Domain fronting

Illustration: after TLS encryption is established, the HTTP Host header reroutes the request to another domain hosted on the same CDN.

Domain fronting is a technique for Internet censorship circumvention that uses different domain names in different communication layers of an HTTPS connection in order to discreetly connect to a different target domain than the one discernible to third parties monitoring the requests and connections.

Due to quirks in security certificates, the redirect systems of the content delivery networks (CDNs) used as 'domain fronts', and the protection provided by HTTPS, censors are typically unable to differentiate circumvention ("domain-fronted") traffic from overt non-fronted traffic for any given domain name. As such they are forced to either allow all traffic to the domain front—including circumvention traffic—or block the domain front entirely, which may result in expensive collateral damage and has been likened to "blocking the rest of the Internet". [note 1]

Domain fronting is achieved by a mismatch of the HTTP Host header and the TLS SNI extension. The standard that defines the SNI extension discourages such a mismatch but does not forbid it. [2] Many large cloud service providers, including Amazon, Microsoft, and Google, actively prohibit domain fronting, which has limited it as a censorship bypass technique. Pressure from censors in Russia and China is thought to have contributed to these prohibitions, [3] [4] [5] but domain fronting can also be used maliciously.

A newer variant of domain fronting, domain hiding, passes an encrypted request for one resource (say, a website), concealed behind an unencrypted (plaintext) request for another resource whose DNS records are stored in the same cloud. It has much the same effect. [3] Refraction networking is an application of the broader principle.

Technical details

Basis

The basis for domain fronting is using different domain names at different layers of communication with the servers of a large hosting provider or content delivery network (CDN); such servers support multiple target domains, for example through Subject Alternative Names in their certificates. CDNs are used because of idiosyncrasies in how they route traffic and requests, which is what allows fronting to work. [6] [7]

Obfuscating requests

In an HTTPS request, the destination domain name appears in three relevant places: the DNS query, the TLS Server Name Indication (SNI) extension, and the HTTP Host header. Ordinarily the same domain name is listed in all three places. [8]:1

In a domain-fronted HTTPS request, one domain appears on the "outside" of the request in plain text, in the DNS query and the SNI extension; this is the domain the client appears to be connecting to during connection establishment and the one that is visible to censors. A different, covert domain appears on the "inside", in the HTTP Host header, which is invisible to the censor under HTTPS encryption and is the actual target of the connection. [6] [8]:2

```shell
# wget sends a DNS query and connects to www.google.com but the HTTP Host header requests
# the www.youtube.com webpage, which it is able to fetch and display. Here www.youtube.com
# is essentially domain-fronted by www.google.com; that is, by blocking www.youtube.com
# but allowing www.google.com, a censor may be trivially bypassed using a domain-fronted request
wget -q -O - https://www.google.com/ --header 'Host: www.youtube.com' | grep -o '<title>.*</title>'
<title>YouTube</title>
```

Because the HTTP Host header is encrypted by TLS, circumvention traffic is indistinguishable from 'legitimate' (non-fronted) traffic. Implementations of domain fronting use large content delivery networks as their front domains, [8] which large parts of the web rely on for functionality. [9] To block the circumvention traffic, a censor would have to block the front domain outright. [8] Blocking popular content delivery networks is economically, politically, and diplomatically infeasible for most censors. [9] [6]

When Telegram was blocked in Russia in April 2018 following a court ruling, ISPs blocked the CDNs Telegram was using as a front to evade blocks on its own IP addresses, and 15.8 million IP addresses associated with Google's and Amazon's CDNs were blocked collaterally. This resulted in large-scale network outages for major banks, retail chains, and numerous websites; the manner of blocking was criticised as incompetent. [10]

Leveraging request forwarding

Domain fronting works with CDNs because, when presented with two different domains in one request, they are (or historically were; see §Disabling) configured to automatically fulfil a request for the domain specified in the Host header even after finding that the SNI extension carries a different domain. This behaviour was and is not universal across hosting providers; some services validate that the same domain is used in the different layers of an HTTPS request. A variation of the usual technique, known as domainless fronting, which leaves the SNI field blank, may work in that case. [11]

If the request for the Host header domain succeeds, then to the censor or any third party monitoring the connection it appears that the CDN has internally forwarded the request to an uninteresting page within its network; this is the final connection they typically monitor. In circumvention scenarios, the domain in the Host header will be a proxy. Accessed directly, that proxy domain would be blocked by the censor; fronting hides its address from the censor and allows parties to evade blocks and reach it. No traffic ever reaches the front domain specified in the DNS request and SNI extension; the CDN's frontend server is the only third party in this interaction that can decrypt the Host header and learn the true destination of the covert request. The same behaviour can be emulated with hosting services that do not automatically forward requests, through a "reflector" web application. [8]:2

As a general rule, web services only forward requests to their own customers' domains, not to arbitrary ones. The blocked domains that use domain fronting must therefore also be hosted by the same large provider as the innocuous sites they use as a front in their HTTPS requests (for DNS and SNI). [8]:2

