Domain fronting has a dwindling future

Getting around government censorship of the internet — like China’s “Great Firewall,” for instance — requires an arsenal of tricks.

One of the most common is known as “domain fronting,” which can mask internet traffic that would otherwise be blocked. However, the practice was recently banned by Amazon and Google, two cloud behemoths whose infrastructure carries much of the world’s web traffic. While U.S. lawmakers are calling on the tech giants to reconsider their bans, the practice may soon be a relic of the past.

Domain fronting hides the real destination of HTTPS traffic behind a domain the censor is unwilling to block. The parts of a connection that an on-path censor can read, the DNS lookup and the server name the client sends in the clear at the start of the TLS handshake (the Server Name Indication, or SNI), point at an innocuous site hosted on the same content delivery network as the censored service. The HTTP Host header that names the censored service travels inside the encrypted session, where only the CDN can read it and route the request to its real destination. As this in-depth 2015 research paper lays out, it is an easy technique that works without any explicit support from the cloud host. It has been used for years by developers and engineers, including those behind the secure messaging app Signal and the anonymity tool Tor.

Tor relies on several techniques to keep censors from recognizing and blocking connections to its network, and domain fronting is one of them. The project’s developers previously relied on Google’s and Amazon’s clouds to beat censorship, but lost that capability earlier this year. As a result, they turned to Microsoft Azure, the biggest cloud provider that still allows domain fronting.

“Domain fronting is a critical tool to keep the web open for people who live in repressive regimes,” said Stephanie Whited, a Tor spokesperson. “We’re so glad Microsoft has not closed Azure to this important use, and we’ve moved all of our domain fronting to run on Azure.”

It’s not clear how long Microsoft will continue to allow the technique. The company did not respond to a request for comment.

While domain fronting helps users get around censorship, malicious actors use the technique as well. Hacking groups often use domain fronting, Amazon pointed out in a blog post explaining its decision to end the practice. FireEye reported that the Russia-linked hacking group APT29 used domain fronting to exfiltrate data from targeted networks. Other firms, such as CyberArk, have detailed how malware uses the technique for command and control.

Michael Hull, president of Psiphon, which makes a censorship circumvention tool used around the world, told CyberScoop that his company’s product has never relied on domain fronting.

He described the practice as “a quick fix to a difficult problem.”

“Domain fronting on its own is not very effective,” he said. “One needs to combine obfuscation, HTTP header modification, transport fragmentation and a whole series of other techniques to defeat a sophisticated censor. The importance of a diversified circumvention toolbox cannot be overstated.”

Hull added that domain fronting “breaks the [content delivery network] design” which “is why Amazon and Google are stepping out.”

Tor’s Whited is less sympathetic to Amazon and Google’s decision, charging that the two companies “killed a very important means of communications for journalists and activists around the world with their thoughtless decision.”

The argument may in time be moot. At a recent meeting of the Internet Engineering Task Force (IETF), the independent body that develops internet standards, engineers from Apple, Cloudflare and Mozilla made progress on a new protocol called Encrypted Server Name Indication (ESNI).

The protocol is meant to fix one of the hooks in today’s standards that censors rely on: a TLS client sends the name of the server it wants in the clear, in the SNI field of its first handshake message, so an eavesdropper can read and block that name even though everything after the handshake is encrypted. ESNI encrypts that field so server names are unreadable by eavesdroppers. Yet it may be years before ESNI is a reality.
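To make concrete both the fronting trick described above and the cleartext field that ESNI is designed to encrypt, here is an added Python model. It is example code written for this page, not code from Tor, Signal, Psiphon, any CDN or the ESNI draft. It builds a minimal TLS ClientHello carrying the RFC 6066 server_name extension, parses the name back out the way a censor’s deep-packet-inspection box would, then models a fronted request, the censor’s allow-or-block decision, and a CDN edge that routes on the Host header. The host names, the blocklist, the origin map, and the assumption that a CDN enforcing Host/SNI agreement answers with HTTP 421 are all constructed for the example; ESNI itself is modelled only by leaving the cleartext name out of the handshake.

```python
"""Constructed model of domain fronting and of the cleartext SNI field that
ESNI encrypts. Example code added to this page; not Tor, Signal, Psiphon or
CDN code. All host names are placeholders."""
import struct
from typing import Dict, Optional, Tuple


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Minimal TLS record carrying a ClientHello. With a name it adds the
    RFC 6066 server_name extension in the clear; with None it omits the
    extension, standing in for ESNI, which replaces the cleartext name with
    ciphertext (the draft's encrypted extension itself is not modelled)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        host_name = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(host_name)) + host_name
        extensions = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list  # ext type 0
    body = (
        b"\x03\x03" + b"\x00" * 32   # client_version TLS 1.2, random (zeroed: constructed)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x13\x01"        # one cipher suite
        + b"\x01\x00"                # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Read server_name out of a ClientHello the way a censor's DPI box does.
    Nothing here is encrypted, so no key is needed."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a handshake record / ClientHello
    pos = 5 + 4 + 2 + 32                             # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                           # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                           # compression_methods
    if pos + 2 > len(record):
        return None                                  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:                            # server_name: list len(2), type(1), name len(2)
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def fronted_request(front: str, hidden: str, path: str = "/",
                    sni_in_clear: bool = True, dns_in_clear: bool = True) -> dict:
    """Client side. The DNS lookup and the TLS handshake name the front; the
    HTTP Host header naming the real destination rides inside the session."""
    return {
        "dns": front if dns_in_clear else None,      # None: resolved over encrypted DNS
        "client_hello": build_client_hello(front if sni_in_clear else None),
        "encrypted_http": f"GET {path} HTTP/1.1\r\nHost: {hidden}\r\n\r\n".encode(),
    }


def censor_decision(req: dict, blocklist: set) -> str:
    """On-path censor: matches what it can read (DNS name, cleartext SNI)
    against its blocklist. It never sees the Host header."""
    visible = {req["dns"], extract_sni(req["client_hello"])} - {None}
    return "BLOCK" if visible & blocklist else "ALLOW"


def host_header(http: bytes) -> Optional[str]:
    for line in http.decode("ascii").split("\r\n"):
        if line.lower().startswith("host:"):
            return line[5:].strip()
    return None


def cdn_route(req: dict, origins: Dict[str, str],
              enforce_sni_host_match: bool) -> Tuple[int, Optional[str]]:
    """CDN edge: terminates TLS for the SNI name, then routes on Host. Fronting
    works only while Host is honoured regardless of SNI; the enforce flag models
    the policy change at Amazon and Google (the 421 status is an assumption)."""
    sni = extract_sni(req["client_hello"])
    if sni is not None and sni not in origins:
        return 0, None                               # no certificate for that name: handshake fails
    host = host_header(req["encrypted_http"])
    if enforce_sni_host_match and sni is not None and host != sni:
        return 421, None                             # Misdirected Request
    if host not in origins:
        return 404, None
    return 200, origins[host]


if __name__ == "__main__":
    ORIGINS = {"cdn-front.example": "front-origin", "blocked.example": "hidden-origin"}
    BLOCKLIST = {"blocked.example"}
    fronted = fronted_request("cdn-front.example", "blocked.example")
    print(censor_decision(fronted, BLOCKLIST), cdn_route(fronted, ORIGINS, False))
    print(cdn_route(fronted, ORIGINS, True))
    esni = fronted_request("blocked.example", "blocked.example", sni_in_clear=False)
    print(censor_decision(esni, BLOCKLIST))
```

Run stand-alone, the script shows the fronted request passing the censor and reaching the hidden origin, the same request failing with 421 once the edge insists that Host match SNI, and, with the name removed from the handshake, the censor left with only the DNS lookup to act on. That last case is why ESNI only helps when the DNS lookup is encrypted as well; with both hidden, the censor is left with nothing but the IP address of a shared CDN edge.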
