A recent change to Google’s App Engine will discontinue a practice called domain-fronting, an essential technique used by dozens of internet freedom tools designed to allow users to work around state-level internet censorship.
The update in Google’s network architecture, first spotted by developers of the privacy-minded web browser Tor and reported by The Verge, removes an approach counted on by services like the encrypted messaging platform Signal, the anti-Chinese-censorship tool GreatFire.org, and VPN services offered by Psiphon.
Domain fronting is used to bypass censors by hiding the true endpoint of a connection. Instead of a service communicating directly with its server, where state-level internet censors might identify and block the connection, the request is forwarded through an innocuous domain or IP address range — in this case, Google App Engine. This allows services that would otherwise have their traffic blocked to skate under the censors by appearing to come from Google.
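Concretely, a fronted request carries two hostnames: the TLS server name (SNI), which a censor can read on the wire, and the HTTP Host header, which only the provider sees after decrypting the connection; the "quirk" is an edge that routes on the Host header without checking it against the SNI. The toy edge below, added here as an illustration and not Google's or any provider's code, shows the permissive routing beside the enforcing form that closes the loophole, plus the mismatch check an operator would log; all hostnames and log lines are constructed.

```python
# Added illustration (not Google's code): a toy CDN edge showing why domain
# fronting worked and what enforcing SNI/Host agreement changes.
# All hostnames, origins and log lines below are constructed placeholders.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class EdgeRequest:
    sni: str   # hostname from the TLS ClientHello (what a censor sees)
    host: str  # HTTP Host header (seen only after the edge decrypts)
    path: str

# Constructed origin table for the toy edge.
ORIGINS = {
    "www.example-frontend.com": "frontend-origin",
    "hidden-app.example.net": "hidden-origin",
}

def route_permissive(req: EdgeRequest):
    """The quirk: route on the decrypted Host header alone, so a request
    whose SNI names an innocuous site still reaches the hidden backend."""
    return ORIGINS.get(req.host.lower())

def route_enforcing(req: EdgeRequest):
    """The fix: the TLS-layer name must match the HTTP-layer name; any
    mismatch is refused (None), which is what makes fronting stop working."""
    if req.sni.lower() != req.host.lower():
        return None
    return ORIGINS.get(req.host.lower())

# Constructed edge log format: key=value pairs, one request per line.
_LOG_RE = re.compile(r"sni=(\S+) host=(\S+) path=(\S+)")

def parse_edge_log(text: str):
    """Turn constructed edge log lines into EdgeRequest records."""
    return [EdgeRequest(*m.groups()) for m in _LOG_RE.finditer(text)]

def fronted_requests(requests):
    """Operator's detection view: requests whose TLS and HTTP names disagree,
    the one observable that separates fronted from ordinary traffic."""
    return [r for r in requests if r.sni.lower() != r.host.lower()]

SAMPLE_LOG = """\
sni=www.example-frontend.com host=www.example-frontend.com path=/search
sni=www.example-frontend.com host=hidden-app.example.net path=/api/messages
sni=hidden-app.example.net host=hidden-app.example.net path=/api/messages
"""
```

Only the second log line is fronted: the permissive edge forwards it to the hidden origin, the enforcing edge refuses it, and the third line shows that the hidden service remains reachable when it is named openly in the SNI, which is exactly what a censor can then block.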
“Domain fronting has never been a supported feature at Google, but until recently it worked because of a quirk of our software stack,” a spokesperson for Google told Gizmodo. “We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”
The decision to close the loophole that allowed anti-censorship tools to operate leaves those services searching for a new provider to work with. Ars Technica reported that Cloudflare also does not support domain fronting. Company CEO and co-founder Matthew Prince told Ars Technica that allowing the technique would “put our traditional customers at risk as it would mask banned traffic behind their domains.”
Criticisms of the workaround are not without basis. While domain fronting has been adopted by dozens of tools used to mitigate state-sponsored internet blockers and was described in the journal Proceedings on Privacy Enhancing Technologies as “a versatile censorship circumvention technique,” it is a technology that can also be used by malicious actors. A report last year by cybersecurity firm FireEye found the Kremlin-linked hacker group Cozy Bear used domain fronting to steal data from Tor users.
Despite the possibility of abuse, digital rights organisations are pushing for Google to reverse its decision and once again allow domain fronting.
“Google could end online censorship everywhere, in the blink of an eye, if it wanted,” the operators of anti-censorship group GreatFire.org said on Twitter. “It’s frustrating to see half-hearted efforts come out of Jigsaw and now this.”
“Google knows this block will levy immediate, adverse effects on human rights defenders, journalists, and others struggling to reach the open internet,” Peter Micek, General Counsel at Access Now, said in a statement. “To issue this decision with a shrug of the shoulders, disclaiming responsibility, damages the company’s reputation and further fragments trust online broadly, for the foreseeable future.”
It seems unlikely that Google would go back on its decision at this point. Domain fronting used to be a “quirk” of the company’s services. To reinstate it would essentially make it a feature. That would be welcomed by the many invaluable tools that help keep the internet open for people operating under oppressive governments but would open Google up to scrutiny from those same regimes, as well as from services that could be harmed by malicious domain fronting operations. It’s not clear the company has any interest in taking up those fights. [The Verge, Ars Technica]