Slashdot Mirror


Amazon Web Services Starts Blocking Domain-Fronting (theverge.com)

Earlier this month, Google announced it is discontinuing domain fronting, a practice that lets developers disguise their traffic to evade network blocks. Now, Amazon Web Services has announced a similar move to implement a new set of enhanced domain protections specifically designed to stop domain fronting. The Verge reports: In the post, Amazon characterized the change as an effort to stamp out malware. "Tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer," the post explained. "No customer ever wants to find that someone else is masquerading as their innocent, ordinary domain." Domain-fronting works by using major cloud providers as a kind of proxy, making a data request seem like it's heading to a major service like Google or Amazon only to be forwarded along to a third party once it reaches the broader internet. Unfortunately for circumvention tools, neither Amazon nor Google will let them pull that trick anymore. Amazon will still allow domain fronting within domains owned by the same customer (or more specifically, listed under the same SSL certificate), but customers can no longer use the technique to disguise where data is going, making it far less useful for blocked apps.
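The rule the summary describes (cross-domain fronting refused, fronting between names on the same certificate still allowed) can be written down as an edge-side policy check. The example below is added here and is not Amazon's code or from the article; the certificate data, hostnames and helper names are constructed for illustration.

```python
# Added example (not from the article or from Amazon). A request is "fronted"
# when the TLS SNI and the HTTP Host header name different domains. The policy
# modelled here mirrors the rule in the summary: allow only when both names are
# covered by one and the same certificate (its Subject Alternative Name list).
# Certificates, hostnames and function names below are constructed.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Certificate:
    """Minimal stand-in for an edge certificate: just its SAN entries."""
    sans: List[str] = field(default_factory=list)


def _hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*.example.com' covers exactly one extra label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return False


def is_covered(cert: Certificate, hostname: str) -> bool:
    """True if any SAN entry of the certificate matches the hostname."""
    return any(_hostname_matches(san, hostname) for san in cert.sans)


def classify_request(sni: str, host_header: str, certs: List[Certificate]) -> str:
    """Return 'direct', 'same-cert-fronting' or 'blocked' for one request."""
    host = host_header.split(":", 1)[0]           # drop an explicit port
    if host.lower() == sni.lower():
        return "direct"                           # SNI and Host agree
    if any(is_covered(c, sni) and is_covered(c, host) for c in certs):
        return "same-cert-fronting"               # still permitted by the rule
    return "blocked"                              # fronting across customers


# Constructed edge certificates: one customer with a wildcard, one other tenant.
CERTS = [Certificate(["shop.example.com", "*.example.com"]),
         Certificate(["cdn.other-tenant.test"])]

if __name__ == "__main__":
    for sni, host in [("shop.example.com", "shop.example.com"),
                      ("shop.example.com", "api.example.com"),
                      ("shop.example.com", "cdn.other-tenant.test")]:
        print(f"SNI={sni:18} Host={host:22} -> {classify_request(sni, host, CERTS)}")
```

The same check, run over captured SNI/Host pairs from proxy logs, doubles as a detection rule for fronting attempts on a CDN you operate.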

5 of 27 comments

  1. Does this break any gov firewall bypass tools? by Ungrounded+Lightning · · Score: 2

    Granted it's double-plus-ungood for the USER to think he's talking to a particular far end when he's actually talking to something else, and that this is, indeed, much of the POINT of the TLS/SSL layer.

    But I seem to recall that some tools for evading governmental censorship/surveillance firewalls (such as the Great Firewall of China) relied on creating encrypted tunnels that SEEMED, to a pipe-tapping observer, to be normal encrypted traffic to a service, such as Google or Amazon, which the state-level actor would be loath to block. These tools exist specifically to "evade restrictions and blocks that can be imposed at [among other places] the TLS/SSL layer".

    Does this pair of moves by Google and Amazon break any such tools?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  2. Telegram by roman_mir · · Score: 5, Interesting

    So the reason for this I bet is the latest fight that is happening between Telegram and ROSKOMNADZOR - a Russian government agency that is trying to block this service.

    You can surely find all the information you want/need on this topic but what I want to add is that it is amazing how quickly these companies folded to pressure applied by the Russian government Mafia.

    1. Re:Telegram by Wolfier · · Score: 4, Interesting

      Very interesting. Telegram seems the most likely ultimate cause. If Russia is threatening to block all of AWS, I can imagine this happening.

  3. Re:Why ??? by Anonymous Coward · · Score: 2, Insightful

    Cost is not an issue. Amazon's customers pay for the bandwidth their services consume.

    (In case it wasn't clear - because TFS is pretty badly worded - Amazon is not, in fact, operating an open proxy. They're simply operating a CDN that lets users connect to services hosted on Amazon's infrastructure, services operated by organizations that are paying Amazon for the privilege.)

    As for the motivation, though, TFS seems pretty clear: their goal is specifically to prevent users from being able to access services without their ISP being able to monitor/restrict which services they're using.

    Whether that's "darker" or not, I'll leave for you to decide.

  4. Would the actual cause be by Wolfier · · Score: 2