Slashdot Mirror


Google Is Shuttering Domain Fronting, Creating a Big Problem For Anti-Censorship Tools (theverge.com)

"The Google App Engine is discontinuing a practice called domain fronting, which lets services use Google's network to get around state-level internet blocks," reports The Verge. While the move makes sense from a cybersecurity perspective as domain fronting is widely used by malware to evade network-based detection, it will likely frustrate app developers who use it to get around internet censorship. From the report: First spotted by Tor developers on April 13th, the change has been rolling out across Google services and threatens to disrupt services for a number of anti-censorship tools, including Signal, GreatFire.org and Psiphon's VPN services. Reached by The Verge, Google said the changes were the result of a long-planned network update. "Domain fronting has never been a supported feature at Google," a company representative said, "but until recently it worked because of a quirk of our software stack. We're constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don't have any plans to offer it as a feature."

Domain-fronting allowed developers to use Google as a proxy, forwarding traffic to their own servers through a Google.com domain. That was particularly important for evading state-level censorship, which might try to block all the traffic sent to a given service. As long as the service was using domain-fronting, all the in-country data requests would appear as if they were headed for Google.com, with encryption preventing censors from digging any deeper.
We do not yet know exactly why and when Google is shutting down the practice, but will update this post once we learn more.
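The summary notes that fronting defeats network-based detection: an observer sees only the front domain in the TLS SNI, while the HTTP Host header inside the encrypted session names the service actually reached. The following is an added example, not code from the article or from Google, showing how a defender with a TLS-inspecting proxy could flag that mismatch. The log schema, client addresses and the `example-app` hostname are constructed for illustration.

```python
import json

# Constructed sample records from a hypothetical TLS-inspecting proxy.
# The field names (client, sni, host) are assumptions, not a real product's schema.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "sni": "www.google.com", "host": "www.google.com"}
{"client": "10.0.0.7", "sni": "www.google.com", "host": "example-app.appspot.com"}
{"client": "10.0.0.8", "sni": "WWW.Google.com.", "host": "www.google.com:443"}
{"client": "10.0.0.9", "sni": "", "host": "example-app.appspot.com"}
{"client": "10.0.0.5", "sni": "mail.google.com", "host": "www.google.com"}
"""


def normalize(name):
    """Lowercase a hostname and drop any :port suffix and trailing dot."""
    name = (name or "").strip().lower()
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        name = host
    return name.rstrip(".")


def site(name):
    """Last two labels: a crude stand-in for a public-suffix lookup."""
    return ".".join(name.split(".")[-2:])


def classify(sni, host):
    """Compare the outer TLS SNI with the inner HTTP Host header."""
    sni, host = normalize(sni), normalize(host)
    if not sni:
        return "no_sni"      # nothing to compare against; review separately
    if sni == host:
        return "match"
    if site(sni) == site(host):
        return "related"     # e.g. HTTP/2 connection reuse across one site
    return "mismatch"        # outer and inner names disagree: fronting candidate


def find_fronting_candidates(log_text):
    """Return (client, sni, host) for every record classified as a mismatch."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if classify(rec.get("sni"), rec.get("host")) == "mismatch":
            hits.append((rec["client"], normalize(rec["sni"]), normalize(rec["host"])))
    return hits


if __name__ == "__main__":
    for hit in find_fronting_candidates(SAMPLE_LOG):
        print("possible domain fronting:", hit)
```

Without TLS inspection the Host header is not visible on the wire, which is exactly why the technique evades passive monitoring.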

59 comments

  1. Collateral by Anonymous Coward · · Score: 0

    Even G can't risk going down because a government decides to block IPs of a fronted service. Like Russia today and AWS !?

    1. Re: Collateral by ArmoredDragon · · Score: 1

      I think G doesn't really mind censorship these days. After all, they seem to be fans of it themselves.

    2. Re: Collateral by Anonymous Coward · · Score: 2, Insightful

      If they want to be able to operate in the EU, they can't have any "right to have your illegal activities forgotten" data relayed through their servers.

    3. Re: Collateral by Anonymous Coward · · Score: 1

      After all, they seem to be fans of it themselves.

      As are most of the voters. This is one big social problem that needs a technical solution. Whether one is possible doesn't matter, we have to try. We cannot let fascists decide what we can see and hear. Remember, *when you let them, you help them*.

    4. Re:Collateral by Applehu+Akbar · · Score: 1

      Even G can't risk going down because a government decides to block IPs of a fronted service. Like Russia today and AWS !?

      Or to take a more serious example of a censorious environment, American college campuses.

    5. Re: Collateral by Anonymous Coward · · Score: 1

      That's right, in the EU we believe that people should be given a second chance to learn from their mistakes and lead a normal life after prison.

    6. Re: Collateral by cascadingstylesheet · · Score: 1

      I think G doesn't really mind censorship these days. After all, they seem to be fans of it themselves.

      Sorry, I was going to reply to your comment, but it mysteriously no longer showed up in a search.

    7. Re: Collateral by Anonymous Coward · · Score: 0

      Yeah, but you lock them in prison for simply expressing their opinion.

    8. Re: Collateral by Anonymous Coward · · Score: 0

      That's an interesting way of saying "we believe that the government should control what people are allowed to remember."

    9. Re: Collateral by Anonymous Coward · · Score: 0

      Nothing wrong with that, the shit they don't want you to remember isn't worth remembering anyway

    10. Re: Collateral by sabri · · Score: 1

      Nothing wrong with that, the shit they don't want you to remember isn't worth remembering anyway

      Yeah, like the Armenian Genocide by Turkey, or the Holocaust by Germany.

      These two examples are exactly why you don't need a government to tell you what you can and can't remember. But then again, the EUSSR has been on the slippery slope of censorship for a loooong time now. It started with the children. Then the terrorists. Then the poor ex-cons. What's next, offensive tweets?

      --
      I'm not a complete idiot... Some parts are missing.
    11. Re: Collateral by Anonymous Coward · · Score: 0

      The more important reason to remember our faults is to not do it again; you can forgive a lion for eating your dog, but you must remember never to let your dog outside in the wild.

  2. Evil has money... by Anonymous Coward · · Score: 0

    Google caved to Russia blocking.

  3. new world where what you say gets you thrown in ja by Anonymous Coward · · Score: 0

    Nice Google.

  4. But I need domain fronting! by Anonymous Coward · · Score: 1

    But I need Google domain fronting for my YouTube comic con channel click-bot to work. Otherwise, YouTube doesn't count the click-bot views!

    What am I going to do? Any slashdotter can suggest an alternative for me?

    Thanks in advance!

  5. Obligatory xkcd by MostAwesomeDude · · Score: 3, Insightful

    https://xkcd.com/1172/

    The reason is precisely as Google has stated it. Domain fronting is a hack and arguably a symptom of a security weak point; neither should be relied upon in the long run.

    --
    ~ C.
    1. Re:Obligatory xkcd by Anonymous Coward · · Score: 0

      Maybe it wasn't all that good anyway... I guess if anything needs decentralization, it's DNS. I don't know if that would help against the inevitable ISPs "white list".

    2. Re:Obligatory xkcd by Anonymous Coward · · Score: 0

      The security weakness is the fact that, when making a "secure" web connection, your browser sends the hostname unencrypted. Google permitting you to avoid doing that (by letting you access any Google-hosted service while broadcasting an innocuous SNI) was a security *advantage*.

  6. Just because you can do something..... by Proudrooster · · Score: 3, Interesting

    Domain fronting is a case of "just because you can do something, doesn't mean you should."
    Domain-Fronting was a good idea with a huge potential for abuse.

    VPNs and TOR are the answer to getting around blocks. While you are at it, switch your DNS to 1.1.1.1

    The real answer to our problem is to kick China and Russia off the Internet until they learn how to behave.

    1. Re:Just because you can do something..... by drinkypoo · · Score: 2

      VPNs and TOR are the answer to getting around blocks. While you are at it, switch your DNS to 1.1.1.1

      I tried that, but then it shit itself the other day, so I went back to using google. Maybe I'll try cloudflare again in some months.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re: Just because you can do something..... by Anonymous Coward · · Score: 0

      The economic pressure on the Chinese state would be much more effective than a bunch of plebes reading Facebook posts.

      See Arab Spring, this power of the masses idea is romantic foolishness.

    3. Re:Just because you can do something..... by Anonymous Coward · · Score: 0

      The real solution is for people to wake up and realize we live on a fucking planet. Fuck your imaginary borders and the patriotic death worshipping bullshit that comes with it.

    4. Re: Just because you can do something..... by Proudrooster · · Score: 1

      I agree, knock AliBaba or AliExpress offline for a month and see the impact it has on the government and policy.
      There is an old Chinese saying, "Do not offend the majority."

  7. Well, Google Cache exists by Anonymous Coward · · Score: 0

    If you can't reach Slashdot, maybe you can reach Slashdot.

    Then again, that cache may expire very soon.

  8. Telegram in Russia by Anonymous Coward · · Score: 4, Interesting

    i.e. the service Telegram is using to evade Russia.

    If there's any doubt that Google would stand up to Russia, take a look here. Russia blocks Google, Google pulls the service.

    And can you blame them?

    As a corporation, defending freedom is not profitable, and as people, Sergey Mikhaylovich Brin has family in Russia, family with balconies and door handles.

    So they comply with Putin, just as Trump did in cancelling the new Russian sanctions.

    1. Re:Telegram in Russia by Anonymous Coward · · Score: 0

      Yeah, this pretty much closes the thread. They got an offer they can't refuse. Why the summary speculates on it is beyond me, other than to divert attention. No biggie. We just have to find another way to circumvent the fascists.

      I hope the mods notice and mod you up...

    2. Re:Telegram in Russia by AvitarX · · Score: 1

      Russia's GDP is about 8% of the US's.

      Not a nothing market, but not huge, and maybe not big enough to outweigh the publicity of being "good".

      If they're afraid of Russia, I suspect it's the internet Black ops part they're worried about, not the customer base.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    3. Re:Telegram in Russia by Anonymous Coward · · Score: 0

      It's not that anybody is 'afraid' of Russia. It's just, "why jeopardize a good business relationship?" Google isn't 'anti-censorship' by even the loosest definition.

      We all need to keep and share our own domain name caches if we have to keep using such primitive system. But how do you avoid ISP inspection/redirection? Because they will require 'authorization' to use a VPN, or any other encryption. Until they do, TOX might work. We need more 'serverless' communications to make them private and secure. The holy grail is to unchain ourselves from the ISP. They are the real enemy, not Google, or Russia.

    4. Re:Telegram in Russia by Anonymous Coward · · Score: 0

      Google **IS** a censorship tool these days.

  9. Do Only Evil.. by Anonymous Coward · · Score: 0

    It's what the DoD Paid for

  10. It was to be expected by Anonymous Coward · · Score: 0

    Isn't this "domain fronting" a kind of open proxy? Why is it a bad thing if Google shuts down its open proxy? Let these "private browsing providers" find (or create) other open proxies and stop piggybacking on Google.

    1. Re:It was to be expected by Anonymous Coward · · Score: 0

      Isn't this "domain fronting" a kind of open proxy?

      No, because Google's front-end servers have only allowed you to access services that are hosted on Google's infrastructure (i.e., the operators of the service are paying Google for the privilege.)

      Why is it a bad thing if Google shuts down its open proxy?

      Because privacy and freedom of expression are good things, and there are some really nasty governments out there.

      Let these "private browsing providers" find (or create) other open proxies and stop piggybacking on Google.

      Well, they're not "piggybacking" in the sense of dishonestly using Google's bandwidth or server resources - again, we're talking about organizations that pay Google to host their services. Speaking more abstractly, it's true in a way that they are piggybacking on Google's good will... because that's what it means to evade censorship; evading censorship always means, in some way, trying to make your traffic look innocuous. Make your traffic look (to the censors' eyes) like you're shopping on Amazon, you're piggybacking on Amazon's good will. Make your traffic look like Skype calls, you're piggybacking on Skype's good will. And so forth.

      To be more specific, there isn't any way for a small organization, or even a moderately-large one, to "find or create" a service similar to what the big three (Google/Microsoft/Amazon) offer - because the value of those services is precisely in the fact that they are "too big to block".

  11. Re:JEWgle "censorbeams" on maximum? by Zontar+The+Mindless · · Score: 2

    Because we can all tell that it's just APK shitposting and then responding to himself with his customary "factual and true", perhaps?

    --
    Il n'y a pas de Planet B.
  12. Re:JEWgle "censorbeams" on maximum? by Anonymous Coward · · Score: 0

    Look, everyone--it's our favourite "Vatican II was wrong and the Nazis were right" armchair philosopher, APK!

    Do you admit to all your shit-posting in Confession?

  13. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  14. Exterminate them all by Anonymous Coward · · Score: 0

    More and more censorship, directly or indirectly.
    CHARLIE HEBDO google, youtube, twitter and facebook
    Kill anyone working there, their families and kids, anyone they hold dear
    Torture and mutilation before death, all on hd video
    Make it scary to work for these giants.
    KILL THEM ALL

  15. How does this interfere with Signal? by Herve5 · · Score: 1

    To me, Signal is definitely, terribly, imperfect, but it is the single and only *open-source* app allowing end-to-end encryption for short messaging (and, sometimes, phone calls).
    I use it daily.
    How does this Google move hit Signal?

    --
    Herve S.
    1. Re:How does this interfere with Signal? by tepples · · Score: 1

      I thought the Pidgin application supported off-the-record (OTR) messaging. What am I missing?

    2. Re:How does this interfere with Signal? by Anonymous Coward · · Score: 0

      OTR is not seamless, and required you to run Pidgin. I don't see Pidgin in Google Play to download as an app on my mobile device. Not really sure what you are trying to say?

      Pidgin does not provide a service, it's an application that can integrate into services. How does OTR help you bypass network censorship when they block you from even reaching Signal's services?

    3. Re:How does this interfere with Signal? by Anonymous Coward · · Score: 0

      Signal uses this service to bypass ISP level of blocking. So that feature will no longer work. For day to day users in places without ISP censorship/blocking, this should have no impact.

    4. Re:How does this interfere with Signal? by Anonymous Coward · · Score: 0

      What does Pidgin OTR have to do with Signal being blocked by ISPs from reaching its server?

    5. Re:How does this interfere with Signal? by Anonymous Coward · · Score: 0

      Until it does. The problem is not if it will happen, but when. Let's say another person wants to whistle blow and they would prefer to do it with a 3rd party in another location. We'll use as an example since Whisper utilizes this 'loophole'. It makes it incredibly harder to do so or to make real contact with Snowden. Who frankly. Whether they agree or not with his actions is *the* only person outside the US who has done what he has. And is openly communicating with specific people.

      There are a great many things Snowden knows and can confirm without the leaked information he gave to various news agencies. On top of that if those people were ever compromised it would destroy any sort of leverage Snowden could utilize.

    6. Re:How does this interfere with Signal? by tepples · · Score: 1

      If at least one of the (non-Signal) services that libpurple can use isn't blocked, you can enable OTR over that service to communicate between Pidgin on a desktop or laptop computer and Pidgin on another desktop or laptop computer.

  16. They Fixed the Glitch by Anonymous Coward · · Score: 0

    ...and global free speech gets moved into the basement, as far back against the wall as possible, and its red stapler taken.

  17. Internet 3 by Anonymous Coward · · Score: 0

    Yep. This is one of the reasons we need everybody working towards Internet 3, a completely decentralized mesh network with...

    1. No DNS
    2. No DHCP dependency
    3. A MESH network
    4. Full P2P encryption

  18. There is conceptually no difference ... by Wrath0fb0b · · Score: 1

    Quiz: A client wants to connect to a remote endpoint without a passive network observer being able to learn the identity of the endpoint. Is this "malware talking to the control server" or "banned application attempting to evade ISP-enforced censorship"?

    Well obviously it's neither/both because there is no damned difference. As far as the transport layer is concerned, an application is an application. If you make it a desirable property that clients can conceal the true identity of the remote endpoint then you sweep in both.

    Maybe this will change if we get adoption of RFC 3514 though.

  19. Re:JEWgle "censorbeams" on maximum? by Anonymous Coward · · Score: 0

    Yes, I recommend all do look to know your enemy. I don't see apk there but I do see verifiable facts from jews themselves.

  20. Wait so they didn't know.. by Anonymous Coward · · Score: 0

    They didn't know they were essentially being an open HTTPS proxy?

    1. Re:Wait so they didn't know.. by Anonymous Coward · · Score: 0

      No, Google's front-end proxies allowed you to access any web service that was hosted on Google's infrastructure. That's not an open proxy, that's shared web hosting working as intended.