
Amazon Web Services Starts Blocking Domain-Fronting

Earlier this month, Google announced it is discontinuing domain fronting, a practice that lets developers disguise their traffic to evade network blocks. Now, Amazon Web Services has announced a similar move to implement a new set of enhanced domain protections specifically designed to stop domain fronting. The Verge reports: In the post, Amazon characterized the change as an effort to stamp out malware. "Tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer," the post explained. "No customer ever wants to find that someone else is masquerading as their innocent, ordinary domain." Domain-fronting works by using major cloud providers as a kind of proxy, making a data request seem like it's heading to a major service like Google or Amazon only to be forwarded along to a third party once it reaches the broader internet. Unfortunately for circumvention tools, neither Amazon nor Google will let them pull that trick anymore. Amazon will still allow domain fronting within domains owned by the same customer (or more specifically, listed under the same SSL certificate), but customers can no longer use the technique to disguise where data is going, making it far less useful for blocked apps.
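The policy described in the summary above (a request's Host header may differ from the TLS SNI only when both names are listed under the same certificate) can be sketched as an edge-side check. This is an added example, not Amazon's implementation or part of the original story; the function names, domains and certificate table are constructed for illustration.

```python
"""Added example: classify SNI/Host mismatches the way the summary describes."""

def _norm(name):
    # Lowercase, drop a trailing dot and a :port suffix from a Host header.
    name = name.strip().lower().rstrip(".")
    if name.count(":") == 1:  # host:port (IPv6 literals are not handled here)
        name = name.split(":")[0]
    return name.rstrip(".")

def san_matches(pattern, host):
    """Certificate name match: '*' covers exactly one left-most label."""
    pattern, host = _norm(pattern), _norm(host)
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and "." + rest == pattern[1:]
    return pattern == host

def classify(sni, host_header, cert_sans):
    """Return 'match', 'same-cert' or 'fronted' for one request."""
    sni, host = _norm(sni), _norm(host_header)
    if sni == host:
        return "match"      # nothing hidden from the network observer
    if any(san_matches(p, host) for p in cert_sans):
        return "same-cert"  # still allowed: both names on one certificate
    return "fronted"        # Host points at a name the certificate lacks

# Constructed sample data: certificates the edge serves, keyed by SNI.
CERTS = {
    "www.shop.example": ["www.shop.example", "*.shop.example"],
    "static.news.example": ["static.news.example"],
}
# Constructed requests: (SNI from the ClientHello, Host header inside TLS).
REQUESTS = [
    ("www.shop.example", "www.shop.example"),
    ("www.shop.example", "api.shop.example:443"),
    ("www.shop.example", "static.news.example"),
    ("static.news.example", "Hidden.Service.Example."),
]

def review(requests, certs):
    # Assumption: the caller can look up the SANs of the cert chosen by SNI.
    return [classify(s, h, certs.get(_norm(s), [])) for s, h in requests]

if __name__ == "__main__":
    for req, verdict in zip(REQUESTS, review(REQUESTS, CERTS)):
        print(req, "->", verdict)
```

The same comparison works offline over proxy or load-balancer logs that record both the SNI and the Host header, where "fronted" rows are the ones worth reviewing.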
  • Granted it's double-plus-ungood for the USER to think he's talking to a particular far end when he's actually talking to something else, and that this is, indeed, much of the POINT of the TLS/SSL layer.

    But I seem to recall that some tools for evading governmental censorship/surveillance firewalls (such as the Great Firewall of China) relied on creating encrypted tunnels that SEEMED, to a pipe-tapping observer, to be normal encrypted traffic to a service, such as Google or Amazon, which the state-level actor would be loath to block. These tools exist specifically to "evade restrictions and blocks that can be imposed at [among other places] the TLS/SSL layer".

    Does this pair of moves by Google and Amazon break any such tools?

    • by Anonymous Coward

      For quite some time now, this has been the recommended way to connect to the Tor network from China.

      (For the time being, it looks like both of the remaining 'meek' bridges are still working. It's a little sad and a little funny to think that Microsoft will be the last one standing.)

      Tor supports a few other censorship-evasion protocols, but as far as I'm aware, all of them require you to connect to the bridge's public IP address, so it's comparatively easy for a determined adversary to discover those addres

  • Telegram (Score:5, Interesting)

    by roman_mir ( 125474 ) on Monday April 30, 2018 @10:52PM (#56534307) Homepage Journal

    So the reason for this I bet is the latest fight that is happening between Telegram and ROSKOMNADZOR - a Russian government agency that is trying to block this service.

    You can surely find all the information you want/need on this topic but what I want to add is that it is amazing how quickly these companies folded to pressure applied by the Russian government Mafia.

    • Re:Telegram (Score:5, Interesting)

      by Wolfier ( 94144 ) on Tuesday May 01, 2018 @01:17AM (#56534657)

      Very interesting. Telegram seems the most likely ultimate cause. If Russia is threatening to block all of AWS, I can imagine this happening.

  • by Wolfier ( 94144 ) on Tuesday May 01, 2018 @01:15AM (#56534651)
