App developers won’t be able to use Google to get around internet censorship anymore. The Google App Engine is discontinuing a practice called domain-fronting, which let services use Google’s network to get around state-level internet blocks.
A recent change in Google’s network architecture means the trick no longer works. First spotted by Tor developers on April 13th, the change has been rolling out across Google services and threatens to disrupt services for a number of anti-censorship tools..
Reached by The Verge, Google said the changes were the result of a long-planned network update. “Domain fronting has never been a supported feature at Google,” a company representative said, “but until recently it worked because of a quirk of our software stack. We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”
Domain-fronting allowed developers to use Google as a proxy, forwarding traffic to their own servers through a Google.com domain. That was particularly important for evading state-level censorship, which might try to block all the traffic sent to a given service. As long as the service was using domain-fronting, all the in-country data requests would appear as if they were headed for Google.com, with encryption preventing censors from digging any deeper.
While never an explicit feature of Google’s App Engine, domain-fronting had been widely publicized since it was publicly adopted by Signal in 2016. The technique was also used by state hackers: According to a recent FireEye report, the Kremlin-linked APT29 used domain-fronting to smuggle information out of targets for as long as two years.
Digital rights groups are already urging Google to reconsider the move.
“Google has long claimed to support internet freedom around the world, and in many ways the company has been true to its beliefs,” said Nathan White of Access Now. “Allowing domain fronting has meant that potentially millions of people have been able to experience a freer internet and enjoy their human rights. We urge Google to remember its commitment to human rights and internet freedom and allow domain fronting to continue.”
Update 9:45pm ET: Updated to include statement from Access Now
Correction 4/26 2:25pm: An earlier version of this piece named the Psiphon VPN as one of the services affected by the change. In fact, Psiphon has never used domain-fronting techniques through Google. The Verge regrets the error.
Comments
Wasn’t it Russia that has just recently blocked Google’s domain as part of its Telegram lockout? Turning that feature off at just the right time to get the business income back – Gordon Gecko and Zuck would be proud.
The Google that walked out of China rather than assist the government there in monitoring / policing its citizens probably died with Alphabet (if not before). Definitely seems like its gone now though. This is also why we can’t rely on commercial entities to protect user privacy / human rights…cause in the end, the governments control access to markets allowing these artificial entities to make money. JMHO…
By SasparillaFizz on 04.18.18 5:13pm
Facts aren’t opinions. Protecting yourself is your job. You can’t really count on anybody else to do it for you. If you care about privacy and human rights, you need to protect your own privacy and stand up for human rights. Even if it means giving up access to some trendy or handy service that you like that abuses your trust. Or refusing to be complicit in the violation of somebody’s rights because you happen to disagree with them – or ‘cause they’re an asshole – or because violating their rights might help get you your way.
By Grouchy Ivan on 04.18.18 5:21pm
> you need to protect your own privacy and stand up for human rights. Even if it means giving up access to some trendy or handy service
Sure. Everyone in countries with violent or dictatorial clampdowns should code their own secure messaging service. Everyone should learn how to ensure their own privacy against state-level operators. Iranians should get off that trendy/handy service.
Was this statement supposed to be a poster-child for privilege?
By RikF on 04.18.18 7:36pm
Poster child for privilege?
I’m sorry, but you can’t expect somebody to have your back. Pragmatism isn’t privilege.
I mean.. You can expect somebody to have your back. But you’re going to be disappointed.
Go ahead. Just keep using those services that abuse your trust, and whine about it after. See how that works out for you.
By Grouchy Ivan on 04.23.18 4:22pm
"Giving up their service" isn’t the only method when it comes to defending your own rights. Public opinion is also a great tool to pressure these big companies to make the decisions we’d like to see.
By killerwhale233 on 04.19.18 7:59am
If you think this happened because of Russia blocking Telegram, you don’t know how any of this really works.
By Livingstonthethird on 04.18.18 7:51pm
They only started blocking IPs on 16th, while Google made the change on 13th. And most IPs blocked were Amazon.
By BigDaddy0790 on 04.19.18 6:26am
Google really has no impact on these tools in the grand scheme of things.
Either Google was going to do this, or the countries people need the anti-censorship tools in were going to block Google entirely. Either way Google had no say in what was going to happen to the anti-censorship tools.
By Grouchy Ivan on 04.18.18 5:17pm
In many countries Google isn’t powerless. Refusing to capitulate and forcing the governments in such areas to leave it alone or make a very unpopular move and disable access to Google is something that they could wield. They have chosen to do so in the past, they have not chosen to do so here.
By RikF on 04.18.18 7:39pm
Russia, China, and Iran would give zero fucks about disabling Google. And they could probably convince their citizens it was in their best interest.
By Grouchy Ivan on 04.23.18 4:23pm
Not sure if I’m buying that it was a routine update and a long planned cancellation.
Most likely Google is wilting under pressure from saber-rattling places like the EU to surrender power.
By Yomcha on 04.18.18 5:35pm
I don’t think the EU was going after domain fronting or encrypted communication. Russia, China, and Iran are the big ones fighting internet anonymity or cloaking right now.
By ench on 04.18.18 5:48pm
These services should build proxy settings into their apps or use CDS solutions if they need the functionality, like CloudFlare or Akamai (like Free Browser – https://freebrowser.org/en). Hacking a loophole in a public infrastructure is never a sustainable design. There are plenty of elegant and technical ways to implement your personal security needs – for the moment anyways. The Internet as a ‘free and open’ network is in decline after all, and national, corporate, and public "security" interests will continue to close it up over time.
(Also, it might not be fair to hold Google to one set of standards and then let Apple and Microsoft be allowed to completely cooperate with entities you personally disagree with; these are all in fact corporations and not moral or ideological organizations.)
By J2theD on 04.18.18 10:14pm
Fair game here. I’m a big privacy advocate but this is just a company whose servers were being used by other entities for their own gain.
We’re not a socialist state and Google isn’t a public service. They can just create their own domains and hosting right?
Just contribute to Tor…
By Glen Donnelly on 04.18.18 10:34pm
I’m hoping Apple will offer VPN as part of an iCloud Subscription.
By Kyleh on 04.18.18 11:51pm
If this allowed Russia to hack our elections with APT 29 then it is a backdoor that needed to be closed ……
Google has no obligation to make it easier or people to spoof domains because their Government is oppressive but Google does have an obligation to keep us safe from State Sponsored Hackers using Advanced Persistent Threat trojans to Hack their way into our computers and spread their Propaganda
By John Russell on 04.19.18 4:13am
it was a bug, never a feature
By cadtek91 on 04.19.18 11:56am
Google’s new motto: "Literally be as evil as you can be"
By mikedon on 04.19.18 12:03pm