Amazon, Google Block Trick That Let Encrypted Chats Flow
But 'Domain Fronting' Was Also Used to Mask Cybercriminal Activity
Following in Google's footsteps, Amazon has closed a technical loophole that helped some online services evade censorship filters, but which was also abused by cybercriminals.
The technique, known as "domain fronting," can be used to mask censored services by hiding them within an infrastructure provider's vast network.
Using the technique, a party monitoring someone's internet traffic might see a request for a domain within Amazon Web Services - the so-called "front" domain - but not be able to trace the true destination of the traffic, which could be funneled invisibly to a different service that's on the same network.
The result is that services like Signal, the encrypted messaging app, could run unimpeded in countries where they had been blocked, including Egypt, Oman, Qatar and UAE. In December 2016, Signal said it would use domain fronting to evade censorship. If someone launched Signal, it would appear to traffic filters to only be reaching out to a Google domain.
Countries that wanted to continue to block access to censored sites regardless had to take the drastic step of completely blocking Google or any of the other large infrastructure providers. That scenario proved to be powerful enough leverage to keep Signal running, as countries were unlikely to block the IP ranges of the largest companies on the internet.
But that scenario is now changing. In mid-April, Google disabled domain fronting, and Amazon has now followed suit. Cloudflare, another large content delivery network, also doesn't support the practice.
"The idea behind domain fronting was that to block a single site, you'd have to block the rest of the internet as well," writes Moxie Marlinspike, the cryptographer behind Signal, in a blog post on Monday. "In the end, the rest of the internet didn't like that plan."
Domain fronting wasn't an intended feature, but rather a sly trick that became widely used. It came with great benefits for services that often get censored.
When someone navigates to a website using HTTPS, the destination website's name appears in three places: the DNS query, the TLS Server Name Indication (SNI) extension and the HTTP Host header, according to a 2015 academic paper on "blocking-resistant communication through domain fronting."
But a domain-fronted request is crafted so that only the "front" domain appears in the DNS query and the SNI extension. The HTTP Host header, which names the real destination, is encrypted inside TLS, making it invisible to anyone watching the network.
"The front-end server uses the host header internally to route the request to its covert destination; no traffic ever reaches the putative front domain," according to the paper.
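The mechanism described above also explains why only the infrastructure provider could shut it off: the front-end server that terminates TLS is the one vantage point that sees both the SNI and the decrypted Host header. As an added illustration (not code from the article, the paper or any CDN), here is how such a front end or inspection proxy could flag the mismatch, using constructed sample records with placeholder domain names.

```python
"""Flag domain-fronted requests by comparing TLS SNI with the HTTP Host header.

Added example, not from the article: only a TLS-terminating front end (or an
inspection proxy that sees decrypted requests) holds both values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Request:
    sni: Optional[str]   # server_name from the TLS ClientHello, None if absent
    host: str            # Host header seen after TLS termination


def normalize_host(name: str) -> str:
    """Lower-case, drop a :port suffix and a trailing dot so cosmetic
    variations neither mask nor fake a mismatch."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("["):
        # IPv6 literal: keep the bracketed address, drop anything after ']'
        if "]" in name:
            name = name[: name.index("]") + 1]
    elif ":" in name:
        name = name.rsplit(":", 1)[0]
    return name


def is_fronted(req: Request) -> bool:
    """True when SNI and Host disagree. An absent SNI cannot be checked at
    all, so it is flagged for review as well."""
    if req.sni is None:
        return True
    return normalize_host(req.sni) != normalize_host(req.host)


def find_fronted(requests: Iterable[Request]) -> List[Request]:
    return [r for r in requests if is_fronted(r)]


# Constructed sample records; the domain names are placeholders, not real services.
SAMPLE = [
    Request("www.front-example.com", "www.front-example.com"),
    Request("www.front-example.com", "WWW.Front-Example.com:443"),
    Request("www.front-example.com", "hidden-service.example.net"),
    Request(None, "hidden-service.example.net"),
]

if __name__ == "__main__":
    for r in find_fronted(SAMPLE):
        print(f"SNI={r.sni!r} Host={r.host!r}: possible domain fronting")
```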
Domain fronting has been used by many services and projects, including the anonymizing browser known as Tor - short for The Onion Router. But it can also be useful for cybercrime and online espionage.
A suspected Russian hacking group dubbed APT29 has used domain fronting, cybersecurity firm FireEye said in March 2017.
APT29 used it to mask outbound connections from organizations it had compromised. When the group exfiltrated data, the connections looked no different from normal traffic. That's why some security experts have mixed feelings about the collateral damage that blocking domain fronting will inflict on projects such as Signal.
"Unfortunate for this use case, but you can't really blame Amazon and Google for disallowing and disabling domain fronting," writes Wesley McGrew, director of cyber operations at Horne Cyber. "It wasn't an intended 'feature' and is being leveraged by malicious actors."
Others see the clampdown on domain fronting as a sign of a much broader problem. Sarah Jane Lewis, executive director of the Vancouver, Canada-based Open Privacy Research Society, writes that domain fronting is a "hack around a badly designed internet."
"We need better censorship resistant tactics," Lewis writes. "However, it is such a shame, but not surprising, that corps like Google and Amazon are refusing to help the tiniest bit to bridge the gap."
No Workarounds Yet
Google and Amazon's moves leave Signal with few options. After Google ended domain fronting, Signal switched to Amazon's CloudFront service. Then, last week, Marlinspike received a warning from Amazon that using domain fronting was a violation of the company's terms of service.
With Amazon no longer an option, Marlinspike writes that "it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature."
Signal is studying ways to engineer a more robust system but doesn't have an immediate alternative, Marlinspike writes. Furthermore, if large network providers decide that there will always be network-level visibility into the final destination of someone's browsing, workarounds remain limited.
"In the meantime, the censors in these countries will have (at least temporarily) achieved their goals," he writes. "Sadly, they didn't have to do anything but wait."
Increasing Government Pressure
The domain-fronting wrinkle comes at a time when some governments are exerting more pressure than ever on technology companies that have incorporated hard-to-break encryption to protect content and individuals.
The United States, United Kingdom and Australia have alleged that encrypted communications are making it more difficult to fight terrorism and conduct law enforcement.
All three countries, however, have said they do not want to pass laws that would require mandatory backdoors in communication products. Security experts have long advised that any attempt to "backdoor" - aka weaken - crypto systems in this manner would make it child's play for cybercriminals, nation-states and others to steal consumer and business data en masse.
In 2016, the U.K. passed legislation that puts new legal pressure on companies to help in decrypting communications, and Australia is weighing similar legislation. The U.S. has not passed any such legislation, but FBI officials have frequently warned that encrypted communications could pose a danger to public safety (see Crypto in Europe: Battle Lines Drawn).
Other governments have been much more aggressive in their anti-encryption efforts. In mid-April, Russia began blocking the Telegram messaging product. On Monday, Iran also blocked Telegram, contending the application endangered national security, The New York Times reports.