What is the domain fronting technique? Examples and concerns
Domain fronting is a technique for evading censorship by concealing the website you actually wish to visit. It relies on the fact that the HTTP layer of an HTTPS connection is encrypted, which can be turned to the purpose of bypassing access blocks. However, domain fronting is not a method that cloud providers support. Disapproval of the technique also stems from the fact that hackers and scammers can exploit it.
Domain fronting meaning and usage
Domain fronting bypasses censorship by obfuscating the final destination of an HTTPS connection. It disguises the forbidden domain name by rerouting the data through a content delivery network (CDN).
So, domain fronting used major cloud providers as a proxy. A request would appear to be headed for a service like Amazon, but it would end up arriving at a completely different destination.
Regular HTTP/HTTPS vs. domain fronting
Before discussing the inner workings of this technique, it is essential to grasp how HTTPS makes it possible. We therefore start with the usual routine for visiting a website.
- HTTP basics. You enter a URL, and DNS servers find the associated IP address. In this case, nothing gets encrypted, neither the DNS lookup nor the HTTP request. Everything travels in plaintext, leaving no room for domain fronting.
- HTTPS basics. HTTPS is HTTP protected by TLS (Transport Layer Security). Users still make unencrypted requests to DNS servers to resolve the IP address. The client then sends a “client hello” to the server listing the encryption algorithms it supports and the TLS version. The server responds with a certificate and completes the handshake. Once the handshake completes, all further data gets encrypted.
As a general HTTPS rule, your final destination should be visible in three places:
- DNS query.
- TLS Server Name Indication (SNI).
- HTTPS Host header.
Typically, all three would carry the same domain name. Domain fronting breaks that rule: the DNS query and the TLS SNI name the innocuous front domain, while the HTTPS Host header names the real destination. Since the Host header travels inside the encrypted TLS session, censoring mechanisms cannot see it; only the CDN, after decrypting the request, reads the Host header and routes the request to the real site.
Domain-fronted HTTPS requests also look identical to ordinary requests on the wire. Therefore, it was a practical way to circumvent blocks, since preventing it required blocking the front domains themselves. Google and Amazon were the top choices used as fronts.
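The comparison a CDN edge performs to refuse fronting (SNI must match Host), and the same comparison a defender can run over egress proxy logs, as an added example that is not from the original article; the log format and sample lines are constructed, not taken from any real product:

```python
"""Flag HTTPS connections whose TLS SNI and HTTP Host header disagree."""
import re

# Constructed sample lines in an assumed format "<ts> client=<ip> sni=<name> host=<header>",
# the kind of record a TLS-terminating egress proxy could emit.
SAMPLE_LOG = """\
2021-05-01T10:00:01Z client=10.0.0.5 sni=www.google.com host=www.google.com
2021-05-01T10:00:02Z client=10.0.0.5 sni=www.google.com host=signal-cdn.example
2021-05-01T10:00:03Z client=10.0.0.7 sni=cdn.example.net host=CDN.EXAMPLE.NET:443
2021-05-01T10:00:04Z client=10.0.0.9 sni=- host=hidden.example
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+)")


def normalize(name):
    """Lower-case a hostname and drop a port suffix so 'A:443' compares equal to 'a'."""
    name = name.strip().lower()
    if name == "-":  # the assumed proxy format writes '-' when the client sent no SNI
        return None
    return name.rsplit(":", 1)[0] if re.search(r":\d+$", name) else name


def is_fronted(sni, host):
    """True when the (encrypted) Host header names a different site than the SNI."""
    sni, host = normalize(sni), normalize(host)
    if sni is None or host is None:
        return False  # nothing to compare; such connections are reported separately
    return sni != host


def find_fronting(log_text):
    """Return (fronted, no_sni): mismatched (client, sni, host) tuples and clients without SNI."""
    fronted, no_sni = [], []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        if normalize(m["sni"]) is None:
            no_sni.append(m["client"])
        elif is_fronted(m["sni"], m["host"]):
            fronted.append((m["client"], normalize(m["sni"]), normalize(m["host"])))
    return fronted, no_sni
```

A CDN that refuses the second line (SNI www.google.com, Host signal-cdn.example) is doing exactly what Google and Amazon did to end domain fronting; the third line shows why case and port must be normalized before comparing.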
How do CDNs fit in domain fronting?
A CDN (content delivery network) consists of globally distributed servers and data centers. It is an invisible helper that lets users receive online content faster thanks to cached copies of websites.
It speeds up browsing by delivering local copies of content from nearby servers. CDNs serve most web requests, including those to popular hangouts like Facebook, Twitter, or Hulu.
In a way, domain fronting exploits CDNs: it masks the true web destination as legitimate CDN traffic. So CDNs can be abused, which is true of many technologies and tools.
Examples of domain fronting in action
Some big industry names have used domain fronting to bring their services to regions blocking them. Let’s briefly look at several examples:
- Signal supplied its services to people in Egypt, Oman, UAE, and Qatar. It chose to masquerade requests to its services as requests to Google App Engine. Therefore, if entities wished to block Signal, they would have to block Google.com as well. However, according to a Signal blog post, it no longer appears to use domain fronting.
- Tor Browser disguised its traffic via the meek pluggable transport. The purpose of Tor is to protect against tracking, surveillance, and censorship. Despite its honorable intentions, some locations block it. Therefore, Tor used pluggable transports to make Tor traffic appear as Google or Amazon traffic. Currently, it may support meek through other means due to the restrictions placed on domain fronting.
Is domain fronting still possible?
No, domain fronting no longer seems like a viable option. It is primarily a thing of the past due to the defense mechanisms CDNs employ. One by one, the biggest cloud providers announced that they prevent users from concealing their destinations through their services.
The fear that hackers or scammers could abuse domain fronting to bypass TLS/SSL requirements strongly influenced this decision. Culprits could have used high-reputation domains to avoid detection and reach other sites. Cozy Bear exploited this technique to gain backdoor access to targets.
Lastly, cloud providers like Google argued that support for domain fronting was never intentional. They claim to have no plans to allow the technique.
New player in town: domain hiding
Domain hiding and domain fronting have the same goal but use different technologies to achieve it. Domain hiding is also a newer technique, associated with TLS 1.3.
Erik Hunstad introduced domain hiding at DEF CON 2020 as an alternative to the mostly retired domain fronting. The Noctilucent tool uses encrypted SNI (ESNI) to conceal the true destination. Unlike fronting, it does not depend on the CDN routing requests by the Host header.
However, this option also seems to no longer be fully available. The developers left a message on the project's main GitHub page stating that Cloudflare has broken Noctilucent’s functionality. It can still hide connections to a domain whose DNS is hosted by Cloudflare. However, setting the unencrypted SNI value to an arbitrary domain is no longer possible.
A VPN can stand in as a domain fronting alternative
Domain fronting was a useful censorship-evasion technique. However, cloud providers pulled the plug on it, forcing entities to look for alternatives.
While domain fronting might be mostly gone, protection against unjustified censorship does not have to be. According to our research in 2021, nearly 40% of users do not have internet freedom.
As a user, consider getting a virtual private network (VPN), which can work as a way to regain access to essential resources. It is a practical tool for fighting censorship and increasing government control over the digital space.
It does not require any technical know-how and works seamlessly to bring the open internet back to you. Robust traffic encryption and IP masking help defend against unjust blocks and provide safer internet access.