Amazon Joins Google In Making Censorship Easy, Threatens Signal For Circumventing Censorship Regimes
from the consequences dept
A couple weeks ago we wrote about the unfortunate decision by Google to stop enabling domain fronting on its AppEngine. As we explained at the time, this was an (accidental) way of hiding certain traffic by using the way certain large companies had set up their online services, such that censors in, say, Iran or China, couldn’t distinguish which traffic was for an anti-censorship app, and which was for others. The two largest services that enabled this were Google and Amazon, and a variety of different anti-censorship tools made use of the ability to effectively “hide” within those sites such that an authoritarian government couldn’t block their apps without blocking all of Google or Amazon or whatever. Some CDNs have admitted that they don’t allow it out of a fear for how it could impact other users on the system, but on the whole it appeared to be a useful, if unintended, way for Google and Amazon to do good in the world.
However, when Google shut it down, the company just said that it was never supported, and the company had no plans to bring it back. Among the companies who relied on domain fronting is the popular encrypted communications app Signal. In a new blog post, Signal has explained why it believes Google suddenly decided to take action:
Direct access to Signal has also been blocked in Iran for the past 3+ years, but it was not possible to use the same domain fronting technique there. In an apparently unique interpretation of US sanction law, Google does not allow any requests from Iran to be processed by Google App Engine. Requests would get past Iranian censors, but then Google themselves would block them.
In early 2018, a number of policy organizations increased pressure on Google to change their position on how they were interpreting US sanction law so that domain fronting would be possible from Iran. Sadly, these lobbying efforts seem to have had the opposite effect. When Google?s leadership became more aware of domain fronting, it generated internal conversations about whether they wanted to put themselves in the situation of providing cover for sites that entire countries wished to block.
A month later, we received 30-day advance notice from Google that they would be making internal changes to stop domain fronting from working entirely.
That is… quite unfortunate. But, the story gets even worse. Because Signal then switched to Amazon, which resulted in the following chain of events:
With Google no longer an option, we decided to look for popular domains in censored regions that were on CloudFront instead. Nothing is anywhere near as popular as Google, but there were a few sites that used CloudFront in the Alexa top 50 or 100. We?re an open source project, so the commit switching from GAE to CloudFront was public. Someone saw the commit and submitted it to HN. That post became popular, and apparently people inside Amazon saw it too.
HN being Headline News. Amazon’s response was even more stark than Google’s. First, it sent Signal an email claiming that Signal was already violating its terms of service:
Yesterday AWS became aware of your Github and Hacker News/ycombinator posts describing how Signal plans to make its traffic look like traffic from another site, (popularly known as ?domain fronting?) by using a domain owned by Amazon — Souq.com. You do not have permission from Amazon to use Souq.com for any purpose. Any use of Souq.com or any other domain to masquerade as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms (Amazon CloudFront, Sec. 2.1: ?You must own or have all necessary rights to use any domain name or SSL certificate that you use in conjunction with Amazon CloudFront?). It is also a violation of our Acceptable Use Policy by falsifying the origin of traffic and the unauthorized use of a domain.
Signal points out, in response, that it’s not actually violating Amazon’s terms. It’s not using security certificates from any other site, and it’s not falsifying the origin of traffic when users get to Cloudfront (it’s just tricking the censors in places like Iran). But, either way none of that matters much, because Amazon then announced that it was following Google’s lead and killing domain fronting, claiming (again) that it doesn’t want other Amazon cloud customers to find out that someone is effectively hiding behind their domain.
Signal admits that this more or less means the end of being able to use domain fronting to avoid censorship in heavily censored countries. It says it will look for alternative ideas, but in the meantime, this could do serious harm to people in those countries. There is, perhaps, a reasonable argument that we shouldn’t have needed to rely on Google and Amazon as ways to hide traffic for important apps like Signal, but the fact that it was used for years this way really highlights how little damage domain fronting really seemed to do compared to the wider benefit.
With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you?d have to block the rest of the internet as well. In the end, the rest of the internet didn?t like that plan.
