
    Amazon Web Services starts blocking domain-fronting, following Google’s lead




    A week after Google shut down a method for app developers to skirt internet censorship, Amazon is doing the same. In a post last week, Amazon Web Services announced that it would implement a new set of enhanced domain protections specifically designed to stop domain-fronting, a practice that lets developers disguise their traffic to evade network blocks.

    In the post, Amazon characterized the change as an effort to stamp out malware. “Tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer,” the post explained. “No customer ever wants to find that someone else is masquerading as their innocent, ordinary domain.”

    Domain-fronting works by using major cloud providers as a kind of proxy: a data request looks like it is heading to a major service like Google or Amazon, and is only forwarded to a third party once it reaches the provider's own servers. That’s useful for evading state-level internet blocks like Russia’s recent Telegram block, since state ISPs can’t tell which traffic is bound for the blocked service until it’s too late.

    Unfortunately for circumvention tools, neither Amazon nor Google will let them pull that trick anymore. Amazon will still allow domain fronting within domains owned by the same customer (or more specifically, listed under the same SSL certificate), but customers can no longer use the technique to disguise where data is going, making it far less useful for blocked apps.
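    The policy described above (fronting allowed only between hostnames covered by the same certificate, blocked across unrelated domains) can be modelled as a check at a provider's TLS edge. The following is an added illustration, not code from Amazon, Google or the article: it assumes a fronted request is recognised by the mismatch between the hostname announced in the TLS handshake (the SNI) and the hostname in the HTTP Host header, and it uses a constructed certificate inventory and constructed log lines. Real edge implementations are not described on the page.

```python
# Added example: model of a "same certificate" domain-fronting policy and a
# detector that runs it over edge log lines. All hostnames, certificate ids
# and log entries below are constructed for illustration.

# Hypothetical inventory: certificate id -> hostnames it covers (its SANs).
CERT_SANS = {
    "cert-a": {"example-shop.com", "*.example-shop.com"},
    "cert-b": {"other-tenant.example.org"},
}


def san_matches(san, host):
    """True if a SAN entry covers `host`; a wildcard covers exactly one label."""
    if san.startswith("*."):
        suffix = san[1:]                      # ".example-shop.com"
        if not host.endswith(suffix):
            return False
        leading = host[: -len(suffix)]
        return bool(leading) and "." not in leading
    return san == host


def cert_for(host):
    """Return the certificate id whose SANs cover `host`, or None if unknown."""
    for cert_id, sans in CERT_SANS.items():
        if any(san_matches(san, host) for san in sans):
            return cert_id
    return None


def evaluate(sni, host_header):
    """Classify one request as (decision, reason) under the same-certificate rule."""
    if sni == host_header:
        return ("allow", "sni matches host")
    sni_cert = cert_for(sni)
    host_cert = cert_for(host_header)
    if sni_cert is None or host_cert is None:
        # Either side is not a hostname this edge serves at all.
        return ("block", "unknown domain")
    if sni_cert == host_cert:
        # Fronting between a customer's own hostnames: still permitted.
        return ("allow", "same certificate")
    # SNI and Host belong to unrelated customers: the case being blocked.
    return ("block", "cross-customer front")


# Constructed edge log: timestamp, TLS SNI, and HTTP Host header per request.
SAMPLE_LOG = """\
2018-05-01T10:00:00Z sni=www.example-shop.com host=www.example-shop.com
2018-05-01T10:00:01Z sni=cdn.example-shop.com host=api.example-shop.com
2018-05-01T10:00:02Z sni=cdn.example-shop.com host=other-tenant.example.org
2018-05-01T10:00:03Z sni=cdn.example-shop.com host=hidden.example.net
"""


def scan_log(text):
    """Apply evaluate() to every log line; returns (sni, host, decision, reason) tuples."""
    results = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        decision, reason = evaluate(fields["sni"], fields["host"])
        results.append((fields["sni"], fields["host"], decision, reason))
    return results


def blocked_count(text):
    """Number of requests the policy would refuse; useful as a monitoring metric."""
    return sum(1 for _, _, decision, _ in scan_log(text) if decision == "block")


if __name__ == "__main__":
    for sni, host, decision, reason in scan_log(SAMPLE_LOG):
        print(f"{decision:5} sni={sni:24} host={host:26} ({reason})")
    print("blocked:", blocked_count(SAMPLE_LOG))
```

    From a defender's side the same mismatch check is a useful detection signal: a sustained stream of connections whose SNI names a cloud edge while the inner Host header names something else is exactly the pattern the providers are now refusing.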