Slashdot Mirror


Amazon Web Services Starts Blocking Domain-Fronting (theverge.com)

Earlier this month, Google announced it is discontinuing domain fronting, a practice that lets developers disguise their traffic to evade network blocks. Now, Amazon Web Services has announced a similar move to implement a new set of enhanced domain protections specifically designed to stop domain fronting. The Verge reports: In the post, Amazon characterized the change as an effort to stamp out malware. "Tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer," the post explained. "No customer ever wants to find that someone else is masquerading as their innocent, ordinary domain." Domain-fronting works by using major cloud providers as a kind of proxy, making a data request seem like it's heading to a major service like Google or Amazon only to be forwarded along to a third party once it reaches the broader internet. Unfortunately for circumvention tools, neither Amazon nor Google will let them pull that trick anymore. Amazon will still allow domain fronting within domains owned by the same customer (or more specifically, listed under the same SSL certificate), but customers can no longer use the technique to disguise where data is going, making it far less useful for blocked apps.
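As an added example (not code from the article, The Verge, or AWS), the following Python models the distinction the summary draws: a request whose TLS SNI and HTTP Host header name the same domain, one whose Host header names another domain covered by the same certificate (still allowed), and one whose Host header points at an unrelated domain (now blocked). The certificate SAN lists and the log lines are constructed for illustration; the hostname matching follows the usual single-label wildcard rule.

```python
# Constructed: the SAN list of the certificate an edge would present for each
# SNI value.  In a real CDN this comes from the tenant's TLS configuration.
CERT_SANS = {
    "www.example-shop.test": ["www.example-shop.test", "*.example-shop.test"],
    "cdn.other-tenant.test": ["cdn.other-tenant.test"],
}


def san_matches(hostname: str, san: str) -> bool:
    """Case-insensitive match; a '*.' wildcard covers exactly one leftmost label."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    h_labels, s_labels = hostname.split("."), san.split(".")
    return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]


def classify(sni: str, host_header: str, cert_sans=CERT_SANS) -> str:
    """How an edge applying the rule in the summary treats one request."""
    sans = cert_sans.get(sni.lower().rstrip("."))
    if sans is None:
        return "unknown-sni"            # no certificate for this SNI: handshake fails
    if host_header.lower().rstrip(".") == sni.lower().rstrip("."):
        return "match"                  # ordinary request, SNI and Host agree
    if any(san_matches(host_header, s) for s in sans):
        return "same-certificate"       # fronting within one customer's cert: allowed
    return "cross-domain-front"         # Host names an unrelated domain: blocked


def audit(lines):
    """Apply the check to edge log lines of the form 'sni=<name> host=<name>'."""
    results = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        verdict = classify(fields["sni"], fields["host"])
        results.append((fields["sni"], fields["host"], verdict))
    return results


SAMPLE_LOG = [  # constructed, not real traffic
    "sni=www.example-shop.test host=www.example-shop.test",
    "sni=www.example-shop.test host=api.example-shop.test",
    "sni=www.example-shop.test host=cdn.other-tenant.test",
]

if __name__ == "__main__":
    for sni, host, verdict in audit(SAMPLE_LOG):
        print(f"{sni:24} -> {host:24} {verdict}")
```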

27 comments

  1. Earlier this month by Anonymous Coward · · Score: 0

    emmmmmm

    1. Re:Earlier this month by omnichad · · Score: 1

      Earlier this month was Google. Now it's Amazon. If you're in a faraway time zone, note that it's still April 30th in the US.

    2. Re:Earlier this month by Anonymous Coward · · Score: 0

      > If you're in a faraway time zone, note that it's still April 30th in the US.

      If the guy is in a faraway zone, the US is faraway to him.

      Please be aware that this UTC thing is Euro-centric; Hawaii (USA) is 10 hours behind UTC time. I wonder which other place would be 11h behind it.

      So that you know, there are a lot of problems we must deal with when reading US articles:
      - time (as just mentioned);
      - temperature (what the heck is 110 F?);
      - length, area and volume: feet? square feet? cubic feet? (this looks like part shapes for robots)
      - culture bias: American culture might be great for you, and it surely has its qualities, but other places have good things you miss; some opinions and conclusions are drawn upon a cultural context, which renders them less useful, at times;
      - English itself: I don't want to look condescending, my language also has problems, but English is not easy and is confusing.

      Slashdot is a tech site. I believe most expect tech news and a technical discussion (of course, there's a lot of trolls). The above things make reading less enjoyable, maybe even for Americans.

      TBH some of the above rants would still happen were we to use French (for instance). We really would be better using a more neutral language like Esperanto. But we'll probably get the year of the Linux desktop before that...

      One possible answer to the above rant is "OK, feel free to look for another unbiased site". Fair enough, maybe it's up to us to find out (or to create) sites without these and other problems...

    3. Re:Earlier this month by Anonymous Coward · · Score: 0

      For my person:
      I am actively moving my purchases away from Amazon.
      Google, I am trying to shift from as well. It's harder.

      For a business that has become enamored with the "cloud solves it all" crap, it's harder to shift those choices made at the top.

      These companies have become too big and too predatory.

  2. Did they hire that Al guy to do this work? by Anonymous Coward · · Score: 0

    Al has been busy lately. Anyone know his last name?

    1. Re: Did they hire that Al guy to do this work? by Anonymous Coward · · Score: 0

      deez nutz

    2. Re: Did they hire that Al guy to do this work? by Anonymous Coward · · Score: 0

      So "AI deez nuts"...i guess it really is A to Z...:)

    3. Re: Did they hire that Al guy to do this work? by Anonymous Coward · · Score: 0

      Nutz...damn spell check...

  3. About Time by Anonymous Coward · · Score: 0

    People should not do things behind your back.
    The real sting is it makes Google's and Amazon's ads worth more - less parasite and me-too leeching. The other big players must follow.
    So said, Google is not stopping things going its way. Now ad blockers can get a certificate grip, there will be no future competition.

    1. Re:About Time by AHuxley · · Score: 1

      Only approved fully encrypted ads will be allowed.

      --
      Domestic spying is now "Benign Information Gathering"

  4. Does this break any gov firewall bypass tools? by Ungrounded+Lightning · · Score: 2

    Granted it's double-plus-ungood for the USER to think he's talking to a particular far end when he's actually talking to something else, and that this is, indeed, much of the POINT of the TLS/SSL layer.

    But I seem to recall that some tools for evading governmental censorship/surveillance firewalls (such as the Great Firewall of China) relied on creating encrypted tunnels that SEEMED, to a pipe-tapping observer, to be normal encrypted traffic to a service, such as Google or Amazon, which the state-level actor would be loath to block. These tools exist specifically to "evade restrictions and blocks that can be imposed at [among other places] the TLS/SSL layer".

    Does this pair of moves by Google and Amazon break any such tools?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way

    1. Re:Does this break any gov firewall bypass tools? by Anonymous Coward · · Score: 0

      > Granted it's double-plus-ungood for the USER to think he's talking to a particular far end when he's actually talking to something else, and that this is, indeed, much of the POINT of the TLS/SSL layer.

      That might be the sales pitch, but it's almost entirely bullshit.

      The only thing it does is ensure there's an encrypted tunnel between you and a server; the rest is so fragile as to be next to useless.

    2. Re:Does this break any gov firewall bypass tools? by Anonymous Coward · · Score: 1

      For quite some time now, this has been the recommended way to connect to the Tor network from China.

      (For the time being, it looks like both of the remaining 'meek' bridges are still working. It's a little sad and a little funny to think that Microsoft will be the last one standing.)

      Tor supports a few other censorship-evasion protocols, but as far as I'm aware, all of them require you to connect to the bridge's public IP address, so it's comparatively easy for a determined adversary to discover those addresses and block them.

    3. Re:Does this break any gov firewall bypass tools? by Anonymous Coward · · Score: 0

      > Granted it's double-plus-ungood for the USER to think he's talking to a particular far end when he's actually talking to something else, and that this is, indeed, much of the POINT of the TLS/SSL layer.

      > That might be the sales pitch, but it's almost entirely bullshit.

      > The only thing it does is ensure there's an encrypted tunnel between you and a server; the rest is so fragile as to be next to useless.

      Been saying that for literally a decade. Hell, I built my first interception boxes back in '96. As installed today, SSL/TLS are completely inadequate for what the public is told, mostly because, by design, they are meant to be monitored. The security vendors wouldn't be able to sell their wares otherwise.

      There's also this rather disturbing idea among security "circles" that deniability is another problem for someone else to solve. It wasn't until a _recent_ Black Hat that anyone even talked about it.

  5. Telegram by roman_mir · · Score: 5, Interesting

    So the reason for this I bet is the latest fight that is happening between Telegram and ROSKOMNADZOR - a Russian government agency that is trying to block this service.

    You can surely find all the information you want/need on this topic but what I want to add is that it is amazing how quickly these companies folded to pressure applied by the Russian government Mafia.

    1. Re:Telegram by Anonymous Coward · · Score: 0

      What's amazing is how quickly the Russian trolls downvoted your comments. Can't believe they care about sites like this.

    2. Re:Telegram by Wolfier · · Score: 4, Interesting

      Very interesting. Telegram seems the most likely ultimate cause. If Russia is threatening to block all of AWS, I can imagine this happening.

    3. Re:Telegram by damn_registrars · · Score: 1

      > What's amazing is how quickly the Russian trolls downvoted your comments. Can't believe they care about sites like this.

      Are you trying to make a funny here, or did you not check the moderation history on his comment? Roman posts at -1 because he has a habit of starting religious flamewars and showing no tolerance for those who are not adherents to his preferred religious movement. His comment was not moderated down at all; to the contrary, it was only moderated up. In this rare case of him not writing a comment as a recruitment tool for his faith, he was duly up-moderated (some would call this karma-whoring).

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.

    4. Re:Telegram by Anonymous Coward · · Score: 0

      Russia is not blocking or even "threatening" to block anything. Stop listening to the liberal media that is lying to you.

    5. Re:Telegram by Anonymous Coward · · Score: 0

      I block all of AWS

      That shit is a cancer. Never let AWS servers touch yours. I don't care if you're from Russia or the last cannibal in the Congo.

  6. Why ??? by Anonymous Coward · · Score: 0

    Essentially they are talking about stopping people from operating a cloud hosted reverse proxy. It's a configuration that consumes lots of network bandwidth, but very little else (so possibly not a good revenue proposition for hosting companies).

    Is this a decision based on cost - or are there darker ideas afoot?

    1. Re:Why ??? by Anonymous Coward · · Score: 2, Insightful

      Cost is not an issue. Amazon's customers pay for the bandwidth their services consume.

      (In case it wasn't clear - because TFS is pretty badly worded - Amazon is not, in fact, operating an open proxy. They're simply operating a CDN that lets users connect to services hosted on Amazon's infrastructure, services operated by organizations that are paying Amazon for the privilege.)

      As for the motivation, though, TFS seems pretty clear: their goal is specifically to prevent users from being able to access services without their ISP being able to monitor/restrict which services they're using.

      Whether that's "darker" or not, I'll leave for you to decide.

  7. Would the actual cause be by Wolfier · · Score: 2
  8. Yes, yes, and yes. by Kludge · · Score: 1
  9. I can't figure this one out. by Kludge · · Score: 1

    Is this parent post a Russian pretending to be an American? Or an American pretending to be a Russian pretending to be an American?
    I'm thinking perhaps the latter, b/c I think the Russians are better at astroturfing than that.

    1. Re: I can't figure this one out. by Anonymous Coward · · Score: 0

      Yes, any time you disagree with someone it's either a Russian or a conservative with a bad agenda, amirite!