Domain hiding

Common secure internet connections (using TLS) have an unencrypted initial message, where the requesting client contacts the server. Server and client then negotiate an encrypted connection, and the actual content sent between them is encrypted. This conceals the content of the communication, but not the metadata: who is connecting to whom and when and how much they are communicating. [12] [13] A variant of domain fronting, domain hiding, passes an encrypted request for one resource (say, a website), concealed behind an unencrypted (plaintext) request for another resource. If both resources have their DNS records hosted in the same cloud, internet servers reading the plaintext address will forward the request to the correct recipient, the cloud. The cloud server will then negotiate an encrypted connection, ignore the unencrypted address, and deliver the message to the (different) address sent over the encrypted channel. A third party spying on the connection can only read the plaintext, and is thus misled as to what resource the requester is connecting to. [3]

Usage

Internet censorship circumvention

Lantern

Lantern was among the circumvention tools affected when Google disabled domain fronting. [14]

Signal

Signal, a secure messaging service, deployed domain fronting in builds of their apps from 2016 to 2018 to bypass blocks of direct connections to their servers from Egypt, Oman, Qatar and the United Arab Emirates. [15] [9]

Tor Browser

The Tor anonymity network uses an implementation of domain fronting called 'meek' in its official web browser to bypass blocks to the Tor network. [7] [9] [6]

Telegram

Telegram used Amazon Web Services as a domain front to resist attempts to block the service in Russia. [16]

Telex

Telex was among the circumvention tools affected when Google disabled domain fronting. [14]

Tor

Tor was also affected, including the pluggable transports obfs4, ScrambleSuit, meek, and meek_lite. [14]

GreatFire

GreatFire, a non-profit that assists users in circumventing the Great Firewall, used domain fronting at one point. [9]

Cyberattacks

Domain fronting has been used by private, and state-sponsored individuals and groups to cover their tracks and discreetly launch cyberattacks and disseminate malware. [9] [6]

Cozy Bear

The Russian hacker group Cozy Bear, also tracked as APT29, has been observed using domain fronting to discreetly gain unauthorised access to systems by making its traffic appear to be legitimate traffic to CDNs. The technique used the meek plugin, developed by the Tor Project for its anonymity network, to avoid detection. [17] [18] [19]

Disabling

The endurance of domain fronting as a method for censorship circumvention has been attributed to the expensive collateral damage of blocking. To block domain fronting, one must block all traffic to and from the fronts (CDNs and large providers), which by design are often relied on by countless other web services. [9] The Signal Foundation drew the analogy that to block one domain fronted site you "have to block the rest of the Internet as well." [20]

Russia faced such a problem when they attempted to block Telegram (a messaging app using domain fronting), by blocking all Google and Amazon servers. This blocked many unrelated web services (such as banking websites and mobile apps) that used content from the Google and Amazon clouds. [21] [22] It did not succeed in blocking Telegram. [23] The ban and blocks began on April 13, 2018. [24]

On April 14, 2018, Google silently blocked domain fronting in their cloud, and on April 27, Amazon announced they were blocking it. [25] Cloudflare, another major cloud, also blocked it. [4] [5] Akamai was also affected. [26] [25] Initially Microsoft (whose cloud is needed for Microsoft cloud services and live updates, among other things) did not follow, [25] but in March 2021, Microsoft announced an intention of banning domain fronting in the Microsoft Azure cloud. [27]

Cloudflare had disabled domain fronting in 2015. [28]

In April 2018, Google and Amazon both disabled domain fronting on their content delivery services by removing the idiosyncrasies in their redirect schemes that allowed fronting to happen. [29] Google broke domain fronting by removing the ability to use 'google.com' as a front domain, through a change in how its CDN was structured. [30] When asked to comment, Google said domain fronting had "never been a supported feature" and that the changes were long-planned upgrades. [31] [30] [32] Amazon claimed fronting was "already handled as a breach of AWS Terms of Service" and implemented changes that prevented sites from masquerading as, and using, other websites' CloudFront domains as fronts. [33] [20] [34]

Reactions

Various publications speculated that the effort by both Google and Amazon was in part due to pressure from the Russian government and its communications authority Roskomnadzor blocking millions of Google and Amazon domains, in April 2018 as well, due to Telegram using them as fronts. [35] [30] [36] [37] [4] [5]

Digital rights advocates have commented that the move undermines people's ability to access and transmit information freely and securely in repressive states. [38]

According to Signal's founder, Moxie Marlinspike, Google management came to question whether they wanted to act as a front for sites and services entire nation states wanted to block as domain fronting gained popular attention with apps like Signal implementing it. He called using fronting in a circumvention tool "now largely non-viable" in the countries it was needed. [20] It is, however, still used by some services, such as Tor and Lantern.

