Amazon Web Services starts blocking domain-fronting, following Google’s lead

A week after Google closed a method for application developers to circumvent Internet censorship, Amazon is doing the same. In a post last week, Amazon Web Services announced that it would implement a new set of enhanced domain protections specifically designed to halt domain fronting, a practice that allows developers to disguise their traffic to evade network blocks.

In the post, Amazon characterized the change as an effort to stamp out malware. "Tools, including malware, can use this technique between completely independent domains to evade restrictions and blockages that can be imposed on the TLS/SSL layer," the post explains. "No client wants to find another person posing as their innocent and ordinary domain."

Domain fronting works by using large cloud providers as a kind of proxy, making a data request appear to be directed to a major service like Google or Amazon, only to be forwarded to a third party once it reaches the broader internet. This is useful for evading state-level Internet blocks such as the recent Russian Telegram block, since state ISPs cannot tell which traffic is going to the blocked service until it is too late.

Unfortunately for the circumvention tools, neither Amazon nor Google will allow them to pull that trick anymore. Amazon will still allow domain fronting between domains owned by the same customer (or more specifically, listed under the same SSL certificate), but customers can no longer use the technique to disguise where the data goes, which makes it much less useful for blocked applications.
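
The same-certificate rule described above can be written as an edge-side check that compares the name presented in the TLS handshake (SNI) with the name in the HTTP Host header. This is an added illustration, not Amazon's code: the function names, verdict labels, the choice to block when either name is missing, and the .example domains are all assumptions.

```python
# Added illustration of a same-certificate fronting check; not Amazon's code.
# Function names, verdict labels and sample domains are constructed.

def normalize(name: str) -> str:
    """Lower-case a host name and drop any port and trailing dot."""
    name = name.strip().lower()
    if name.startswith("["):             # bracketed IPv6 literal, e.g. [::1]:443
        return name[1:name.find("]")] if "]" in name else name
    if name.count(":") == 1:             # host:port
        name = name.split(":", 1)[0]
    return name.rstrip(".")


def san_covers(pattern: str, host: str) -> bool:
    """True if one certificate SAN entry covers host.

    A wildcard is honoured only as the whole left-most label and matches
    exactly one label, so *.cdn.shop.example covers img.cdn.shop.example
    but neither cdn.shop.example nor a.b.cdn.shop.example.
    """
    pattern, host = normalize(pattern), normalize(host)
    if not pattern.startswith("*."):
        return pattern == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]


def verdict(sni: str, host_header: str, cert_sans: list[str]) -> str:
    """Classify a request by comparing TLS SNI with the HTTP Host header."""
    sni, host = normalize(sni), normalize(host_header)
    if not sni or not host:
        return "blocked"                 # assumption: a missing name is refused
    if sni == host:
        return "same-name"               # no fronting at all
    sni_ok = any(san_covers(p, sni) for p in cert_sans)
    host_ok = any(san_covers(p, host) for p in cert_sans)
    return "same-certificate" if sni_ok and host_ok else "blocked"


# Constructed sample: SAN list of the certificate served for the SNI name.
SAMPLE_SANS = ["www.shop.example", "*.cdn.shop.example"]

if __name__ == "__main__":
    for sni, host in [("www.shop.example", "WWW.shop.example:443"),
                      ("www.shop.example", "img.cdn.shop.example"),
                      ("www.shop.example", "blocked-app.example")]:
        print(f"{sni:18} {host:24} {verdict(sni, host, SAMPLE_SANS)}")
```

Only the third request, whose Host header names a domain absent from the certificate, is refused; this is the cross-customer case the new protections target.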
