Amazon Web Services Starts Blocking Domain-Fronting (theverge.com)
Earlier this month, Google announced it is discontinuing domain fronting, a practice that lets developers disguise their traffic to evade network blocks. Now, Amazon Web Services has announced a similar move to implement a new set of enhanced domain protections specifically designed to stop domain fronting. The Verge reports: In the post, Amazon characterized the change as an effort to stamp out malware. "Tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer," the post explained. "No customer ever wants to find that someone else is masquerading as their innocent, ordinary domain." Domain-fronting works by using major cloud providers as a kind of proxy, making a data request seem like it's heading to a major service like Google or Amazon only to be forwarded along to a third party once it reaches the broader internet. Unfortunately for circumvention tools, neither Amazon nor Google will let them pull that trick anymore. Amazon will still allow domain fronting within domains owned by the same customer (or more specifically, listed under the same SSL certificate), but customers can no longer use the technique to disguise where data is going, making it far less useful for blocked apps.
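The rule the summary describes (forward only when the HTTP Host header is covered by the same certificate that served the TLS SNI name) can be written as an edge policy check. This is an added example, not Amazon's code; the certificate inventory and log lines are constructed.

```python
"""Edge check modelled on the policy in the post: a request whose Host header
names a domain outside the certificate presented for the SNI is treated as
domain fronting and rejected. Constructed inventory and log, not AWS code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

# Constructed inventory: SNI name -> SAN list of the certificate served for it.
CERT_SANS = {
    "cdn.example.com": ["cdn.example.com", "*.example.com"],
    "static.example.org": ["static.example.org"],
}

def san_matches(host: str, san: str) -> bool:
    """RFC 6125-style matching: '*.example.com' covers exactly one label."""
    host, san = host.lower().rstrip("."), san.lower()
    if san.startswith("*."):
        suffix = san[1:]                       # ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return label != "" and "." not in label
    return host == san

def check_request(sni: str, host: str, inventory=CERT_SANS) -> Decision:
    """Allow only if Host sits on the same certificate that served SNI."""
    host = host.split(":")[0]                  # drop an explicit port
    sans = inventory.get(sni.lower())
    if sans is None:
        return Decision(False, f"no certificate served for SNI {sni}")
    if any(san_matches(host, s) for s in sans):
        return Decision(True, "Host covered by the SNI certificate")
    return Decision(False, f"SNI {sni} / Host {host}: cross-certificate fronting")

# Constructed edge log, one "<sni> <host>" pair per line.
SAMPLE_LOG = """cdn.example.com api.example.com
cdn.example.com cdn.example.com
cdn.example.com static.example.org
cdn.example.com a.b.example.com
static.example.org static.example.org:443"""

def audit(log: str = SAMPLE_LOG):
    """Return (sni, host, reason) for every line the policy would block."""
    flagged = []
    for line in log.splitlines():
        sni, host = line.split()
        d = check_request(sni, host)
        if not d.allowed:
            flagged.append((sni, host.split(":")[0], d.reason))
    return flagged
```

The same-customer carve-out in the post maps to the wildcard and SAN entries of one certificate, which is why `api.example.com` passes while `static.example.org` and the two-label `a.b.example.com` are refused.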
Re: (Score:2)
Earlier this month was Google. Now it's Amazon. If you're in a faraway time zone, note that it's still April 30th in the US.
Re: (Score:2)
Does this break any gov firewall bypass tools? (Score:3)
Granted it's double-plus-ungood for the USER to think he's talking to a particular far end when he's actually talking to something else, and that this is, indeed, much of the POINT of the TLS/SSL layer.
But I seem to recall that some tools for evading governmental censorship/surveillance firewalls (such as the Great Firewall of China) relied on creating encrypted tunnels that SEEMED, to a pipe-tapping observer, to be normal encrypted traffic to a service, such as Google or Amazon, which the state-level actor would be loath to block. These tools exist specifically to "evade restrictions and blocks that can be imposed at [among other places] the TLS/SSL layer".
Does this pair of moves by Google and Amazon break any such tools?
Re: (Score:1)
For quite some time now, this has been the recommended way to connect to the Tor network from China.
(For the time being, it looks like both of the remaining 'meek' bridges are still working. It's a little sad and a little funny to think that Microsoft will be the last one standing.)
Tor supports a few other censorship-evasion protocols, but as far as I'm aware, all of them require you to connect to the bridge's public IP address, so it's comparatively easy for a determined adversary to discover those addres
Yes, yes, and yes. (Score:2)
https://www.accessnow.org/goog... [accessnow.org]
Telegram (Score:5, Interesting)
So the reason for this I bet is the latest fight that is happening between Telegram and ROSKOMNADZOR - a Russian government agency that is trying to block this service.
You can surely find all the information you want/need on this topic but what I want to add is that it is amazing how quickly these companies folded to pressure applied by the Russian government Mafia.
Re: (Score:2)
What's amazing is how quickly the Russian trolls downvoted your comments. Can't believe they care about sites like this.
Are you trying to make a funny here or did you not check the moderation history on his comment? Roman posts at -1 because he has a habit of starting religious flamewars and showing no tolerance for those who are not adherents to his preferred religious movement. His comment was not moderated down at all; to the contrary it was only moderated up. In this rare case of him not writing a comment as a recruitment tool for his faith, he was duly up-moderated (some would call this karma-whoring).
Re:Telegram (Score:5, Interesting)
Very interesting. Telegram seems the most likely ultimate cause. If Russia is threatening to block all of AWS, I can imagine this happening.
I can't figure this one out. (Score:2)
Is this parent post a Russian pretending to be an American? Or an American pretending to be a Russian pretending to be an American?
I'm thinking perhaps the latter, b/c I think the Russians are better at astroturfing than that.
Re: (Score:2, Insightful)
Cost is not an issue. Amazon's customers pay for the bandwidth their services consume.
(In case it wasn't clear - because TFS is pretty badly worded - Amazon is not, in fact, operating an open proxy. They're simply operating a CDN that lets users connect to services hosted on Amazon's infrastructure, services operated by organizations that are paying Amazon for the privilege.)
As for the motivation, though, TFS seems pretty clear: their goal is specifically to prevent users from being able to access service
Would the actual cause be (Score:3)
This? http://www.wired.co.uk/article... [wired.co.uk]