We are considering ideas for a more robust system, but these ecosystem changes have happened very suddenly. Our team is only a few people, and developing new techniques will take time. Moreover, if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited.
In short, this isn’t a particularly good look. Google and Amazon made these moves so that people don’t call them out for “protecting” apps like Signal by hiding their traffic behind the domains of totally uninvolved third-parties. Which certainly leaves both companies to being called out for favoring the interests of their customers over the interests of the public — especially those in countries with authoritarian regimes. And, again, the “cost” to Google and Amazon was not high. No one was free riding, they were just doing a bit of misdirection to get around a censor’s block. And now that’s gone.
Filed Under: censorship, circumvention, domain fronting, signal
Companies: amazon, google, open whisper systems, signal
Comments on “Amazon Joins Google In Making Censorship Easy, Threatens Signal For Circumventing Censorship Regimes”
It's not quite that simple
As I understand it, what Google and Amazon were really worried about is malware using domain fronting to disguise its traffic and then they end up getting blamed for it or caught up in it, which, in the age of the Internet Of Broken Things, is a quite reasonable thing to worry about. More benevolent things like Signal getting the shaft is just collateral damage.
from the this-is-why-we-can’t-have-nice-things dept
Re: It's not quite that simple
This is exactly why. TOR while used for bypassing censorship can’t be prevented from hosting kiddy porn, CC trading, hacking, et al due to the nature of the design. Domain Fronting is more of an oversight from edge servers in the CDN space. IE it is easier to allow all traffic hit the edge server and than to delegating out to the cache server on the inner request. This enabled the provider to have multiple edge servers accept requests for domain.com on demand, while only spending little on caching for domain.com. This enables the distribution of DOS attacks as they have many more endpoints to hit across a vast array of edge servers when attacked, and the traffic from the caching servers is minimized to localized depots.
Now what will happen is many more SSL certificates for domain.com will have to be published for the freak attack on domain.com, because they will need not only to analyze on the outer header, but also the inner request.
Expect prices to increase for everyone on most CDNs, except maybe Google since they run their own CA.
Circumvention of national blocks
There are two major ways to block unwanted traffic in authoritarian countries that control their infrastructure:
1. Block IPv4 address(es) or ranges of addresses and disallow your users to reach those “unwanted” servers providing those “harmful” services.
2. Enable deep packet inspection (DPI), forged certificates, decrypt everything having performed a man in the middle (MITM) attack, and remove traffic you don’t like.
The former is easy and is why it’s the preferred option. Domain fronting doesn’t making this difficult… it makes it impossible to identify “harmful” traffic from “all of e.g. google cloud” in real time if at all.
Google and Amazon are wrong to do this, and it is their right to do so, but it shows short-sightedness to do so absent any overarching reason for it.
Signal, WhatsApp, etc. should re-engineer their protocols to not be dependent on ONE provider, ONE cloud, or even ONE identifiable communication “stream”. They can learn a lot from TOR, from spread spectrum, from anycast IP addresses, and lastly from thepiratebay.org and remain vibrant, reachable, and well from all countries.
E
Re: Circumvention of national blocks
The problem is more than just blocking. If Signal were to use multiple providers or a distributed system, it would be more difficult to block but would readily be identifiable as Signal traffic. That would make the users in countries like Iran identifiable and vulnerable to retribution. Domain fronting not only made it difficult to block, but made it indistinguishable from traffic the country wanted to allow.
Well...
Signal just needs to nerd harder!
Clickbait headline?
Is this move to “make censorship easy” or because they hadn’t considered this a feature and there are lots of variables to consider in making it a supported feature?
This is kinda akin to finding the undocumented API in some SDK. Sure, go ahead, use it. There is no guarantee that the SDK provider is not going to completely rip that undocumented API out from under you though because it is not a part of the documented contract they have given you. When they decide to do that, are they being malicious?
Said another way, domain fronting was an implementation detail of how these cloud providers worked. They could have decided to change this implementation detail at any time because they came up with a better way to implement, irregardless of who was taking advantage of the unintended consequence of that implementation detail. If that were the case would we still have this headline?
