from the who's-fronting-now? dept
Just as places like Russia are getting more aggressive with companies like Google and Amazon in seeking to stop online communications they can’t monitor, Google made a move that really fucked over a ton of people who rely on anti-censorship tools. For years, various anti-censorship tools from Tor to GreatFire to Signal have made use of “domain fronting.” That’s a process by which services could get around censorship by effectively appearing to send traffic via large companies’ sites, such as Google’s. The link above describes the process as follows:
Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor. The key idea is the use of different domain names at different layers of communication. One domain appears on the ?outside? of an HTTPS request?in the DNS request and TLS Server Name Indication?while another domain appears on the ?inside??in the HTTP Host header, invisible to the censor under HTTPS encryption. A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage. Domain fronting is easy to deploy and use and does not require special cooperation by network intermediaries. We identify a number of hard-to-block web services, such as content delivery networks, that support domain-fronted connections and are useful for censorship circumvention. Domain fronting, in various forms, is now a circumvention workhorse.
In short, because most countries are reluctant to block all of Google, the ability to use Google for domain fronting was incredibly useful in getting around censorship. And now it’s gone. Google claims that it never officially supported it, that this was a result of a planned update, and it has no intention of bringing it back:
?Domain fronting has never been a supported feature at Google,? a company representative said, ?but until recently it worked because of a quirk of our software stack. We?re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don?t have any plans to offer it as a feature.?
As Ars Technica notes, companies like Google may be concerned that it could lead to larger blocks that could harm customers. But, as Access Now points out, there are larger issues at stake, concerning individuals who are put at risk through such censorship:
?As a repository and organizer of the world?s information, Google sees the power of access to knowledge. Likewise, the company understands the many ingenious ways that people evade censors by piggybacking on its networks and services. There?s no ignorance excuse here: Google knows this block will levy immediate, adverse effects on human rights defenders, journalists, and others struggling to reach the open internet,? said Peter Micek, General Counsel at Access Now. ?To issue this decision with a shrug of the shoulders, disclaiming responsibility, damages the company?s reputation and further fragments trust online broadly, for the foreseeable future.?
?Google has long claimed to support internet freedom around the world, and in many ways the company has been true to its beliefs. Allowing domain fronting has meant that potentially millions of people have been able to experience a freer internet and enjoy their human rights. We urge Google to remember its commitment to human rights and internet freedom and allow domain fronting to continue,? added Nathan White, Senior Legislative Manager at Access Now.
Google doesn’t need to support domain fronting, and there are reasonable business reasons for not doing so. But… there are also strong human rights reasons why the company should reconsider. In the past, Google has taken principled stands on human rights. This is another time that it should seriously consider doing so.