Amazon Joins Google In Making Censorship Easy, Threatens Signal For Circumventing Censorship Regimes
from the consequences dept
A couple weeks ago we wrote about the unfortunate decision by Google to stop enabling domain fronting on its AppEngine. As we explained at the time, this was an (accidental) way of hiding certain traffic by using the way certain large companies had set up their online services, such that censors in, say, Iran or China, couldn't distinguish which traffic was for an anti-censorship app, and which was for others. The two largest services that enabled this were Google and Amazon, and a variety of different anti-censorship tools made use of the ability to effectively "hide" within those sites such that an authoritarian government couldn't block their apps without blocking all of Google or Amazon or whatever. Some CDNs have admitted that they don't allow it out of a fear for how it could impact other users on the system, but on the whole it appeared to be a useful, if unintended, way for Google and Amazon to do good in the world.
However, when Google shut it down, the company just said that it was never supported, and the company had no plans to bring it back. Among the companies who relied on domain fronting is the popular encrypted communications app Signal. In a new blog post, Signal has explained why it believes Google suddenly decided to take action:
Direct access to Signal has also been blocked in Iran for the past 3+ years, but it was not possible to use the same domain fronting technique there. In an apparently unique interpretation of US sanction law, Google does not allow any requests from Iran to be processed by Google App Engine. Requests would get past Iranian censors, but then Google themselves would block them.
In early 2018, a number of policy organizations increased pressure on Google to change their position on how they were interpreting US sanction law so that domain fronting would be possible from Iran. Sadly, these lobbying efforts seem to have had the opposite effect. When Google’s leadership became more aware of domain fronting, it generated internal conversations about whether they wanted to put themselves in the situation of providing cover for sites that entire countries wished to block.
A month later, we received 30-day advance notice from Google that they would be making internal changes to stop domain fronting from working entirely.
That is... quite unfortunate. But, the story gets even worse. Because Signal then switched to Amazon, which resulted in the following chain of events:
With Google no longer an option, we decided to look for popular domains in censored regions that were on CloudFront instead. Nothing is anywhere near as popular as Google, but there were a few sites that used CloudFront in the Alexa top 50 or 100. We’re an open source project, so the commit switching from GAE to CloudFront was public. Someone saw the commit and submitted it to HN. That post became popular, and apparently people inside Amazon saw it too.
HN being Headline News. Amazon's response was even more stark than Google's. First, it sent Signal an email claiming that Signal was already violating its terms of service:
Yesterday AWS became aware of your Github and Hacker News/ycombinator posts describing how Signal plans to make its traffic look like traffic from another site, (popularly known as “domain fronting”) by using a domain owned by Amazon -- Souq.com. You do not have permission from Amazon to use Souq.com for any purpose. Any use of Souq.com or any other domain to masquerade as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms (Amazon CloudFront, Sec. 2.1: “You must own or have all necessary rights to use any domain name or SSL certificate that you use in conjunction with Amazon CloudFront”). It is also a violation of our Acceptable Use Policy by falsifying the origin of traffic and the unauthorized use of a domain.
Signal points out, in response, that it's not actually violating Amazon's terms. It's not using security certificates from any other site, and it's not falsifying the origin of traffic when users get to Cloudfront (it's just tricking the censors in places like Iran). But, either way none of that matters much, because Amazon then announced that it was following Google's lead and killing domain fronting, claiming (again) that it doesn't want other Amazon cloud customers to find out that someone is effectively hiding behind their domain.
Signal admits that this more or less means the end of being able to use domain fronting to avoid censorship in heavily censored countries. It says it will look for alternative ideas, but in the meantime, this could do serious harm to people in those countries. There is, perhaps, a reasonable argument that we shouldn't have needed to rely on Google and Amazon as ways to hide traffic for important apps like Signal, but the fact that it was used for years this way really highlights how little damage domain fronting really seemed to do compared to the wider benefit.
With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.
We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly. Our team is only a few people, and developing new techniques will take time. Moreover, if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited.
In short, this isn't a particularly good look. Google and Amazon made these moves so that people don't call them out for "protecting" apps like Signal by hiding their traffic behind the domains of totally uninvolved third-parties. Which certainly leaves both companies to being called out for favoring the interests of their customers over the interests of the public -- especially those in countries with authoritarian regimes. And, again, the "cost" to Google and Amazon was not high. No one was free riding, they were just doing a bit of misdirection to get around a censor's block. And now that's gone.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: censorship, circumvention, domain fronting, signal
Companies: amazon, google, open whisper systems, signal
Reader Comments
Subscribe: RSS
View by: Time | Thread
It's not quite that simple
As I understand it, what Google and Amazon were really worried about is malware using domain fronting to disguise its traffic and then they end up getting blamed for it or caught up in it, which, in the age of the Internet Of Broken Things, is a quite reasonable thing to worry about. More benevolent things like Signal getting the shaft is just collateral damage.
from the this-is-why-we-can't-have-nice-things dept
[ link to this | view in chronology ]
Re: It's not quite that simple
Now what will happen is many more SSL certificates for domain.com will have to be published for the freak attack on domain.com, because they will need not only to analyze on the outer header, but also the inner request.
