
Two of today's biggest cloud service providers are now blocking a technique called "domain fronting" that has been used by websites and applications to avoid government-based censorship, but also by malware to secretly siphon stolen data to covert servers.

The first one to drop support for domain fronting was Google, at the start of April. Tor developers were the first ones to notice that Google App Engine had stopped working with domain-fronted services on April 13.

A Google spokesperson told the media at the time that Google never officially supported domain fronting in the first place, and that recent changes in its infrastructure had resulted in the feature ceasing to work.

Amazon follows Google and bans domain fronting as well

But last week, Amazon, too, announced that it would drop support for the same feature.

"Domain fronting" is a technique that app and website developers have used in the past to fool censorship tools. The technique relies on using an intermediary cloud server as a proxy for the real website. Connections are initiated to the proxy server, and the user is redirected to the actual website in a subsequent step.

But despite its simple scheme, domain fronting has allowed websites and apps to evade ISP-level censorship and traffic inspection tools for more than a decade.
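The article summarizes the scheme as "connect to the proxy, get forwarded to the real site". In the usual implementation this means a TLS connection whose outer, visible name (DNS lookup and SNI) is the cloud provider's front domain, while the HTTP Host header inside the encrypted stream names the real destination; an observer who only sees the outer layer cannot tell the two apart. The following is an added detection example written for this page, not code from the article or from any of the providers or apps it names. It assumes a constructed proxy-log format in which a TLS-terminating proxy has recorded both the SNI and the Host header, and it flags records where the two disagree, which is the pattern both the censorship-evasion and the C&C use described here would leave.

```python
"""Flag SNI / Host-header mismatches (the domain-fronting pattern) in proxy logs.

Added example for this page. The log format below is an assumption: one
record per line, "<client_ip> <dst_ip> sni=<name> host=<name>", as a
TLS-terminating proxy might emit it. Sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample records (not from any real environment).
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 sni=www.cdn-example.com host=www.cdn-example.com
10.0.0.7 203.0.113.10 sni=www.cdn-example.com host=fronted.example.net
10.0.0.9 203.0.113.11 sni=static.example.com host=API.example.com:443
10.0.0.9 203.0.113.12 sni=- host=news.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sni=(\S+) host=(\S+)$")


@dataclass
class Finding:
    client: str
    dst: str
    sni: str
    host: str
    verdict: str  # "match", "same-site", "fronting-suspect" or "no-sni"


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot and an explicit port so names compare fairly."""
    name = name.strip().lower().rstrip(".")
    # "host:443" carries a port; a bracketed IPv6 literal is left alone.
    if ":" in name and not name.startswith("["):
        head, _, tail = name.rpartition(":")
        if tail.isdigit():
            name = head
    return name


def registrable(name: str) -> str:
    """Naive 'last two labels' approximation of the registrable domain.

    Production code should use the Public Suffix List; this heuristic is
    only here so the example stays self-contained.
    """
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def classify(sni: str, host: str) -> str:
    """Compare the outer (SNI) name with the inner (Host header) name."""
    if sni in ("", "-"):
        return "no-sni"  # no outer name recorded; cannot compare
    s, h = normalize(sni), normalize(host)
    if s == h:
        return "match"
    if registrable(s) == registrable(h):
        return "same-site"  # different hosts of one organisation; low concern
    return "fronting-suspect"  # outer and inner names belong to different sites


def scan(log_text: str) -> List[Finding]:
    """Parse every well-formed record and attach a verdict; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, dst, sni, host = m.groups()
        findings.append(Finding(client, dst, sni, host, classify(sni, host)))
    return findings


def suspects(log_text: str) -> List[Finding]:
    """Only the records an analyst would want to look at."""
    return [f for f in scan(log_text) if f.verdict == "fronting-suspect"]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.verdict:17} {f.client:10} sni={f.sni} host={f.host}")
```

The check only works where the Host header is visible, that is, on the provider's own edge or behind a TLS-terminating proxy that the defender controls. An ISP-level filter seeing just DNS and SNI cannot run it, which is exactly why the technique evaded such filters and why the fix described in the article had to come from Google and Amazon rather than from the networks in between.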

Domain fronting has been used by apps like Signal, Tor-to-Web proxies, the GreatFire service to bypass China's Great Firewall, and lots of VPN providers to hide their servers' real locations.

Domain fronting became popular with malware operations

But despite the technique's use by legitimate apps trying to skirt government-based bans, domain fronting had also slowly become quite popular on the malware scene, where cybercriminals had been using it to disguise the locations of command-and-control (C&C) servers and provide an extra layer of resiliency during law-enforcement takedown efforts.

The most famous use of domain fronting for a malware operation was by APT29, a cyber-espionage group suspected to be a branch of the FSB, one of Russia's intelligence agencies, according to cyber-security firm CrowdStrike.

[Figure: APT29's use of domain fronting. Source: FireEye]

In fact, Amazon cited the popularity of the domain fronting technique among malware operations as the main reason it decided to block its use on its infrastructure.

Based on the statements issued by both Amazon and Google, the banning of domain fronting has nothing to do with Russia's recent attempts to ban Telegram, during which Russia's communications watchdog ordered ISPs to block nearly 20 million IPs belonging to Amazon and Google's cloud services.

UPDATE: Shortly after this article's publication, the Signal team published a blog post revealing that Amazon has threatened to kick the IM app off its servers if it doesn't stop using domain fronting.
