SoylentNews is people
SoylentNews
Submitted via IRC for Fnord666
The team behind secure messaging app Signal says Amazon has threatened to drop the app if it doesn't stop using an anti-censorship practice known as domain-fronting. Google recently banned the practice, which lets developers disguise web traffic to look like it's coming from a different source, allowing apps like Signal to evade country-level bans. As a result, Signal moved from Google to the Amazon-owned Souq content delivery network. But Amazon implemented its own ban on Friday. In an email that Moxie Marlinspike — founder of Signal developer Open Whisper Systems — posted today, Amazon orders the organization to immediately stop using domain-fronting or find another web services provider.
Amazon has said that it's banning domain-fronting so malware purveyors can't disguise themselves as innocent web traffic. But Signal used the system to provide service in Egypt, Oman, and the United Arab Emirates (UAE), where it's officially banned. It got around filters by making traffic appear to come from a huge platform, since countries weren't willing to ban the entirety of a site like Google to shut down Signal.
Source: https://www.theverge.com/2018/5/1/17308508/amazon-web-services-signal-domain-fronting-ban-response
Also at TechCrunch and TechRepublic.
See also: A Google update just created a big problem for anti-censorship tools
APT29 Domain Fronting With TOR
Previously: Encrypted Messaging App Signal Uses Google to Bypass Censorship
Related: Open Whisper Systems Releases Standalone "Signal" Desktop App
(Score: 0) by Anonymous Coward on Wednesday May 02 2018, @08:37PM (5 children)
Honest question. Can anyone explain to me how this domain fronting works, and why it's supposedly needed? What's the difference between the app having a list of hundred innocent looking domains to contact, or an equal length list of ip addresses? I presume both could easily get blocked if the regime is able to do traffic analysis or reverse engineering. What's the advantage of using these domains over simple ip addresses to their proxies all over the globe?
(Score: 1, Interesting) by Anonymous Coward on Wednesday May 02 2018, @08:45PM
It costs money to maintain a bunch of innocuous looking domains; forcing that cost onto people is itself a kind of censorship.
You pay government to pay agents to find those innocuous domains and then ban them.
"fronting" works by running your service in someone's "cloud"; if your service is running via Google's cloud, then presumably you have the ability to make your traffic look like it's coming from Google's CDN, or whatever.
This works, because most governments just can't get away with censoring Google like that can get away with censoring your many innocuous domains
(Score: 3, Informative) by DannyB on Wednesday May 02 2018, @09:53PM (3 children)
I'll give it a try.
Suppose CloudFront hosts a lot of popular content which BadCountry simply does not want to block, such as GoodService. Even if some people in BadCountry get to read about scary ideas! OMG!
Suppose a privacy app (eg, Signal) also has their server behind Cloudfront.
All of these servers use HTTPS.
In the "first part" of an HTTPS connection, BadCountry can see who you are connecting to. But during a "later part" of the HTTPS connection setup, BadCountry cannot see the actual web site name you want to connect to. By "later part" of the HTTPS connection, everything is already end-to-end encrypted, and so BadCountry cannot see it.
So to BadCountry, they see that you are connecting to GoodService that is simply too important to block. But at a later part of the HTTPS setup, information is sent that causes CloudFront to direct your connection to Signal.
During the first part of the connection setup, you use GoodService to obtain an IP address belonging to CloudFront for both Signal and GoodService. After the encryption is active, your connection indicates the "virtual host" name of the site you are connecting to -- but it is encrypted so BadCountry cannot see it.
This only works because both BadCountry and Signal happen to be CloudFront users.
Now replace CloudFront with Google's similar offering, or Amazon's similar offering.
I'm sure I've over simplified it, but you probably get the idea.
I'd be happy if someone points out any errors.
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Wednesday May 02 2018, @10:01PM (1 child)
I remember back in the day of Geoshitties, when China didn't mess around and blocked all of its IP addresses, because someone put up a "Free Tibet" site.
(Score: 2) by tangomargarine on Thursday May 03 2018, @03:55PM
You mean, like they're currently still doing to GitHub?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by legont on Wednesday May 02 2018, @11:53PM
Let me try to give an illustration to this. For two weeks already Russian government has been engaged in an all out Internet war against Telegram. The law requires Telegram to submit keys that Telegram obviously does not have. I guess they refused to build a backdoor so the department of communications or whatever it is called decided to stop it. The results? Telegram works, but many services, such as major banks and retail networks, were blocked in the process. At some point the department responsible for blocking Telegram blocked itself; yes, I've seen it down myself..
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.