Better security may come at the expense of internet freedom

Free speech advocates voiced their concerns this week, as Google and Amazon moved to end the practice of domain fronting, which was permitting users to get around censorship laws.

Tor researchers recently noticed changes to the Google App Engine that meant websites or services could no longer pose as others in order to circumvent blocked access.

The technique allowed users to appear to connect to one of the many products found on the App Engine, while actually being linked to a banned service.

State censors, as a result, would see internet traffic that is allowed and would not severe its connection to any internet service providers (ISPs).

Google told The Verge: “Domain fronting has never been a supported feature at Google, but until recently it worked because of a quirk of our software stack.

“We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works.

“We don’t have any plans to offer it as a feature.”

Amazon then followed Google’s lead and announced that it would also be stopping the practice of domain fronting, saying that the change to its CloudFront infrastructure was aimed at enhancing security for legitimate domain owners.

Digital rights activists, however, took the announcement as a direct hit on anti-censorship efforts – in particular, on the encrypted messenger service Signal.

Signal, which is used widely by activists, journalists, and others living under repressive regimes, has domain fronting built into its app in order to automatically bypass ISP blocks in places where its use is banned such as Egypt, Oman, and the United Arab Emirates.

Responding in a blog post, Signal said: “With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature.

“The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.”

While both Google and Amazon aren’t known for their efforts in transparency and internet freedom, there are some legitimate security concerns when it comes to the use of domain fronting.

Cybercriminals or state-sponsored actors have been reported to leverage domain fronting in order to deploy malware due partly to the ability to hide malicious traffic or one’s original location.

Signal said that it was working towards “a more robust system” that will continue its use in countries where it is censored.