Domain fronting

from Wikipedia, the free encyclopedia

Domain fronting is a technique for circumventing Internet censorship by concealing the true destination domain of an HTTPS connection. It operates at the application layer and allows a connection to be established even when the destination is blocked by technical measures such as deep packet inspection, IP address blocking or DNS filtering.

Technical details

Domain fronting makes use of Server Name Indication (SNI), an extension of Transport Layer Security (TLS). The basic idea is to use different hostnames at different protocol layers. In a request using domain fronting, the DNS query and the SNI carry a front domain, while the HTTP Host header, which is hidden from the censor by HTTPS encryption, carries the domain actually desired. The Host header is invisible to the censor, but not to the front-end server, which uses it internally to forward the request to its hidden destination.

The only way to block this circumvention technique is to block the front domain itself.

CDNs such as Cloudflare are suitable as front domains, since such a network deliberately serves one website under the name of another.
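Because the censor cannot see the Host header, detection of domain fronting is only possible where TLS is terminated, for example at an enterprise proxy that logs both the SNI and the decrypted Host header. The following added example (not part of the Wikipedia article) flags records in which the two hostnames belong to different base domains; the log format, the sample lines and the two-label base-domain heuristic are constructed for this illustration.

```python
"""Flag proxy records whose HTTP Host header does not match the TLS SNI."""
from dataclasses import dataclass

# Constructed sample records from a hypothetical TLS-terminating proxy that
# logs the SNI from the ClientHello and the Host header of the decrypted request.
SAMPLE_LOG = """\
2019-02-06T10:00:01Z client=10.0.0.5 sni=www.example.com host=www.example.com
2019-02-06T10:00:02Z client=10.0.0.5 sni=cdn.example.com host=static.example.com
2019-02-06T10:00:03Z client=10.0.0.7 sni=front.example.net host=hidden.example.org
2019-02-06T10:00:04Z client=10.0.0.9 sni=cdn.example.com host=api.example.org:443
"""


@dataclass
class Finding:
    client: str
    sni: str
    host: str
    reason: str


def parse_record(line):
    """Turn 'ts key=value key=value ...' into a dict (timestamp is dropped)."""
    return dict(part.split("=", 1) for part in line.split()[1:])


def base_domain(hostname):
    """Simplified registrable domain: the last two labels, lower-cased.
    A production check should use the Public Suffix List instead."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_record(fields):
    """Return a Finding when SNI and Host resolve to different base domains."""
    sni = fields.get("sni", "")
    host = fields.get("host", "").split(":")[0]  # strip an optional :port
    if not sni or not host:
        return None  # nothing to compare
    if base_domain(sni) != base_domain(host):
        return Finding(fields.get("client", "?"), sni, host,
                       "SNI and Host header point at different base domains")
    return None


def find_fronting(log_text):
    """Scan a whole log and collect mismatches (a plausible fronting indicator)."""
    return [f for f in (check_record(parse_record(line))
                        for line in log_text.splitlines() if line.strip()) if f]
```

A mismatch is an indicator, not proof: CDN customers legitimately serve several hostnames behind one front, so findings should be compared against the organisation's known CDN relationships before alerting.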

Prominent case of domain fronting

At the end of 2016, Egypt and the United Arab Emirates tried to block the Signal messenger. Signal then used Google App Engine as a front domain to protect itself from the censorship.

At the time, the technique was only used in the affected countries, but the developers intended to work on an update that would automatically detect censorship and bypass it by means of domain fronting.

Countermeasures by Amazon and Google

In April 2018, a week after Google, Amazon announced that it was working on software measures to prevent domain fronting. The stated reason was that malware could use the technique to hide behind unrelated domains and thereby circumvent restrictions imposed by ISPs.

Amazon thus followed Google, which had made a change to Google App Engine at the beginning of April to prevent domain fronting. The change was noticed by developers of the Tor Project on April 15, 2018. When asked, Google stated that domain fronting had never been a supported practice and that the loophole had been closed by a network update; it had no interest in offering such a feature in the future either.
