Are Tech Giants Making Internet Censorship Easier?

In the first half of 2018, Google and Amazon suddenly changed their stance on helping users bypass censorship through their cloud services, putting many websites and apps at risk.

Recently, Amazon sent a letter to the creators of the secure messenger Signal in response to their plans to use domain fronting as a way to circumvent internet censorship. This technique allows app traffic to be disguised as traffic to another website (in this case, Amazon’s own domain, Souq.com). In their letter, Amazon representatives stated that such use of Amazon Web Services directly violates their user agreement. If Signal did not stop this practice, Amazon threatened to deny the developers access to Amazon CloudFront services.

Direct access to Signal has been restricted in Egypt, Oman, Qatar, and the UAE for a year and a half. These countries have tried to block the messenger by requiring internet providers to block connections to Signal’s servers.

Like most modern services, Signal does not have a single static IP address that providers can easily filter. In cloud services, IP addresses change over time due to load balancing and are not always tied to a specific location. For example, a single Amazon CloudFront edge IP address serves requests for any number of unrelated customers distributing content via its CDN, so blocking that address would also take down everything else hosted behind it. This makes it much harder for censors to identify banned traffic by IP address alone.

Unfortunately, a TLS handshake still reveals the target host name in plain text: the client puts it in the Server Name Indication (SNI) extension of the ClientHello, which is sent before any key exchange and therefore cannot be encrypted. This is true even for TLS 1.3, which encrypts most of the handshake but leaves the ClientHello, and the SNI in it, in the clear. A censor doing deep packet inspection does not need to break the encryption; it only needs to read one field of the first packet.

However, a number of cloud platforms have a property that can be turned against this. They terminate TLS for many customers on shared front ends and route each request by the HTTP Host header, which is inside the encrypted tunnel, rather than by the SNI. That lets a client open a TLS connection for domain A (visible to the censor) while sending a request that is actually received and processed by domain B (visible only to the cloud provider). This technique is called domain fronting.
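The following is an added example, not code from Signal or from any cloud provider, showing both halves of the two preceding paragraphs: what a censor's DPI box can read from the cleartext ClientHello (the SNI), and the request that travels inside the tunnel, whose Host header names a different origin. souq.com is used as the front because the article names it; hidden-app.example is an assumed placeholder for the service actually being reached, not a real Signal host. The ClientHello builder models only the fields an SNI filter needs to walk past.

```python
"""
Domain fronting from both ends of the wire (added example, not Signal's or
Amazon's code). Hostnames are assumptions: souq.com is the Amazon-owned front
named in the article, hidden-app.example is a placeholder for the service that
is really being reached.
"""
import os
import struct
from typing import Optional

FRONT_DOMAIN = "souq.com"             # what the censor sees in the SNI
HIDDEN_DOMAIN = "hidden-app.example"  # assumed placeholder; what the CDN routes on

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
SNI_HOST_NAME = 0x00


def build_client_hello(sni: Optional[str]) -> bytes:
    """Return a TLS record carrying a minimal ClientHello.

    Only the fields needed to reach the extensions block are modelled (two
    cipher suites, no key_share); that is all an SNI filter looks at. With
    sni=None the server_name extension is simply omitted.
    """
    cipher_suites = struct.pack("!HH", 0x1301, 0xC02F)
    body = b"\x03\x03"                                   # legacy_version
    body += os.urandom(32)                               # random
    body += b"\x00"                                      # empty session id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                                  # compression: null only

    extensions = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    versions = b"\x02\x03\x04"                           # advertise TLS 1.3
    extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(versions)) + versions
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """The censor's view: pull server_name out of a raw ClientHello, no keys needed.

    Returns None for non-handshake records or hellos without SNI; raises
    ValueError on truncated or malformed input instead of slicing garbage.
    """
    if len(record) < 5:
        raise ValueError("truncated record")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + rlen]
    if len(hs) != rlen:
        raise ValueError("truncated record")
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    hlen = int.from_bytes(hs[1:4], "big")
    data = hs[4:4 + hlen]
    if len(data) != hlen:
        raise ValueError("truncated handshake")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated ClientHello")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                                 # legacy_version + random
    take(take(1)[0])                             # legacy_session_id
    take(struct.unpack("!H", take(2))[0])        # cipher_suites
    take(take(1)[0])                             # compression_methods
    if pos == len(data):
        return None                              # no extensions at all
    ext_end = pos + struct.unpack("!H", take(2))[0]
    if ext_end > len(data):
        raise ValueError("bad extensions length")
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", take(4))
        edata = take(elen)
        if etype != EXT_SERVER_NAME:
            continue
        q = 2                                    # skip ServerNameList length
        while q + 3 <= len(edata):
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + nlen]
            if len(name) != nlen:
                raise ValueError("bad server_name entry")
            if ntype == SNI_HOST_NAME:
                return name.decode("ascii")
            q += 3 + nlen
    return None


def build_fronted_request(front: str, hidden: str, path: str = "/") -> bytes:
    """The HTTP/1.1 request sent inside the tunnel opened with server_name=front.

    Once TLS is up the CDN routes on the Host header, so naming the hidden
    origin here is what makes the request land at domain B.
    """
    if front == hidden:
        raise ValueError("front and hidden host must differ, otherwise nothing is fronted")
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {hidden}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def what_each_side_sees(front: str = FRONT_DOMAIN, hidden: str = HIDDEN_DOMAIN) -> dict:
    """One fronted connection, summarised as the censor's view vs the CDN's view."""
    hello = build_client_hello(front)
    request = build_fronted_request(front, hidden)
    host_line = next(line for line in request.decode("ascii").split("\r\n")
                     if line.lower().startswith("host:"))
    return {
        "censor_sees_sni": parse_sni(hello),
        "cdn_routes_on_host": host_line.split(":", 1)[1].strip(),
    }


if __name__ == "__main__":
    print(what_each_side_sees())
```

In a live connection the only change is that the ClientHello is produced by the TLS library (`ssl.create_default_context().wrap_socket(sock, server_hostname=front)`) and `build_fronted_request(...)` is written to the wrapped socket; the certificate the edge presents is the front's, so the censor sees a normal-looking session to domain A. The countermeasure the cloud providers announced amounts to the edge refusing any request whose Host header does not match the SNI it saw, which is exactly the mismatch `what_each_side_sees()` exhibits.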

When access to Signal was restricted in the countries mentioned above, the messenger’s creators used this method with Google App Engine. As a result, to block Signal, these countries would also have had to block Google’s main search site, google.com. The principle behind domain fronting is that to block one site, you’d have to block a large part of the internet. The authorities were not ready to take such a drastic step, which undermined their efforts to block the messenger. Users didn’t have to do anything extra—they could simply download and use the app as usual.

Direct access to Signal has also been restricted in Iran for the past three years, but developers there could not use the above methods to bypass the block. Based on a controversial interpretation of sanctions law, Google does not allow the use of Google App Engine in Iran.

In early 2018, advocacy groups increased pressure on Google to change its position on this issue. Unfortunately, these efforts had the opposite effect. When Google’s management became more aware of domain fronting, they began considering restrictions on such circumvention methods in other countries as well. Recently, Google also informed Signal’s creators of their intention to start fighting domain fronting.

In response to Google’s statements, the messenger’s developers switched to using CloudFront. However, Amazon’s reaction was not long in coming.

This policy by the companies could make domain fronting an unviable method for bypassing censorship in all the countries where Signal used it. The Signal team consists of just a few people, and finding a new solution to bypass blocks could take a long time. Moreover, if the recent policy changes by cloud service providers indicate a commitment to keeping the destination of encrypted traffic visible at the network level, that is, refusing to serve a request whose Host header does not match the SNI the edge saw, then the range of potential solutions becomes very limited.

Internet censors in many countries may finally achieve their goals. Unfortunately, all they have to do is wait a little longer.