Amazon has made a small but important security change to its CloudFront content delivery network (CDN) that’s designed to prevent people from adding domains they don’t own to their CloudFront distributions and receiving some of the traffic meant for that domain.
Until yesterday, CloudFront customers could add an alternate domain name to their distributions without having to prove that they owned that domain. So someone could add a domain that he didn’t actually own to his distribution and then get a fraction of the traffic that should be going to the domain’s legitimate owner. On Monday, Amazon instituted a policy change that requires anyone adding an alternate domain to attach an SSL certificate for that domain to their distribution in order to prove that they have ownership of the domain.
“CloudFront’s process to validate a customer’s right to use an alternate domain name builds on the already established and trusted checks in place for obtaining a certificate. No one can obtain a valid SSL/TLS certificate without first proving that they own the domain by either entering a unique entry into their DNS records, or validating the request for the certificate via email to the domain owner. Rather than having customers go through a redundant process to re-validate their ownership, CloudFront will now simply require that a certificate be attached to that distribution when adding an alternate domain name to the distribution,” Woodrow Arrington, a senior product manager on Amazon’s CloudFront team, said.
“For example, let’s say you own the domain foo.com and want to receive your web traffic on a CloudFront distribution with the alternate domain name www.example.foo.com. Let’s also assume you obtained a new certificate from ACM. In order to add this alternate domain name to your distribution, your certificate would need to either list the exact match www.example.foo.com or *.example.foo.com. It is important to note that wildcards will only cover the alternate domain names at that same level and not anything at levels lower or higher than the wildcard.”
Amazon’s change follows a related move the company made last year, when it ended the practice of domain fronting on CloudFront. Domain fronting is a technique that some app developers and domain owners use to hide the true hostname from anyone observing network traffic. Developers typically use CDNs for domain fronting, and the technique is often used to evade censorship in countries with repressive regimes where network-level surveillance is commonplace.
But domain fronting wasn’t a technique that Amazon supported, so it changed the CloudFront settings in April 2018 to prevent it. Google made the same change on its AppEngine last spring, a decision that digital rights activists and some lawmakers criticized, saying it would place people in some countries in danger.
“Regrettably, your recent decision to ban the practice of domain fronting will prevent millions of people in some of the most repressive environments including China, Iran, Russia and Egypt from accessing a free and open internet,” a letter sent last July to Amazon CEO Jeff Bezos from Sens. Ron Wyden and Marco Rubio says.
“Governments with anti-democratic agendas may put significant pressures on technology companies to help enable their censorship and surveillance of the internet. American technology companies, which have flourished in our free and open society, must join the effort to resist such pressure. While this may seem like a reasonable business decision in the short term, it will ultimately do far more harm to your companies and the network of which you have been a core part.”
Domain fronting has remained off the table on these networks, but Arrington said the problem has been a bigger challenge than Amazon anticipated.
“The challenge came in the form of automatically distinguishing between legitimate and abusive uses of domain fronting, and doing so at the massive scale at which CloudFront operates with its global network and large customer base. Additionally, we knew we had to accomplish this without impacting the end viewer experience with increased latency,” Arrington said.
“Just a short while ago, CloudFront deployed its new code change for handling domain fronted requests. This new code ensures that the AWS account that owns the SSL/TLS certificate which established the secured connection via a SSL handshake is the same AWS account as the subsequent requests made over the secured HTTP protocol. If the two AWS accounts do not match, CloudFront will respond with a ‘421 Misdirected Request’ response to give the client a chance to connect using the correct domain. We believe that this will provide the flexibility that customers need to continue using this technique for legitimate use cases while also providing enhanced protection knowing that their domain cannot be touched by an unrelated AWS account.”
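The two checks Arrington describes, the configuration-time rule that an attached certificate must cover the alternate domain name (exact match or a same-level wildcard) and the request-time rule that the account owning the certificate used in the TLS handshake must match the account owning the distribution named in the HTTP Host header, modeled as an added example; this is illustrative code, not AWS’s implementation, and the distributions, account IDs and hostnames are constructed sample data.

```python
# Added example (not AWS code): models the two CloudFront checks described above.
from dataclasses import dataclass, field


def cert_covers(san_names, alt_domain):
    """True if a SAN entry covers alt_domain under the rule quoted above: an exact
    match, or a wildcard matching exactly one label at the same level
    (*.example.foo.com covers www.example.foo.com, but neither
    a.b.example.foo.com nor example.foo.com)."""
    alt = alt_domain.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == alt:
            return True
        if name.startswith("*."):
            head, sep, rest = alt.partition(".")
            if sep and head and rest == name[2:]:
                return True
    return False


@dataclass
class Distribution:
    account: str            # constructed AWS account id
    cert_sans: tuple        # SAN names on the attached certificate
    aliases: list = field(default_factory=list)


def add_alternate_domain(dist, alt_domain):
    """Configuration-time check: refuse an alias the certificate does not cover."""
    if not cert_covers(dist.cert_sans, alt_domain):
        raise ValueError(f"certificate does not cover {alt_domain}")
    dist.aliases.append(alt_domain.lower())
    return dist


def route(distributions, sni_host, http_host):
    """Request-time check: the distribution whose certificate served the TLS
    handshake (chosen by SNI) must belong to the same account as the
    distribution chosen by the HTTP Host header; otherwise answer 421."""
    by_alias = {a: d for d in distributions for a in d.aliases}
    tls_dist = by_alias.get(sni_host.lower())
    host_dist = by_alias.get(http_host.lower())
    if tls_dist is None or host_dist is None:
        return 404
    if tls_dist.account != host_dist.account:
        return 421  # Misdirected Request: fronted across unrelated accounts
    return 200
```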