- Google and Amazon have both made technical changes to stop the practice of domain fronting, which Signal uses to circumvent censorship in certain countries.
- The technique has also been used by a Russian state-sponsored attack group.
Recent changes in the software stack of Google App Engine broke a technique called “domain fronting,” which had been used most notably by the privacy-focused messaging service Signal. The app had used the technique since 2016 to allow users in Egypt, Oman, Qatar, and the United Arab Emirates to continue using the app, despite apparent attempts to block Signal.
The technique, in essence, relies on a quirk of HTTPS and TLS to fool deep packet inspection systems. In a given connection, a domain name appears three times: first in the DNS lookup, then in the TLS SNI field, which lets a server hosting multiple secure websites with heterogeneous certificates tell which site the client wants, and finally in the HTTP Host header. Under normal circumstances the same domain appears in all three places. With domain fronting, the DNS and SNI portions carry a different domain to masquerade as some other traffic, leaving only the HTTP Host header to name the real destination. Importantly, for HTTPS traffic the Host header is encrypted, so the fronted traffic cannot be blocked without blocking the other services behind the front as well.
This technique works in situations where the fronted and real domains are on the same CDN. In the case of Signal, the domain used was simply google.com. This tactic, otherwise known as collateral freedom, made it impracticable for Signal to be blocked without also blocking all of Google, which Egypt, Oman, Qatar, and the United Arab Emirates apparently chose not to pursue.
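The countermeasure the CDNs later applied follows directly from the traffic shape described above: at a TLS-terminating edge, the decrypted Host header can be compared with the SNI and a mismatch refused or logged. The following is an added example, not code from Signal, Google or Amazon; the edge-log fields and the registered-alias table are constructed.

```python
"""Detect SNI/Host disagreement, the on-the-wire signature of domain
fronting, in TLS-terminating proxy or CDN edge logs.  Added illustration;
the log layout and alias table below are constructed, not a real CDN's."""

# Constructed: hostnames one CDN tenant has registered for a property, so a
# Host header naming any of them behind that SNI is a legitimate request.
REGISTERED_ALIASES = {
    "www.example-shop.com": {"www.example-shop.com", "example-shop.com"},
}

def normalize_host(name):
    """Lower-case, drop a trailing dot and an explicit port, and unwrap an
    IPv6 literal's brackets so equivalent spellings compare equal."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("["):                 # e.g. "[2001:db8::1]:8443"
        return name.split("]")[0].lstrip("[")
    return name.split(":")[0]

def is_fronted(sni, host_header):
    """True when the HTTP Host does not agree with the TLS SNI, allowing
    for the tenant's registered aliases of the SNI name."""
    sni_n = normalize_host(sni)
    host_n = normalize_host(host_header)
    if sni_n == host_n:
        return False
    return host_n not in REGISTERED_ALIASES.get(sni_n, set())

def flag_fronting(records):
    """Return the edge-log records whose SNI and Host header disagree."""
    return [r for r in records if is_fronted(r["sni"], r["host"])]

# Constructed edge-log records: the SNI seen in the ClientHello and the Host
# header read after the edge decrypted the request.
SAMPLE_LOG = [
    {"src": "203.0.113.5", "sni": "www.example-shop.com",  "host": "www.example-shop.com"},
    {"src": "203.0.113.6", "sni": "www.example-shop.com",  "host": "Example-Shop.com:443"},
    {"src": "203.0.113.7", "sni": "www.example-shop.com",  "host": "hidden-service.example.net"},
    {"src": "203.0.113.8", "sni": "cdn.example-front.com.", "host": "cdn.example-front.com"},
]

if __name__ == "__main__":
    for rec in flag_fronting(SAMPLE_LOG):
        print(f"fronting suspected from {rec['src']}: "
              f"SNI={rec['sni']} Host={rec['host']}")
```

Only the record from 203.0.113.7 is flagged: a port suffix, case difference, trailing dot or registered alias is not a mismatch, which keeps the check from producing noise on ordinary traffic.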
When domain fronting was disabled by Google in April, a representative told The Verge that “Domain fronting has never been a supported feature,” and that “it worked because of a quirk of our software stack. We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”
As a result of this capability being removed, Signal moved to AWS CloudFront, and used Amazon’s souq.com marketplace, which naturally uses AWS, for domain fronting. According to a post by Signal developer Moxie Marlinspike, “the commit switching from GAE to CloudFront was public. Someone saw the commit and submitted it to HN. That post became popular, and apparently people inside Amazon saw it too.”
Seemingly because of this visibility, an AWS representative informed Marlinspike that “[masquerading] as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms,” and that the account would be suspended if Marlinspike failed to comply. Subsequently, Amazon announced similar changes to CloudFront that made domain fronting impossible, which Marlinspike characterized as part of a “time-honored tradition of sharing unpopular news late on a Friday afternoon.”
Amazon’s announcement notes specifically that domain fronting “can’t be used to impersonate domains.” There is, arguably, a security concern in allowing domain fronting as a practice, as security firm FireEye reported that a Russian state-sponsored group has used the technique in attacks. Other cloud subscribers could also be affected if Google or Amazon were blocked completely in an effort to block Signal. That said, Marlinspike chose the most popular domains possible to avoid any knock-on effect, though other users of domain fronting may not necessarily be acting so ethically.
Marlinspike noted that “The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan,” adding that a workaround to censorship to supplant the now “non-viable” domain fronting technique will take time.