Notes

  1. Quotes by Moxie Marlinspike, creator of Signal. [1]

References

  1. Marlinspike, Moxie (1 May 2018). "A letter from Amazon". Signal.
  2. Eastlake 3rd, Donald E. (January 2011). "IETF RFC 6066 section 3".
  3. Cimpanu, Catalin (August 8, 2020). "DEF CON: New tool brings back 'domain fronting' as 'domain hiding'". ZDNET.
  4. "Why You Don't Need Google's Domain Fronting". Psiphon Project. April 24, 2018.
  5. Dou, Eva; Barr, Alistair. "U.S. Cloud Providers Face Backlash From China's Censors". The Wall Street Journal.
  6. "Privacy 2019: Tor, Meek & The Rise And Fall Of Domain Fronting". SentinelOne. 2019-04-15. Retrieved 2020-06-30.
  7. "doc/meek – Tor Bug Tracker & Wiki". trac.torproject.org. Retrieved 2017-01-04.
  8. Fifield, David; Lan, Chang; Hynes, Rod; Wegmann, Percy; Paxson, Vern (15 February 2015). "Blocking-resistant communication through domain fronting" (PDF). Proceedings on Privacy Enhancing Technologies. 2015 (2): 46–64. doi:10.1515/popets-2015-0009. ISSN 2299-0984. S2CID 5626265. Retrieved 2017-01-03 via De Gruyter.
  9. "The Death of Domain Fronting | What Lies Ahead?". Finjan Blog. 2018-06-11. Archived from the original on 2020-07-03. Retrieved 2020-06-30.
  10. Savov, Vlad (2018-04-17). "Russia's Telegram ban is a big, convoluted mess". The Verge. Retrieved 2020-08-10.
  11. "Proxy: Domain Fronting, Sub-technique T1090.004 - Enterprise | MITRE ATT&CK®". attack.mitre.org. Retrieved 2020-09-28.
  12. Ghedini, Alessandro (24 September 2018). "Encrypt it or lose it: how encrypted SNI works". The Cloudflare Blog. Retrieved September 24, 2018.
  13. Patton, Christopher (8 December 2020). "Good-bye ESNI, hello ECH!". The Cloudflare Blog.
  14. White, Nathan (18 April 2018). "Google ends "domain fronting," a crucial way for tools to evade censors". Access Now.
  15. "Open Whisper Systems >> Blog >> Doodles, stickers, and censorship circumvention for Signal Android". whispersystems.org. Retrieved 2017-01-04.
  16. Brandom, Russell (2018-04-30). "Amazon Web Services starts blocking domain-fronting, following Google's lead". The Verge. Retrieved 2020-08-08.
  17. "APT29 Domain Fronting With TOR". FireEye. Retrieved 2020-09-28.
  18. "Domain Fronting, Phishing Attacks, and What CISOs Need to Know". Cofense. 2018-12-13. Retrieved 2020-09-28.
  19. Brandom, Russell (18 April 2018). "A Google update just created a big problem for anti-censorship tools". The Verge.
  20. Marlinspike, Moxie (2018-05-01). "A letter from Amazon". Signal. Archived from the original on 2018-05-01. Retrieved 2020-09-16.
  21. Cimpanu, Catalin. "Russia Bans 1.8 Million Amazon and Google IPs in Attempt to Block Telegram". BleepingComputer.
  22. Cimpanu, Catalin (June 18, 2020). "Russia unbans Telegram". ZDNET.
  23. Burgess, Matt (28 April 2018). "This is why Russia's attempts to block Telegram have failed". Wired UK.
  24. MacFarquhar, Neil (13 April 2018). "Russian Court Bans Telegram App After 18-Minute Hearing". The New York Times. Archived from the original on 13 April 2018. Retrieved 13 April 2018.
  25. Mates, Matan (15 April 2019). "Tor, Meek & The Rise And Fall Of Domain Fronting". SentinelOne.
  26. "Implementing Malware Command and Control Using Major CDNs and High-Traffic Domains". www.cyberark.com.
  27. Jones, Emma (26 March 2021). "Securing our approach to domain fronting within Azure". Microsoft Security Blog.
  28. "#14256 (Clarify whether Cloudflare's Universal SSL thing works with meek) – Tor Bug Tracker & Wiki". Tor Bug Tracker. Retrieved 12 May 2020.
  29. "Domain fronting: pros and cons | NordVPN". nordvpn.com. 2019-07-12. Retrieved 2020-09-16.
  30. Gallagher, Sean (2018-05-02). "Amazon blocks domain fronting, threatens to shut down Signal's account". Ars Technica. Retrieved 2020-09-16.
  31. Brandom, Russell. "A Google update just created a big problem for anti-censorship tools". The Verge. Retrieved 2018-04-19.
  32. "Google ends "domain fronting," a crucial way for tools to evade censors - Access Now". 18 April 2018.
  33. "Enhanced Domain Protections for Amazon CloudFront Requests". 2018-04-27.
  34. "Amazon Web Services starts blocking domain-fronting, following Google's lead". 2018-04-30.
  35. "Amazon and Google bow to Russian censors in Telegram battle". Fast Company. 2018-05-04. Retrieved 2018-05-09.
  36. Bershidsky, Leonid (May 3, 2018). "Russian Censor Gets Help From Amazon and Google". Bloomberg.
  37. "Info". Tass.ru. Retrieved 2018-11-14.
  38. Dahir, Abdi Latif (3 May 2018). "Google and Amazon's move to block domain fronting will hurt activists under repressive regimes". Quartz Africa. Retrieved 2020-09-16.