Amazon: Signal must stop domain fronting
Amazon has called on Signal to stop using domain fronting. If Signal doesn’t, Amazon threatens to toss Open Whisper Systems’ chat app from CloudFront, Amazon Web Services’ content delivery network.
According to Amazon, Signal uses the practice of domain fronting by using a domain name from Amazon, which is Souq.com. In an email Amazon sent to Signal, Amazon writes that Signal has no right to use this domain, including to mask internet traffic. According to Amazon, Signal’s practice violates Amazon Web Services’ terms and conditions.
Masking or hiding the internet traffic is in fact what domain fronting is all about and what is used by Signal, among others, to circumvent censorship and other blocks. Internet traffic then appears to have a different destination than it actually has. Domain fronting works by using a known domain in the dns request and the tls server designation and sending an https request to it. For example, a request on the ‘outside’ seems to be sent to Google or Amazon.
Open Whisper Systems previously used domain fronting via Google. After Signal was blocked in Egypt, Oman and Qatar, the chat app maker responded by applying domain fronting through the Google App Engine. That meant that these countries also had to block Google.com if they wanted to block Signal. As a result, the chat app continued to work in these countries. That changed, however, when Google announced in April that it would restrict domain fronting.
Signal then decided to move to popular domains that are on CloudFront in countries with a lot of censorship. That too now seems to be coming to an end: Amazon Web Services recently announced that it wants to end domain fronting, just like Google. That means Signal, according to Open Whisper Systems, is “largely unusable” in those countries where it previously functioned via domain fronting. According to the creator of the chat app, this policy change from Amazon and Google came very abruptly and it takes time to develop alternative, new techniques.