Signal is doing great work. They tried to piggy back on a hack and the hack ran out. That’s part of the risk of piggy backing on a hack. I think it’s a bit disingenuous to call out Amazon on this as being “supportive of censorship” though.
Re: Clickbait headline?
It is not disingenuous to call out Google though, who’s motto was “Do no evil” and who had publicly defended their presence in such regimes by stating that it allows them to get their foot in the door. They’ve made this decision unilaterally knowing that it was being used as an essential tool for communication in repressive regimes.
Re: Re: Clickbait headline?
Let’s say that you are a disreputable ambulance chaser, and you decide that more people will answer your calls if you set your Caller ID to the name of some big legit law firm. Do you think the law firm would be happy about this?
Signal was doing basically the same thing, they were potentially causing Google reputation and maybe even legal issue and they weren’t even a Google customer. Is it “evil” to protect your own good name?
Re: Re: Re: Clickbait headline?
Signal did not “set” their IP address to be Google’s, nor did they form TCP connections using Google addresses or any addreses other than their own.
When trying to explain things, analogies help take something we don’t understand and put it in terms we do understand. In this case it took things you didn’t understand and put it in terms that were not correct.
Ehud
Re: Clickbait headline?
Signal didn’t ask them to make it a "supported" feature. It was already working, and Amazon wouldn’t be claiming a ToS violation if that was the problem. It would just break one day, Signal might complain, Amazon would say "we never said it would work".
Analogies
It’s not like finding an undocumented API. Nothing here was undocumented and they weren’t taking advantage of someone’s having left open something that should have been closed.
Here’s a more apt analogy:
They discovered they can use the heavily discounted smart TV for a PC monitor and all that resolution and high refresh rate is a lot cheaper than a normal “monitor only” solution! In response the smart TV vendor says “No no no, we sold you this set at a discount so we can track your viewng behavior and make money on you in other ways. No more using it as a dumb monitor.”
There’s no violation of terms or of using undocumented features, and nobody “piggy back on a hack” as there’s no hack. I think it’s disingenuous to suggest it’s disingenuous to call out Amazon as that is EXACTLY the right thing to do.
Best regards to JB,
Ehud
Re: Analogies
In your analogy, what if the FCC comes after the manufacture because people are using the TV in a way that wasn’t certified. Basically, Google and Amazon simply said “we don’t want to be held responsible for something someone who isn’t EVEN OUR CUSTOMER is doing using our name”.
Re: Re: Analogies
They had to be customers to use domain fronting. The problem is as most know, being a customer of AWS or Google Cloud isn’t exactly a hard task and not much verification goes into setting up an account. So basically anyone can setup an account with a anonymous email and use some laundered account (Visa gift cards, et al) and act like they are Amazon. I certainly wouldn’t want that on my domains, as you may be held responsible for any damages. It’s also a good way for the FBI,NSA or other three letter angency to distribute those 0day vulneribilities to unspecting persons and probably cause as much damage to those hiding behind the domain fronting in the first place.
Re: Re: Re: Analogies
No you wouldn’t. This makes no sense at all. At no point is any client fooled into thinking they are speaking to Amazon. The only ones in the dark are the ISPs and censors who only see the DNS request and initial TLS handshake.
This makes no sense whatsoever. What the hell. Do you not know the difference between ‘domain fronting’ and ‘phishing’ or a ‘man in middle attack’?
Re: Re: Re:2 Analogies
‘At no point is any client fooled into thinking they are speaking to Amazon.’
What? How do you think APT29 ex filtrated the DNC emails from the server, they exported them to a google.com domain which then tunneled through tor on a meek relay…
The DNC wasn’t blocking google.com, and thus couldn’t stop the loss of information.
Re: Re: Re:3 Analogies
You know the malware is the TLS client in that case, right. It knew exactly who it was talking to.
They could have stopped the loss of information by preventing the installation of the malware in the first place.
