Bad Decisions: Google Screws Over Tools Evading Internet Censorship Regimes

from the who's-fronting-now? dept

Just as places like Russia are getting more aggressive with companies like Google and Amazon in seeking to stop online communications they can’t monitor, Google made a move that really fucked over a ton of people who rely on anti-censorship tools. For years, various anti-censorship tools from Tor to GreatFire to Signal have made use of “domain fronting.” That’s a process by which services could get around censorship by effectively appearing to send traffic via large companies’ sites, such as Google’s. The link above describes the process as follows:

Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor. The key idea is the use of different domain names at different layers of communication. One domain appears on the ?outside? of an HTTPS request?in the DNS request and TLS Server Name Indication?while another domain appears on the ?inside??in the HTTP Host header, invisible to the censor under HTTPS encryption. A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage. Domain fronting is easy to deploy and use and does not require special cooperation by network intermediaries. We identify a number of hard-to-block web services, such as content delivery networks, that support domain-fronted connections and are useful for censorship circumvention. Domain fronting, in various forms, is now a circumvention workhorse.

In short, because most countries are reluctant to block all of Google, the ability to use Google for domain fronting was incredibly useful in getting around censorship. And now it’s gone. Google claims that it never officially supported it, that this was a result of a planned update, and it has no intention of bringing it back:

?Domain fronting has never been a supported feature at Google,? a company representative said, ?but until recently it worked because of a quirk of our software stack. We?re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don?t have any plans to offer it as a feature.?

As Ars Technica notes, companies like Google may be concerned that it could lead to larger blocks that could harm customers. But, as Access Now points out, there are larger issues at stake, concerning individuals who are put at risk through such censorship:

?As a repository and organizer of the world?s information, Google sees the power of access to knowledge. Likewise, the company understands the many ingenious ways that people evade censors by piggybacking on its networks and services. There?s no ignorance excuse here: Google knows this block will levy immediate, adverse effects on human rights defenders, journalists, and others struggling to reach the open internet,? said Peter Micek, General Counsel at Access Now. ?To issue this decision with a shrug of the shoulders, disclaiming responsibility, damages the company?s reputation and further fragments trust online broadly, for the foreseeable future.?

?Google has long claimed to support internet freedom around the world, and in many ways the company has been true to its beliefs. Allowing domain fronting has meant that potentially millions of people have been able to experience a freer internet and enjoy their human rights. We urge Google to remember its commitment to human rights and internet freedom and allow domain fronting to continue,? added Nathan White, Senior Legislative Manager at Access Now.

Google doesn’t need to support domain fronting, and there are reasonable business reasons for not doing so. But… there are also strong human rights reasons why the company should reconsider. In the past, Google has taken principled stands on human rights. This is another time that it should seriously consider doing so.

Filed Under: , , , ,
Companies: google

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Bad Decisions: Google Screws Over Tools Evading Internet Censorship Regimes”

Subscribe: RSS Leave a comment
Anonymous Coward says:

The Upgrade Police

Perhaps somewhat related is having to use Google’s cache to read Twitter posts, because a few days ago Twitter started redirecting certain people who try to access the main site (but not mobile version) to a new landing page, basically anyone whose browser’s self-reported specs are deemed insufficient to view the site (yet can view Google’s cached copy of those same Twitter pages just fine)

It makes me wonder if there any tools that can enable someone to spoof ALL browser settings (plugins, javascript, screen size, etc – not just user-agent) so as to avoid being actively blocked out of fussy sites?

Anonymous Coward says:

Wasn't the solution anyway.

Domain fronting is a hack. The issue is that traffic of all sorts and destinations should not be destinguishable based on type of service or, until the last hop, even the destination, PERIOD.

There are a lot of people trying to figure out how to make backwards compatible security solutions. You can’t do that if the problem exists at a lower level of the stack. Which it does.

The web is busted in ten thousand ways. TCP/IP is busted in just a few ways. Fix the latter, and the formers problems dwindle by an order of magnitude, just on the basis of mitigating leakage.

Anonymous Coward says:

Re: Wasn't the solution anyway.

The issue is that traffic of all sorts and destinations should not be destinguishable based on type of service or, until the last hop, even the destination, PERIOD.

That is what TOR provides, but even that relies on a valid address on the visible envelope, and trusted relay nodes. Would you trust the Telecoms sector to provide a secure TOR like system, as that is what you are asking for.

Anonymous Coward says:

Re: Re: Wasn't the solution anyway.

“Would you trust”

A fundamental design tenant of TOR like systems, is that trust of the carrier is not required. If it is or was required in any way, then the protocol design is by definition a failure. TOR does have some weakness’s as I understand it, and it has been a while since I looked at the spec. But the goal of TOR is achievable, even if TOR itself is not the solution.

You spend 1/3rd on building the thing, you spend 1/3rd operating it, and the last 1/3rd is spent preventing thievery. We should very much like it not to be so, because it adds a tremendous demand on computational resources. But it is so.

Since IPV4 and IPV6 have no mechanism for preventing thievery, they are failures in terms of providing their designed goal. Which was to deliver an inexpensive resilient communications system. While the network may be resilient against backhoes, it isn’t resilient against corruption. And without the resilience, it will eventually (and may have already) evolve into something that is more of a weapon than a facilitator of free interchange of ideas.

