Amazon To Stop Signal From Using Domain Fronting On Its Infrastructure

After Google put an end to domain fronting on its own infrastructure, Amazon followed suit and blocked Signal from avoiding censorship in countries such as Egypt, Iran, Oman, Qatar, and UAE.

Big Tech Companies Kill Anti-Censorship Technique

A few weeks ago, the Russian government issued an order for its ISPs to block Telegram because it wouldn’t provide the encryption keys to the Russian intelligence services. The order wasn’t that successful, because Telegram made use of domain fronting: routing its traffic through other popular domains that a government wouldn’t normally be willing to block.

Russia called their bluff, or just didn’t care about the impact of its broad censorship, and blocked over 18 million IP addresses from Google, Amazon, Microsoft, and other cloud service providers. This led to thousands protesting in Moscow and online. However, Google was quick to put an end to the domain fronting technique on its infrastructure, before the Russian government had a chance to change its mind.

Signal was one of the first chat applications to make use of domain fronting. More than a year and a half ago, direct access to the service was blocked in Egypt, Oman, Qatar, and UAE. However, users there could still use it because those countries wouldn’t block Google’s services.

The Iranian government blocked direct access to Signal, too, three years ago. The domain fronting technique using Google’s infrastructure could not be used there due to Google’s interpretation of the U.S. government sanctions against Iran. Google was blocking all of its services from being accessed in Iran, which means Signal could not be used there through domain fronting either.

Google leadership was made aware earlier this year that certain services were using its infrastructure to avoid censorship in certain countries, and it then decided to put an end to it. Signal got a 30-day notice, so the developers looked to Amazon to achieve the same thing.

When Amazon learned about this, it sent the Signal developers an email saying that Signal was violating its Terms of Service by “masquerading as another entity without express permission from the domain owner.”

Signal developers denied both of Amazon’s claims:

  1. Our CloudFront distribution isn’t using the SSL certificate of any domain but our own.
  2. We aren’t falsifying the origin of traffic when our clients connect to CloudFront.

Increase In Network Visibility Hurts Anti-Censorship Tools

Signal's developers complained that these recent moves by Google and Amazon to provide network-level visibility into the final destination of encrypted traffic flows have severely decreased the range of options for anti-censorship tools.

Additionally, we currently don’t have the technology to easily hide the hostnames in encrypted traffic. The TLS handshake sends the target hostname in plaintext, in the Server Name Indication (SNI) field of the ClientHello. This is the case even in the latest TLS 1.3 standard, which has recently been finalized. Signal developers believe that this is enough to give the censors all they need. The IETF has already committed to making the internet resistant to surveillance, so perhaps in the future it will commit to making it resistant to censorship, too.

The Signal team will work on more robust anti-censorship tools for the future as well. However, it’s a small team so it may take some time. The group recently got a significant infusion of cash from WhatsApp co-founder Brian Acton, and it’s now hiring, which should speed things along.

Before they figure it all out, users may be able to continue to use Signal, Telegram, and other censored applications through secure VPNs.