Re: Re: Re:2 Analogies
Add to the point, How many Cross site scripting attacks have been used to install malware on vulnerable systems. Say Bank of America has a XSS, and you gladly log in with a Javascript XSS attack gladly sending your information to a third party than redirecting you to the valid page. https://en.wikipedia.org/wiki/Cross-site_scripting
Since the valid url and SSL is pointing to Google/Amazon, it’s very likely to go unnoticed. Do you know how many phishing emails use this?
Re: Re: Re:3 Analogies
Again, what does that have to do with domain fronting?
Re: Analogies
Actually, that’s too generous… The person doing this doesn’t OWN the TV and has never bought a TV from Google or Amazon, they have basically converted YOUR TV into a botnet and now the manufacturer is disabling the capability to protect their reputation.
Re: Analogies
Do you have any evidence for that, i.e., a link to Google or Amazon documentation describing the feature?
The people who publicized (and named) domain fronting thought they had discovered it.
Re: Re: Analogies
When you sign your name on the research grant I’ll do research for you. Until then learn how to use google.
E
Re: Re: Re: Analogies
Ehud,
Here’s the orginal paper from 2015 explaining domain fronting.
http://www.icir.org/vern/papers/meek-PETS-2015.pdf
It was discovered by the University of California Berkley researches and not published documentation on any CDN. It’s a by product of lack of IPv4 space in all honesty and thus using SNI to secure sites on the CDNs.
Most infamous use of it was APT29 (Russian Hackers) which hacked the DNC mailserver. https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/
Some of the actual code, packet capture samples and analysis is located here: https://contagiodump.blogspot.co.id/2017/03/part-ii-apt29-russian-apt-including.html
Generation [CENSORED]
Between the slavish corporate support of national censorship policies and all of the moves worldwide to block “fake news” (i.e. any viewpoints those in power don’t like) it’s beginning to look like this generation will be known for being censored.
That’s so sad, given that the web was supposed to make the free exchange of ideas easier.
No reason?
Given the random collateral damage as Russia hunted Telegram across AWS and GCP, there’s clearly some level of risk in allowing this. Its one thing if using GCP was putting Google’s properties at risk, they could choose to make that trade-off, but if apps start using random other domains hosted by GCP or AWS, risking those other companies, that doesn’t seem like something a hosting provider would want to allow.
And that’s before you start pondering what other kinds of shenanigans can occur.
(I work for Google but don’t know any specifics on why this decision was made)
HN
HN being Headline News
or
HN being Hacker News (https://news.ycombinator.com)?
> In the end, the rest of the internet didn’t like that plan.
That sounds like typical Moxie apologese. The “rest of the internet” didn’t do a thing, it was just a bunch of powerful assholes dictating that the gap be closed.
Re: Re:
It’s a joke.
“The rest of the internet” here was clearly used with a sense of humor, since to make the sentence before that factually accurate in an absolutely literal manner, you have to edit it to say “you’d have to block [the most popular domain names in existence, Google and AWS] as well.”
1) create problem (or exasperate existing one)
2) give it a name (fake news)
3) drive issue to top of news cycle
4) promise to fix problem (but never do)
5) profit!
6) rinse, repeat
How come Techdirt never says anything “Bad” about GOOGLE! Google “shill”!
Wait, sorry ,wrong Artical. I meant to post that in a different Artical. THIS “artical” is one where I say Censorship? What about TECHDIRT “censorship”! Why you scaenors my “posts”! with your FLAGS and your “moderation”! and your “ZOMBIES”!
Every nation eats the Paint chips tit Deserves!
Re: Re:
Thad, mate, you need a separate parody for out_of_the_blue…
Jeese did we not see the spirit of these privacy bashing corrporations coming decades ago?
Re: Re:
The corporations aren’t “privacy bashing” per se, they are “for profit.” If a country says, “If you want to do business here you will do censorship,” then the corporation does censorship.
“We” (some of us) have the unreasonable expectation that corporations will forgo business in order to try to force good policy on other nations. They can’t. They have a fiduciary duty to their stockholders to do whatever is in the best interest of profit.
