Photo : Getty

A recent change to Google’s App Engine will discontinue a practice called domain-fronting, an essential technique used by dozens of internet freedom tools designed to allow users to work around state-level internet censorship.


The update in Google’s network architecture, first spotted by developers of privacy-minded web browser Tor and reported by The Verge, removes an approach counted on by services like encrypted messaging platform Signal, anti-Chinese censorship tool GreatFire.org, and VPN services offered by Psiphon.

Domain fronting is used to bypass censors by hiding the true endpoint of a connection. Instead of allowing a service to directly communicate with a server, allowing for the potential that state-level internet censors might identify and block the connection, the request is forwarded through an innocuous domain or IP address range—in this case, Google App Engine. This allows services that would otherwise have their traffic blocked skate under the censors by appearing to come from Google.


Peter Micek, General Counsel for Access Now, told Gizmodo domain fronting “kind of turns your internet traffic into a corn dog.” According to Micek, the process makes it appear to a censor that you’re eating fried dough on a stick but on the inside, “you know it’s a different story, because you’re enjoying a much tastier, protein-packed delight that may be illicit in your jurisdiction.”

A spokesperson for Google told Gizmodo that domain fronting has never explicitly been allowed on its platform. “Domain fronting has never been a supported feature at Google, but until recently it worked because of a quirk of our software stack,” the spokesperson said. “We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”

The decision to close the loophole that allowed anti-censorship tools to operate leaves the services searching for a new provider to work with. Micek said domain fronting should still be possible through other platforms that redirect traffic, but noted “censors innovate, and the list of blocked services grows, along with suspicion of the big Western internet platforms. There will be fewer big platforms left for the open internet tools to piggyback on.”



The number of viable options are already dwindling. Ars Technica reported Cloudflare also does not support domain fronting. Company CEO and co-founder Matthew Prince told Ars Technica allowing the technique would “put our traditional customers at risk as it would mask banned traffic behind their domains.”


Criticisms of the workaround are not without basis. While domain fronting has been adopted by dozens of tools used to mitigate state-sponsored internet blockers and was described in the journal Proceedings on Privacy Enhancing Technologies as “a versatile censorship circumvention technique,” it is a technology that can also be used by malicious actors. A report last year by cybersecurity firm FireEye found the Kremlin-linked hacker group Cozy Bear used domain fronting to steal data from Tor users.

Despite the possibility of abuse, digital rights organizations are pushing for Google to reverse its decision and once again allow domain fronting.




“Google could end online censorship everywhere, in the blink of an eye, if it wanted,” the operators of anti-censorship group GreatFire.org said on Twitter. “It’s frustrating to see half-hearted efforts come out of Jigsaw and now this.”

“Google knows this block will levy immediate, adverse effects on human rights defenders, journalists, and others struggling to reach the open internet,” Micek said in a statement. “To issue this decision with a shrug of the shoulders, disclaiming responsibility, damages the company’s reputation and further fragments trust online broadly, for the foreseeable future.”


It seems unlikely that Google would go back on its decision at this point. Domain fronting used to be a “quirk” of the company’s services. To reinstate it would essentially make it a feature. That would be welcomed by the many invaluable tools that help keep the internet open for people operating under oppressive governments but would open Google up to scrutiny from those same regimes, as well as from services that could be harmed by malicious domain fronting operations. It’s not clear the company has any interest in taking up those fights.

Update, April 19, 8:20pm: This post has been updated to include additional information from Access Now.




[The Verge, Ars Technica]