Anonymous Coward says:

Re: Re: Re: Wasn't the solution anyway.

A fundamental design tenant of TOR like systems, is that trust of the carrier is not required.

However if you widely available and fast TOR like networks, you need infrastructure on the scale of the carriers for its implementation.

As a general rule, if you introduce any broker or middleman into a secure system, you have to trust that they are not evil, or compromised. The certificate system suffers failures because of this, as do public key system if there is a key broker involved. The central problem being verification of who you are communicating with, and that requires direct public key exchange where the parties can verify each other identities as they exchange keys.

The certificate system, which is meant to be able to verify identity of the certificate user has been compromised on many occasions.

Anonymous Coward says:

Re: Re: Re:2 Wasn't the solution anyway.

“you need infrastructure on the scale of the carriers for its implementation”

I disagree. The first commercial Internet provider was a single leased T1 line. You don’t need administrative authority over layer 1 to start. You do need it over layer 3, with layer being 2 is debatable.

The remaining question is whether there is a market for semi-public capacity that isn’t shit-smudged by the current ISP environment. Which I think is more a question of “when” than “if”.

Anonymous Coward says:

Re: Wasn't the solution anyway.

Domain fronting is a hack.

There’s an IETF plan to standardize something like it.

Mike: there’s nothing that limits domain fronting to Google. If you think it’s a good service to provide, why not hide a Tor service on You’re not "too big to fail" like Google, but it’s something.

Anonymous Coward says:

Re: Re: Wasn't the solution anyway.

“There’s an IETF plan to standardize something like it.”

There are lots of incremental hacks that are being worked on in IETF working groups. Much of it is intended to extend the life of existing infrastructure.

Sometimes you can extend the life of infrastructure past its full depreciation point. Nobody really knows whether we are there yet. And we also don’t really know whether the market is calling for the next iteration of the lower levels of the stack.

But I’m better we are, and it is.

Anonymous Coward says:

oh please, you would be supportive if it was the good old US doing it. At least that’s what I’ve witnessed these past few years of “RUSSIA, TRUMP, NAZIS” hysteria the MSM has been pushing. Years ago it was the internet versus Congress and Media in the battle for free expression, now suddenly the users and companies themselves are begging the government for censorship against ‘FAKE NEWS’ ‘PROSTITUTION’ or ‘TROLLS’.

MDT (profile) says:

Timing argument is BS

I’m sorry, but this is a BS argument that Alphabet did this days after Russia broke part of it. It would take weeks of internal testing to fix something like this, you wouldn’t be able to throw it in a production environment as big as Alphabet’s without extensive testing. And that would take weeks.

This is almost certainly (99.999999% likelyhood) either exactly what they say it is, a planned rollout with changes for security reasons, or it has to do with something that happened months ago (SESTA/FOSTA or some security issue that popped up internally last year and wasn’t broadcast by Alphabet because they didn’t want people swooping in and exploiting before it could be fixed).

I’m not saying Alphabet is all rainbows and unicorns, they’re a corporation, and they will screw you over for their bottom line, but I work in tech and you can’t toss out something on a production environment this big in a few day developing it from scratch.

I will grant that they may have had it in the pipe and moved it up in response to Russia, but caused by Russia? Extremely unlikely.

Anonymous Coward says:

Re: Timing argument is BS

I will grant that they may have had it in the pipe and moved it up in response to Russia, but caused by Russia? Extremely unlikely.

Who’s making that argument?

What I’m inferring is that Google was worried about overly broad blocking, and Russia and China provide some examples of this.

Ninja (profile) says:

Google is a company. Even if it says it won’t be evil there are always the profits, the shareholders to please.

If society isn’t willing to boycott companies for decisions that aren’t good (for lack of a better word) then we have to just eat it. We should have imposed financial punishment when they bowed to China censorious pressure, when they accepted working with tyrannical regimes (ie: Federation Internationale de l’Automobile when they took their busines to Bahrein) etc etc.

I’m also guilty of it to some extent even though I have been trying to do my best. I stopped buying from companies that have been caught using slave labor for example. Some are easier to avoid, others are much harder.

Anonymous Coward says:

Google's decision

While I get that domain fronting did help people defeat censorship, it’s main use was hiding C&C malware traffic. Need to tell that botnet to DDoS company X, have them check a google site that redirects to bad guy A. It’s not just Google having the issue either, many companies in the content delivery space are vulnerable or available to use.
A good article here on the problem:

Anonymous Coward says:

Re: Google's decision

Need to tell that botnet to DDoS company X, have them check a google site that redirects to bad guy A.

So that leaves only the other 1000 Google services that can do the same thing. Post your target on a Google Docs spreadsheet, a Google Plus post, on some page indexed in the Google search engine or cache…

Anonymous Coward says:

by design, Google would be liable now

The way this was working, it made traffic appear to come from Google… with the new laws any ‘facilitation of communication’ related to XYZ (kiddie porn, human trafficking, rainbow unicorn poop, take your pick) they could be sued and potentially held liable.

They didn’t originate the communication, they may not have been the end point, but their system allowing domain fronting could have been held to have been facilitating in the communication.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...