Blocking-resistant communication through domain fronting

  • As Google and AWS kill domain fronting, users must find a new way to fight censorship - TechRepublic
    https://www.techrepublic.com/article/as-google-and-aws-kill-domain-fronting-users-must-find-a-new-way-to-fi

    Google and Amazon have both made technical changes to stop the practice of domain fronting, which Signal uses to circumvent censorship in certain countries.
    The technique has also been used by a Russian state-sponsored attack group.

    Recent changes in the software stack of Google App Engine broke a technique called “domain fronting,” which had been used most notably by the privacy-focused messaging service Signal. The app had used the technique since 2016 to allow users in Egypt, Oman, Qatar, and the United Arab Emirates to continue using the app, despite apparent attempts to block Signal.

    Blocking-resistant communication through domain fronting
    https://www.bamsoftware.com/papers/fronting

    Abstract

    We describe “domain fronting,” a versatile censorship circumvention technique that hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor. The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption. A censor, unable to distinguish fronted and non-fronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage. Domain fronting is easy to deploy and use and does not require special cooperation by network intermediaries. We identify a number of hard-to-block web services, such as content delivery networks, that support domain-fronted connections and are useful for censorship circumvention. Domain fronting, in various forms, is now a circumvention workhorse. We describe several months of deployment experience in the Tor, Lantern, and Psiphon circumvention systems, whose domain-fronting transports now connect thousands of users daily and transfer many terabytes per month.

    #internet #censure
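
The abstract's key idea, one domain in the TLS Server Name Indication and another in the HTTP Host header, is also what a network that terminates and inspects TLS at its own proxy can compare. The following is an added example, not code from the paper or from the systems it names; the record fields `sni` and `host`, the sample records, and the operator-supplied `suffixes` allow-list are assumptions.

```python
"""Flag HTTPS requests whose TLS SNI and HTTP Host header disagree.

Assumes a TLS-inspecting proxy that records both values per request.
The field names and the sample records below are constructed.
"""

def normalize(name):
    """Lower-case a host name, drop a ':port' suffix and a trailing dot."""
    name = name.strip().lower()
    if name.count(":") == 1:          # 'host:port' as seen in a Host header
        name = name.split(":", 1)[0]
    return name.rstrip(".")

def same_site(sni, host, suffixes):
    """True when both names sit under one suffix the operator treats as a single site."""
    return any(all(n == s or n.endswith("." + s) for n in (sni, host))
               for s in suffixes)

def classify(record, suffixes=()):
    """Return 'incomplete', 'match', 'same-site' or 'mismatch' for one record."""
    sni = normalize(record.get("sni") or "")
    host = normalize(record.get("host") or "")
    if not sni or not host:
        return "incomplete"           # nothing to compare, e.g. no SNI sent
    if sni == host:
        return "match"
    if same_site(sni, host, suffixes):
        return "same-site"
    return "mismatch"

def find_mismatches(records, suffixes=()):
    """Records whose outer (SNI) and inner (Host) names differ."""
    return [r for r in records if classify(r, suffixes) == "mismatch"]

# Constructed sample records (reserved example domains only).
SAMPLE = [
    {"id": 1, "sni": "www.example.com", "host": "www.example.com"},
    {"id": 2, "sni": "WWW.Example.com.", "host": "www.example.com:443"},
    {"id": 3, "sni": "cdn.example.net", "host": "hidden.example.org"},
    {"id": 4, "sni": "static.example.com", "host": "api.example.com"},
    {"id": 5, "sni": "", "host": "www.example.com"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["id"], classify(rec, suffixes=("example.com",)))
```

A mismatch is a lead rather than a verdict: HTTP/2 connection reuse can legitimately carry requests for another host covered by the same certificate, which is why the `suffixes` allow-list exists.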