Amazon and Google will no longer help Signal evade censorship
Both tech giants are banning domain fronting
By Rob Thubron
Telegram's battle with authorities in Russia and Iran might have hit the headlines recently, but another privacy-focused messaging service, Signal, is also having a rough time. Like Telegram, it used a common technique called domain fronting to circumvent censorship in certain locations, but Google and Amazon have stopped supporting the practice.
Domain fronting uses major cloud providers as a proxy, thereby disguising web traffic and making it appear as if it's coming from a different source. The practice is often used to avoid nationwide bans. Amazon Web Services defines it as "when a non-standard client makes a TLS/SSL connection to a certain name, but then makes a HTTPS request for an unrelated name. For example, the TLS connection may connect to 'www.example.com' but then issue a request for 'www.example.org'."
Amazon notes that Signal used Souq.com, a storefront for Middle Eastern markets that is owned by the tech giant. This allowed the app to evade bans in Egypt, Oman, and the United Arab Emirates (UAE).
Signal had been using domain fronting through the Google App Engine, which meant countries wanting to block the app would have had to block google.com. But Google shut down the function last month, which led Signal to Amazon's CloudFront. Now, however, Jeff Bezos' company has said it is also switching off domain fronting. AWS explained that "the new measures are designed to ensure that requests handled by CloudFront are handled on behalf of legitimate domain owners."
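The mismatch in AWS's definition (TLS name versus HTTP request name) and the "legitimate domain owners" idea can be sketched as an edge-side check. This is an added example, not AWS's or Google's code; the owner table, account labels and sample requests are constructed assumptions.

```python
from typing import Optional

# Hypothetical table: hostname served by the edge -> customer account owning it.
OWNERS = {
    "www.example.com": "acct-a",
    "static.example.com": "acct-a",
    "www.example.org": "acct-b",
}

def normalize(name: Optional[str]) -> Optional[str]:
    """Lower-case and drop any port or trailing dot so equal names compare equal."""
    if not name:
        return None
    host = name.strip().lower().split(":")[0]  # assumes hostnames, not IP literals
    return host.rstrip(".") or None

def classify(sni: Optional[str], host: Optional[str]) -> str:
    """Compare the TLS SNI name with the HTTP Host header of one request."""
    s, h = normalize(sni), normalize(host)
    if s is None or h is None:
        return "incomplete"   # no SNI or no Host: cannot be compared
    if s == h:
        return "match"        # request is for the name the TLS session was opened to
    s_owner, h_owner = OWNERS.get(s), OWNERS.get(h)
    if s_owner is not None and s_owner == h_owner:
        return "same-owner"   # different names, but one customer controls both
    return "mismatch"         # TLS to one owner's name, request for an unrelated name

# Constructed sample requests: (SNI from the ClientHello, Host header).
REQUESTS = [
    ("www.example.com", "www.example.com"),
    ("WWW.Example.com.", "www.example.com:443"),
    ("www.example.com", "static.example.com"),
    ("www.example.com", "www.example.org"),   # the pattern AWS describes
    (None, "www.example.org"),
]

def summarize(requests):
    """Return one verdict per (sni, host) pair, in order."""
    return [classify(sni, host) for sni, host in requests]

if __name__ == "__main__":
    for (sni, host), verdict in zip(REQUESTS, summarize(REQUESTS)):
        print(f"sni={sni!r:22} host={host!r:26} -> {verdict}")
```

Only the edge that terminates TLS sees both names; an on-path observer sees the SNI but not the encrypted Host header, which is why blocking the fronted service meant blocking the front domain.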
Signal founder Moxie Marlinspike wrote that "with Google Cloud and AWS (Amazon Web Services) out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you'd have to block the rest of the internet as well. In the end, the rest of the internet didn't like that plan."
Marlinspike added that the Signal team is considering options for a more robust system, but developing new techniques will take time. "In the meantime, the censors in these countries will have (at least temporarily) achieved their goals. Sadly, they didn't have to do anything but wait."