Domain fronting and the limits of relying on big commercial technology companies to support an open internet

For a number of online service providers with an interest in reaching users struggling to bypass censorship, a technical delivery method called domain fronting has offered a relatively simple and effective method to bypass the blockades and reach the people.

Domain fronting uses different domain names at different layers. At the plaintext layers visible to the censor?the DNS request and the TLS Server Name Indication?appears the front domain allowed.example. At the HTTP layer, unreadable to the censor, is the actual, covert destination forbidden.example.
Domain fronting uses different domain names at different layers. At the plaintext layers visible to the censor?the DNS request and the TLS Server Name Indication?appears the front domain allowed.example. At the HTTP layer, unreadable to the censor, is the actual, covert destination forbidden.example.

There are a lot of ways for a state to block a service, and fronting is a form of “pluggable transport” that can make traffic to a specific service seem more mundane and generic, by funnelling it through a large content delivery network (CDN) such as cloud environments owned by Amazon, Google, Microsoft or others. So the filtered network sees whatever your actual activity is as just sending and receiving data from Amazon or Google.

It could be costly for a state to block a service using fronting at the domain level, because it might then block an entire network full of other things it relies on. To understand how blocking may backfire, see what happened when Russia tried to shut down access to the Telegram app.

The free market capitalists out there may have been seeing this as an example of how corporations can actually save the world from tyranny: Look, by letting loosely regulated companies do what they want, they’re too big to block! Let freedom reign! Not quite. Both Amazon and Google seem to have calculated that getting on with a government of a vast user base is more profitable than aggravating it. Both have shut down fronting, in what’s now being described as “fixing an unintended loophole“.

This effects more than just Telegram, and more than just Russia. Secure encrypted app Signal’s use of Amazon AWS domain fronting, which would have shuffled traffic behind souq.com was scuppered with a warning letter from Amazon. The Tor Network also observed that it’s use of Google’s App Engine had stopped working.

To understand the usefulness Domain Fronting can provide, and get an idea of how to set it up, here’s a post on using Alibaba’s CDN for it. To see how and why the practice quickly caught on as a building block to a more open internet, the Tor Blog has that covered.

There are various technical and legal issues around whether a large CDN provider might want to either allow or forbid its network to be used to funnel censored services to users, but as the world marks the 200th birthday of Karl Marx, it might be good to point out that domain fronting’s downsides are both rooted in capitalist systems: The first, listed in the Pluggable Transports website is fairly obvious: “Using these services can quickly become very costly.” The second reason isn’t mentioned there yet, but is basically that the large corporate cloud services provider may shut off the spicket at any time.

Corporate interests are primarily in keeping markers open. Aside from being consumers, there aren’t many other freedoms a commercial enterprise is interested in for the people it reaches. For companies that sell basically everything, it can make good sense to allow some things to be blocked to allow other things to be sold. Free speech, open access or the right to privacy may not be required in this business model, and can could even be seen as damaging to profits if supporting them causes the company to lose access.

Marx wasn’t very good about predicting online sales, or the various unintended uses of corporate cloud internet services for content delivery networks to bypass nation-state internet filters. But his theory on capitalism’s crisis still works within this mess.

In short: Country X is small and really repressive. Country Y is huge and semi-repressive (add your countries and types of repression as you will). to keep Country Y happy, LARGE CORPORATION blocks its services from being used to bypass censorship. LARGE CORPORATION doesn’t even care about Country Z’s leaders, but it has just handed both governments’ ability to crack down on dissent huge victories in the name of selling stuff in County Y.

And this is the problem of a quickly centralising, and increasingly commercially controlled internet. Solutions?


CDN graphic at top adapted from the one by Chinacache [CC BY-SA 3.0 or GFDL], from Wikimedia Commons

Leave a Reply

Your email address will not be published. Required fields are marked *

You can encrypt your comment so that only yours truly can read it.

WordPress Anti-Spam by WP-SpamShield

This site uses Akismet to reduce spam. Learn how your comment data is processed.