Amazon has written to Signal threatening to kick the secure messaging app off its CloudFront web service unless it stops anti-censorship practice known as domain-fronting.
The technique has been used by the secure messaging app for the last couple of years as a means to combat censorship and government assaults on free of speech in countries such as Egypt, Oman, Qatar, and UAE. Known as domain-fronting, developers disguise web traffic to look like it’s coming from a different source, which provides a useful work-around for censorship.
Following Google’s lead, which claimed domain-fronting was simply a quirk in the software stack not an official feature or service, Amazon has also decided to pan the technique. In an email to Moxie Marlinspike, founder of Signal developer Open Whisper Systems, Amazon stated the app had two choices; drop domain-fronting, or get kicked off the service. As it stands, Marlinspike and Signal users will have to accept the censored fate for the foreseeable future.
“We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly,” said Marlinspike. “Our team is only a few people, and developing new techniques will take time. Moreover, if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited.
“In the meantime, the censors in these countries will have (at least temporarily) achieved their goals. Sadly, they didn’t have to do anything but wait.”
In terms of how domain-fronting works, it’s all about hiding where the connection from an app comes from. Below we have copied Marlinspike’s explanation:
The theory here is that while a government might look to ban Signal it wouldn’t consider blocking the tech giants. In the beginning, Signal was using domain-fronting through the Google Apps Engine, meaning should a government want to ban Signal, it would have to ban all traffic coming from ‘Google.com’. Signal does not use Google services anymore, owing to Google’s interpretations of US trade sanctions, but Amazon has a similar work around.
One of the issues here is Marlinspike’s claim that domain-fronting does not violate the terms of service set forward by Amazon, therefore Signal is acting completely compliantly. Marlinspike has pointed to two reasons:
- The CloudFront distribution isn’t using the SSL certificate of any domain but Signal’s
- The company isn’t falsifying the origin of traffic when clients connect to CloudFront
Marlinspike might be correct, but these are loopholes. The service was not intended to be used in this manner, therefore Marlinspike is simply taking advantage of an oversight. As in the Google case, Amazon is simply making alterations to remove an unintended use of its assets.
There has been little reaction from the ecosystem thus far, though following Google’s decision to remove domain-fronting there was certainly backlash.
“As a repository and organizer of the world’s information, Google sees the power of access to knowledge. Likewise, the company understands the many ingenious ways that people evade censors by piggybacking on its networks and services,” said Peter Micek, General Counsel at Access Now. “There’s no ignorance excuse here: Google knows this block will levy immediate, adverse effects on human rights defenders, journalists, and others struggling to reach the open internet.
“To issue this decision with a shrug of the shoulders, disclaiming responsibility, damages the company’s reputation and further fragments trust online broadly, for the foreseeable future.”
As with many of the tech firms, there is a balance to be made at Amazon. Ideals and principles need to be weighed up against the commercial nature of the digital economy, with features such as domain-fronting having a direct or indirect impacts on different cogs in the profit-making machine. It looks like cash won this time around.