Security news that informs and inspires

Wyden, Rubio Ask Google and Amazon to Restore Domain Fronting

When both Google and Amazon announced a couple of months ago that they would be eliminating the practice of domain fronting on their cloud networks, it caused a bit of a stir among app developers and digital rights advocates. The aftershocks of that move have reached Washington, and two prominent senators have asked the companies to reverse those decisions.

Domain fronting is a somewhat controversial technique that some app developers use for various reasons, one of which is to allow users to evade censorship and network-level blocks on traffic to specific sites. It allows a client to disguise traffic to a given site by hiding the actual destination hostname and putting a different hostname in the DNS request. The technique has been used by app developers to help users in countries where Internet traffic is censored to get around those restrictions, but it’s also sometimes used by malware authors to disguise connections to malicious domains.

In April, Amazon announced that it would eliminate domain fronting on its CloudFront service, saying that the practice violated the terms of service.

“To be clear, this technique can’t be used to impersonate domains. The clients are non-standard and are working around the usual TLS/SSL checks that ordinary clients impose. But clearly, no customer ever wants to find that someone else is masquerading as their innocent, ordinary domain,” Colm MacCarthaigh of Amazon said in a post at the time.

Google had made the same move about a week earlier. At the time, digital rights advocates expressed concern that the decisions would have a detrimental effect on users in countries with repressive regimes. On Tuesday, Sens. Ron Wyden (D-Ore.) and Marco Rubio (R-Fla.) sent a letter to Amazon CEO Jeff Bezos and Google co-founder Larry Page voicing similar concerns and asking the executives to consider restoring domain fronting on their services.

“Governments with anti-democratic agendas may put significant pressures on technology companies to help enable their censorship and surveillance of the internet."

“Regrettably, your recent decision to ban the practice of domain fronting will prevent millions of people in some of the most repressive environments including China, Iran, Russia and Egypt from accessing a free and open internet,” the letter says.

“Governments with anti-democratic agendas may put significant pressures on technology companies to help enable their censorship and surveillance of the internet. American technology companies, which have flourished in our free and open society, must join the effort to resist such pressure. While this may seem like a reasonable business decision in the short term, it will ultimately do far more harm to your companies and the network of which you have been a core part.”

In their letter, Wyden and Rubio also asked Bezos and Page to provide some details on what, if any, measures their companies took to mitigate the disruptive effects blocking domain fronting would have on users of anti-censorship tools and platforms. They also asked the executives to specify whether they looked for ways to stop malicious use of domain fronting while still allowing legitimate apps to make use of it.

One potential method for dealing with Google and Amazon ending domain fronting is a proposal called Encrypted Server Name Indication that’s in the IETF process right now. The technology would encrypt the name of the server the client is trying to reach during the initial TLS handshake.

“When a client wants to form a TLS connection to any of the domains served by an ESNI-supporting provider, it replaces the "server_name" extension in the ClientHello with an "encrypted_server_name" extension, which contains the true extension encrypted under the provider's public key,” the IETF proposal says.

Work on ENSI is in the early stages, but there are already a couple of working servers online.