Expect prices to increase for everyone on most CDNs, except maybe Google since they run their own CA.
[ link to this | view in chronology ]
Circumvention of national blocks
1. Block IPv4 address(es) or ranges of addresses and disallow your users to reach those "unwanted" servers providing those "harmful" services.
2. Enable deep packet inspection (DPI), forged certificates, decrypt everything having performed a man in the middle (MITM) attack, and remove traffic you don't like.
The former is easy and is why it's the preferred option. Domain fronting doesn't making this difficult... it makes it impossible to identify "harmful" traffic from "all of e.g. google cloud" in real time if at all.
Google and Amazon are wrong to do this, and it is their right to do so, but it shows short-sightedness to do so absent any overarching reason for it.
Signal, WhatsApp, etc. should re-engineer their protocols to not be dependent on ONE provider, ONE cloud, or even ONE identifiable communication "stream". They can learn a lot from TOR, from spread spectrum, from anycast IP addresses, and lastly from thepiratebay.org and remain vibrant, reachable, and well from all countries.
E
[ link to this | view in chronology ]
Re: Circumvention of national blocks
[ link to this | view in chronology ]
Well...
[ link to this | view in chronology ]
Clickbait headline?
This is kinda akin to finding the undocumented API in some SDK. Sure, go ahead, use it. There is no guarantee that the SDK provider is not going to completely rip that undocumented API out from under you though because it is not a part of the documented contract they have given you. When they decide to do that, are they being malicious?
Said another way, domain fronting was an implementation detail of how these cloud providers worked. They could have decided to change this implementation detail at any time because they came up with a better way to implement, irregardless of who was taking advantage of the unintended consequence of that implementation detail. If that were the case would we still have this headline?
Signal is doing great work. They tried to piggy back on a hack and the hack ran out. That's part of the risk of piggy backing on a hack. I think it's a bit disingenuous to call out Amazon on this as being "supportive of censorship" though.
[ link to this | view in chronology ]
Re: Clickbait headline?
[ link to this | view in chronology ]
Re: Re: Clickbait headline?
Signal was doing basically the same thing, they were potentially causing Google reputation and maybe even legal issue and they weren't even a Google customer. Is it "evil" to protect your own good name?
[ link to this | view in chronology ]
Re: Re: Re: Clickbait headline?
When trying to explain things, analogies help take something we don't understand and put it in terms we do understand. In this case it took things you didn't understand and put it in terms that were not correct.
Ehud
[ link to this | view in chronology ]
Re: Clickbait headline?
Signal didn't ask them to make it a "supported" feature. It was already working, and Amazon wouldn't be claiming a ToS violation if that was the problem. It would just break one day, Signal might complain, Amazon would say "we never said it would work".
[ link to this | view in chronology ]
Analogies
Here's a more apt analogy:
They discovered they can use the heavily discounted smart TV for a PC monitor and all that resolution and high refresh rate is a lot cheaper than a normal "monitor only" solution! In response the smart TV vendor says "No no no, we sold you this set at a discount so we can track your viewng behavior and make money on you in other ways. No more using it as a dumb monitor."
There's no violation of terms or of using undocumented features, and nobody "piggy back on a hack" as there's no hack. I think it's disingenuous to suggest it's disingenuous to call out Amazon as that is EXACTLY the right thing to do.
Best regards to JB,
Ehud
[ link to this | view in chronology ]
Re: Analogies
[ link to this | view in chronology ]
Re: Re: Analogies
[ link to this | view in chronology ]
Re: Re: Re: Analogies
No you wouldn't. This makes no sense at all. At no point is any client fooled into thinking they are speaking to Amazon. The only ones in the dark are the ISPs and censors who only see the DNS request and initial TLS handshake.
This makes no sense whatsoever. What the hell. Do you not know the difference between 'domain fronting' and 'phishing' or a 'man in middle attack'?
[ link to this | view in chronology ]
Re: Re: Re: Re: Analogies
What? How do you think APT29 ex filtrated the DNC emails from the server, they exported them to a google.com domain which then tunneled through tor on a meek relay...
The DNC wasn't blocking google.com, and thus couldn't stop the loss of information.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Analogies
They could have stopped the loss of information by preventing the installation of the malware in the first place.
