Amazon Joins Google In Making Censorship Easy, Threatens Signal For Circumventing Censorship Regimes
from the consequences dept
A couple weeks ago we wrote about the unfortunate decision by Google to stop enabling domain fronting on its AppEngine. As we explained at the time, this was an (accidental) way of hiding certain traffic by using the way certain large companies had set up their online services, such that censors in, say, Iran or China, couldn't distinguish which traffic was for an anti-censorship app, and which was for others. The two largest services that enabled this were Google and Amazon, and a variety of different anti-censorship tools made use of the ability to effectively "hide" within those sites such that an authoritarian government couldn't block their apps without blocking all of Google or Amazon or whatever. Some CDNs have admitted that they don't allow it out of a fear for how it could impact other users on the system, but on the whole it appeared to be a useful, if unintended, way for Google and Amazon to do good in the world.
However, when Google shut it down, the company just said that it was never supported, and the company had no plans to bring it back. Among the companies who relied on domain fronting is the popular encrypted communications app Signal. In a new blog post, Signal has explained why it believes Google suddenly decided to take action:
Direct access to Signal has also been blocked in Iran for the past 3+ years, but it was not possible to use the same domain fronting technique there. In an apparently unique interpretation of US sanction law, Google does not allow any requests from Iran to be processed by Google App Engine. Requests would get past Iranian censors, but then Google themselves would block them.
In early 2018, a number of policy organizations increased pressure on Google to change their position on how they were interpreting US sanction law so that domain fronting would be possible from Iran. Sadly, these lobbying efforts seem to have had the opposite effect. When Google’s leadership became more aware of domain fronting, it generated internal conversations about whether they wanted to put themselves in the situation of providing cover for sites that entire countries wished to block.
A month later, we received 30-day advance notice from Google that they would be making internal changes to stop domain fronting from working entirely.
That is... quite unfortunate. But, the story gets even worse. Because Signal then switched to Amazon, which resulted in the following chain of events:
With Google no longer an option, we decided to look for popular domains in censored regions that were on CloudFront instead. Nothing is anywhere near as popular as Google, but there were a few sites that used CloudFront in the Alexa top 50 or 100. We’re an open source project, so the commit switching from GAE to CloudFront was public. Someone saw the commit and submitted it to HN. That post became popular, and apparently people inside Amazon saw it too.
HN being Headline News. Amazon's response was even more stark than Google's. First, it sent Signal an email claiming that Signal was already violating its terms of service:
Yesterday AWS became aware of your Github and Hacker News/ycombinator posts describing how Signal plans to make its traffic look like traffic from another site, (popularly known as “domain fronting”) by using a domain owned by Amazon -- Souq.com. You do not have permission from Amazon to use Souq.com for any purpose. Any use of Souq.com or any other domain to masquerade as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms (Amazon CloudFront, Sec. 2.1: “You must own or have all necessary rights to use any domain name or SSL certificate that you use in conjunction with Amazon CloudFront”). It is also a violation of our Acceptable Use Policy by falsifying the origin of traffic and the unauthorized use of a domain.
Signal points out, in response, that it's not actually violating Amazon's terms. It's not using security certificates from any other site, and it's not falsifying the origin of traffic when users get to Cloudfront (it's just tricking the censors in places like Iran). But, either way none of that matters much, because Amazon then announced that it was following Google's lead and killing domain fronting, claiming (again) that it doesn't want other Amazon cloud customers to find out that someone is effectively hiding behind their domain.
Signal admits that this more or less means the end of being able to use domain fronting to avoid censorship in heavily censored countries. It says it will look for alternative ideas, but in the meantime, this could do serious harm to people in those countries. There is, perhaps, a reasonable argument that we shouldn't have needed to rely on Google and Amazon as ways to hide traffic for important apps like Signal, but the fact that it was used for years this way really highlights how little damage domain fronting really seemed to do compared to the wider benefit.
With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.
We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly. Our team is only a few people, and developing new techniques will take time. Moreover, if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited.
In short, this isn't a particularly good look. Google and Amazon made these moves so that people don't call them out for "protecting" apps like Signal by hiding their traffic behind the domains of totally uninvolved third-parties. Which certainly leaves both companies to being called out for favoring the interests of their customers over the interests of the public -- especially those in countries with authoritarian regimes. And, again, the "cost" to Google and Amazon was not high. No one was free riding, they were just doing a bit of misdirection to get around a censor's block. And now that's gone.
Filed Under: censorship, circumvention, domain fronting, signal
Companies: amazon, google, open whisper systems, signal