Amazon has made a small but important security change to its CloudFront content delivery network (CDN) that’s designed to prevent people from adding domains they don’t own to their CloudFront distributions and receiving some of the traffic meant for that domain.

Until yesterday, CloudFront customers could add an alternate domain name to their distributions without having to prove that they owned that domain. That meant anyone could add a domain they did not own to their own distribution and then receive a fraction of the traffic that should have gone to the domain’s legitimate owner. On Monday, Amazon instituted a policy change that requires anyone adding an alternate domain to attach an SSL certificate for that domain to their distribution in order to prove that they have ownership of the domain.

“CloudFront’s process to validate a customer’s right to use an alternate domain name builds on the already established and trusted checks in place for obtaining a certificate. No one can obtain a valid SSL/TLS certificate without first proving that they own the domain by either entering a unique entry into their DNS records, or validating the request for the certificate via email to the domain owner. Rather than having customers go through a redundant process to re-validate their ownership, CloudFront will now simply require that a certificate be attached to that distribution when adding an alternate domain name to the distribution,” Woodrow Arrington, a senior product manager on Amazon’s CloudFront team, said.

“For example, let’s say you own the domain foo.com and want to receive your web traffic on a CloudFront distribution with the alternate domain name www.example.foo.com. Let’s also assume you obtained a new certificate from ACM. In order to add this alternate domain name to your distribution, your certificate would need to either list the exact match www.example.foo.com or *.example.foo.com. It is important to note that wildcards will only cover the alternate domain names at that same level and not anything at levels lower or higher than the wildcard.”
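The matching rule Arrington describes (an exact name matches only itself; a wildcard covers names at its own label depth and nothing deeper or higher) is easy to get wrong when planning which certificate to request. The following Python is an added example, not Amazon's validation code or anything published by AWS: it models that rule so an operator can pre-check, offline, which of the alternate domain names on a distribution a given certificate's names would cover. The function names and the sample names in it are hypothetical; the domain names are the ones from the quote above.

```python
"""Model of the CloudFront alternate-domain coverage rule described in the article.

Added example (not AWS code). It checks whether a certificate's subject
names (exact or wildcard) cover each alternate domain name an operator
intends to attach to a distribution, using the rule as stated on the page.
"""
from typing import Dict, Iterable, List


def _labels(name: str) -> List[str]:
    """Normalize a DNS name to lowercase labels, dropping a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def cert_name_covers(cert_name: str, alt_domain: str) -> bool:
    """Return True if one certificate name covers alt_domain.

    Rule from the article:
      * an exact name (www.example.foo.com) covers only that exact name;
      * a wildcard (*.example.foo.com) covers names at the same label depth
        only (www.example.foo.com), never deeper ones (a.b.example.foo.com)
        and never the parent itself (example.foo.com).
    """
    cert = _labels(cert_name)
    alt = _labels(alt_domain)
    # Reject empty names and names with empty labels such as "a..b".
    if any(label == "" for label in cert + alt):
        return False
    if cert[0] == "*":
        # Only a leftmost, whole-label wildcard with at least one more label
        # is accepted; "*" alone or "*.*.foo.com" is not a usable cert name.
        if len(cert) < 2 or "*" in cert[1:]:
            return False
        # Same depth, and every label right of the wildcard must match.
        return len(cert) == len(alt) and cert[1:] == alt[1:]
    # Partial wildcards such as "w*.foo.com" fall through to an exact compare
    # and therefore never match.
    return cert == alt


def cert_covers(cert_names: Iterable[str], alt_domain: str) -> bool:
    """True if any of the certificate's names covers alt_domain."""
    return any(cert_name_covers(name, alt_domain) for name in cert_names)


def check_distribution(cert_names: Iterable[str],
                       alternate_domains: Iterable[str]) -> Dict[str, bool]:
    """Map each intended alternate domain name to whether the cert covers it."""
    names = list(cert_names)
    return {domain: cert_covers(names, domain) for domain in alternate_domains}


if __name__ == "__main__":
    # Constructed sample: a certificate from the quote's scenario and the
    # alternate names an operator might try to attach.
    sample_cert_names = ["*.example.foo.com"]
    sample_alternates = ["www.example.foo.com",  # same level: covered
                         "a.b.example.foo.com",  # one level deeper: not covered
                         "example.foo.com"]      # parent: not covered
    for domain, ok in check_distribution(sample_cert_names, sample_alternates).items():
        print(f"{domain:24} {'covered' if ok else 'NOT covered'}")
```

Run it before requesting a certificate to see which alternate domain names the names on that certificate would actually satisfy; a name that comes back as not covered needs its own entry on the certificate, since the wildcard will not reach it.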

The change by Amazon follows a related move the company made last year, when it ended the practice of domain fronting on CloudFront. Domain fronting is a technique that some app developers and domain owners use to hide the true hostname from anyone observing network traffic. Developers typically use CDNs for domain fronting, and the technique is often used to evade censorship in countries with repressive regimes where network-level surveillance is commonplace.