Amazon blocks domain fronting, threatens to shut down Signal’s account

Last week, Amazon announced a change to an Amazon Web Service designed specifically to end the use of domain fronting—the exploitation of a content delivery network’s architecture to conceal the actual destination of encrypted Internet traffic. At the same time, Amazon issued a warning to the developers of the Signal encrypted phone and messaging application that their Amazon CloudFront account Signal uses CloudFront to handle load balancing of its servers, none of which has a permanent IP address.

Signal had moved to Amazon after Google made changes to its network that broke a domain-fronting scheme that had helped users in a number of countries evade network address blocking. As Ars has described previously, domain fronting uses an idiosyncrasy of how some content delivery networks (CDNs) used by major Internet services work. Fronting does so to conceal Transport Layer Security-encrypted traffic for one site within what appears to be a request for another domain within the same CDN. As Signal founder Moxie Marlinspike wrote in a blog post announcing Amazon’s move, “Google and Amazon built their [Transport Layer Security] termination layer separately from their request processing layer, such that it was possible to create what looked like a TLS connection for domain A with a request that would actually be received and processed by domain B.”

Until earlier this year, the Signal Foundation used Google App Engine to run proxies for several Middle Eastern countries that censor direct access to Signal—Egypt, Oman, Qatar, and the United Arab Emirates. Signal was using domain fronting for all of those countries but Iran, starting in 2016—hiding traffic by making it look like it was directed to google.com. Iran blocks the Google search engine, so Signal could not use domain fronting through Google to connect users there; Google also blocks App Engine traffic from Iran due to the company’s interpretation of US sanctions against Iran.

Google made changes to its content-management network last month (which the company claimed were long-planned upgrades) that put Google.com in a different CDN segment than App Engine servers. That broke Signal’s domain-fronting scheme, so the Signal team moved to Amazon with plans to conceal traffic by using Amazon’s Souq.com—an e-commerce site serving the United Arab Emirates—as a front for Signal traffic. But Amazon caught wind of the plans and sent Marlinspike an email threatening to shut down Signal’s Cloudfront account, published by Marlinspike:

Subject: Notification of potential account suspension regarding AWS Service Terms

Moxie,

Yesterday, AWS became aware of your Github and Hacker News/ycombinator posts describing how Signal plans to make its traffic look like traffic from another site, (popularly known as “domain fronting”) by using a domain owned by Amazon —Souq.com. You do not have permission from Amazon to use Souq.com for any purpose. Any use of Souq.com or any other domain to masquerade as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms (Amazon CloudFront, Sec. 2.1: “You must own or have all necessary rights to use any domain name or SSL certificate that you use in conjunction with Amazon CloudFront”). It is also a violation of our Acceptable Use Policy by falsifying the origin of traffic and the unauthorized use of a domain.

We are happy for you to use AWS Services, but you must comply with our Service Terms. We will immediately suspend your use of CloudFront if you use third-party domains without their permission to masquerade as that third party.

Ars requested a comment from Amazon, but we have not yet received a response. Meanwhile, Amazon and Google have had to contend with widespread blocking of their services in efforts to stop the use of domain-fronting proxies and other cloud-proxy services, especially in Russia—where Roskomnadzor, Russia’s federal communications authority, has ordered the blocking of the encrypted chat applications Zello and Telegram and, in the process, blocked portions of Amazon’s and Google’s networks.

Amazon’s decision does not change the situation for would-be users of Signal in Iran. Amazon blocks access from Iran to 90 percent of its services, offering only one AWS-based service there, due to Amazon’s interpretation of current US sanctions against Iran.