Amazon threatens to suspend Signal's AWS account over censorship circumvention (signal.org)
1224 points by jboynyc 7 months ago | 496 comments



They're spoofing identity of non-consenting parties. The cause is noble, but it isn't what the headline would imply. Amazon isn't saying "You can't host encrypted services on our platform", they are saying "You can't use TLS and load balancing hacks to pretend to be us in oppressive countries".

And

>The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.

That they interpret AWS and Google as "the rest of the Internet" is pretty sad, too.


> "They're spoofing identity"

That's the entire point. By making it impossible for censors to distinguish Signal traffic from other web traffic going to AWS, domain fronting forces the government censors to either 1) stop censoring, or 2) censor many important websites that people rely upon. The associated economic cost has the tendency to discourage censors, and as shown by Signal, is actually quite an effective deterrent against many oppressive regimes. This concept is known as collateral freedom.[1]

Instead of shutting this down, Amazon could have let Signal continue. In fact, all companies should collaborate to make censorship as expensive as possible. Someone here at HN pointed out that it is very difficult for someone under an oppressive regime to speak out; this makes it all the more important for those of us who can to assist dissidents and support freedom of expression.

[1] https://en.wikipedia.org/wiki/Collateral_freedom


Isn't the first problem that Mr. Marlinspike has been holding off federation of the Signal protocol? If anyone could run a server and join the Signal network (like Riot/Matrix, who got it right), the problem of circumventing censorship would be a lot easier.

Any one of these federated servers could use whatever tricks they like to circumvent censorship, and yes they'd risk getting banned themselves if their circumvention measures are violating TOS of where they're hosted, but they wouldn't have to demand special treatment in the light of that, like Moxie Marlinspike did, because it doesn't happen to block the entire Signal network at once.

Their lack of federation is their censorship weak spot. I haven't heard a single reason for holding off federation from Moxie (and the "best" reason I currently can come up with is that he has issues letting go of "his baby", other reasons being more nefarious). There's a lot of strongly principled wording about why Signal should or should not do certain things, because Signal doesn't want to rely on anything but the protocol itself to guarantee its security, privacy and censorship resistance.

But really, what are these principles worth if Signal is in fact reliant on a third party (Amazon) closing their eyes to violation of their own TOS? They shouldn't be, and federation allows for that property.

And to add one more reason, it's not entirely fair to Amazon. By using the load balancing trick, the only thing that Signal risks is getting banned from Amazon, they can rent another server from someone else and set up shop there. However, by allowing Signal to continue to use their load balancing service in this manner, Amazon is risking having their entire service banned by an oppressive regime. It's not really cool of Signal/Moxie to ask Amazon to take this risk for them.


> I haven't heard a single reason for holding off federation from Moxie (and the "best" reason I currently can come up with is that he has issues letting go of "his baby", other reasons being more nefarious).

I mean, there's no need to speculate here. There's an entire blog post on signal written about why they chose not to federate just a quick google search for 'signal federation' away, and the reasons, whether you agree with them or not, are pretty solid and sound.

https://signal.org/blog/the-ecosystem-is-moving/


For completeness, a counterpoint from one of the prominent XMPP developers: An Objection to ‘The ecosystem is moving’: https://gultsch.de/objection.html


Thank you for posting this. I hadn't come across it and it's a great counterpoint.


Federation significantly complicates usability, and Signal's approach tends to prioritize usability. This is probably its most significant difference from other open source crypto tools.

Your argument is that Signal should erase its differences and become like other open source crypto tools. But as you pointed out, the tool you're asking for already exists! If Matrix is already doing it right, then what's the problem? Surely everyone will switch over to the superior infrastructure and not look back.

I have a different explanation: Signal is successful specifically because of controversial decisions like refusing federation, and the reason other tools do not enjoy the same success is because of the usability compromises they have made.


My first thought is "How is it in the interest of Amazon's stockholders to prevent censorship in countries ruled by dictatorial regimes?" and secondly, "How does consenting to being a front for services that are strictly forbidden in certain countries benefit our company?"


Perhaps it's not. AMZN is a for-profit entity. Their shareholders come first. Profit comes first.

The more interesting question is, how does this influence our engagement with Amazon, as members of the tech community and the business community? From hackers to founders to dev leads to CEOs we're all individuals with some degree of influence. Most of us hopefully value the idea of a free society to a great degree, because without one our industry wouldn't exist.

I have no problem with saying that the business I own will think twice about making further investments in AWS because of this. I'm less likely to recommend AWS to our customers because of it.

Businesses which host hate speech get punished by advertisers who don't want to be associated with that kind of drivel. I'd like to see businesses which enable dictators be punished in a similar way.

By the market and this community. I'd like to see more hackers and founders say hey, this company enables dictators so we are re-evaluating/freezing/reducing our investment in their products. (Pick whatever level presents an acceptable cost to you.)


> Perhaps it's not. AMZN is a for-profit entity. Their shareholders come first. Profit comes first.

The good news is that that's a myth, apparently: https://www.nytimes.com/roomfordebate/2015/04/16/what-are-co...


You can apply this idea to everything, though.

"How is it the interest of Github stockholders to not censor certain projects when China starts DDoSing the whole site?"

or even

"How is it in the interest of Cloudflare to raise the prices for all of its customers, just to protect a site Russia doesn't like?"

It can't all be about money. Companies that think only about money fail in the long term. If you don't believe that, then I urge you to watch this Simon Sinek video:

https://www.youtube.com/watch?v=qp0HIF3SfI4


Shareholders still come first if they do the right thing here. Letting reputable people do good with your product raises the tide for the ecosystem. Good for the Internet is good for AWS.


What if souq.com is blocked instead? How is that good for AWS or the internet?


> Good for the Internet is good for AWS.

Isn't it begging the question to parent's point?


This is an abhorrent chain of logic. By this rationale everything should be permissible if it’s profitable and legal in the country it’s done in. Ethics be damned.

Slavery?[1] Fine. Assisting with genocide?[2] Ok. Human trafficking. Sure, as long as we’re making money. Now consider the likes of Facebook or Google. If Iran wanted to purge an ethnic minority from their country and offered a government contract to Facebook to help identify said minority, how is it in the interests of Facebook stockholders to prevent genocide in countries ruled by dictatorial regimes?

Finally, if what you say is correct - that in the current system the wealth of the shareholders is what matters most - I think the broader question becomes: “Why should western democracies continue to permit laissez-faire capitalism if it refuses to impose any ethical or moral boundaries on itself?”

[1] https://www.quora.com/To-what-degree-has-Dubai-been-built-by...

[2] https://en.m.wikipedia.org/wiki/IBM_and_the_Holocaust


Stomping on the rights of one party, to obtain rights for another, is not ethically permissible. This is about consent as much as it's about censorship.


You've posted this (wiki page that you wrote) several times in this thread... but the issue is that all the unblocked companies are already unblocked. What do they stand to gain from this other than a near-term disruption (at best)? The only way collateral freedom works is when there is mutual need for everyone to be included, otherwise why take the risk to carry the designated targets? Also I wouldn't underestimate the economic power of regimes and nation-states that know what they're doing.


The mutual need should be considering the freedom of communication that everyone should have as a human right. Like a lot of things, when you think of it purely in terms of dollars you end up with an oppressive authoritarian system like in China.


On one hand I agree with you, but on the other... why is this Amazon’s place? I don’t agree with how China censors, but what gives a private US entity the right to try and override that in this way? Their place is to choose to, or not to do business with China, not what amounts to a political operation. I think it’s fair to say that it’s the job of governments and intelligence agencies, and some things shouldn’t be privatized.


A lot of companies have to bend to China, Brazil and others. They want to make money, so they have to follow their rules.

Google was ballsy to exit from China, but I doubt others are the same.

Wall Street judges a company by how much money it makes. GDP is how countries and govts are judged. The metric is delivering the result.


I think it is disingenuous to say that countries are judged by persons and other nations by GDP alone.


It's also disingenuous to suppose Google exited China because of principles...


That doesn't make sense. Lots of places think in terms of dollars, in fact the West/capitalism is all about it, and yet we don't have the same issues.


You are literally posting on an article where Signal's attempt to aid people speaking out against authoritarian regimes is being quelled by entities protecting their bottom line.


We don't have oppressive regimes in the West (where Amazon is based) because capitalism encourages freedom and economic prosperity. A company not helping you doesn't mean they're against you. AWS does not want a customer breaking their terms of service, especially when it affects all of their other paying clients.

What does that have to do with other nations and their laws? The censoring issue here is in a foreign state and not caused by capitalism but a lack of it. AWS is not international police so you should focus on government if you want to see political changes.


The parent poster might take issue with the idea of capitalism not implicitly meaning oppression. ;)


You hit on the most important part. If an oppressive country's options are to block a bunch of stuff that's not all frowned upon, or allow something they really don't want, they choose the former.

I'm not saying Amazon is evil or anything, but if a bunch of hugely important customers started getting their traffic blocked by huge geographic segments due to another unrelated customer.... business is business.


And in case anyone here doubts this is true, try using Google, Facebook or Twitter in China. It is absolutely possible for countries to block these services, including AWS or parts of it. Amazon has a duty to its other customers to protect them from that sort of impact caused by the frankly unethical action of another AWS user.

This is a real shame and I wish there was a viable option open to Signal, it's an important app that provides a valuable service, but they really should have seen this coming.


> Collateral freedom

Wow. Is this not but a new form of political asylum[1]?

[1]: https://en.wikipedia.org/wiki/Right_of_asylum


> Instead of shutting this down, Amazon could have let Signal continue. In fact, all companies should collaborate to make censorship as expensive as possible.

Amazon's general stance seems to be "spoofing is bad and makes the internet less reliable, so we're opposing it even here". It's understandable, but I think also thoroughly unjustified. If the objection is "Signal plans to impersonate us without our permission for a good cause", one obvious response is "so let's give them permission".

(Not coincidentally, this is a reasonable alternative to a lot of corporate heavy-handedness. Fighting trademark erosion by slapping down small businesses falls into much the same category - an alternative to coercing harmless-but-unauthorized users is to authorize them.)


But isn't Amazon risking that Souq itself might get banned in these countries if they allow this to happen? Or am I understanding it wrong?


Exactly, free countries (or those who consider themselves as such) should make it fully illegal for private companies to aid in any kind of censorship on behalf of oppressive countries. But what we see in reality is the opposite: all companies trying to make it as cheap and as simple as possible to censor anything any government dislikes; meaning the liberal fantasy of allowing every private company to do as it pleases is not going to cut it in a world where every important event you can't find in Google, for all practical matters, never happened.


As you note, private companies are typically free to do as they please in free countries...that's kinda the point. You have no right to use AWS, so this is not censorship in the legal sense. And free governments also tend to have strong laws respecting the sovereignty of other nations, whether or not their laws are similar. Your frustration is noble, but it's also internally inconsistent.


> "private companies are typically free to do as they please in free countries ... free governments also tend to have strong laws respecting the sovereignty of other nations"

Not always. For example, the Foreign Corrupt Practices Act prohibits U.S. companies from bribing foreign officials, even if the practice is accepted or prevalent in a foreign nation.[1] Just because another country has a particular policy does not mean we have to allow our companies to play along.

[1] https://en.wikipedia.org/wiki/Foreign_Corrupt_Practices_Act


I don't think this is the counterexample that you intend. The prohibition is where this bribery is illegal in the foreign countries, even if it happens to be commonplace. Bribery is never "policy", else it would be called something else (as in the U.S., where we call it "campaign contributions").


It applies even when bribery is legal and does not distinguish whether bribery is legal or illegal.


After reading the linked Wikipedia page, if it's accurate then you seem to be correct. The act prohibits influencing foreign officials by giving them things of value, and doesn't mention whether that would be illegal in the foreign country. So it would seem that a U.S. corporation would be in violation of this law for doing in a foreign land what they routinely do within the U.S. (essentially all large U.S. businesses make, or aggregate, "campaign contributions" with the intent to influence lawmakers and other elected officials).


A very good point about the hypocrisy of the American system. Campaign contributions do look very much like bribery.


> private companies are typically free to do as they please in free countries...that's kinda the point

Er, no; in every "free" country, trade/export restrictions are still a thing. US corporations can't sell to North Korean citizens, or even Cuban citizens, despite not being in a state of war against either. And "munitions" (e.g. what encryption algorithms used to be) can be traded hardly anywhere. Just call censorship-enabling technologies "munitions" and it neatly solves the problem of who exactly US corporations can give them to.


> And "munitions" (e.g. what encryption algorithms used to be) can be traded hardly anywhere.

That regulation is only in place to protect the established players ... and to ensure the CIA decides who gets the weapons.


That kind of reductionism is not helpful. It's not so simple as "private companies are free to do as they please". In fact many restrictions and regulations can and must be made to ensure that those private entities don't: poison rivers, murder people, manipulate children, steal from customers, and countless other things. In principle at least, because we know that there are innumerable examples of companies doing just that when it profits them.

Nonetheless, among such regulations, designed to make private companies somewhat work for the general public interest, we can include not aiding censorship.


>You have no right to use AWS, so this is not censorship in the legal sense.

I guess you meant "duty" instead of "right"; and respecting the sovereignty of other nations means they can block any site they like or even internet itself if they desire, but it doesn't mean we have to allow local companies to comply with laws from those countries.

>As you note, private companies are typically free to do as they please in free countries...that's kinda the point.

That's not the point at all; let's put it this way, companies are NOT free to poison the water we drink or even poison the water other countries drink just because their governments tell them to do so.


No, I mean right. You have no right to use AWS and thus if they restrict/prevent your usage of said service, on grounds that would otherwise infringe your rights, this is not illegal per se. I might have a right to free speech, but so does Amazon.


> And free governments also tend to have strong laws respecting the sovereignty of other nations

This nearly made me cough my lunch over my keyboard.

Countries tend to have the habit of respecting other countries' sovereignty right up until they don’t, at which point they will invade and occupy the other. Or carry out a proxy war, etc.

Even that is too generous. Which country of any influence doesn’t have at least a few spies getting about doing their spying? Which major players aren’t subverting the course of things in at least a handful of regions at any time?


Sure, but they do maintain an official public stance of non-intervention, which is what's at hand here, because companies must abide by that official public stance, not by off-the-record spy activity.


Ah, yep, sorry, I was going off in another direction there. Thanks for pointing that out.


Private companies are not entirely free to do as they please in free countries. There's always some degree of non-free-ness. It's not at all unreasonable, and it wouldn't be at all surprising, to find free states forbidding cooperation with non-free states' oppression. Indeed, it happens all the time in some way or another.


"in a world where every important event you can't find in Google for all practical matters never happened"

Except Google isn't in China, and last I heard important events still happen there...the world isn't as FANG-centric as western media would want us to believe.


> FANG

Stands for Facebook, Amazon, Netflix, Google, apparently.


Three companies I don't use, and one that has lost nearly all of my search traffic due to terrible results for really simple queries. It will be interesting to see in what form they persist over the next few decades!


> don't use

> nearly

So you do use it for search.

And two of these companies are probably hosting some of the websites you visit.


I haven't been using Google much as of late; basic queries come back with crap results. It's as though they've screwed up their indexing so badly that large chunks of forums and (fairly static) support docs just aren't showing up or are ranked multiple pages back.

Perhaps some of the sites I visit are hosted on Google, but since I stopped visiting reddit (the awful redesign was the last straw), I see very little traffic hitting AWS or GCP IP ranges. Part of that is probably uBlock Origin doing its thing though!


> I heard important events still happen there

where did you hear about this? :)


> all companies trying to make it as cheap and as simple as possible to censor anything every government dislikes

Not sure what you mean, I didn't see Napster fighting for censorship nor Craigslist fighting for FOSTA.


> the liberal fantasy of allowing every private company to do as it pleases

How is that a liberal fantasy? I thought the standard liberal belief is in heavy regulation of business?

Or do you mean "liberal" in the general "lots of liberty" sense and not "in the liberal political camp"?


In defense of the parent, it would have been helpful if the quoted phrase said "classical liberal", since the definition of liberal has drifted over the past 100 years, and there's a continental difference depending on whether you're in North America or Europe.


A liberal fantasy isn't heavy regulation of business, it's regulations to prevent/punish corporate robbers from exploiting the public. It's only a fantasy because corporations are buying politicians to let them further chain the populace and siphon their money in as many ways as they can get away with (and no, just not buying their product is often not a good enough solution or is hardly even a choice, like private prisons or the electrical grid).


Why do you say that the standard liberal belief is in heavy regulation of business? Liberal economics emphasize minimal regulation.

https://en.wikipedia.org/wiki/Economic_liberalism



Liberal does not mean "left-wing". It is a political philosophy mainly informed by the work of John Locke. It places primacy on the rights of individuals basically to do as they like, to the extent that it does not infringe on the rights of others to do the same.

This is a difficult bit. There are many different ideas about conflicting rights. Without going into these ongoing debates it is enough to say that liberalism is a big tent philosophy. It encompasses "left wingers" in one end where the state has many responsibilities to uphold individual liberties. At the other end are libertarians who say there is no need for government intervention for individuals to pursue their own ends. People can argue about rights and still be correct in calling themselves liberals.


Sorry I should have been clear I meant "anti-regulation advocates"


Liberalism is a school of philosophy dating from the 17th century which generally espouses freedom of speech and association, the separation of church and state, pluralism and religious toleration, state protection for property rights and enforcement of contracts, open markets, popular control of the government, separation of powers, etc.

It is the dominant overarching ideology in America (the American “founding fathers” were mostly devoted liberals) and Western Europe, and there are many disagreements among different sorts of liberals.


"Liberal" does indeed have tons of definitions and connotations. I would have called it more of a Libertarian fantasy (fully free, unregulated market and anti-censorship). That appellation too, though, is fraught with sometimes negative connotations; modern Libertarians in the political arena are derided as nothing more than neoconservatives hiding behind a Fawkes mask and stroking Nazi flags.

Edit for the downvoters: I'm not saying I agree with how Libertarians are seen, just reporting what I've observed. I tend to lean Libertarian on a lot of issues (freedom of movement, freedom of and from religion, live and let live, the right to be left alone, and so on), while also being a socially progressive liberal.


I suspect that parent meant "libertarian fantasy".

Terms like "liberal" and "conservative" are virtually meaningless.


Or, you actually get the whole internet shut off for people who need it. It's not unprecedented and nothing is "expensive" when shutting out Google entirely is not considered "expensive".


>You can't use TLS and load balancing hacks to pretend to be us in oppressive countries

They're not pretending to be Amazon, they're pretending to initiate a connection to an Amazon domain. The "conversation" goes like so:

Clear text request: "Hello, I would like to speak TLS with souq.com"

Clear text response: "Why yes, let us do that with these parameters"

Encrypted request: "Please give me the page for signal.org/api/whatever"

etc...
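To make the exchange above concrete, here is an added Python example (not code from the thread, from Signal or from Amazon) that builds the clear-text ClientHello an on-path observer sees, pulls the SNI back out of it the way a passive network monitor would, and reads the Host header from a constructed inner request that only the TLS-terminating edge sees after decryption. The edge picks its certificate from the SNI name, which is why the outer connection sits under the front's certificate while the inner Host names the real site. The domain names, the zeroed random bytes, the single cipher suite and the request path are all constructed for this example.

```python
import struct
from typing import Optional

# Constructed sample values: "souq.com" is the front named in the thread; the inner
# request is a made-up HTTP request whose Host header names a different site.
FRONT_DOMAIN = "souq.com"
INNER_REQUEST = (
    b"GET /api/whatever HTTP/1.1\r\n"
    b"Host: signal.org\r\n"
    b"\r\n"
)


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record whose only extension is SNI.

    This is the clear-text message that every on-path observer can read.
    Fixed random bytes and a single cipher suite keep the output deterministic.
    """
    name = sni.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_ext_data = struct.pack("!H", len(server_name)) + server_name    # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_ext_data)) + sni_ext_data
    body = (
        b"\x03\x03"                                 # client_version: TLS 1.2
        + bytes(32)                                 # random (constructed: all zero)
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
        + b"\x01\x00"                               # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext  # extensions block
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Read the SNI host_name out of a ClientHello record, as a passive observer would.

    Returns None if the record is not a ClientHello or carries no SNI extension.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    hs = record[9:9 + hs_len]
    pos = 2 + 32                                               # skip version and random
    pos += 1 + hs[pos]                                         # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]         # cipher_suites
    pos += 1 + hs[pos]                                         # compression_methods
    if pos + 2 > len(hs):
        return None                                            # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:
            continue
        # ServerNameList: 2-byte list length, then (name_type, length, name) entries
        p = 2
        while p + 3 <= len(data):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            if name_type == 0:
                return name.decode("ascii")
            p += 3 + name_len
    return None


def extract_host(http_request: bytes) -> Optional[str]:
    """Read the Host header from a plaintext HTTP/1.1 request (visible only after TLS termination)."""
    head = http_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii")
    return None


def fronting_layers(client_hello: bytes, http_request: bytes) -> dict:
    """Summarise what each layer names and whether the two disagree (the hoster-only view)."""
    sni = extract_sni(client_hello)
    host = extract_host(http_request)
    mismatch = sni is not None and host is not None and sni != host
    return {"sni": sni, "host": host, "mismatch": mismatch}


if __name__ == "__main__":
    hello = build_client_hello(FRONT_DOMAIN)
    print(fronting_layers(hello, INNER_REQUEST))
    # → {'sni': 'souq.com', 'host': 'signal.org', 'mismatch': True}
```

The `mismatch` flag is the only signal that distinguishes this from an ordinary request, and it is computable only by the party that holds the certificate's private key and decrypts the inner request; everyone else on the path sees the same ClientHello they would see for any visit to the front.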


This important description of the actual implementation of domain fronting — namely that it’s implemented on the client side, and only as a cover for initializing the TLS channel — I think is very important and unfortunately missing from TFA.

There is nothing on the server side which is masquerading as Amazon or Google. There is no impersonation or spoofing whatsoever.

This is akin to making a DNS lookup for a different domain to find the IP of a service which you know is hosted on the same machine.

While it seems to me that this is clearly not actually violating Amazon ToS, I can understand why Signal must give up on this approach.

As an aside, I’m not sure why this doesn’t break SNI, or exactly when or how the certificate gets switched out over to Signal’s cert and private key. The whole point of putting the domain in the ‘Client Hello’ is to get hooked up to the right cert for the rest of the negotiation when there isn’t a 1:1 mapping of IP->Cert so to switch the GET domain/path later on would, I assume, require restarting the key agreement, which I’m surprised doesn’t blow up the TLS session and require a new clear text ‘Client Hello’.


> I’m not sure why this doesn’t break SNI, or exactly when or how the certificate gets switched out over to Signal’s cert and private key.

The way I understand it, the connection really _is_ using Amazon’s cert+key, not Signal’s cert+key.

Is Signal (the server side) using Amazon’s cert+key? Not technically.


Interesting. Reading their developer guide [1] pg 293 - CloudFront servers have all the private keys anyway, so it hardly matters—from a security perspective—which key is used to establish the TLS connection to the CloudFront endpoint. The connection between CloudFront and Signal’s own servers would be encrypted with Signal’s key.

I also found this paper on domain fronting to be a very good read - Blocking-resistant communication through domain fronting [2]

[1] - https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...

[2] - https://www.bamsoftware.com/papers/fronting/


Exactly. This works because the point of TLS in this instance is for the Signal client to be sure it's talking to Amazon CloudFront. The certificate for an Amazon service also hosted on CloudFront is certainly good enough to prove this, provided the client knows to expect it, which it does.


That would mean that Amazon was supplying Signal's content as authentic Souq traffic, something that I doubt was happening.


Amazon was supplying Signal's content as souq.com but with the request making it clear it was for Signal.

How might this be noticeable? Like so:

- (irrelevant) the SNI and certificate presented by the server don't match the request -- only the hoster can see this, so what might they care?
- (serious) metering: if the hoster uses SNI for metering... then Signal would be stealing the fronter's bandwidth
- (mild) DNS metering: the fronter's domains will see more DNS lookups not related to serving the fronter's content

Nothing that couldn't be addressed contractually. Signal could pay the costs that would otherwise be unfairly borne by the fronter, and whatever makes the hoster comfortable with the whole thing (if making the fronter good is insufficient for that).
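As an added illustration of the metering point in the list above (example code, not Amazon's or Signal's, and not a real CloudFront log format; the next reply in the thread disputes that CloudFront meters by SNI at all, so this models the hypothetical, not Amazon's billing): a small edge-log meter over constructed log lines that attributes served bytes once by SNI and once by Host header, lists the requests where the two layers disagree so the fronter's share can be computed, and applies the "Host must match SNI" edge policy that the article describes the CDNs moving to. The `key=value` log format, the domain `example-shop.test`, the timestamps and the byte counts are all made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed edge log lines in a made-up "key=value" format. Each line records the
# SNI the client sent, the Host header seen after TLS termination, and bytes served.
EDGE_LOG = """\
2018-05-01T12:00:00Z sni=souq.com host=souq.com bytes=4200
2018-05-01T12:00:01Z sni=souq.com host=signal.org bytes=15000
2018-05-01T12:00:02Z sni=example-shop.test host=example-shop.test bytes=900
2018-05-01T12:00:03Z sni=souq.com host=signal.org bytes=22000
2018-05-01T12:00:04Z sni=souq.com host=souq.com bytes=3100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+) bytes=(?P<bytes>\d+)$"
)


class EdgeRequest(NamedTuple):
    ts: str
    sni: str
    host: str
    nbytes: int


def parse_edge_log(text: str) -> List[EdgeRequest]:
    """Parse the constructed log format; malformed lines are skipped rather than crashing the meter."""
    reqs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        reqs.append(EdgeRequest(m["ts"], m["sni"], m["host"], int(m["bytes"])))
    return reqs


def meter_bytes(reqs: List[EdgeRequest], key: str) -> Dict[str, int]:
    """Attribute served bytes to a customer by either the SNI ("sni") or the Host header ("host")."""
    totals: Dict[str, int] = defaultdict(int)
    for r in reqs:
        totals[getattr(r, key)] += r.nbytes
    return dict(totals)


def fronted_requests(reqs: List[EdgeRequest]) -> List[EdgeRequest]:
    """Requests where the TLS-layer name and the HTTP-layer name disagree."""
    return [r for r in reqs if r.sni.lower() != r.host.lower()]


def misattributed_bytes(reqs: List[EdgeRequest]) -> Dict[str, int]:
    """Bytes a front would be billed for under SNI metering that actually served another Host."""
    totals: Dict[str, int] = defaultdict(int)
    for r in fronted_requests(reqs):
        totals[r.sni] += r.nbytes
    return dict(totals)


def enforce_host_matches_sni(r: EdgeRequest) -> str:
    """Edge policy that makes fronting stop working: serve only when both layers name the same site."""
    return "serve" if r.sni.lower() == r.host.lower() else "reject"


if __name__ == "__main__":
    reqs = parse_edge_log(EDGE_LOG)
    print("by SNI :", meter_bytes(reqs, "sni"))       # souq.com carries 44300 bytes
    print("by Host:", meter_bytes(reqs, "host"))      # souq.com only 7300; signal.org 37000
    print("fronted:", misattributed_bytes(reqs))      # {'souq.com': 37000}
    print([enforce_host_matches_sni(r) for r in reqs])
```

The difference between the two meters is exactly the figure a contract between Signal and the fronter would have to settle, and the `reject` decisions are what the edge returns once the CDN stops honouring a Host that differs from the SNI.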


The metering isn't based on the SNI header, so the second point doesn't apply. And since the fronter's domains are presumably using the CDN's DNS servers anyway, it's not an issue either.


2 is hypothetical as none of the fronts are doing this, and even if a front "could" that doesn't matter as the fronts in question do not. We can agree that if this was happening then it would be an issue.

3 seems just wrong. Where does the DNS lookup take place? Why would the fronting server look up the SNI entry?

Are you 100% confirming that the encryption takes place using Souq's cert? Obviously it isn't going to display in a browser, but I'd wonder if there was something else you could do with it.


A couple important things to note:

- This most definitely is against the CloudFront terms of service. See the linked article if you disagree - the ToS is quoted there.

- One direct impact to the owners of the SOUQ.COM domain is that their DNS query volume will increase drastically. They have to pay for those queries. Would you like it if your side project all of a sudden got a 6 figure DNS bill because Signal decided they want to piggy back on your domain to route around censorship?


> Would you like it if your side project all of a sudden got a 6 figure DNS bill because Signal decided they want to piggy back on your domain to route around censorship?

In this hypothetical example, is my side project doing $178,000,000,000 of annual revenue like Amazon.com? If so, I'd like to think I'd be honored to help subvert censorship by oppressive regimes.


Except that Amazon is not the one paying, it is quad.com (or some other domain they’re piggybacking on) who has to pay for the DNS traffic. If my $3 side project suddenly became a $1000 side project I’d be pissed too. I like what Signal is doing, but they should not be making others pay for it. Ideally Amazon would help them do that, but they don't.


> Except that amazon is not the one paying, it is quad.com

It's souq.com, which is a wholly-owned subsidiary of Amazon. https://en.wikipedia.org/wiki/Souq.com It's an e-commerce site targeted at the middle east that Amazon bought as their play for that market.

Signal deliberately chose it because it's an Amazon domain, so governments would be reluctant to block it.


That may be true but Signal is purposely using high-profile domains, not someone's small side project.


Nothing stops the signal app from looking up that domain anyway. It's not abuse to genuinely look up an IP. It's the job of resolver caches to keep the traffic under control.


Since Signal is open source, presumably anybody can fork it with a version that implements domain fronting.


Except as the article points out, both Amazon and Google have or intend to make domain fronting not work, regardless of the domain being fronted.


Good point.


If the fronting is done on the client side, can we set up clients to perform the same trick on other services? E.g. make Amazon and Google think they use domain fronting, and thus have them reconsider the ban?


They may not be impersonating Amazon, but they are using Amazon's services to circumvent the intent of policies (laws) that Amazon wants to comply with. Amazon has decided to stop being an unwitting participant in this particular mechanism of circumventing oppression.

For the record, I'm of the opinion that the US should insist that American companies not help dictators abroad in their censorship efforts. But it's hardly unreasonable for Amazon to say, "this type of stuff is illegal in Egypt. We don't want any trouble, so please stop using us as a means of circumventing Egyptian law."


It is perfectly understandable why Amazon did that and siding with oppressive regimes is of course not unreasonable at all.

Just unethical, hence the discussion.


AWS is not siding with oppressive regimes, what's with the misleading political slant?

They don't want customers breaking terms of service, whatever those terms are, and especially when it means the rest of their customers are affected. It's not a single company involved here and they're looking out for everyone else they serve.


In this case, enforcing their Terms of Service does constitute siding with oppressive regimes. You could argue that it's not AWS' goal to help oppressive regimes, but in the struggle against censorship, that is the side they have put themselves on in practice. On one side, there are people all over the world who want to communicate freely. On the other, there are authoritarians who want to suppress and surveil that communication. AWS policy used to help the former, and now helps the latter.

I think maybe you're trying to express that under a free market ethical framework, AWS has done nothing wrong here. Which is true, and an insightful indictment of the free market as an inherently liberatory force.


That's not what "siding with" means. AWS is remaining neutral to politics as a company, which is a very good thing. Why do you want multinational corporations to get more involved in geopolitics? Do you think that will somehow lead to a better outcome?

Signal had a strategy, but it involves breaking the terms of service, so that vendor has no reason to comply and put the other customers at risk. Signal just needs to figure out another option. It's a technical issue and nobody is stopping Signal itself. AWS will still host them just fine as long as they follow the terms.

By the way, the free market is what allowed companies like AWS and Signal to exist in the first place, and lets you contribute effort and money if you'd like, so perhaps you should widen your context before throwing around indictments.


Exactly! These countries may start blocking Amazon and Cloudfront domains. Amazon needs to put its foot down.


Amazon isn’t necessarily against censorship. They just don’t want to provide this sort of spoofing service. Regardless of whether the spoofers are good or bad.


I believe this is the fundamental issue, from Amazon's PoV: this altruistic project with nice goals is abusing a network nuance, but most other actors using this capability are likely to be bad actors.

I don't think Amazon's reasoning was "oh, let's help dictators dictate", but more "hey, isn't this a potential security hole ripe for abuse that would make us look incompetent?".


Reasonable, but cowardly and disgusting.


Maybe point that anger towards the government and military then, instead of a private corporation with thousands of business customers and millions of consumers.


.... Because the US Military is responsible for changing a sovereign state's law if Americans don't like it? What the fuck?


Yes. It's called war. What's confusing here? If a citizen of a nation thinks that another nation is not behaving as they would like (whichever country or whatever behavior that is), the proper channels to enact change are through government action, either diplomatic or militarized.

Asking a private corporation to be international police is not good for anyone, as well intentioned as it may seem.


Military (or state in general) may have other, softer and more covert means of influencing other countries besides war, like “persuading” home corporations to act on their behalf. That's not unheard of nowadays.


Sure, even more of a reason why companies should not be in the business of politics on either side.


War is an ultimate and extremely costly measure. Just as inter-personal violence should be reserved for extreme cases - if you don't like a mayor in your city, you vote against him, campaign against him, write letters, go to protests - but you do not assassinate him. The same way, inter-national war is a measure of last resort and should not be resorted to due to mere disagreement about cultural norms and such.

> Asking a private corporation to be international police

This implies only police can and does enforce cultural and moral norms. This is the exact opposite of the correct order of things - the police should be preventing or punishing crimes, like theft, robbery, rape, murder, etc. - and people themselves - individually or in organized groups, like companies, NGOs, voluntary societies, etc. - should be creating and enforcing moral norms. You can not just delegate this to "the police", be it national or international.

Thus, asking Amazon to take part in helping to create an international norm of upholding free speech is reasonable. And their refusal is morally despicable.


Yea, that's why I said: "government action, either diplomatic or militarized". Any reasonable person will choose diplomacy first.

Nobody is talking about cultural norms here. The story is about Signal being used to help those in oppressive societies with active censorship, not some differing cultures. And "police" is a form of expression, not literally a police department.

Asking Amazon to do anything political is absurd because it's a corporation that should be focused on its paying customers, none of whom would appreciate unwillingly being affected by Signal intentionally breaking their terms of service. Do they suddenly not matter?

It's morally despicable to just expect and force others to help you in your causes, no matter how noble (you think) it is.


You say "proper" but what you're describing (at least the military option) is a war of aggression. This is not only illegal (both internationally, and, for example, in US Law), but described as "the supreme international crime."


It's an option, and if it comes to war then the legality of whether it should've been declared is usually not a priority. Also in the context of oppressive regimes, the "aggression" in this case wouldn't be unwarranted, nor is it unprecedented.

Regardless, what actually isn't proper is expecting major corporations to do police duty. That never ends well.


A war of aggression has nothing to do with whether or not it was declared (in fact, declaring such a war is, by itself, considered a war of aggression and is illegal and is a war crime).

Are you sure you still feel that committing a war crime and doing what philosophers and statesmen and lawyers consider the "supreme" crime is really worse than "expecting major corporations to do police duty" ?

I think part of your argument is reasonable to a point that two people could, in good conscience and respectfully, disagree. Maybe governments are better suited to handle this (via what is known as soft power).

But as long as you take such an extreme position that cannot be defended (it's better to wage a war of aggression than to have amazon stand up for Signal), you're just commenting for yourself. No one is going to engage you in meaningful discussion, because even when it gets pointed out that you're advocating for a war crime, you can't even say "well ya, maybe that was a bit extreme."


What? You've seemed to have lost all context here:

1) As noble as the cause may seem, it would be better for everyone if massive corporations just focused on business instead of politics. It's reasonable, predictable, and safer. Signal is not affected by this, it just means picking a better option than breaking terms of service.

2) The correct process for citizens of a country is through government diplomatic and military action, especially when concerning other foreign states. That's all I said, and another poster specifically asked about the military in which case the option is called war. This entire story is about oppressive powers, most of which are disabled through military action, so it's not a strange concept and nowhere is a war of aggression mentioned.

Perhaps take a step down from your moral high ground and try to comprehend the entire conversation before telling someone that they are advocating for war crimes, that would be much more helpful if you want a meaningful discussion.


You're being very nonchalant about going to war to make things easier for Amazon.

I find that chilling.


I find it surprising how these threads get so lost in just a few posts.

What I said is that if someone has an issue with another country (oppressive or otherwise) then they should use political means to influence change through their (and foreign) governments. As the commenter specifically stated the military, war is how that change is done in that case.


Yes, but I don't think you're considering the significant direct cost to the owner of SOUQ.COM for DNS queries. If all of a sudden I get millions of extra DNS queries for my domain because Signal is using it to front their traffic to CloudFront, I might get a huge DNS bill.

Should any government coerce me into paying a large DNS bill just to sponsor freedom of speech? Even if it is a noble cause, we shouldn't coerce innocent 3rd parties into doing this.


It's not a significant direct cost. Millions of extra DNS queries amounts to single-digit dollars (route 53 pricing).


And the owner of souq.com isn't some random person; it's Amazon.


They're not pretending to be Amazon, but they are making their client pretend to talk to an Amazon host, and use the SSL keys of an Amazon-owned host rather than their own.

It's more like this:

Clear text request: "Hello, I would like to speak TLS with host souq.com and encrypt my connection with a key signed by souq.com"

Clear text response: "Why yes, let us do that with these parameters"

Encrypted request: "Actually I meant host signal.org, but please route my request anyway since both hosts are being routed by this service. Please ignore the fact that my symmetric key for this connection was encrypted and transmitted using the keypair of souq.com."

----

This is similar to buying a train ticket to a nearby stop, using it to get on the train, then getting off at a different stop because you know they won't check your ticket again.

Google and Amazon are now adding an additional ticket check.


Sure, as long as that "different stop" is no further down the line.

There's no need for the ticket to match. They're not traveling on any rail segments they weren't supposed to be on.


Except that you aren’t actually using an additional service that you’d otherwise have to pay for, so that analogy is bullshit.


Souq.com is owned by Amazon.


They're arguably impersonating Amazon on the server side by hosting their service behind Amazon's proxies and using a trick to pretend that they're talking to some Amazon service instead of their own.


The beauty of this is they are not doing anything on the server side to impersonate or spoof Amazon.


Right, it’s the _client_ side that’s tricking Amazon’s servers.

It seems to me Amazon should just close their loophole rather than threaten to kick signal out of the server side.


According to the article, that's exactly what they're doing.


You're right of course, my comment was too short and factually wrong. What I meant was that what they're doing is effectively renting office space in Amazon's building and then exploiting a loophole in the way mail is distributed to receive packages even though the outside envelope says "c/o amazon.com" (or c/o souq.com in this case).

So while they don't do anything fishy on the server side they still took care to put their servers there for a reason. And since they also write the client code it's not difficult to show that the intent is to impersonate Amazon to 3rd parties.

Interestingly it seems that amazon couldn't really complain if the people writing the client were independent from those maintaining the servers since the spoofing code is entirely in the client. Although in the end I'm sure if it turned out to be a problem for them they'd just enforce that the domains match the HTTPS query and remove the technical possibility of fronting altogether.


I agree. The intent is noble, but this headline makes Amazon look like the bad guy for disapproving unauthorized use of one of their domains, which is quite reasonable.


Amazon and Google are certainly within their rights to refuse this. Allowing domain fronting is likely to put quite a lot of their money at risk, so this outcome is unsurprising, but it's still the less ethical one.

This might be the only possible outcome given a corporation's legal responsibilities to its shareholders etc, I don't know all that well enough, but I think it's still justified to lower my opinion of Google and Amazon because of this.


I realized I glossed over the fact that this would put other AWS/GAE customers's money at risk too. This complicates matters somewhat, and some (I believe a negligible number of) customers might switch to an unblocked competitor.

Personally this weakens my view a little, but is not enough to change it substantially.


The ethical choice is for AWS and Google to collude and both allow signal to continue using domain fronting.


Great PR opportunity for Cloudflare to pick up the torch.

EDIT: Not supported by Cloudflare.



Despite the use case for censorship circumvention, many malware command and control bots use domain fronting to bypass corporate web filters that otherwise might block their traffic. CloudFlare, being a security-focused CDN, most definitely does not want to help enable malware authors to bypass security.


Russia had no problem whatsoever blocking both of them when blocking Tether a couple weeks ago.


No problem? They crippled their own use of the internet, at huge financial cost.


Where do you get that from? The Russian government blocked lots of AWS and Google IPs, and had no problem keeping them blocked until they agreed to stop allowing this, which was the same thing Telegram was using. And it doesn't appear that they cared about the "huge financial cost".


the problem I'm having is that I'm not even sure this qualifies as 'use' really. sure they're putting the domain name in the tls handshake from the client side instead of their own. the handshake itself works the same, everything that happens after is the same. the tls endpoint on Google's/Amazon's servers just makes sure the domain is in its list of known domains, nothing else depends on it.


Because they are the bad guy.


Hardly reasonable. Domains are (in reality, if not in legislative fantasy) property of ICANN and merely rented by everyone else.


So? If we qualify it to preventing unauthorized use of one of their rented domains does that make it any less reasonable?


The conceit here is that you must be "authorized" in order to write an app that puts the domain in question into the SNI field of a TLS connection that it initiates. I don't think that's reasonable.

It is of course up to Amazon what their servers then do when presented with such a connection, in particular whether they ensure the Host: header later presented matches the SNI data.


So have they obtained the permission of ICANN? I rent my home, but I still call the police if there's a trespasser.


> They're spoofing identity

This doesn't seem quite accurate to me. They are not making an assertion that they ARE Amazon or Cloudfront. They are avoiding making an assertion that they are anybody, by using a shared facility. It's a bit like using a public payphone to avoid being identified. When you use a public payphone, presumably the call originates from a line owned by the phone company, but nobody accuses you of attempting to impersonate the telephone company by doing that.

This may still be a violation of the TOS, but people should be clear about the actual intent of what is being done.


It is not that much of an interpretation. When us-east has problems a huge proportion of Internet sites that people actually use goes down.


Technically true, but this is not really about terms of service or about "spoofing identities of non-consenting parties." This is about Google and Amazon not wanting to become collateral damage and lose business in those countries.

Signal is/was connecting to Google or Amazon servers with an HTTP Host header of google.com or souq.com, respectively—and only in Egypt, Oman, UAE, and Iran! Google and Amazon could have easily allowed this or even looked the other way.

So basically censorship worked, albeit not how we thought it would. Sad for people in those countries who were relying on Signal for private communication. Who will stand up for us when we lose ours due to some business decision?


But effectively that is the case. If major providers like AWS and Google ban domain fronting, it is effectively dead - nobody needs domain fronting when you have three domains, three domains can be banned the same way as one.

AWS and Google could throw their considerable weight on the side of anti-censorship and openness. They instead chose - as businesses frequently do - to play along with oppressive dictatorial regimes so it won't cost them a couple of bucks extra. That is pretty sad.


Russia had no problem whatsoever blocking both Amazon and Google when it was blocking Telegram a couple weeks ago. What makes you think this would be any different? In other words, why is Signal being able to operate more important than all of the other people who pay AWS and Google for services?


AWS and Google are companies. It's not their job to push for societal changes really. In fact, I hope they don't push for those. I'd prefer them to steer clear of pushing for any higher objectives, that's best left to governments and lawmakers.


Maybe we should consider AWS differently than Google or FB?

"to be Earth’s most customer-centric company, where customers can find and discover anything they might want to buy online, and endeavors to offer its customers the lowest possible prices." - https://www.amazon.jobs/working/working-amazon

"Organize the world’s information and make it universally accessible and useful.” - https://www.google.com/about/our-company/

"Founded in 2004, Facebook's mission is to give people the power to build community and bring the world closer together. People use Facebook to stay connected with friends and family, to discover what's going on in the world, and to share and express what matters to them." - https://investor.fb.com/resources/default.aspx

It's interesting how these mission statements present vastly different goals.

At what point is something a public utility? If everyone abandons their servers for cloud providers you are at the whim of the corporate political stance of where your machine is hosted.


> It's not their job to push for societal changes really.

Somehow dozens of companies are discussing pushing for societal changes every day. Just recently a bunch of companies discussed severing ties with NRA (which didn't hurt a single living soul) and stopping selling firearms (which would not, indeed, lead to any societal change but at least the declared goal, even if unattainable, is to do exactly that). In another topic, there's a link on political manifesto by SO leadership. Social activism is everywhere in the business world. But when it's about something that may save somebody's life in Iran but cost some $$ to the company, it's suddenly "not their job". Nope, you can't do both. If companies avoided social activism altogether and were completely neutral and apolitical - I could accept that. They are not and haven't been for a long time. You can't just turn on one place and say "we do social activism everywhere but not where it can offend Iran". Or, you can, but that would be, as I said, cowardly and disgusting.


What do you think Google is doing on Youtube? It already has considerable skin in the game.

Even something seemingly innocuous like Google search's front page doodles are chosen and curated.


Also there's a recent story of Google removing shopping results containing "gun" which went hilariously wrong (yes, you couldn't search for Burgundy for a while :) : https://news.ycombinator.com/item?id=16474102


> The cause is noble

The cause is noble, but the mechanism is dubious: it can be viewed as, in effect, saying to oppressive regimes “to harm me, you must harm a bunch of innocent bystanders, too”.


That's the entire point of domain fronting and collateral freedom: to make censorship as expensive as possible for oppressive regimes.


Collateral freedom is like using human shields. You unilaterally decide to involve other innocent people in your fight, and risk their well-being.


The name even hints at that: it's freedom that rests on the target's unwillingness to inflict collateral damage.

Which, questions of morality in the abstract and consent aside, seems to gamble pretty heavily on sensitivity the regimes of concern are decidedly not known for.


They are sensitive to collateral damage, though, otherwise they could just turn off internet access. It's actually pretty easy for a state-level actor.

Why do you think they don't?


But Signal was doing all of this without Amazon's consent. I don't care how noble you think your cause is, dragging other people into your fight against their will is wrong, full stop.


[flagged]


Don't you think that's a needlessly offensive analogy? Signal is not using children to shield themselves from rifle fire.


I think it's quite clear what the point is from Signal's attempt at implementation of the theory as well as your freshly minted wiki page.

That doesn't change the dubious nature of it. Putting other valuable services at risk for a single service's gain is clearly dubious.


> "your Signal"

Just to be clear, I am not affiliated with Signal in any way. I am just a user.

> "your freshly minted wiki page"

I am a regular contributor to Wikipedia, and I created the article on "collateral freedom" in January 2017[1] when I came across the topic because it satisfied Wikipedia's notability guidelines.[2]

[1] https://en.wikipedia.org/w/index.php?title=Collateral_freedo...

[2] https://en.wikipedia.org/wiki/Wikipedia:Notability


You posted that Wikipedia link 4 times in this thread. That's a bit much, and also kind of dodgy to do without mentioning that you wrote it.


> "4 times in this thread. That's a bit much"

Point taken, I'll be more careful in the future.

> "kind of dodgy to do without mentioning that you wrote it"

The article is completely neutral, cites reliable sources, has been reviewed by another editor[1], and abides by all Wikipedia policies. I do not personally gain anything from posting it here.

I didn't think the fact that I initially created the article was relevant to this conversation, because for all intents and purposes, it does not make a difference.[2] The article meets Wikipedia's standards, and anyone is free to edit it subject to the applicable content policies.

[1] https://en.wikipedia.org/w/index.php?title=Special%3ALog&typ...

[2] https://en.wikipedia.org/wiki/Wikipedia:Ownership_of_content


I see your point, though it still feels a bit dodgy to me, and I suspect to many other HN readers. Fortunately it's a rare and borderline case so we don't need to worry about it too much.


That was a typo (now fixed). Didn't mean to imply you were involved with Signal


What does "innocent" mean in this context? You seem to be using the word to distinguish between people who use the app and other people who don't, but that can't be right. Is it unethical to use a communications app?


> What does "innocent" mean in this context?

Innocent of whatever violation of local law the regime is targeting the app for.


It would be a very particular sort of autocratic state, which could censor communications apps on a blanket basis, but would have to go through some sort of charade with laws and courts for each particular app. Still, the app and its users are different parties.


Spot on. How about "Amazon threatens to suspend Signal's AWS account over CloudFront ToS violations".


Morally, it's still the right thing to do, even though I guess it's in amazon's best interests not to allow it.


How is it moral for Amazon to shirk their fiduciary duty to shareholders for the sake of a political battle it isn't theirs to wage?

I counter it would be more immoral to put, say, the retirement funds of firefighters and teachers at risk to achieve what is the responsibility of, say, the State Department?


There is no fiduciary duty to shareholders of a public company. This is known as the shareholder value myth -- myth because it is false.


Yeah if this were the case the private jet market would crater.


Berkshire Hathaway could have never existed if it were actually a legal requirement. For decades they've constantly passed on doing things that could have easily juiced shareholder value, including hostile actions in regards to takeovers. It's why nearly all of their acquisitions come to them instead: an extraordinary reputation.

Further, the fiduciary myth is silly as a premise upon any inspection: legally who gets to decide what's the one right ideal path for optimizing shareholder value, such that if you don't follow The One True Path then you're failing shareholders. Any other path than the single best one, would be inherently defined as failing the fiduciary responsibility to maximize shareholder value (which is another way of saying: legally it's an impossible concept to implement; and logically it's stupid, it falls down instantly, no person could know the maximization path at all times). It doesn't pass even a minute of rational intellectual scrutiny.


Fiduciaries are allowed to differ in their advice and action taken in that role. I know what you're saying but it's a bit subtler than that.


To put it bluntly: fuck the shareholders. The question being asked shouldn't be "are the capital owners getting paid", but "is this company improving lives and delivering benefit". It's after all, what they're here for, not just to make money. No matter how much money I can make selling heroin, they're not gonna let me because, you guessed it, I'm doing damage by doing it.


What about countless other, not censored, services delivered from the same network? Do they not "improve lives" and "deliver benefit"? Collateral freedom is akin to placing your guerilla command center in a hospital, in a gamble that the other side will leave you alone instead of risking extra harm to innocent civilians. In this case, the hospital decided to disallow guerillas to use it as cover.


This is either the worst possible example or the best.

Russia BTW bombs civilian targets like hospitals and they killed their own bank sites when they tried to block Telegram recently.


Which teaches you about effectiveness of "collateral freedom" against states that Just Don't Care.


This.

People don't realize doing stuff like this is just going to make lives worse once these regimes block Amazon/Google/whatever.


In theory, in some case, it could be like that.

In this case it's just like being in a city. They're not trying to take advantage of any particularly sensitive institution.


> They're not trying to take advantage of any particularly sensitive institution.

They are. Amazon. And previously, Google.

The worst-case consequence is not people losing access to Amazon store, but losing access to anything that's powered by Amazon cloud. People operating all kinds of services hosted on Amazon servers are the patients and hospital staff from my example.


Amazon servers are an entire city. There is a vast gulf between the equivalent of "being in a city that has a hospital" and the equivalent of "locating a base inside a hospital".


Then it's even worse, because the picture you're trying to paint implies that it's either leave guerillas alone, or nuke the entire city.

A ban of a cloud service affects everything else that depends on it. The more popular a service, the more damage. That's the point of "collateral freedom".

(Note the name of the term. It's no accident. It comes from "collateral damage".)


Block the road, not nuke the city.

But if they were going to nuke the city? Fuck them, don't negotiate, it is absolutely not the fault of any group that is merely located somewhere inside the city.


I feel we're talking past each other because of a spatial analogy.

My point is - by employing domain fronting against censorship, you bet that the adversary will not ban the service you're using as a front. But they very well might just do that. At this point, everyone else using the service suffers. So that service, by refusing to be used as a domain front, is not just protecting its own interest - it's protecting interests of all the others who depend on it. You, on the other hand, are unilaterally putting those other people at risk. This does not make you a hero, it makes you a villain (even if a lesser one).


"Putting them at risk" not by doing anything to them, but by being near them.

The domain fronting could be set up in a way that doesn't spoof domains, and the risks would be exactly the same. The spoofing is a red herring. The issue is the mere idea that a censor would be unable to tell what domain a connection is for. The actual thing that puts people at risk is ridiculous to attack on a moral basis. It's the same as just existing in a crowd. Not grabbing someone to be your shield.


In other words it's Amazon and Google who are willingly helping censors to avoid a bit of collateral damage during strikes.

It's like helping Assad to find targets where people with opposing views live.


The mistake here is that they are not guerrillas and are not hurting anyone. It's censors that do. It's collateral damage only from the point of view of censors.


I don't know, was it moral for IBM to work with the Nazis to build their concentration camp databases? (yes, this happened)

I mean, that made the shareholders money, right?


They sold them mechanical calculators (?) IIRC.

"Databases" is maybe not the right word?

Not a historian.


It was their punchcard technology, which is more akin to databases than calculators.


So AWS finally lost enough money to the Russian blockade that they caved. Sad.


Russian economy is very very small.

Whatever Amazon's reason is it's not that they lost some Russian banks for a week.


The same technique is being used to prevent censorship in a host of countries, like UAE, that have giant piles of cash and influence, and where blocking AWS/Google would have unacceptable consequences. No one gives a damn about a few Russians.


Real world example would be a re-mailer. Outside of the envelope shows one address it goes to but inside where others cannot look actually has the true address?

Since the plain text has the fake address while the encryption has the true address, I see no issue with this.


A real world example would be an automated postal sorting/routing center with a bug that lets it be exploited as a remailer. By doing domain fronting, a single party is betting that this postal center is important enough not to get shut down/bombed. Obviously, the postal center isn't happy that you just put it at risk of getting shut down, because they deliver lots of other mail, none of which is obviously less important than your shenanigans. So instead, they opt to patch the bug that allows them to be unwittingly used as a remailer.

The core point being: Signal isn't using Amazon as a shield - it's using every single customer of Amazon as a shield.


Am I missing something, or is anyone using a CDN domain fronting?


An HTTPS connection sends the domain it wants to connect to in two layers: first unencrypted in the TLS headers, then encrypted in the HTTP header.

In a regular connection (even using a CDN), those two will match. Using domain fronting, you put a popular domain in the unencrypted part, and the real domain in an encrypted HTTP header.

Due to how they're implemented, the load balancers at Google and Amazon will ignore the first (unencrypted) layer, and will send the traffic to the correct server based only on the encrypted HTTP header.

Regular browsers always send the same domain in both layers, only a custom app like Signal can perform domain fronting.


What if Signal sent the correct domain by default, but made it user configurable? Users in oppressive regimes would figure it out pretty quickly.


My guess is that Amazon would say "we're not idiots" and shut down their Cloudfront account anyway.


> only a custom app like Signal can perform domain fronting.

Or curl, or openssl s_client. I'm still trying to understand domain fronting, and exactly what is being disallowed now. Do all of my CDN requests have to have identical Host headers and TLS server name indicators now? What if they're mismatched? Does the TLS handshake still succeed, and the traffic just doesn't get passed through the CDN server?


> Or curl, or openssl s_client

Sure.

> I'm still trying to understand domain fronting, and exactly what is being disallowed now. Do all of my CDN requests have to have identical Host headers and TLS server name indicators now? What if they're mismatched? Does the TLS handshake still succeed, and the traffic just doesn't get passed through the CDN server?

Well, the current conflict is with Amazon; your CDN might or might not object to domain fronting.

Amazon is not saying that they must match, they're saying that you can't use someone else's domain for domain fronting without their permission. That is, if the domains don't match, whoever owns the domain indicated in the TLS server name must give express permission to do that.

I don't think their infrastructure can actually block it, they just ban your Cloudfront account if they happen to know this is going on. So you can probably get away with it if you keep quiet and nobody finds out.


> Well, the current conflict is with Amazon; your CDN might or might not object to domain fronting.

Yeah, understood, I meant CloudFront specifically.

> I don't think their infrastructure can actually block it

If I terminate TLS at CloudFront they can certainly compare SNI with the Host header and block on any mismatches. This is silly of course, since there are legit reasons to do this.

You answered my question though. Thanks!
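The two layers described earlier in this subthread (the plaintext server name in the TLS ClientHello, the Host header inside the encrypted HTTP request) and the SNI-versus-Host comparison mentioned just above, as an added example that is not part of the original thread and is not Signal's or Amazon's code. It builds a constructed minimal ClientHello carrying an SNI extension, parses the name back out the way a censor's DPI box or a CDN edge would, builds a fronting request with a different name in each layer, and applies the mismatch check an edge could enforce after terminating TLS. The domain names are placeholders; `send_fronted` is the only part that touches the network and shows where the two names are set with the standard `ssl` module.

```python
import os
import socket
import ssl
import struct
from typing import Optional, Tuple

# Added example, not Signal's or Amazon's code. The ClientHello built here is a
# constructed minimal record (one cipher suite, one extension), not a full handshake.

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS ClientHello record whose only extension is server_name."""
    name = sni.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name            # name_type 0 = host_name
    ext_body = struct.pack("!H", len(entry)) + entry           # ServerNameList
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(ext_body)) + ext_body
    body = (
        b"\x03\x03"                                            # legacy_version (TLS 1.2)
        + os.urandom(32)                                       # random
        + b"\x00"                                              # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"                   # cipher_suites: one entry
        + b"\x01\x00"                                          # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """host_name from the SNI extension of a ClientHello: the plaintext layer."""
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if not hs or hs[0] != CLIENT_HELLO:
            return None
        p = 4 + 2 + 32                                 # handshake header, version, random
        p += 1 + hs[p]                                 # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                                 # compression_methods
        if p + 2 > len(hs):
            return None                                # no extensions block at all
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == EXT_SERVER_NAME:
                q = p + 2                              # skip ServerNameList length
                while q + 3 <= p + ext_len:
                    name_type, name_len = struct.unpack("!BH", hs[q:q + 3])
                    q += 3
                    if name_type == 0:
                        return hs[q:q + name_len].decode("ascii")
                    q += name_len
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                           # truncated or malformed: treat as absent
    return None


def build_http_request(host: str, path: str = "/") -> bytes:
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def extract_host(request: bytes) -> Optional[str]:
    """Host header, lower-cased, port stripped: visible only after TLS termination."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        field, _, value = line.partition(b":")
        if field.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def fronted_request(front: str, real: str, path: str = "/") -> Tuple[bytes, bytes]:
    """What a fronting client emits: the popular name in SNI, the real one in Host."""
    return build_client_hello(front), build_http_request(real, path)


def fronting_detected(client_hello: bytes, request: bytes) -> bool:
    """Edge-side check: both names present and different (a missing name is a separate policy call)."""
    sni, host = extract_sni(client_hello), extract_host(request)
    return sni is not None and host is not None and sni.lower() != host


def send_fronted(front: str, real: str, path: str = "/", timeout: float = 5.0) -> bytes:
    """Live version (needs network, not used offline): server_hostname sets the SNI,
    the request bytes carry the Host header, so the two are chosen independently."""
    ctx = ssl.create_default_context()
    with socket.create_connection((front, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front) as tls:
            tls.sendall(build_http_request(real, path))
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
    return b"".join(chunks)
```

`fronting_detected` flags only a real mismatch between two present names; whether to refuse no-SNI or HTTP/1.0 clients is a separate decision, and note that the check can only run on an edge that terminates TLS, which is the point made in the comment above.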


Sorry, I'm not on board with using an Amazon owned domain for this. That's got the potential to get Amazon itself blacklisted in some places, so they're absolutely not going to be okay with it.


Or it forces oppressive regimes to realize that they are being an oppressive regime.

Want to censor the internet, fine, send your citizens back to the dark ages; see how long it is until they protest or move.


I'm guessing you haven't spent much time looking into how oppressive regimes work.

They aren't going "to realize that they are being an oppressive regime" and have an epiphany where they realize, "Hey maybe I'm an evil dictator?"

If you are up for reading, I highly recommend Michael Malice's book, Dear Reader: The Unauthorized Autobiography of Kim Jong Il . After reading that you will completely understand why "see how long it is until they protest or move" is a silly thing to say.

[1] https://smile.amazon.com/Dear-Reader-Unauthorized-Autobiogra...


We don't need oppressive regimes to "realize" they're oppressive. We simply need to shift the incentives by making it financially expensive to censor. This is known as "collateral freedom"[1], and has been used to publish censored content in China.

[1] https://en.wikipedia.org/wiki/Collateral_freedom


This is a bloodless equivalent of using human shields or hiding your forces in a hospital - you involve lots of innocent civilians in hope that the government will not be willing to absorb the sacrifice.


Saying "we can't stop you from blockading, but we won't help you build regime-monitored passages through the blockade" is not sacrificing anyone.


To quote from the comment I replied to:

> We simply need to shift the incentives by making it financially expensive to censor. This is known as "collateral freedom"

In this context, "making it financially expensive" means "banning us would also mean banning lots of other unrelated services, which will have negative impact on both economy and morale of the population".

In the same way, in warfare, using civilians as human shields is "shifting incentives", making it PR-expensive to strike you down.

In both cases, an authoritarian government may be willing to eat the loss and deal with you anyway. And in both cases, you're the one putting innocent people in harm's way.


The adversary is going to shoot down all packets that don't have certain labels on them.

Refusing to put those labels on packets is not putting anyone in harm's way. It's a refusal to help them treat certain classes above others.


In your strategy you only have three choices - put your own label, put someone else's label, or just give up. The labels are necessary for routing. If you put someone else's label on your packets, you're turning them into a potential target.


> I'm guessing you haven't spent much time looking into how oppressive regimes work.

> They aren't going "to realize that they are being an oppressive regime" and have an epiphany where they realize, "Hey maybe I'm an evil dictator?"

Not to mention that, in a truly oppressive regime, people don't have the liberty to either move or protest.


They might not have reasonable freedom to move or protest, but people will always have the radical freedom to oppose an oppressive regime. It is just much more costly and requires the knowledge that you live in an oppressive regime and access to information in order to break it.


> After reading that you will completely understand why "see how long it is until they protest or move" is a silly thing to say.

I wonder if you could give a TL;DR on this, assuming there is something other than the basic prisoner's dilemma going on?


I'd be happy to give a very brief TL;DR with the disclaimer that I recommend either the book for a full picture or the Michael Malice interview on Joe Rogan's podcast (WARNING: NSFW language) [1]

There are a few factors involved (and please bear in mind I'm leaving out a lot of detail here, and this is nowhere near a comprehensive list).

1. There is extensive "brainwashing" regarding the great leader. He is praised for everything. There's a famous story about a western optometrist who performs a surgery that is routine everywhere else in the world but rare in N Korea, and which restores eyesight. The first thing people often do after receiving their sight is not thank the doctor, but praise a poster of the great leader, thanking him for restoring their sight (I think this was a Nat Geo thing but I don't remember exactly).

2. There is a culture of tattling that heavily incentivizes ratting out your friends and family to the authorities. You will be punished for even having unclean thoughts, let alone taking bad actions. The pervasiveness of this makes it such that people often self-report themselves for thought crimes due to feelings of guilt or concern over getting turned in by friends/family (you may do less time in the prison camp for self-reporting).

3. Families are harshly punished for actions taken by their family members. This means that if you escape, your family will be likely killed or sent to prison camp. If you die in camp, your son/daughter/father/mother will have to take your place to finish your sentence. Thus even suicide/death in prison camp is a betrayal of your family. There is no way out.

[1] https://www.youtube.com/watch?v=5B_idqiEoUE


Number 1 was in a Nat Geo documentary with an Asian American presenter (Lucy something?). Something like "Inside North Korea".

IIRC you couldn't tell if they were genuinely thanking the Dear Leader or putting on a show for the secret police.


Thank you. I think I will add the book on my reading list.


There is a difference when people have never had access to things and when you take away access.

A difference would be like America and North Korea and taking away the internet. The vast majority of Americans use the internet and it is an integral part of their lives. You take it away and they would riot in a heartbeat. On the other hand, if you have a regime where the majority of people never had access to the internet (or whatever), taking it away does not cause a riot. The small groups of people that had access won't have the critical mass needed to cause such a riot.

The point is not to make a dictator realize "Hey, maybe I'm the baddie" but "If I take this away then someone will stage a coup." Dictatorships tend not to be very stable regimes. It is hard to balance the line of power and being overthrown.

TLDR: People care much more when you remove something that is already integral to their life. Not so much if it isn't.


> You take it away and they would riot in a heartbeat.

I'm not certain that this is true.

No American Dictator would just outright ban the internet; no, they'd say they were protecting children and blocking terrorists, and require internet providers to block that content.

Anyone arguing that this is censorship would be branded as a supporter of child pornography and terrorists.

A few more steps along that line and what you have is no longer the internet as we know it, but PatriotNet(tm) (insert waving flag, anthem, etc).

Do it enough subtle steps and they'd get away with it without anything more than a few grumpy "libtards" complaining on TV.


You're right in that it can be done through a long process. But as freedomben notes (in response to my reply), Egypt is an example of what I'm talking about.


There's definitely some truth to this. In Egypt for example, the internet shutdown backfired massively. Good thoughts, thanks for sharing.


Amazon isn't in the business of forcing oppressive regimes to realize they are oppressive regimes, they are in the business of selling goods and services regardless of the oppressiveness of the regime governing the region where the currency comes from.

If you want Amazon to stop doing business with oppressive regimes, contact your politicians about sanctions.


The problem is deeper than that; even if Amazon doesn't sell stuff to oppressive regimes, they host the sites/services of companies who do.

And if the solution was to force Amazon to block any access from their servers to those oppressive regimes, that wouldn't help Signal at all, because they too would be blocked.


You're not wrong, it would certainly not be in shareholder's financial interest for amazon to take this stance.

For the record, U.S. politicians have voted on sanctions on Russia for cyber crimes and brought representatives to the UN raising the issue of their human rights records.


> For the record, U.S. politicians have voted on sanctions on Russia

Indeed, the US nearly destroyed Russia's largest aluminum company - Rusal - recently in a sanctions move against an oligarch close to Putin (Oleg Deripaska, who owns the majority of Rusal).

The best way to deal with oppressive regimes, is generally to go through powerful political bodies/groups, whether the UN, G7, or US Congress. The impact a company like Amazon (or Google, Facebook, etc) can make is very trivial. So trivial as to be meaningless to a typical oppressive regime. Congress, in tandem with large allies, can hammer e.g. Russia's primitive industrial economy, by comparison, with targeted sanctions on steel, aluminum, whatever.


Actually, this has changed:

"On April 23, however, the US government gave Rusal's American customers "more time to comply with sanctions", even saying it would "consider lifting them if United Company Rusal Plc’s major shareholder, Russian tycoon Oleg Deripaska, ceded control of the company." Department of the Treasury gave these clients until October 23, 2018 to comply with (wind down business) the Rusal sanctions."

https://www.reuters.com/article/us-usa-russia-sanctions-rusa...


> oligarch close to Putin (Oleg Deripaska ...)

For the record, Deripaska is no friend of Putin, who forced him to start paying tax and stay out of politics. Look at how Putin humiliated him several years ago during an industrial dispute, when Putin took the side of workers against Deripaska.

[0] - https://www.youtube.com/watch?v=0XfbWnDXCx8


For the record -- OF COURSE he's a friend/loyal to Putin, because in the Russian state all of the oligarchs owe fealty to the leader.

Look to Mikhail Khodorkovsky to see what happens to those that aren't Putin's friends.


Yep. He hates Putin so much he invited one of his ministers (?) to sail on his yacht with some escorts.

/s


You think oppressive regimes don't already realize what they are?

They simply don't care.


They would care if there are financial consequences.

https://en.wikipedia.org/wiki/Collateral_freedom


That premise has a very mixed bag of results historically. It works on some regimes, and fails entirely on others.

Cuba defied an aggressive embargo by the US for ~50 years, which is partially responsible for Cubans typically having present incomes of about $20 per month. [1] By contrast, Haiti, which is one of the poorest nations on earth, has a higher median income than Cuba. The Castro brothers were simply unmoved by the extreme financial consequences (and the people of Cuba also did not topple them across more than half a century).

Similarly it didn't work against North Korea across 60 years. Even while the North watched South Korea develop and grow into one of the 20 or so richest nations.

It also didn't work very well against the USSR. The West heavily limited its trade and economic cooperation with the USSR across the entire post WW2 era until their collapse. The West rapidly developed advanced technological economies, the USSR did not, their people suffered extraordinary poverty and backwardness. The regimes in Moscow didn't care. What finally brought down the USSR, was the collapse of the price of oil brought on by a strong dollar shock in the late 1980s (by contrast they were doing far better economically in the 1970s and early 1980s as the price of oil was very high).

[1] https://www.brookings.edu/blog/brookings-now/2015/07/17/10-e...


The collapse of the USSR HAS to be a bit more complicated than that.


One of the common characteristics of an oppressive regime is that they already suffer financial consequences for their actions; sanctions, overseas account seizures, trade embargoes.

Hoping that they'll throw their hands in the air and give-up instead of blocking AWS etc is naive. The people making the decision don't suffer the consequences as do their subjects.


You ignore the many times that financial pressure has worked. The best example is Iran and the Iran deal.


Why should Amazon be dragged into Signal's fight without their consent?


Sure, but the point is that Amazon is not consenting to being a bargaining chip in this manner. If you're in control of a site, and you want to say, "If you block them, my site will be blocked too, in solidarity," that's just fine. But it would be pretty awful for you to involve me in that, as well, if I don't wish to be part of it.


Right, and them taking that stand isn't what most of their customers want from them. "We don't want to make political points in other countries, we're just here to sell ads" is the generic corporate position.


I think most of their customers don't know about the situation, and would prefer that their sites remain up.


I'm from the US, sometimes self-referred to as the land of the free, and it's not easy for me to move to a different country.

Imagine how much worse it would be if it was under an oppressive regime, with strict internet censorship.


What country are you from and how old are you? I find it incredible anyone could be so naive about how oppressive organizations operate.


China did this and it just caused every major service to be recreated for Chinese users on their side of the internet.


China is huge compared to those other oppressive regimes out there.

Also, AFAIK, China hasn't been able to recreate GitHub. Since GitHub is HTTPS-only and China needs it enough to not block it, a lot of censorship circumvention tools are available in China through GitHub.


It also forces the poor domain owner who is being fronted, in this case SOUQ.COM, to absorb a huge Route 53 bill for all of the DNS queries that are originating from Signal users. Not fair at all.


Souq.com is owned by Amazon.


That's exactly why domain fronting works. It forces the blocker to block a major domain, which would be considered too much collateral damage.


Telegram has some pretty interesting ideas wrt censorship circumvention. I.e. you can still use Amazon, Google, Microsoft as an unblockable side channel to deliver proxy settings, same way domain fronting relies on them. And you can sponsor other people to setup proxies, making it hard to detect and suspend accounts used for censorship circumvention on Amazon and other hosting companies.

As a side channel, DNS over HTTPS still works even with TLS to google.com and then putting Host: dns.google.com into the header. Frequent updates to applications and push notifications can be used as side channels too. You can also register a bunch of domain names ahead of time using a hash of the current day, month and year, and then let the app generate domain names to query on the fly and query them over normal DNS. The censor would need to reverse engineer the app to figure out the domain generation algorithm.

To make proxies hard to enumerate, you can shard the mapping of ids/phone_numbers to proxies in such a way that each id receives multiple proxies using multiple different sharding schemes. This not only makes it harder to enumerate, but also lowers the chances of someone else obtaining the same set of proxies as the censor and rendering the app unusable. Changing IPs then forces the censor to chase you, but never really catch you to censor the app.

But I do think building a peer-to-peer network instead of proxies is a better idea for circumvention.


Given it's an open source app, it should be reasonably easy for the censor to reverse engineer the algorithmically generated domains. Frequent tiny updates would be an interesting solution though. Now that most mobile apps can deliver just deltas to save bandwidth it'd be viable.


I realize now that it's possible to even dynamically deliver the bytecode of a domain-generating algorithm itself, or pretty much any circumvention logic, by embedding a tiny interpreter into the app.


You don't need to deliver bytecode, just a new seed for the algorithm. Even 64 bits is more than sufficient to ensure that they can't enumerate all possible seeds.


Seeds don't impose human costs of reverse engineering though. Which could be important in some cases, since we are up against state actors.

But yeah, having seeds sharded per id/phone_number same way I proposed above could make it pretty much unblockable.
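The three ideas in this subthread (a date-seeded domain generation algorithm, a pushed seed rather than the algorithm as the secret, and per-id proxy sharding) as an added example that is not part of the original thread and is not Telegram's or Signal's code. The seed, the `.example` TLD and the 203.0.113.0/24 proxy addresses are constructed placeholders, and the sharding (an independent keyed ordering of the pool per scheme, with each user taking a small window from each) is one possible realisation of what the comment sketches, not a description of any shipping client. The last function simulates the enumeration attack: a censor registers some accounts, blocks whatever it is handed, and we measure how many other users still have a live proxy.

```python
import base64
import datetime as dt
import hashlib
import hmac
from typing import Iterable, List, Sequence

# Added example, not Telegram's or Signal's code. SEED, the ".example" TLD and
# the 203.0.113.0/24 proxy addresses are constructed placeholders.


def _prf(seed: bytes, *parts: str) -> bytes:
    """Keyed PRF: the seed, not the (open source) algorithm, is the secret."""
    return hmac.new(seed, ":".join(parts).encode(), hashlib.sha256).digest()


def daily_domains(seed: bytes, day: str, count: int = 8, tld: str = "example") -> List[str]:
    """Domains the client tries on `day` (ISO date). The operator pre-registers the
    same list, so both sides need only the seed and a roughly synchronised clock."""
    names = []
    for i in range(count):
        label = base64.b32encode(_prf(seed, "domain", day, str(i))[:10]).decode().lower()
        names.append(f"{label}.{tld}")
    return names


def registration_batch(seed: bytes, start: str, days: int, **kw) -> List[str]:
    """Operator side: every name to register for the `days` days from `start`."""
    first = dt.date.fromisoformat(start)
    out: List[str] = []
    for d in range(days):
        out.extend(daily_domains(seed, (first + dt.timedelta(days=d)).isoformat(), **kw))
    return out


def proxies_for(user_id: str, proxies: Sequence[str], seed: bytes,
                schemes: int = 3, per_scheme: int = 2) -> List[str]:
    """Per-id sharding: each scheme is an independent keyed ordering of the pool and
    the user takes a small window from each. Enumerating from one account reveals at
    most schemes*per_scheme proxies, and two users rarely receive the same set."""
    chosen: List[str] = []
    for s in range(schemes):
        ring = sorted(proxies, key=lambda p: _prf(seed, "ring", str(s), p))
        start = int.from_bytes(_prf(seed, "user", str(s), user_id)[:4], "big") % len(ring)
        for k in range(per_scheme):
            p = ring[(start + k) % len(ring)]
            if p not in chosen:
                chosen.append(p)
    return chosen


def fraction_still_connected(users: Iterable[str], proxies: Sequence[str], seed: bytes,
                             censor_accounts: Iterable[str], **kw) -> float:
    """A censor signs up `censor_accounts`, blocks every proxy handed to them; what
    share of `users` still has at least one live proxy afterwards?"""
    blocked = set()
    for acct in censor_accounts:
        blocked.update(proxies_for(acct, proxies, seed, **kw))
    users = list(users)
    alive = sum(1 for u in users
                if any(p not in blocked for p in proxies_for(u, proxies, seed, **kw)))
    return alive / len(users)


if __name__ == "__main__":
    SEED = b"constructed-seed-rotate-via-push"     # rotate by pushing a new seed, not new code
    POOL = [f"203.0.113.{i}:443" for i in range(1, 33)]
    USERS = [f"+1555010{i:04d}" for i in range(500)]
    print(daily_domains(SEED, "2018-05-01", count=3))
    print(proxies_for(USERS[0], POOL, SEED))
    print("share still connected after 10 censor accounts:",
          fraction_still_connected(USERS, POOL, SEED, USERS[:10]))
```

Rotating the seed changes every generated name and every proxy assignment at once, which is the "just a new seed" point made above; the cost is that the operator must re-register the next batch of domains under the new seed before the clients switch.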


Doesn't Apple explicitly get irritated when you do this kind of thing?


Apple prohibits certain things but interpreters are not one of those. See Pythonista and OpenTerm as examples:

https://itunes.apple.com/us/app/pythonista-3/id1085978097?mt...

https://itunes.apple.com/us/app/openterm/id1323205755?mt=8


Yeah, but as far as I know, loading code into said interpreters in a way that bypasses their code review process is a grey area.


This is nothing to do with censorship. AWS has many clients and does not want its network to be blocked because of a single customer. Tough for Signal but that's how it is when dealing with businesses (especially one that so many others rely on).

The same thing just happened with Telegram in Russia which explains the preemptive messages: https://arstechnica.com/information-technology/2018/04/in-ef...


Capitulating to foreign censors for business reasons has something to do with censorship.


Amazon has a ton of customers, at least a few of which like https://preemptivelove.org/ are also doing good things in these countries. It's not just Amazon that suffers, but Amazon's customers and everyone else downstream.


Preemptive Love is one of the most fearless organisations on the planet operating in the most dangerous places on the planet with little regard for their own safety. They constantly surprise me with the risks they are willing to take so that others might love.


Signal was hiding behind Souq.com which is owned by Amazon.


I'm sure Amazon will be ok. They'll probably have enough money even with the loss to run the servers for that site I think.


The point is that Signal isn't the only app being used for good in such countries. Amazon's bottom line will be ok, but the customers & users who live in the censored countries will no longer be able to access other important sites hosted by Amazon.


No, it doesn't. This is Amazon saying they don't wish to be a part of this dispute, which is entirely their right. It is not Signal's right to drag Amazon into the dispute against their will.


> they don't wish to be a part of this dispute,

Right, because of the risk of being blocked.

It is their right, but to say it's not motivated by a risk of censorship is pretty disingenuous.

(I have no horse in this race. I'm merely contextualizing the debate)


Amazon stepping away is literally the result of censorship working.

It's entirely their right of course.


They're not capitulating to anything... they're asking one of their customers to not break the terms of their service. Same scenario if someone was running crypto mining or bittorrent on the cloud.

It's not a single company here, thousands of businesses rely on AWS and don't want their service disrupted because of Signal.


The loss of domain fronting as a viable strategy means that it will be possible to censor Signal in areas where the service was previously working.


It's a warning to not break terms of service. The strategy still works, but it's against TOS of most hosts so it was never really viable.

Time to look for another option then, like any other technical challenge. I support Signal's work here but unfortunately we can't just enlist every other business to help (otherwise censorship wouldn't be much of a problem in the first place).


> "unfortunately we can't just enlist every other business to help"

But we should! Telex[1] and other solutions based on collateral freedom[2] have huge potential to disrupt censorship from the outside.

[1] https://telex.cc

[2] https://en.wikipedia.org/wiki/Collateral_freedom


Potential sure, but considering that unblocked companies already have access today, they effectively gain nothing by creating more friction, other than short-term disruption. It's not as simple as it sounds.


> Time to look for another option then

That's the plan. This is covered briefly in the second-to-last paragraph.

> so it was never really viable

Signal remained running for more than a year and a half in several countries that were actively trying to censor the service.


I wonder if that means AWS, Google, etc oppose measures like encrypted SNI, since it's more likely to get their entire IP range banned by authoritarian governments.


They are more likely to oppose encrypted SNI on the grounds it's not really possible.

How do you encrypt SNI for cold start? For a future connection, I could see how, but at that point you may as well simply do a resumption.


https://datatracker.ietf.org/doc/draft-ietf-tls-sni-encrypti...

... is the current state of work on this problem.

It's true that encryption (within the desirable parameters discussed in that ID) costs us a round trip, but it might be worth it for most of us most of the time.

Keep in mind the TLS you're using today for most sites has 2RTT setup, and we put up with that (if you have a modern browser and go to some major sites you end up using TLS 1.3 draft 23 and thus 1RTT)


Modern browsers (send ALPN) to sites with decent TLS 1.2 stacks (respond to ALPN, even if it's just to say http/1.1) get a 1RTT handshake on TLS 1.2 with TLS false start. TLS 1.3 is nice, but it's not required to get 1RTT.

The doc you sent is titled SNI encryption, but is really about tunneling a client hello through a proxy, and provides for the proxy to not send its own server hello, but only send the origin server's server hello. That's interesting, and should be useful for domain fronting and as a general purpose TLS proxy with fewer layers, but it's not really encrypted SNI.


In TLS False Start the client sends encrypted data to an unknown remote party. It hopes they're the intended recipient, but it won't actually know until it gets a reassuring Finished message which is too late. Now, if it isn't really the intended recipient the remote party doesn't have all the keys it should have. So cross fingers they can't decrypt the data they've been sent. But this is... less than ideal. It's a high price to pay for performance.

In TLS 1.3 that 1RTT completes the handshake so as the client we know who we're taking to.

That SNI draft is the result of interested parties coming up with a list of desirable properties for SNI encryption. If you have a better idea that satisfies those properties you absolutely should propose it.


I don't have a better idea, I don't think it's possible.

When a server has multiple identities to choose from, and the client has not previously communicated with it (and has no out-of-band information), as far as I can tell, either the SNI has to be in plain text, or it could be encrypted with an untrusted DHE key (which only eliminates passive detection).

Way upthread, bscphil wondered if [big companies] will oppose encrypted SNI to avoid having their IP ranges banned, but their business reasons don't really flow into a decision not to do impossible things.
