The cool thing about this hack is that even in the TLS Server Name Indication (SNI) extension, the front domain name shows up, and only the (encrypted) HTTP Host header shows the true covert destination.
The paper "Blocking-resistant communication through domain fronting" (https://www.bamsoftware.com/papers/fronting/) is very interesting.
One thing that I'm left wondering is if the front domain owners will be at risk of being blocked if domain fronting is being done with their domain.
If so, they may ask the CDN companies to block this routing behaviour.
I believe the main point is that support is being integrated into Meterpreter, an exploit framework. The end result will be that even script-kiddie style attacks can spend $10 on a domain (or perhaps a free trial of GAE/Azure/AWS) to auto-magically use this technique to add another layer hiding their command & control servers from non-LEO/government defenders. (Meterpreter may be late to the party compared to similar tools.)
It is another step in the cat & mouse game, where techniques like this are usually first used by APT-level actors, someone rediscovers or documents it, it goes mainstream and eventually gains enough notoriety to be shut down.
There was a pair of discussions on the technique when Signal added support about a year ago: https://news.ycombinator.com/item?id=13245970
- mentions a Tor pluggable transport implementing the technique first discussed in January 2014: https://trac.torproject.org/projects/tor/wiki/doc/meek
- also mentions effective mitigations done provider-side: https://news.ycombinator.com/item?id=13233720
> temprature: Cloudflare did this a few years back by requiring that SNI matches the host header [...] or suspend the server running the reflector (Google did this to the meek reflector running on Appspot that Tor Browser used).
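As an added defender-side example (not code from this thread or from any of the linked projects), the provider-side mitigation quoted above, requiring the SNI name to match the HTTP Host header, written as a check over constructed TLS-terminating-edge log lines; the JSON field names `sni`, `http_host` and `client` are assumptions, not any vendor's format:

```python
import json
from urllib.parse import urlsplit


def normalize_host(name):
    """Canonicalise a host name for comparison: lower-case, drop any
    :port (also for bracketed IPv6 literals) and a trailing dot, so
    'CDN.Example.net.:443' compares equal to 'cdn.example.net'."""
    if not name:
        return None
    host = urlsplit("//" + name.strip()).hostname  # hostname is lower-cased
    return host.rstrip(".") or None if host else None


def check_record(rec):
    """Return a finding for a session whose Host header names a different
    host than its SNI (the domain-fronting pattern), else None."""
    sni = normalize_host(rec.get("sni"))
    host = normalize_host(rec.get("http_host"))
    if sni is None or host is None:
        return None  # plain HTTP or no SNI: nothing to compare
    if sni == host:
        return None
    return {"client": rec.get("client"), "sni": sni, "host": host}


def scan_log(lines):
    """Parse JSON log lines, skipping malformed ones; return all findings."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = check_record(rec)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: a matching session, a case/port-only difference that
# must not alert, a genuine SNI/Host mismatch, a record without SNI, and junk.
SAMPLE_LOG = [
    '{"client":"203.0.113.5","sni":"www.example.com","http_host":"www.example.com"}',
    '{"client":"203.0.113.6","sni":"cdn.example.net","http_host":"CDN.Example.net.:443"}',
    '{"client":"203.0.113.7","sni":"front.example.com","http_host":"hidden.example.org"}',
    '{"client":"203.0.113.8","http_host":"plain.example.com"}',
    'not json',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"SNI/Host mismatch from {f['client']}: sni={f['sni']} host={f['host']}")
```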