrastructure changes: Doing so is less antagonistic toward countries hostile to free speech.
Russia, for example, has shown willingness to block network addresses associated with large service providers like Google and Amazon when trying to silence the opposition. Also, enabling malware probably isn't appealing for the search ad biz either.
Among other network service providers, it's clear domain fronting could be awkward. "Cloudflare does not support domain fronting," a Cloudflare spokesperson said in an email to The Register. "Doing so would put our traditional customers at risk as it would mask banned traffic behind their domains."
A source familiar with Google's server tweaks insisted the motivation was purely technical, without political or security considerations. In essence, IT resources that had been linked were separated and domain fronting broke as a result.
Access Now nonetheless condemned Google's stack fiddling for collapsing the network tunnel activists used for concealment.
"Google knows this block will levy immediate, adverse effects on human rights defenders, journalists, and others struggling to reach the open internet," said Peter Micek, general counsel at Access Now, in a blog post.
"To issue this decision with a shrug of the shoulders, disclaiming responsibility, damages the company’s reputation and further fragments trust online broadly, for the foreseeable future." ®