This content is part of the Essential Guide: How best to secure cloud computing in this critical era

Domain fronting: Why cloud providers are concerned about it

Domain fronting is a popular way to bypass censorship controls, but cloud providers like AWS and Google have outlawed its use. Expert Michael Cobb explains why.

Amazon Web Services recently made a major decision to prohibit domain fronting, which some organizations use to conceal the locations and destinations of encrypted traffic. This affects companies like Signal, which used domain fronting to bypass government censors. AWS follows a similar move to outlaw domain fronting by Google.

Domain fronting is a popular technique used to circumvent internet censorship controls, and it is easy to deploy and use. Domain fronting works at the application layer and uses different domain names to hide the true endpoint of a connection. This enables a user to connect to a blocked service over HTTPS while appearing to communicate with an entirely different site.

In an HTTPS request, the destination domain name is transmitted in three places: in the domain name system (DNS) query, in the TLS Server Name Indication (SNI) extension and in the HTTP Host header. Normally, the same domain name appears in all three places; but in a so-called domain-fronted request, the DNS query and SNI contain the front domain name, but the actual destination domain appears only in the HTTP Host header. The front domain is usually a legitimate site, and this is the domain that is used to initialize the connection.

The front domain name is sent in clear text in the DNS request and the SNI, but the HTTP Host header is only sent once an encrypted HTTPS connection has been established. This means the actual destination domain name cannot be read by any censorship or security tools, but it is still visible to the front-end server receiving the HTTPS request, which uses the Host header internally to route the request to its intended covert destination.

Domain fronting works well with content delivery networks (CDN) because when a CDN's front-end server receives a request for a resource that isn't already cached, it forwards the request to the domain found in the Host header. Browsers can use domain fronting to reuse persistent connections for domains listed on the same SSL certificate to speed up page loading times, but it has also become a simple yet effective technique to circumvent restrictions and blocks that can be imposed at the TLS/SSL layer.

Due to the popularity of CDNs and other services that use this infrastructure -- such as Google App Engine, Microsoft Azure and Amazon CloudFront -- there are plenty of opportunities for those wishing, for whatever reason, to circumvent network controls.

Domain fronting for censorship workarounds

Companies like Signal and Telegram have built services based on domain fronting to offer censorship circumvention tools, such as encrypted phone and messaging apps in countries such as Russia, Iran and Egypt. Internet traffic going to their sites is routed through other proxies and domains.

Because censors are typically unable to differentiate circumvention traffic from legitimate traffic, they have to either allow all the traffic to the front domain or block the domain entirely. Signal's use of Google App Engine to run proxies for several Middle Eastern countries that censor direct access to Signal made it impractical for those countries to block Signal without also blocking all of Google.

Due to concerns that cybercriminals can use domain fronting to hide their malware and command-and-control infrastructures, Google disabled domain fronting in April of 2018. For example, according to a FireEye report, the Kremlin-linked APT29 used domain fronting to smuggle information for at least two years. Other reasons for the decision may well include possible political pressure and fears that its IP addresses may be blocked in some countries.

As a result, Signal moved to the Amazon-owned domain, the largest e-commerce site in the Arab world, hoping to continue concealing traffic bound for Signal. However, Amazon has said it will cancel Signal's CloudFront account if the service continues to attempt to evade censorship using Amazon sites as cover.

Fronting has always been a violation of the AWS terms of service and, now, Amazon Web Services is integrating checks directly into its CloudFront global content delivery network API and content distribution service. This means the future looks rough for any apps or services that rely on domain fronting to avoid censorship.

As the internet becomes increasingly centralized and dominated by a few major players, the game of cat and mouse between censors and those looking to avoid censorship has swung in favor of the cat -- at least for now.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing