
Google disables “domain fronting” capability used to evade censors - okket
https://arstechnica.com/information-technology/2018/04/google-disables-domain-fronting-capability-used-to-evade-censors/
======
vatueil
Previous discussion:
[https://news.ycombinator.com/item?id=16868564](https://news.ycombinator.com/item?id=16868564)

As was brought up in the previous thread, though only briefly mentioned in the
linked article, domain fronting is used by malware as well. It was allegedly
exploited by Russian state-sponsored hacking group APT29.[0][1]

It's unfortunate that it can't be used to help avoid censorship either now,
but it was never an intended feature. As the article quotes, other CDNs such
as Cloudfront also do not support domain fronting.

[0]: [https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html](https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html)

[1]: [https://www.cyberark.com/threat-research-blog/red-team-insights-https-domain-fronting-google-hosts-using-cobalt-strike/](https://www.cyberark.com/threat-research-blog/red-team-insights-https-domain-fronting-google-hosts-using-cobalt-strike/)

------
est
Another reason why Google/Amazon is too centralized to be a single point of
failure.

We need more decentralized Internet. Not more clever hacks.

~~~
Lionsion
> Another reason why Google/Amazon is too centralized to be a single point of
> failure.

> We need more decentralized Internet. Not more clever hacks.

IIRC, didn't domain fronting only work because Google/Amazon were thought to
be too big to block?

IMHO, what we need is a stronger consensus that Western companies shouldn't
let themselves be bullied by censorious regimes dangling the promise of
profits or access. They shouldn't be allowed to defend such decisions as
profit-seeking amorality.

------
tribby
awful news, but not the end just yet - hopefully amazon and azure stay viable
for meek.

------
breakingcups
What fortunate timing.

~~~
kome
What fortunate timing indeed. That's just a kind reminder about what the
interests of Google and Amazon are. Not those of their consumers for sure.

Also, especially Google have all the interest to let the Russians destroy
Telegram. At this point I would be very suspicious of all other messengers
that still work in Russia.

Edit: also Amnesty International is on it:
[https://twitter.com/amnesty/status/986955700550144002](https://twitter.com/amnesty/status/986955700550144002)

~~~
baybal2
> At this point I would be very suspicious of all other messengers that still
> work in Russia.

That conjecture is rational, but I think you already have to be very
suspicious of anything that worked there for the last 5 years, Telegram
included.

It is unbelievable for me that they maintained legal presence in the country
up until now, while all others were indiscriminately blocked years ago, and
incompliant software authors were raided by 3 letter agencies and raped with
assault rifles.

~~~
nabc45
> while all others were indiscriminately blocked years ago

As far as I am concerned Telegram was blocked for 1) being used by terrorists
and 2) the Telegram staff refusing to turn in data to aid the investigation.
This has not happened to other messengers like WhatsApp and they are not
blocked. Am I wrong?

~~~
codedokode
Actually there are interesting legal details in the story.

Telegram should be blocked under the Russian court order for not providing
decryption keys, but that order doesn't contain a ruling to block the entire
Amazon or Google network - only IP addresses used by Telegram. Whole networks
are being blocked under the order by the Prosecutor General from 2015 (yes,
from 2015, and recently they started to use a new order from 2018). But the
problem is that the Prosecutor's Office doesn't have the authority to block
messengers, so the order is about discovering illegal content (extremist
content or appeals for organizing an unapproved rally - not sure if I
translated correctly) located on all of those IP addresses, which obviously
is a lie.

So this is dubious even under Russian laws.

Why are they blocking entire networks? Well, the problem is that there are
limits in ACL size so if Telegram starts using thousands of IP addresses the
tables can become too big. So they chose to block entire networks instead.
Also, finding out which IP addresses they are using takes time, distributing
and updating blocking rules by ISPs takes time (on the order of hours, up to a
day), so without this Telegram could change IPs faster than they are blocked.

There already are Russian businesses that were using IP addresses from those
networks, that are suffering damages because of blocking. They are moving to
other datacenters in a rush. It is unlikely that they will try to recover
damages from the government.

~~~
nabc45
That's bad, especially that last paragraph, but I would lay the blame directly
on Amazon and Google. They should kick Telegram out if having them affects
other customers. That's standard practice in hosts, for example when a
specific website is receiving a DoS, the website is blackholed so other
customers don't see their service interrupted.

~~~
codedokode
No, they should not. They are not under Russian jurisdiction and are not
obliged to comply with Russian laws. Or should they comply with laws of
Thailand, Iran, China and North Korea too? Kick out sites that criticise
communist party?

~~~
nabc45
I did not say that. I said that Telegram moved to their clouds to evade the
sentence of a judge, which means Russian ISPs resorted to banning entire IP
ranges, which means law-abiding customers are now affected by it. This is,
because of the malicious actions of Telegram, now Russian citizens can't
access law-abiding websites hosted in Google and Amazon. That should bother
Google and Amazon, who should guarantee the connectivity of their law-abiding
customers by kicking out Telegram so the IP range bans are lifted.

In the end Google and Amazon will kick out Telegram, it's probably a matter of
days, so I don't understand what this fuss is about.

~~~
codedokode
Telegram has no authority to ban anything so it cannot be at fault. Trying to
make your service work cannot be called "malicious activity".

> That should bother Google and Amazon, who should guarantee the connectivity
> of their law-abiding customers by kicking out Telegram so the IP range bans
> are lifted.

This might increase an influx of complaints from other governments. If they
kicked out Telegram, why not kick out someone else?

~~~
amarkov
> Telegram has no authority to ban anything so it cannot be at fault. Trying
> to make your service work cannot be called "malicious activity".

Telegram knew the Russian government was trying to censor them. So they
disguised their traffic as Google traffic. Now, because Telegram did this and
Russia called their bluff, some Google clients who have nothing to do with
Telegram can no longer reach the Russian market.

Why isn't this just as malicious as any other denial of service attack? It
sucks for Telegram, but it's not reasonable or sustainable to let anyone who
needs to evade censorship impersonate Google.

------
etaioinshrdlu
This seems like something you could do yourself on a VM instance, no?

~~~
rocqua
It helps a lot more to masquerade as google.com than it does to masquerade as
etaioinshrdlu.com. The censors would need to think more about blocking
something as big as google than a single-use domain.

~~~
etaioinshrdlu
That explains it.

------
StavrosK
Would someone be able to block packets more easily or less easily if TLS
didn't have the domain name in the packet in plaintext? Presumably someone
couldn't tell where the packet was going, but that might mean you have to send
it to the right server in the first place.

~~~
icebraining
SNI is used to allow the frontend gateway to select the correct certificate;
it should be harder to block if the frontend gateway instead had a single
certificate with all the domains it proxied (obviating the need for SNI).

Of course, that means the gateway must terminate the TLS connection for every
site (and therefore be able to read its contents), whereas with SNI it could
redirect the TLS connection itself to the appropriate server, while being
unable to spy on it.

In practice what happened before SNI is that every SSL/TLS site used a
dedicated IP, which makes it quite easy to block.

~~~
StavrosK
I meant something more like encrypted SNI in TLS 1.3[1], but that has covering
as an explicit design goal, so I guess that answers my question.

Still, it's a matter of politics, and not of technology. Google here chooses
to stop covering for Telegram/Signal, even if the technology allows it.

[1]: [https://www.ietf.org/proceedings/94/slides/slides-94-tls-8.pdf](https://www.ietf.org/proceedings/94/slides/slides-94-tls-8.pdf)

------
chisleu
You can still use ELBs to hide behind amazon.com, right?

