Senators Wyden & Rubio Ask Google And Amazon To Bring Back Domain Fronting
from the it's-important dept
Earlier this year we wrote about the bad decisions by both Google and Amazon to end domain fronting. Domain fronting was a (somewhat accidental) way in which services could effectively hide certain traffic to make it quite difficult for, say, authoritarian regimes in Iran or China to block the traffic. For that reason, domain fronting was an important tool in keeping services like Signal’s encrypted communications platform working for activists and dissidents in such places.
Amazon and Google claimed that they never intended to allow domain fronting, and that while it helped those services work in such places it might also lead to much broader blocks by those countries trying to get at the fronted communications. Now, in an interesting move, Senators Ron Wyden and Marco Rubio have sent both companies a letter asking them to reconsider.
Both your companies have benefited enormously from the free and open internet protected by the United States and its allies. Indeed, your previous role in facilitating these internet freedom tools by permitting domain fronting was neither a mistake nor a secret. Senior Google officials have publicly referenced traffic obfuscation with admiration and support. Moreover Google even contributed financial resources to advance research in the field. This technology was a central part of an internet freedom agenda that your companies (and the technology industry more broadly) promoted as a part of its public image.
Regrettably, your recent decision to ban the practice of domain fronting will prevent millions of people in some of the most repressive environments including China, Iran, Russia and Egypt from accessing a free and open internet. Dissidents, pro-democracy activists, and protesters living under authoritarian regimes need access to secure communications enabled by domain fronting techniques to stay safe and organize.
Governments with anti-democratic agendas may put significant pressures on technology companies to help enable their censorship and surveillance of the internet. American technology companies, which have flourished in our free and open society, must join in the effort to resist such pressure. While this may seem like a reasonable business decision in the short term, it will ultimately do far more harm to your companies and the network of which you have been a core part.
The letter then presents two specific questions the Senators would like the companies to respond to:
1. What steps did your companies take, prior to prohibiting domain fronting, to determine whether it was possible to prohibit its use by malicious actors, while still permitting positive uses, including U.S. government-supported internet freedom tools?
2. After deciding to take action to limit the use of domain fronting, what efforts, if any, did your companies take to minimize the disruption to U.S. government-supported internet freedom tools and platforms relied on by human rights activists, journalists, members of faith communities and civil society groups? What steps have your companies taken, or do you plan to take, to mitigate the effect that your decision to end domain fronting has had on internet anti-censorship tools and platforms?
It’s good to see these Senators speak out against both Google and Amazon on this move. Hopefully it leads both companies to reconsider their decision on this one.
Filed Under: activists, authoritarian regimes, censorship, communications, domain fronting, marco rubio, ron wyden
Companies: amazon, google, signal
Comments on “Senators Wyden & Rubio Ask Google And Amazon To Bring Back Domain Fronting”
The direction we are headed
It is disappointing, but understandable, that they left out the USofA. When is too soon to classify the US as repressive?
It will be too late at some point.
Ron Wyden gets it
…he always has.
It will be sad when he’s gone and there’s nobody there to speak for those of us who care about privacy, protections, rights, and freedoms. (Grandstanding aside.)
E
Re: Ron Wyden gets it
There are two ways to look at this.
The first is hope. Hope that someone with integrity will run for office and disguise that integrity long enough to gain office.
The second is to change the system. Get rid of parties, get rid of money in politics (let anyone, not just the rich or connected run), change the way lobbying works. We cannot get rid of lobbying, but we can ‘adjust’ laws so that any money (any free lunch or flights or contributions, or considerations from third parties or…etc.) part of lobbying is considered bribery, and aggressively prosecuted (I know, chicken or egg).
I know I have been plugging that second choice for quite a while, but it really seems like the only way out. Now, how do we get there?
Re: Re: Ron Wyden gets it
Based on Citizens United, we might need a constitutional amendment at this point. Start bugging your state representatives to do it.
Re: Re: Re: Ron Wyden gets it
I am not so sure that an amendment is necessary. Look to the Election Commission where the concept of money is speech started. They could make the change. Getting them to do so is the problem. Politicians are happy with the current state of affairs and stack the Election Commission to continue the current status quo. But current politicians are dependent upon that ‘free’ money to get reelected, or their own personal bank accounts. And power has certain attractions, for the weak and maybe for everyone without the requisite level of integrity, and they face not being reelected.
The issue of a constitutional amendment bears the same problem. Those in office benefit from the current system, and it would take integrity and a personal commitment to democracy, as pure as a republic can get to pure democracy, to overcome the current situation. Even for those inclined, the strings pull from various directions.
Now how do we get there, without violence?
Re: Re: Re: Ron Wyden gets it
That’s all we need, screwing things up even more.
Re: Re: Ron Wyden gets it
How?
Freedom of association explicitly allows the existence of political parties.
Re: Re: Re: Ron Wyden gets it
One possible method would be to end the practice of “running as a Republican” or “running as a Democrat” – basically, candidates could only officially run under their own names and on their platforms. Political parties will form, but one could possibly take steps to make sure that they are strictly community things. Something like this would take some serious thought to implement, and may not even be feasible.
I can think of a couple of easy, immediate steps, though:
1) Remove the ability for someone to vote by party. Those checkboxes on ballots that let people just say “vote Republican” or “Vote Democrat” can go away.
2) On the Ballot, none of the candidates for anything can be listed alongside their party. It’s similar to the first paragraph, but this one’s easy enough to implement. Ballot just has the names.
3) Candidates are listed on the ballot in alphabetical order, or random assignment.
This would remove a lot of the official recognizance of there being “two parties.” People going to vote can no longer just vote by the party without thinking about it – if they do want to vote Republican or Democrat, they have to know which candidates are which.
Sure, in a Presidential election everyone will know which is which, but there’s a lot of party-based voting for less heavily publicized positions as well.
Re: Re: Re:2 Ron Wyden gets it
The random slot assignment is needed anyway: It’s already been proven that the higher your name is on the list, all things being equal, the more likely you are to get the vote. Though this leads to other issues, I suppose.
Re: Re: Re:2 Ron Wyden gets it
“One possible method would be to end the practice of “running as a Republican” or “running as a Democrat” “
Which basically just turns the parties into the biggest and best-funded PACs in the country. I’m not sure what would change.
Re: Re: Re:3 Ron Wyden gets it
I don’t know exactly what would change, either. I can say that I’m tired of people identifying by party. If it could be implemented, an outright official injunction against presidential candidates labeling themselves as “the <Party> Candidate” would send a message of contempt for party politics – and yes, this could also have the opposite effect of what I want.
Mostly what I want is a wider-spread societal distaste for leaders of the whole nation who would dare subscribe to divisive politics. “Oh, that candidate identified as a Republican/Democrat/Green Party, he’s an asshole.”
A pipe dream – but on the other hand, I can just start treating every politician that way and see how people around me react.
Re: Re: Re:4 Ron Wyden gets it
Proportional representation may well be the answer you’re looking for.
Re: Re: Re: Ron Wyden gets it
Remove the rules in Congress that purport a majority and minority standing. I have no problem with parties, so to speak. I have a problem with them having power greater than the electorate. Let them exist, take away any power they have to control candidates for election or to control legislation on a party basis.
This is not a new idea and we might listen to our first President as well as some who went before him. We have a long history of ‘partisanship’ where there should have been anti-partisanship, except for party loyalty, which leads to political support and reelection. I recommend reading that Wikipedia page to better understand what was thought about political parties when our nation was formed. Pay special attention to George Washington’s farewell speech, after he had some experience with parties.
Political parties are not constitutionally demanded, and while they could continue to exist, there is ample opportunity to reduce, or better yet eliminate, their control over our system. The problem is how to get people with power (and likely addicted to) to give up their power, for the good of the nation.
Re: Re: Re:2 Ron Wyden gets it
That’s a good answer, but it seems to me that what you meant wasn’t actually “get rid of parties” so much as “reduce the power of parties.” That’s something I think most of us can probably get behind.
I’d add ranked-choice voting as an obvious way to reduce the power of the two major parties.
Re: Re: Re:3 Ron Wyden gets it
I have reviewed a video about ranked-choice voting, and while the concepts are still a bit hazy for me, I don’t disagree with the concept.
That idea has the same problems as others I have espoused, how to get them implemented. Getting one’s foot in the door (so to speak) and getting entrenched politicos to give up their ‘power’ is what is at issue.
Getting ‘rid’ of parties, to me, is the same as removing their power. Power not given from the Constitution. Letting like minded people talk to each other is not part of what I think about when considering the issue. Letting them take a ‘majority’ position in Congress and allow or not allow legislation to the floor for a vote (for example) is. Or putting a particular candidate up for election. Or to hold ‘national conventions’ that determine who is on the ballot. These and other things are what takes ‘belonging’ to a party beyond ‘like people communicating with each other’. That control that seeped in, over time, and is wrong.
Re: Re: Re:4 Ron Wyden gets it
My idea of the least-resistance way to get ranked-preference voting (especially the forms with the least remaining susceptibility to things like strategic voting and the spoiler effect) implemented is to start from the bottom up.
In a smaller-scale election system, such as one for school board or city council, there are fewer people who need to be persuaded, so it’s easier to meet with enough of them and explain the matter well enough to convince them on an individual basis.
Once the system is in use at that lower level, you have something to point to as a reference, in trying to convince people at the next level up – county elections, for example.
Then as the system expands at lower levels, use that as support to argue for implementing it at the state level.
Then once enough states are using it, use that as support to implement it for federal elections – which, by the way ranked-preference voting functions, would probably require eliminating the electoral college. (And therefore would require a constitutional amendment.)
That way, even if the attempt to push it up the stack fails (whether permanently or temporarily) at some point in the process, in some part(s) of the country, you still have some of the benefits of ranked-preference voting within those smaller scopes.
Re: Re: Re:3 Ron Wyden gets it
Rather than voting upon a “cult of personality” why not vote upon the issues?
Rather than congress trying to sell a bill that answers all questions (and lines all pockets), why not introduce bills that only do one thing and vote them up or down based solely upon its merits.
… and then there is corruption – with this in play, all bets are off.
Re: Re: Re:4 Ron Wyden gets it
This sounds similar to single-subject rules found in many state constitutions. An amendment is also being worked on by a 527 superpac among others.
Re: Re: Re:5 Ron Wyden gets it
Voting on the issues? Wedge issues? That happens now. It’s why the political spectrum has gone so far to the right. The GOP is chasing right wing nutter votes and the Dems are trying to pick up disaffected Republicans as well as the progressives.
Re: Re: Ron Wyden gets it
Here in the UK election spending is controlled and parties are “given” the same amount of TV time. They can’t buy more and just simply advertise though I guess the bigger ones can make more slick and memorable broadcasts.
And once in they have to register interests including “gifts” received and from whom and there are rules about what they can accept.
I don’t think you can ever get rid of parties but even here I would like people to think more and vote for persons (who may represent a party) that will best represent them and those persons should be able and willing to go against their party where conscience or local needs require it.
Re: Ron Wyden gets it
I agree that Wyden is very unusual in his combination of advocacy and technical literacy. But I like to think we’ll have other advocates in his mold.
Ted Lieu in the House has a pretty good record on civil liberties, plus a BS in CompSci.
Re: Re: Ron Wyden gets it
I like the idea of Lieu running for president. Cory Booker for Veep?
Domain fronting is a security issue domestically.
Domain fronting can be used to hide traffic origins from evil government censors, but it is also used to hide traffic origins to aid criminals, including hiding command and control servers for botnets. Congress should not be telling Google and Amazon to let traffic disguise itself from security measures that protect us from malicious domains.
https://gbhackers.com/domain-fronting-a-new-technique-for-hiding-malware-command-and-control-c2-traffic-within-a-content-delivery-network/
Re: Domain fronting is a security issue domestically.
You must also be in favor of encryption backdoors. You’re willing to give up something good simply because it can also be used for bad. Perhaps you should also give up your car, your guns (if you have them) and your money.
Re: Re: Domain fronting is a security issue domestically.
Domain fronting is specifically about hiding the true origins. It isn’t needed for legit issues (other than, perhaps, hiding from evil government censorship) which is why Google and Amazon have dumped it. Whereas encryption is vital and fundamental to internet enabled commerce and other key uses. The two are not analogous.
Re: Re: Re: Domain fronting is a security issue domestically.
It’s about hiding the destination; it does nothing to hide the origin.
Re: Re: Re:2 Domain fronting is a security issue domestically.
Internet communications are largely bi-directional (e.g. I send this post to the Techdirt server, said server responds. One packet (or group thereof) has my IP as its origin, the other has it as its destination). Domain fronting hides one end of the conversation; which it is is mostly pedantic.
Re: Domain fronting is a security issue domestically.
Encryption can be used to protect the privacy of individuals from unreasonable search and seizure, but it is also used to hide information that aids criminals, including hiding illicit images and communications. Congress should not be telling Google and Apple to let encryption prevent us from finding and punishing criminals.
Re: Domain fronting is a security issue domestically.
They used domain fronting because it was there, not because it was particularly helpful. They could hard-code a set of IP addresses, or use BitTorrent trackers or distributed hash tables, or take advantage of blockchains, or put stuff on Github or Pastebin….
Encryption’s only going to improve. There’s ongoing work to encrypt DNS lookups (DNS over HTTPS) and encrypt the hostname during TLS/HTTPS negotiation (“encrypted SNI”).
So, Google to be used for societal good, NOT just gain money?
Contradicts your assertion that “platforms” are “persons” having “First Amendment Rights”, including to deny service to anyone for any reason or none. — BUT NOW, you believe that Google should be compelled to what’s arguably “speech”, possibly against its own views, eh?
Your usual consistency: ZERO.
Re: So, Google to be used for societal good, NOT just gain money?
Supporting free speech means I support your right to speak your opinion. It does not mean I will not oppose your opinion, or the decisions you have made.
Re: Re: So, Google to be used for societal good, NOT just gain money?
It is funny to watch the confusion set in when this point finally begins to be understood by some folk as they were sure they had a right to not be subjected to counter arguments – aka fake news.
Google and Amazon have developed a taste for authoritarian cock.
Don’t expect them to spit it out any time soon.
Re: They are going to have to take turns with ol blue there.
I’m a bit confused here. Wyden and Rubio just asked AWS and Google Compute to become cops of all hosted content on their services.
This sounds a lot like asking for YouTube’s ContentID on their hosted services.
Re: Re:
What? They asked about the steps these companies took; they didn’t ask them to prohibit “malicious” use, or even (contrary to the headline) to bring back domain fronting. The only requests were to answer some questions and to reconsider (because it harms the US government’s efforts to promote free speech).
Wyden and Rubio Together?
As a Florida resident it feels weird and surprisingly refreshing to see my right wing junior Senator teaming up with one of the most respected liberal voices in the federal government. I can’t recall another time he’s ever reached across the aisle.
Re: Wyden and Rubio Together?
I don’t care why Rubio did the right thing, I’m just glad he did.
“Both your companies have benefited enormously from the free and open internet protected by the United States and its allies”
Would this “free and open internet” be before or after Google pays the $5 billion to an ally.
Re: Re:
The fuck does that have to do with the price of tea in China?
To a sufficiently ignorant observer, any technology is...
Q: What steps did you take to determine whether it was possible to prevent bad people from using this tool, while still allowing good people to use it?
A: That seems obviously impossible, and we don’t remember taking any “steps” to verify that. Why? Do you know something we don’t? Please, if you know a way to do it, tell us! If it works we’ll admit you’re better engineers than we are, and give you stock options and gold medals and your pictures will be on every front page. Seriously, why do you politicians keep asking this question, about every new tool we invent? The answer is that we don’t see any way to do that, so will you please stop blaming us for all human evil, and telling us to look harder?
Re: tl;dr
We’re not just talking about encryption here. Domain fronting relies on the CDN (in this case Google or Amazon) reading the destination — a site on the same CDN — from the HTTP header and redirecting to it.
The CDN — let’s say Google, for example — knows where the traffic is coming from and where it’s going; in fact, it’s going to one of Google’s customers.
Now, the traffic is encrypted, and Google doesn’t know what’s in it and what its ultimate destination is. That much is true. But as I understand it, the reflector knows where the traffic is going.
So Google has an option for an administrative fix: require any client running a reflector to agree to blacklist certain destinations. You couldn’t stop all "bad guy" traffic, but you could block major "bad" sites. And it should be simple enough for Google to test whether its customers were complying.
The question is whether this would be desirable. Blocking major criminal sites would merely force people looking for criminal sites to less well-known ones (much as SESTA has pushed sex trafficking underground). And of course who gets to decide what sites to blacklist? Once Google introduces a blacklist mechanism, every oppressive regime is going to demand Google blacklist the sites it doesn’t like, which would defeat the purpose.
I think I agree with you that there’s no good solution to the "let the good guys in but keep the bad guys out" question. But I think that’s more for political and administrative reasons than technical ones.
Re: Re: tl;dr
You don’t understand it at all. There’s no “CDN” involved as most people understand the term. And “recursor?” It’s all just Google servers, since the customers are all running on Google App Engine or AWS. They know exactly which cloud customer the traffic is going to. They see the plaintext HTTP request.
But everyone was just using Google and Amazon to bridge to Tor, tunneled over HTTPS, so there is literally no way to stop bad guys without breaking or blocking Tor, one of those USA-sanctioned internet freedom tools.
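Added example (not part of the original post or of any comment above): the last thread turns on the fact that the provider's edge sees both the hostname in the TLS handshake (SNI) and the Host header of the decrypted HTTP request, and knows which customer each belongs to. The sketch below shows the comparison an edge could make over its own logs; the routing table, tenant names, hostnames and log records are all constructed for illustration and do not describe Google's or Amazon's actual implementation.

```python
# Added example: classify requests at a TLS-terminating edge by comparing the
# TLS SNI name with the HTTP Host header. All hostnames, tenants and log
# records below are constructed for illustration.
from typing import Optional

# Hypothetical routing table: hostname pattern -> tenant that owns it.
ROUTES = {
    "www.front.example": "tenant-a",
    "*.front.example": "tenant-a",
    "app.hidden.example": "tenant-b",
}


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and any :port suffix."""
    host = host.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal
        return host.split("]")[0] + "]"
    host = host.split(":")[0]
    return host.rstrip(".")


def tenant_for(host: str) -> Optional[str]:
    """Exact match first, then a single-label wildcard (*.example)."""
    if host in ROUTES:
        return ROUTES[host]
    _, _, parent = host.partition(".")
    return ROUTES.get("*." + parent) if parent else None


def classify(sni: Optional[str], host_header: str) -> str:
    host = normalize(host_header)
    if not sni:
        return "no-sni"                 # cannot compare; handle per policy
    sni = normalize(sni)
    if sni == host:
        return "match"
    sni_tenant, host_tenant = tenant_for(sni), tenant_for(host)
    if host_tenant is None:
        return "unknown-host"
    if sni_tenant == host_tenant:
        return "same-tenant-alias"      # two names owned by one customer
    return "cross-tenant-mismatch"      # the pattern called domain fronting


# Constructed edge-log records: (SNI from ClientHello, Host from HTTP request)
SAMPLE_LOG = [
    ("www.front.example", "www.front.example"),
    ("WWW.front.example.", "www.front.example:443"),
    ("www.front.example", "static.front.example"),
    ("www.front.example", "app.hidden.example"),
    (None, "app.hidden.example"),
    ("www.front.example", "nobody.invalid"),
]


def summarize(log):
    """Return one verdict per (sni, host) record, in order."""
    return [classify(sni, host) for sni, host in log]


if __name__ == "__main__":
    for (sni, host), verdict in zip(SAMPLE_LOG, summarize(SAMPLE_LOG)):
        print(f"{verdict:22} sni={sni} host={host}")
```

The check only says that the two names belong to different customers; it cannot tell a censorship-circumvention bridge from malware command-and-control, which is the policy problem the commenters are arguing about.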