Lawmakers call on Amazon and Google to reconsider ban on domain fronting
Amazon and Google face sharp questions from a bipartisan pair of U.S. senators over the tech giants’ decisions to ban domain fronting, a technique used to circumvent censorship and surveillance around the world.
Sen. Ron Wyden, D-Ore., and Sen. Marco Rubio, R-Fla., sent a letter on Tuesday to Google CEO Larry Page and Amazon CEO Jeff Bezos over decisions by both companies in April to ban domain fronting. Amazon then warned the developers of encrypted messaging app Signal that the organization would be banned from Amazon’s cloud services if the service didn’t stop using Amazon’s cloud as cover.
“We respectfully urge you to reconsider your decision to prohibit domain fronting given the harm it will do to global internet freedom and the risk it will impose upon human rights activists, journalists, and others who rely on the internet freedom tools,” the senators wrote.
The technique uses HTTPS encryption to communicate with a censored web host even though it looks like it’s communicating with another host like Amazon Web Services. One service is on the outside of the HTTPS request, the real domain is on the inside and censors are none-the-wiser from a technical point of view, unless they block the first domain entirely. It’s easy to do and doesn’t require any special cooperation — but a host like Google and Amazon always possessed the ability to end the practice from being used through their own products.
This 2015 research paper from Berkeley describes the technique in detail as well as how security and privacy-focused apps including Tor and Psiphon have utilized it for years.
Domain fronting was used by Signal on Google and Amazon’s cloud to circumvent censorship in countries like Egypt, Oman, Qatar and the United Arab Emirates. In those countries, the technique made it look like Signal’s traffic was actually going to Google.com. That means in order to block Signal, these countries would have had to block Google.com, which is generally a non-starter.
The technique has also been used by bad actors and malware, Amazon pointed out in a blog posted in April.
Domain fronting made front page news earlier this year when, in an attempt to ban the messaging app Telegram, the country of Russia ended up banning large swaths of Amazon and Google’s cloud networks.
Google banned Signal earlier this year and the organization moved to Amazon where it employed the same technique until Amazon followed suit.
Signal, developed by the nonprofit Signal Foundation, was created and funded in part with U.S. government funding.
Wyden and Rubio asked for written responses to two questions about Google and Amazon’s decision to end domain fronting:
- What steps did your companies take, prior to prohibiting domain fronting, to determine whether it was possible to prohibit its use by malicious actors, while still permitting positive uses, including U.S. government-supported internet freedom tools?
- After deciding to take action to limit the use of domain fronting, what efforts, if any did your companies take to minimize the disruption to U.S. government-supported internet freedom tools and platforms relied on by human rights activists, journalists, members of faith communities and civil society groups? What steps have your companies taken, or do you plan to take, to mitigate the effect that you decision to end domain fronting has had on internet anti-censorship tools and platforms?
Amazon and Google did not respond to requests for comment.
You can read the full letter below.
[documentcloud url=”http://www.documentcloud.org/documents/4609286-Wyden-Rubio-Letter-to-Amazon-Alphabet-Re-Domain.html” responsive=true height=500]