This article, and the previous article about Google, are misdirected. In all probability, one or more nations said, “Stop doing this or we will block you,” which would mean the end of business, the end of profit. (One of the countries did block one of the major companies, temporarily.)
But, even if these actions by Google and Amazon are unilateral, they were still inevitable; and laying blame on the corporations for a national policy that is bad is idiotic.
Re: Re: Re:
I think the attitude being expressed is precisely (one part of) an objection to the idea that expecting an entity not to treat "profit" as its primary, indeed overriding, goal/motivation/etc. is unreasonable; if a human behaved that way we’d call them greedy, so why should we just accept the idea that a corporation is outright obligated to do so?
We’re a long, long way from getting society (much less law, much less the global / international consensus about law) to redefine the duty of a publicly-traded corporation in some way other than "profit for stockholders", but there’s nothing wrong with the idea of advocating for that to happen.
Re: Re: Re: Re:
I got your point, and worthy point it is. The only thing is, how do we overcome the obligation that a company has to a nation like, say, China? Because China would certainly say that Google, for example, is obliged to follow its laws. And taking Google again, it is obliged by US law to seek profit for its stockholders, but it’s no obligation to enforce US constitutional rights in China.
It’s not exactly fair for all of these different obligations to be laid upon a company, and then expect the company to step up and be the big one in the room.
Re: Re: Re:2 Re:
Well, why is the company obligated to seek profit for its shareholders (as its overriding priority) in the first place?
As I understand matters, it is because A: American law requires it to, and B: the company is incorporated in America.
If US law gets changed to require something else instead of (or in addition to) profit as the overriding priority, and the company doesn’t want to have to adhere to that even in other countries, it would seem reasonable to say “then don’t incorporate in the US”.
IOW, the thing which would place US law ahead of other countries’ laws in the hierarchy of overrides would be the fact that the (primary / governing / parent) corporation is incorporated under US law.
As far as I know it’s not possible for a single company to be incorporated in two different places at the same time, so that would seem to provide a reasonable tiebreaker.
(In theory, a genuinely communist / socialist government – as distinct from the generally totalitarian / authoritarian ones which have adopted the names of “Communism” and “Socialism” in actual historical practice – would probably object to giving “profit” such primacy, more than a capitalist government would. At which point we might see the same problem arise from the opposite direction.)
Re: Re: Re:3 US Corporations and their objectives
United States incorporated entities (“corporations”) have documents that detail their purpose, their scope, their organizational details, and management and oversight. Typically in a typical US corporation you’d find these in the Articles of Incorporation (AOI) which are — in many states — even found online.
A US Corporation isn’t required to focus on GROWTH, PROFIT, REVENUE, or even HELPING THE WORLD. It is whatever its incorporators decided when they created it. Similarly, INVESTORS are not required to invest in any instrument (stocks, bonds, etc.) unless they feel the instrument will reward them in some way.
Put together, corporations that seek outside funding and stockholders often provide revenue forecasts and share revenue (dividends) or provide growth forecasts so that the market will drive share value (and price) up. Either way the investors are rewarded and they will invest.
Some corporations don’t want these investors. They are typically also not going to go for an initial public offering (IPO) or list themselves on a major exchange (e.g. NASDAQ, AMSE, FOREX, etc.) because the traffic in their securities will be miniscule compared to the high-moving stocks with great dividends or growth.
So to say that this is a problem with US law is wrong. To say that this is a requirement of nonsocialism is wrong. It’s merely looking a a microcosm (PUBLIC corporations and their investors) and analogize the rest to it.
Now back to the original question… we know both Google and Amazon are publicly traded, and yes, their investors want growth and profit. If you want to use services of companies that aren’t thus limited my I recommend you check out Whisper Systems (they make Signal), and of course the now-defunct Lavabit. There are PLENTY of non-public corporations whose goals are NOT profit and growth but rather providing a service and not screwing their customers.
Ehud
Re: Re: Re:3 US Corporations and their objectives
I had a lengthy reply but it’s been “awaiting moderation” for a day now with no release. I’ll try and recap the salient points.