[ link to this | view in chronology ]
Re: Re: Re: Re: Analogies
Since the valid url and SSL is pointing to Google/Amazon, it's very likely to go unnoticed. Do you know how many phishing emails use this?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Analogies
[ link to this | view in chronology ]
Re: Analogies
[ link to this | view in chronology ]
Re: Analogies
Do you have any evidence for that, i.e., a link to Google or Amazon documentation describing the feature?
The people who publicized (and named) domain fronting thought they had discovered it.
[ link to this | view in chronology ]
Re: Re: Analogies
E
[ link to this | view in chronology ]
Re: Re: Re: Analogies
Here's the orginal paper from 2015 explaining domain fronting.
http://www.icir.org/vern/papers/meek-PETS-2015.pdf
It was discovered by the University of California Berkley researches and not published documentation on any CDN. It's a by product of lack of IPv4 space in all honesty and thus using SNI to secure sites on the CDNs.
Most infamous use of it was APT29 (Russian Hackers) which hacked the DNC mailserver. https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/
Some of the actual code, packet capture samples and analysis is located here: https://contagiodump.blogspot.co.id/2017/03/part-ii-apt29-russian-apt-including.html
[ link to this | view in chronology ]
Generation [CENSORED]
That's so sad, given that the web was supposed to make the free exchange of ideas easier.
[ link to this | view in chronology ]
No reason?
And that's before you start pondering what other kinds of shenanigans can occur.
(I work for Google but don't know any specifics on why this decision was made)
[ link to this | view in chronology ]
HN
or
HN being Hacker News (https://news.ycombinator.com)?
[ link to this | view in chronology ]
That sounds like typical Moxie apologese. The "rest of the internet" didn't do a thing, it was just a bunch of powerful assholes dictating that the gap be closed.
[ link to this | view in chronology ]
Re:
"The rest of the internet" here was clearly used with a sense of humor, since to make the sentence before that factually accurate in an absolutely literal manner, you have to edit it to say "you'd have to block [the most popular domain names in existence, Google and AWS] as well."
[ link to this | view in chronology ]
2) give it a name (fake news)
3) drive issue to top of news cycle
4) promise to fix problem (but never do)
5) profit!
6) rinse, repeat
[ link to this | view in chronology ]
Wait, sorry ,wrong Artical. I meant to post that in a different Artical. THIS "artical" is one where I say Censorship? What about TECHDIRT "censorship"! Why you scaenors my "posts"! with your FLAGS and your "moderation"! and your "ZOMBIES"!
Every nation eats the Paint chips tit Deserves!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
"We" (some of us) have the unreasonable expectation that corporations will forgo business in order to try to force good policy on other nations. They can't. They have a fiduciary duty to their stockholders to do whatever is in the best interest of profit.
This article, and the previous article about Google, are misdirected. In all probability, one or more nations said, "Stop doing this or we will block you," which would mean the end of business, the end of profit. (One of the countries did block one of the major companies, temporarily.)
But, even if these actions by Google and Amazon are unilateral, they were still inevitable; and laying blame on the corporations for a national policy that is bad is idiotic.
[ link to this | view in chronology ]
Re: Re:
I think the attitude being expressed is precisely (one part of) an objection to the idea that expecting an entity not to treat "profit" as its primary, indeed overriding, goal/motivation/etc. is unreasonable; if a human behaved that way we'd call them greedy, so why should we just accept the idea that a corporation is outright obligated to do so?
We're a long, long way from getting society (much less law, much less the global / international consensus about law) to redefine the duty of a publicly-traded corporation in some way other than "profit for stockholders", but there's nothing wrong with the idea of advocating for that to happen.
[ link to this | view in chronology ]
Re: Re: Re:
It's not exactly fair for all of these different obligations to be laid upon a company, and then expect the company to step up and be the big one in the room.
[ link to this | view in chronology ]
Re: Re: Re: Re:
As I understand matters, it is because A: American law requires it to, and B: the company is incorporated in America.
If US law gets changed to require something else instead of (or in addition to) profit as the overriding priority, and the company doesn't want to have to adhere to that even in other countries, it would seem reasonable to say "then don't incorporate in the US".
IOW, the thing which would place US law ahead of other countries' laws in the hierarchy of overrides would be the fact that the (primary / governing / parent) corporation is incorporated under US law.
As far as I know it's not possible for a single company to be incorporated in two different places at the same time, so that would seem to provide a reasonable tiebreaker.
(In theory, a genuinely communist / socialist government - as distinct from the generally totalitarian / authoritarian ones which have adopted the names of "Communism" and "Socialism" in actual historical practice - would probably object to giving "profit" such primacy, more than a capitalist government would. At which point we might see the same problem arise from the opposite direction.)
[ link to this | view in chronology ]
US Corporations and their objectives
A US Corporation isn't required to focus on GROWTH, PROFIT, REVENUE, or even HELPING THE WORLD. It is whatever its incorporators decided when they created it. Similarly, INVESTORS are not required to invest in any instrument (stocks, bonds, etc.) unless they feel the instrument will reward them in some way.
