What is Domain Fronting and Why Did Google & Amazon Disable It

Domain fronting is a technique that hides the true endpoint of a connection, i.e., it allows a user to connect to a service while appearing to communicate with an entirely different one. Naturally, this method, which disguises their traffic to evade network blocks, is employed by both criminals and cyber activists.

Domain fronting is a relatively new technique; it gained popularity recently after Google and Amazon decided to block it on their cloud hosting platforms.

Developers were able to forward traffic to their own servers through a Google.com domain, for instance, so all the data requests would look as if they were headed for Google.com. This is particularly effective because domains like Google.com are too big to be blocked. And with encryption, censors were unable to look into the data itself.

At the time, Google claimed that domain fronting had never been intentionally supported by Google – it was the result of a quirk of their software stack – and that its elimination was part of a planned software update. Amazon on its part said that the move was motivated by its attempt to combat malware.

It just so happens that these moves coincided with pressure from the Russian government to block Telegram; an encrypted messaging platform that uses both of the cloud provider’s services and for whom domain fronting was a tried and true procedure to evade censorship.

But to be fair to Google and Amazon, there are valid reasons to shut down the practice. It is equally useful to cybercriminals and online privacy crusaders. Plus, no sensible online business owner would ever accept for any other person or entity to impersonate his service.

When There’s a Will, There is a Way

It’s just that the timing was suspicious, and, in theory, there is a way out that both Google and Amazon chose to ignore.

Simply, Amazon and Google could have singled out trusted anti-censorship actors and allowed them to use their own domains and their domains alone. But alas.

Aside from Telegram, services that have been affected include the walkie-talkie-like chat app Zello, Signal, an encrypted communications app, and Tor, a software that enables anonymous communication.

Tor announced that they shifted to Microsoft’s Azure cloud, but it’s unclear whether Microsoft will or won’t soon follow suit.