There are no laws requiring profit or growth. Corporations that want outside investment on the open market CHOOSE to emphasize those in their Articles of Incorporation (AOI), to go have an initial public offering (IPO), and to publicly trade. When they do that, they provide incentives for investors to buy and hold the shares (“long position”) through continued growth (share value goes up) or profit and distribution (dividends).
Nothing in the law requires this. Corporations exist that do not emphasize this. Typically they are non-public. Some are for profit and some are not for profit. (Not for profit doesn’t mean they don’t make a profit… merely that they reinvest it back into the corporation).
Amazon and Google are public corporations. If you don’t like their corporate goals or their data sharing models, find private corporations (Open Whisper Systems? Lavabit? etc.) and use their services.
Ehud
Re: Re: Re:4 US Corporations and their objectives
In my initial comment, I qualified my comments as being specifically about publicly-traded corporations; my reference to understanding the law as requiring profit-seeking, in my second comment, was in that context and should be read as implicitly containing that same qualifier.
Bringing in corporations which do not choose to become publicly-traded is expanding the universe of discourse. The question is precisely why – indeed, whether – it’s appropriate to require publicly-traded corporations to adopt a posture which would be labeled "greedy" if held by an individual.
Re: Re: Re:5 US Corporations and their objectives
In my initial comment I addressed that.
THERE IS NO SUCH LAW.
Perhaps I was too subtle and the point was missed.
THERE IS NO SUCH LAW.
Public corporations exist to further outside investors, and as I explained they do this via growth or profit. It has nothing to do wiht a law, nor greed, nor anti-communism, nor anything else you’ve espoused. It’s simply to attract investment money over the next security.
E
Re: Re: Re:6 US Corporations and their objectives
I’m sorry; I interpreted that part of your comment as meaning “there is no law requiring corporations to seek profit, just a law requiring publicly-traded ones to do so”, because I understood it to be so clearly established that publicly-traded corporations have a fiduciary duty (read: obligation) to seek profit on behalf of their shareholders and can be punished in court for failing to adhere to that duty.
If publicly-traded corporations do not have such an obligation, I’m befuddled as to why I’ve seen it mentioned so many times in so many places that I couldn’t begin to tell you where I first got the idea from.
If they do, then there is a law which underlies that obligation.
The question is why “further (the profits of) outside investors” should be an obligation which comes along with being publicly traded – or, to put it another way, why we should not impose an obligation on such corporations to do things other than merely seek profit, if only to counter a naturally-existing incentive provided by the investment market. (I believe we already do that in some sectors and some areas; banks, for example, are apparently legally required to have community investment / improvement / etc. plans.)
Re: Re: Re:7 US Corporations and their objectives
2. If a corporation has told its shareholders (through either their Articles or their annual 10K filings or the quarterly 10Q filings or other SEC filings) that it intends to do so THEN and ONLY THEN is it the fiduciary duty of management to adhere to those goals… that THEY THEMSELVES SET OUT in order to encourage investors. If they fail, CIVIL lawsuits ensue. (No pun intended).
3. “[w]hy should we not impose”… because YOU are NOT someone who gets to impose ANYTHING on ANYONE and neither am I. Corporations have specific goals and so long as they are operating within the law we don’t get to tell them what to do.
Arguendo you may say “But they have to follow laws and we can pass laws that make them do these other things” and then they’ll go incorporate in other countries that don’t have your absurd ideas of forcing businesses to do what YOU want vs what THEY want.
Banks are not required to have community investment. I don’t know where your ideas are coming from, but they are not United States corporate law. That’s for sure.
Ehud
CEO – several US corporations
CTO – several US corporations (formerly one public)
Manager – several US LLCs
Helicopter Pilot Extraordinaire (FAA CPL-H)
Peer. To. Peer.
This is what happens to you when you have a centralized, brittle, pressurable, surveillable server-based architecture.
I see Briar has a release candidate on Google Play…
Another reason not to use DuckDuckGo.