Put together, corporations that seek outside funding and stockholders often provide revenue forecasts and share revenue (dividends) or provide growth forecasts so that the market will drive share value (and price) up. Either way the investors are rewarded and they will invest.
Some corporations don't want these investors. They are typically also not going to go for an initial public offering (IPO) or list themselves on a major exchange (e.g. NASDAQ, AMSE, FOREX, etc.) because the traffic in their securities will be miniscule compared to the high-moving stocks with great dividends or growth.
So to say that this is a problem with US law is wrong. To say that this is a requirement of nonsocialism is wrong. It's merely looking a a microcosm (PUBLIC corporations and their investors) and analogize the rest to it.
Now back to the original question... we know both Google and Amazon are publicly traded, and yes, their investors want growth and profit. If you want to use services of companies that aren't thus limited my I recommend you check out Whisper Systems (they make Signal), and of course the now-defunct Lavabit. There are PLENTY of non-public corporations whose goals are NOT profit and growth but rather providing a service and not screwing their customers.
Ehud
[ link to this | view in chronology ]
US Corporations and their objectives
There are no laws requiring profit or growth. Corporations that want outside investment on the open market CHOOSE to emphasize those in their Articles of Incorporation (AOI), to go have an initial public offering (IPO), and to publicly trade. When they do that, they provide incentives for investors to buy and hold the shares ("long position") through continued growth (share value goes up) or profit and distribution (dividends).
Nothing in the law requires this. Corporations exist that do not emphasize this. Typically they are non-public. Some are for profit and some are not for profit. (Not for profit doesn't mean they don't make a profit... merely that they reinvest it back into the corporation).
Amazon and Google are public corporations. If you don't like their corporate goals or their data sharing models, find private corporations (Open Whisper Systems? Lavabit? etc.) and use their services.
Ehud
[ link to this | view in chronology ]
Re: US Corporations and their objectives
In my initial comment, I qualified my comments as being specifically about publicly-traded corporations; my reference to understanding the law as requiring profit-seeking, in my second comment, was in that context and should be read as implicitly containing that same qualifier.
Bringing in corporations which do not choose to become publicly-traded is expanding the universe of discourse. The question is precisely why - indeed, whether - it's appropriate to require publicly-traded corporations to adopt a posture which would be labeled "greedy" if held by an individual.
[ link to this | view in chronology ]
Re: Re: US Corporations and their objectives
THERE IS NO SUCH LAW.
Perhaps I was too subtle and the point was missed.
THERE IS NO SUCH LAW.
Public corporations exist to further outside investors, and as I explained they do this via growth or profit. It has nothing to do wiht a law, nor greed, nor anti-communism, nor anything else you've espoused. It's simply to attract investment money over the next security.
E
[ link to this | view in chronology ]
Re: Re: Re: US Corporations and their objectives
If publicly-traded corporations do not have such an obligation, I'm befuddled as to why I've seen it mentioned so many times in so many places that I couldn't begin to tell you where I first got the idea from.
If they do, then there is a law which underlies that obligation.
The question is why "further (the profits of) outside investors" should be an obligation which comes along with being publicly traded - or, to put it another way, why we should not impose an obligation on such corporations to do things other than merely seek profit, if only to counter a naturally-existing incentive provided by the investment market. (I believe we already do that in some sectors and some areas; banks, for example, are apparently legally required to have community investment / improvement / etc. plans.)
[ link to this | view in chronology ]
Re: Re: Re: Re: US Corporations and their objectives
2. If a corporation has told its shareholders (through either their Articles or their annual 10K filings or the quarterly 10Q filings or other SEC filings) that it intends to do so THEN and ONLY THEN is it the fiduciary duty of management to adhere to those goals... that THEY THEMSELVES SET OUT in order to encourage investors. If they fail, CIVIL lawsuits ensue. (No pun intended).
3. "[w]hy should we not impose"... because YOU are NOT someone who gets to impose ANYTHING on ANYONE and neither am I. Corporations have specific goals and so long as they are operating within the law we don't get to tell them what to do.
Arguendo you may say "But they have to follow laws and we can pass laws that make them do these other things" and then they'll go incorporate in other countries that don't have your absurd ideas of forcing businesses to do what YOU want vs what THEY want.
Banks are not required to have community investment. I don't know where your ideas are coming from, but they are not United States corporate law. That's for sure.
Ehud
CEO - several US corporations
CTO - several US corporations (formerly one public)
Manager - several US LLCs
Helicopter Pilot Extraordinaire (FAA CPL-H)
[ link to this | view in chronology ]
Peer. To. Peer.
I see Briar has a release candidate on Google Play...
[ link to this | view in chronology ]
[ link to this | view in chronology ]