Telegram has been putting up an impressive fight against the governments of Russia and Iran in high-profile efforts to censor the messaging service over the last few weeks. But we’ve heard little about its fellow encrypted messaging app Signal. Both services have used an anti-censorship technique called “domain fronting” to get around tyrants – and now, Google and Amazon say that’s no longer an option.
Amazon officially announced it’s increased focus on stamping out domain fronting on Friday. The statement followed closely behind a similar move by Google. On Monday, Signal founder Moxie Marlinspike posted a communication from Amazon’s team informing the privacy-focused company that it must discontinue any sort of domain fronting practices if it wants to continue using Amazon Web Services. Marlinspike lamented the crackdown, saying that Signal is being censored in Egypt, Oman, Qatar, and United Arab Emirates. The technique has allowed Signal to circumvent those blocks and continue to provide service to citizens of those countries, according to Marlinspike, but for now, it will have to comply with Amazon’s demands.
“With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature,” wrote Marlinspike. “The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.”
In simple terms, domain fronting allows a service like Signal to hide the endpoint of internet traffic behind a domain that’s permitted by a censor. In this case, Amazon specifically pointed to Signal’s use of Souq.com, a domain owned by the online retail giant. A country that’s blocking Signal would see traffic going to Souq.com and allow it. On the other side of Amazon’s clean SSL certificate, the traffic would be routed to Signal. You can read more about how it all works here.
The big thing is, the technique has been effective because governments haven’t been willing to block tons of IP addresses and break crucial parts of the internet just to stamp out a single banned site using domain fronting. But the clash between Telegram and Russia is different. The Russian government has been all too willing to block millions of IPs in its quest to destroy Telegram founder Pavel Durov’s service. Both Google and Amazon were reportedly in direct talks with Russian authorities in recent weeks. Gizmodo reached out for comment to both services at that time. When asked if they had a statement regarding their work with the Russian government on resolving the issue, the only one to respond was Google. A spokesperson sent the single-line message: “We are aware of reports that some users in Russia are unable to access some Google products, and are investigating those reports.”
We’ve reached out to Amazon about its letter to Signal and will update when we receive a reply.
Neither Google nor Amazon is directly linking the issues in Russia with their sudden decision to crackdown on the practice of domain fronting. Google has specifically pointed out that the practice “has never been a supported feature” on its cloud service. The fact is, this was something that was overlooked for years at least in part because it’s used by so many services that fight censorship. And in fairness to the big evil corporate giants, domain fronting can be used by bad actors for spreading malware, and efforts to censor Telegram have likely brought the domain fronting practice to the forefront.
Still, the timing makes Google and Amazon’s motivations for shutting the practice down all too conspicuous. And regardless of their reasons for killing domain fronting now, the dictators have scored another victory.
[Signal]