For nearly two years, messaging app Signal beat censors in Egypt, Qatar, and the UAE through a technique known as domain fronting.
Telegram has used a similar approach to ensure its app remains accessible in Russia, despite heavy attempts to block it.
Thanks to the way modern online services are hosted, there is no single Internet Protocol (IP) address governments can force Internet service providers to block on their networks.
This hasn’t stopped Russia from blocking millions of IP addresses belonging to Amazon and Google, however, in an attempt to bring down Telegram.
Its attempts have disrupted the country’s banking and retail sectors, and prevented access to several Google services.
Telegram has remained mostly available in Russia, despite the multiple blocking attempts.
There was one weakness in the modern Internet, however, which would have made it easy for censors to block apps like Signal and Telegram, had it not been for domain fronting.
Vulnerability through encryption
A critical feature for Signal and Telegram is their ability to encrypt messages end-to-end. This is what makes them a target for governments.
In a twist of irony, the Transport Layer Security (TLS) protocol which is needed for secure communications exposes the name of the server with which an encrypted session is initiated: the Server Name Indication (SNI) extension carries that hostname in cleartext in the first message of the handshake, before any encryption is in place.
This gives censors all they need to block a particular service.
Thanks to a peculiarity built into several cloud environments, though, it was possible to work around the cleartext SNI.
Dubbed “domain fronting”, the technique put the cloud provider’s own domain in the SNI field, so the connection looked like it was destined for a Google or Amazon server, while the HTTP Host header inside the encrypted session named the real service. The provider’s front end routed the request on that Host header rather than on the SNI, so it reached its actual destination while censors saw only traffic to the provider.
“When access to Signal was originally censored in Egypt, Oman, Qatar, and UAE, we responded by deploying domain fronting in those countries through Google App Engine,” stated Signal founder Matthew Rosenfield, known online as Moxie Marlinspike.
“This meant that to block Signal, those countries would also have to block google.com.”
That was not a step countries were willing to take, and as a result Signal was accessible – despite direct access being blocked.
Crucially, this required no new configuration from users, who could simply install the app and use it as normal.
In recent weeks, however, Google and Amazon have blocked domain fronting on their App Engine and CloudFront services, respectively.
Microsoft’s Azure cloud is expected to follow suit.
“Domain fronting has never been a supported feature at Google,” said the company.
“Until recently, it worked because of a quirk of our software stack. We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”
Amazon released a similar statement recently when it announced Enhanced Domain Protections for Amazon CloudFront Requests.
It said that in certain cases, tools such as malware can use domain fronting between unrelated domains to evade restrictions that can be imposed at the TLS layer.
“Clearly, no customer ever wants to find that someone else is masquerading as their innocent, ordinary domain,” said Amazon.
Bad news for activists
Rosenfield said that with the Google and Amazon clouds out of the picture, it appears that domain fronting is no longer a viable technique to circumvent censorship.
“The idea behind domain fronting was that to block a single site, you’d have to block the rest of the Internet as well. In the end, the rest of the Internet didn’t like that plan,” said Rosenfield.
He said Signal is considering ideas for a more robust system, but added that the changes in the cloud ecosystem happened very suddenly.
“Our team is only a few people, and developing new techniques will take time,” he said.
“Moreover, if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited.”