Senators Wyden & Rubio Ask Google And Amazon To Bring Back Domain Fronting

from the it's-important dept

Earlier this year we wrote about the bad decisions by both Google and Amazon to end domain fronting. Domain fronting was a (somewhat accidental) way in which services could effectively hide certain traffic to make it quite difficult for, say, authoritarian regimes in Iran or China to block the traffic. For that reason, domain fronting was an important tool in keeping services like Signal's encrypted communications platform working for activists and dissidents in such places.

Amazon and Google claimed that they never intended to allow domain fronting, and that while it helped those services work in such places it might also lead to much broader blocks by those countries trying to get at the fronted communications. Now, in an interesting move, Senators Ron Wyden and Marco Rubio have sent both companies a letter asking them to reconsider.

Both your companies have benefited enormously from the free and open internet protected by the United States and its allies. Indeed, your previous role in facilitating these internet freedom tools by permitting domain fronting was neither a mistake nor a secret. Senior Google officials have publicly referenced traffic obfuscation with admiration and support. Moreover Google even contributed financial resources to advance research in the field. This technology was a central part of an internet freedom agenda that your companies (and the technology industry more broadly) promoted as a part of its public image.

Regrettably, your recent decision to ban the practice of domain fronting will prevent millions of people in some of the most repressive environments including China, Iran, Russia and Egypt from accessing a free and open internet. Dissidents, pro-democracy activists, and protesters living under authoritarian regimes need access to secure communications enabled by domain fronting techniques to stay safe and organize.

Governments with anti-democratic agendas may put significant pressures on technology companies to help enable their censorship and surveillance of the internet. American technology companies, which have flourished in our free and open society, must join in the effort to resist such pressure. While this may seem like a reasonable business decision in the short term, it will ultimately do far more harm to your companies and the network of which you have been a core part.

The letter then presents two specific questions the Senators would like the companies to respond to:

1. What steps did your companies take, prior to prohibiting domain fronting, to determine whether it was possible to prohibit its use by malicious actors, while still permitting positive uses, including U.S. government-supported internet freedom tools?

2. After deciding to take action to limit the use of domain fronting, what efforts, if any, did your companies take to minimize the disruption to U.S. government-supported internet freedom tools and platforms relied on by human rights activists, journalists, members of faith communities and civil society groups? What steps have your companies taken, or do you plan to take, to mitigate the effect that your decision to end domain fronting has had on internet anti-censorship tools and platforms?

It's good to see these Senators speak out against both Google and Amazon on this move. Hopefully it leads both companies to reconsider their decision on this one.


Reader Comments

  • Anonymous Anonymous Coward, 25 Jul 2018 @ 1:40pm

    The direction we are headed

    "Regrettably, your recent decision to ban the practice of domain fronting will prevent millions of people in some of the most repressive environments including China, Iran, Russia and Egypt from accessing a free and open internet."

    It is disappointing, but understandable, that they left out the USofA. When is too soon to classify the US as repressive?

    It will be too late at some point.

  • Ehud Gavron, 25 Jul 2018 @ 2:04pm

    Ron Wyden gets it

    ...he always has.

    It will be sad when he's gone and there's nobody there to speak for those of us who care about privacy, protections, rights, and freedoms. (Grandstanding aside.)

    E

    • Anonymous Anonymous Coward, 25 Jul 2018 @ 2:20pm

      Re: Ron Wyden gets it

      There are two ways to look at this.

      The first is hope. Hope that someone with integrity will run for office and disguise that integrity long enough to gain office.

      The second is to change the system. Get rid of parties, get rid of money in politics (let anyone, not just the rich or connected run), change the way lobbying works. We cannot get rid of lobbying, but we can 'adjust' laws so that any money (any free lunch or flights or contributions, or considerations from third parties or...etc.) part of lobbying is considered bribery, and aggressively prosecuted (I know, chicken or egg).

      I know I have been plugging that second choice for quite a while, but it really seems like the only way out. Now, how do we get there?

      • Anonymous Coward, 25 Jul 2018 @ 2:22pm

        Re: Re: Ron Wyden gets it

        We cannot get rid of lobbying, but we can 'adjust' laws

        Based on Citizens United, we might need a constitutional amendment at this point. Start bugging your state representatives to do it.

        • Anonymous Anonymous Coward, 25 Jul 2018 @ 2:45pm

          Re: Re: Re: Ron Wyden gets it

          I am not so sure that an amendment is necessary. Look to the Election Commission where the concept of money is speech started. They could make the change. Getting them to do so is the problem. Politicians are happy with the current state of affairs and stack the Election Commission to continue the current status quo. But current politicians are dependent upon that 'free' money to get reelected, or their own personal bank accounts. And power has certain attractions, for the weak and maybe for everyone without the requisite level of integrity, and they face not being reelected.

          The issue of a constitutional amendment bears the same problem. Those in office benefit from the current system, and it would take integrity and a personal commitment to democracy, as pure as a republic can get to pure democracy, to overcome the current situation. Even for those inclined, the strings pull from various directions.

          How is the Constitution amended?

          Article V of the Constitution prescribes how an amendment can become a part of the Constitution. While there are two ways, only one has ever been used. All 27 Amendments have been ratified after two-thirds of the House and Senate approve of the proposal and send it to the states for a vote. Then, three-fourths of the states must affirm the proposed Amendment.

          The other method of passing an amendment requires a Constitutional Convention to be called by two-thirds of the legislatures of the States. That Convention can propose as many amendments as it deems necessary. Those amendments must be approved by three-fourths of the states.

          The actual wording of Article V is: “The Congress, whenever two thirds of both Houses shall deem it necessary, shall propose Amendments to this Constitution, or, on the Application of the Legislatures of two thirds of the several States, shall call a Convention for proposing Amendments, which, in either Case, shall be valid to all Intents and Purposes, as part of this Constitution, when ratified by the Legislatures of three fourths of the several States, or by Conventions in three fourths thereof, as the one or the other Mode of Ratification may be proposed by the Congress; Provided that no Amendment which may be made prior to the Year One thousand eight hundred and eight shall in any Manner affect the first and fourth Clauses in the Ninth Section of the first Article; and that no State, without its Consent, shall be deprived of its equal Suffrage in the Senate.”

          Now how do we get there, without violence?

        • Anonymous Coward, 26 Jul 2018 @ 3:57am

          Re: Re: Re: Ron Wyden gets it

          That's all we need, screwing things up even more.

      • Thad, 25 Jul 2018 @ 2:36pm

        Re: Re: Ron Wyden gets it

        Get rid of parties

        How?

        Freedom of association explicitly allows the existence of political parties.

        • Anonymous Coward, 25 Jul 2018 @ 2:52pm

          Re: Re: Re: Ron Wyden gets it

          One possible method would be to end the practice of "running as a Republican" or "running as a Democrat" - basically, candidates could only officially run under their own names and on their platforms. Political parties will form, but one could possibly take steps to make sure that they are strictly community things. Something like this would take some serious thought to implement, and may not even be feasible.

          I can think of a couple of easy, immediate steps, though:

          1) Remove the ability for someone to vote by party. Those checkboxes on ballots that let people just say "vote Republican" or "Vote Democrat" can go away.
          2) On the Ballot, none of the candidates for anything can be listed alongside their party. It's similar to the first paragraph, but this one's easy enough to implement. Ballot just has the names.
          3) Candidates are listed on the ballot in alphabetical order, or random assignment.

          This would remove a lot of the official recognizance of there being "two parties." People going to vote can no longer just vote by the party without thinking about it - if they do want to vote Republican or Democrat, they have to know which candidates are which.

          Sure, in a Presidential election everyone will know which is which, but there's a lot of party-based voting for less heavily publicized positions as well.

          • Mat, 25 Jul 2018 @ 6:49pm

            Re: Re: Re: Re: Ron Wyden gets it

            The random slot assignment is needed anyway: It's already been proven that the higher your name is on the list, all things being equal, the more likely you are to get the vote. Though this leads to other issues, I suppose.

          • Bruce C., 26 Jul 2018 @ 6:11am

            Re: Re: Re: Re: Ron Wyden gets it

            "One possible method would be to end the practice of "running as a Republican" or "running as a Democrat" "

            Which basically just turns the parties into the biggest and best-funded PACs in the country. I'm not sure what would change.

            • Anonymous Coward, 27 Jul 2018 @ 5:58am

              Re: Re: Re: Re: Re: Ron Wyden gets it

              I don't know exactly what would change, either. I can say that I'm tired of people identifying by party. If it could be implemented, an outright official injunction against presidential candidates labeling themselves as "the <Party> Candidate" would send a message of contempt for party politics - and yes, this could also have the opposite effect of what I want.

              Mostly what I want is a wider-spread societal distaste for leaders of the whole nation who would dare subscribe to divisive politics. "Oh, that candidate identified as a Republican/Democrat/Green Party, he's an asshole."

              A pipe dream - but on the other hand, I can just start treating every politician that way and see how people around me react.

        • Anonymous Anonymous Coward, 25 Jul 2018 @ 3:09pm

          Re: Re: Re: Ron Wyden gets it

          Remove the rules in Congress that purport a majority and minority standing. I have no problem with parties, so to speak. I have a problem with them having power greater than the electorate. Let them exist, take away any power they have to control candidates for election or to control legislation on a party basis.

          This is not a new idea and we might listen to our first President as well as some who went before him. We have a long history of 'partisanship' where there should have been anti-partisanship, except for party loyalty, which leads to political support and reelection. I recommend reading that Wikipedia page to better understand what was thought about political parties when our nation was formed. Pay special attention to George Washington's farewell speech, after he had some experience with parties.

          Political parties are not constitutionally demanded, and while they could continue to exist, there is ample opportunity to reduce, or better yet eliminate, their control over our system. The problem is how to get people with power (and likely addicted to) to give up their power, for the good of the nation.

          • Thad, 25 Jul 2018 @ 3:40pm

            Re: Re: Re: Re: Ron Wyden gets it

            That's a good answer, but it seems to me that what you meant wasn't actually "get rid of parties" so much as "reduce the power of parties." That's something I think most of us can probably get behind.

            I'd add ranked-choice voting as an obvious way to reduce the power of the two major parties.

            • Anonymous Anonymous Coward, 25 Jul 2018 @ 4:00pm

              Re: Re: Re: Re: Re: Ron Wyden gets it

              I have reviewed a video about ranked-choice voting, and while the concepts are still a bit hazy for me, I don't disagree with the concept.

              That idea has the same problems as others I have espoused, how to get them implemented. Getting one's foot in the door (so to speak) and getting entrenched politicos to give up their 'power' is what is at issue.

              Getting 'rid' of parties, to me, is the same as removing their power. Power not given from the Constitution. Letting like minded people talk to each other is not part of what I think about when considering the issue. Letting them take a 'majority' position in Congress and allow or not allow legislation to the floor for a vote (for example) is. Or putting a particular candidate up for election. Or to hold 'national conventions' that determine who is on the ballot. These and other things are what takes 'belonging' to a party beyond 'like people communicating with each other'. That control that seeped in, over time, and is wrong.

              • The Wanderer, 27 Jul 2018 @ 8:24am

                Re: Re: Re: Re: Re: Re: Ron Wyden gets it

                My idea of the least-resistance way to get ranked-preference voting (especially the forms with the least remaining susceptibility to things like strategic voting and the spoiler effect) implemented is to start from the bottom up.

                In a smaller-scale election system, such as one for school board or city council, there are fewer people who need to be persuaded, so it's easier to meet with enough of them and explain the matter well enough to convince them on an individual basis.

                Once the system is in use at that lower level, you have something to point to as a reference, in trying to convince people at the next level up - county elections, for example.

                Then as the system expands at lower levels, use that as support to argue for implementing it at the state level.

                Then once enough states are using it, use that as support to implement it for federal elections - which, by the way ranked-preference voting functions, would probably require eliminating the electoral college. (And therefore would require a constitutional amendment.)

                That way, even if the attempt to push it up the stack fails (whether permanently or temporarily) at some point in the process, in some part(s) of the country, you still have some of the benefits of ranked-preference voting within those smaller scopes.

            • Anonymous Coward, 26 Jul 2018 @ 4:01am

              Re: Re: Re: Re: Re: Ron Wyden gets it

              Rather than voting upon a "cult of personality" why not vote upon the issues?

              Rather than congress trying to sell a bill that answers all questions (and lines all pockets), why not introduce bills that only do one thing and vote them up or down based solely upon its merits.

              ... and then there is corruption - with this in play, all bets are off.

              • nae such, 27 Jul 2018 @ 8:47am

                Re: Re: Re: Re: Re: Re: Ron Wyden gets it

                this sounds similar to single-subject rules found in many state constitutions. an amendment is also being worked on by a 527 superpac among others.

                • Wendy Cockcroft, 30 Jul 2018 @ 5:43am

                  Re: Re: Re: Re: Re: Re: Re: Ron Wyden gets it

                  Voting on the issues? Wedge issues? That happens now. It's why the political spectrum has gone so far to the right. The GOP is chasing right wing nutter votes and the Dems are trying to pick up disaffected Republicans as well as the progressives.

      • tweetiepooh, 26 Jul 2018 @ 1:45am

        Re: Re: Ron Wyden gets it

        Here in the UK election spending is controlled and parties are "given" the same amount of TV time. They can't buy more and just simply advertise though I guess the bigger ones can make more slick and memorable broadcasts.

        And once in they have to register interests including "gifts" received and from whom and there are rules about what they can accept.

        I don't think you can ever get rid of parties but even here I would like people to think more and vote for persons (who may represent a party) that will best represent them and those persons should be able and willing to go against their party where conscience or local needs require it.

    • Thad, 25 Jul 2018 @ 2:41pm

      Re: Ron Wyden gets it

      It will be sad when he's gone and there's nobody there to speak for those of us who care about privacy, protections, rights, and freedoms. (Grandstanding aside.)

      I agree that Wyden is very unusual in his combination of advocacy and technical literacy. But I like to think we'll have other advocates in his mold.

      Ted Lieu in the House has a pretty good record on civil liberties, plus a BS in CompSci.

  • Scote, 25 Jul 2018 @ 3:17pm

    Domain fronting is a security issue domestically.

    Domain fronting can be used to hide traffic origins from evil government censors, but it is also used to hide traffic origins to aid criminals, including hiding command and control servers for botnets. Congress should not be telling Google and Amazon to let traffic disguise itself from security measures that protect us from malicious domains.

    https://gbhackers.com/domain-fronting-a-new-technique-for-hiding-malware-command-and-control-c2-traffic-within-a-content-delivery-network/

    • Anonymous Coward, 25 Jul 2018 @ 4:36pm

      Re: Domain fronting is a security issue domestically.

      You must also be in favor of encryption backdoors. You're willing to give up something good simply because it can also be used for bad. Perhaps you should also give up your car, your guns (if you have them) and your money.

      • Scote, 25 Jul 2018 @ 9:13pm

        Re: Re: Domain fronting is a security issue domestically.

        Domain fronting is specifically about hiding the true origins. It isn't needed for legit issues (other than, perhaps, hiding from evil government censorship) which is why Google and Amazon have dumped it. Whereas encryption is vital and fundamental to internet enabled commerce and other key uses. The two are not analogous.

        • Anonymous Coward, 26 Jul 2018 @ 7:22am

          Re: Re: Re: Domain fronting is a security issue domestically.

          It's about hiding the destination; it does nothing to hide the origin.

          • Anonymous Coward, 26 Jul 2018 @ 11:45am

            Re: Re: Re: Re: Domain fronting is a security issue domestically.

            Internet communications are largely bi-directional (e.g. I send this post to the Techdirt server, said server responds. One packet (or group thereof) has my IP as its origin, the other has it as its destination). Domain fronting hides one end of the conversation; which it is is mostly pedantic.

    • Stephen T. Stone, 25 Jul 2018 @ 4:38pm

      Re: Domain fronting is a security issue domestically.

      Encryption can be used to protect the privacy of individuals from unreasonable search and seizure, but it is also used to hide information that aids criminals, including hiding illicit images and communications. Congress should not be telling Google and Apple to let encryption prevent us from finding and punishing criminals.

    • Anonymous Coward, 25 Jul 2018 @ 4:53pm

      Re: Domain fronting is a security issue domestically.

      They used domain fronting because it was there, not because it was particularly helpful. They could hard-code a set of IP addresses, or use BitTorrent trackers or distributed hash tables, or take advantage of blockchains, or put stuff on Github or Pastebin....

      Encryption's only going to improve. There's ongoing work to encrypt DNS lookups (DNS over HTTPS) and encrypt the hostname during TLS/HTTPS negotiation ("encrypted SNI").

  • Anonymous Coward, 25 Jul 2018 @ 7:39pm (this comment has been flagged by the community)

    So, Google to be used for societal good, NOT just gain money?

    Contradicts your assertion that "platforms" are "persons" having "First Amendment Rights", including to deny service to anyone for any reason or none. -- BUT NOW, you believe that Google should be compelled to what's arguably "speech", possibly against its own views, eh?

    Your usual consistency: ZERO.

    • Anonymous Coward, 25 Jul 2018 @ 10:03pm

      Re: So, Google to be used for societal good, NOT just gain money?

      Supporting free speech means I support your right to speak your opinion. It does not mean I will not oppose your opinion, or the decisions you have made.

      • Anonymous Coward, 26 Jul 2018 @ 4:05am

        Re: Re: So, Google to be used for societal good, NOT just gain money?

        It is funny to watch the confusion set in when this point finally begins to be understood by some folk as they were sure they had a right to not be subjected to counter arguments - aka fake news.

  • Anonymous Coward, 25 Jul 2018 @ 8:24pm

    Google and Amazon have developed a taste for authoritarian cock.

    Don't expect them to spit it out any time soon.

  • Anonymous Coward, 26 Jul 2018 @ 4:36am

    I'm a bit confused here. Wyden and Rubio just asked AWS and Google Compute to become cops of all hosted content on their services.

    1. What steps did your companies take, prior to prohibiting domain fronting, to determine whether it was possible to prohibit its use by malicious actors, while still permitting positive uses, including U.S. government-supported internet freedom tools?

    This sounds a lot like asking for YouTube's ContentID on their hosted services.

    • Anonymous Coward, 26 Jul 2018 @ 7:27am

      Re:

      What? They asked about the steps these companies took; they didn't ask them to prohibit "malicious" use, or even (contrary to the headline) to bring back domain fronting. The only requests were to answer some questions and to reconsider (because it harms the US government's efforts to promote free speech).

  • timlash, 26 Jul 2018 @ 5:55am

    Wyden and Rubio Together?

    As a Florida resident it feels weird and surprisingly refreshing to see my right wing junior Senator teaming up with one of the most respected liberal voices in the federal government. I can't recall another time he's ever reached across the aisle.

  • Jinxed, 26 Jul 2018 @ 9:56am

    "Both your companies have benefited enormously from the free and open internet protected by the United States and its allies"

    Would this "free and open internet" be before or after Google pays the $5 billion to an ally?

  • Beta, 26 Jul 2018 @ 4:15pm

    To a sufficiently ignorant observer, any technology is...

    Q: What steps did you take to determine whether it was possible to prevent bad people from using this tool, while still allowing good people to use it?

    A: That seems obviously impossible, and we don't remember taking any "steps" to verify that. Why? Do you know something we don't? Please, if you know a way to do it, tell us! If it works we'll admit you're better engineers than we are, and give you stock options and gold medals and your pictures will be on every front page. Seriously, why do you politicians keep asking this question, about every new tool we invent? The answer is that we don't see any way to do that, so will you please stop blaming us for all human evil, and telling us to look harder?

    • Thad, 26 Jul 2018 @ 5:19pm

      Re: tl;dr

      We're not just talking about encryption here. Domain fronting relies on the CDN (in this case Google or Amazon) reading the destination -- a site on the same CDN -- from the HTTP header and redirecting to it.

      The CDN -- let's say Google, for example -- knows where the traffic is coming from and where it's going; in fact, it's going to one of Google's customers.

      Now, the traffic is encrypted, and Google doesn't know what's in it and what its ultimate destination is. That much is true. But as I understand it, the reflector knows where the traffic is going.

      So Google has an option for an administrative fix: require any client running a reflector to agree to blacklist certain destinations. You couldn't stop all "bad guy" traffic, but you could block major "bad" sites. And it should be simple enough for Google to test whether its customers were complying.

      The question is whether this would be desirable. Blocking major criminal sites would merely force people looking for criminal sites to less well-known ones (much as SESTA has pushed sex trafficking underground). And of course who gets to decide what sites to blacklist? Once Google introduces a blacklist mechanism, every oppressive regime is going to demand Google blacklist the sites it doesn't like, which would defeat the purpose.

      I think I agree with you that there's no good solution to the "let the good guys in but keep the bad guys out" question. But I think that's more for political and administrative reasons than technical ones.

      • Anonymous Coward, 31 Jul 2018 @ 7:38am

        Re: Re: tl;dr

        You don't understand it at all. There's no "CDN" involved as most people understand the term. And "recursor?" It's all just Google servers, since the customers are all running on Google App Engine or AWS. They know exactly which cloud customer the traffic is going to. They see the plaintext HTTP request.

        But everyone was just using Google and Amazon to bridge to Tor, tunneled over HTTPS, so there is literally no way to stop bad guys without breaking or blocking Tor, one of those USA-sanctioned internet freedom tools.

        reply to this | link to this | view in chronology ]
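
The routing behaviour debated in the last two comments, seen from the provider's side, as an added example that is not part of the original page or of any commenter's post: a fronted request names one hostname in the TLS SNI field and a different one in the HTTP Host header, and an edge that terminates TLS can compare the two. The hostnames, the tenant table and the function names are constructed for illustration; treating two hostnames of the same customer as acceptable is a policy assumption of this sketch.

```python
"""Provider-side comparison of TLS SNI and HTTP Host (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical table: hostname served by the shared edge -> owning cloud customer.
TENANT_OF: Dict[str, str] = {
    "www.front.example": "tenant-a",
    "static.front.example": "tenant-a",
    "relay.hidden.example": "tenant-b",
}


@dataclass(frozen=True)
class Request:
    sni: Optional[str]  # server_name from the TLS ClientHello (visible on the wire)
    host: str           # Host header, readable only where TLS is terminated


def normalize(name: str) -> str:
    """Lower-case a hostname and drop a trailing dot or a single :port suffix.

    IP literals are left as they are and simply fail the tenant lookup.
    """
    name = name.strip().lower()
    if name.count(":") == 1:  # host:port
        name = name.split(":", 1)[0]
    return name.rstrip(".")


def classify_request(req: Request, tenant_of: Dict[str, str] = TENANT_OF) -> str:
    """Return 'match', 'same-tenant', 'cross-tenant', 'no-sni' or 'unknown-host'."""
    host = normalize(req.host)
    if host not in tenant_of:
        return "unknown-host"  # nothing on this edge answers for that name
    if req.sni is None:
        return "no-sni"        # client sent no server_name; nothing to compare
    sni = normalize(req.sni)
    if sni == host:
        return "match"
    if tenant_of.get(sni) == tenant_of[host]:
        # One customer's own hostnames sharing a connection (e.g. HTTP/2 reuse).
        return "same-tenant"
    # The wire shows one customer's name, the request is routed to another's.
    return "cross-tenant"


# Policy assumption of this sketch: only these verdicts are served.
ALLOWED = {"match", "same-tenant"}


def enforce(req: Request, tenant_of: Dict[str, str] = TENANT_OF) -> int:
    """HTTP status an edge with fronting disabled would answer with."""
    verdict = classify_request(req, tenant_of)
    if verdict in ALLOWED:
        return 200
    if verdict == "unknown-host":
        return 404
    return 421  # Misdirected Request: Host does not belong on this connection


# Constructed sample traffic, one entry per case the classifier distinguishes.
SAMPLE: List[Request] = [
    Request("www.front.example", "www.front.example"),
    Request("WWW.Front.Example.", "www.front.example:443"),
    Request("www.front.example", "static.front.example"),
    Request("www.front.example", "relay.hidden.example"),
    Request(None, "relay.hidden.example"),
    Request("www.front.example", "not-hosted.example"),
]


def review(requests: List[Request]) -> List[Tuple[str, int]]:
    """Verdict and resulting status for each request, in order."""
    return [(classify_request(r), enforce(r)) for r in requests]


if __name__ == "__main__":
    for req, (verdict, status) in zip(SAMPLE, review(SAMPLE)):
        print(f"sni={req.sni!s:22} host={req.host:26} {verdict:13} {status}")
```

An observer on the network sees only the SNI value in each of these requests, which is why the fourth sample looks identical to the first from outside while the edge can tell them apart.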

