Amazon Web Services starts blocking domain-fronting, following Google’s lead

A week after Google shut down a method for app developers to skirt internet censorship, Amazon is doing the same. In a post last week, Amazon Web Services announced that it would implement a new set of enhanced domain protections specifically designed to stop domain-fronting, a practice that lets developers disguise their traffic to evade network blocks.

In the post, Amazon characterized the change as an effort to stamp out malware. “Tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer,” the post explained. “No customer ever wants to find that someone else is masquerading as their innocent, ordinary domain.”

Domain-fronting works by using major cloud providers as a kind of proxy, making a data request seem like it’s heading to a major service like Google or Amazon only to be forwarded along to a third party once it reaches the broader internet. That’s useful for evading state-level internet blocks like Russia’s recent Telegram block, since state ISPs can’t tell which traffic is bound for the blocked service until it’s too late.

Unfortunately for circumvention tools, neither Amazon nor Google will let them pull that trick anymore. Amazon will still allow domain fronting within domains owned by the same customer (or more specifically, listed under the same SSL certificate), but customers can no longer use the technique to disguise where data is going, making it far less useful for blocked apps.


It sure looks like this was only used to circumvent censorship. Was there another, deeper reason for this? Dark web or something?

They want to avoid state censors from blocking their entire network to block the "offending" domain fronted by cloud services.

It was not an intended feature but those anti-censorship apps are betting on the state censors don’t block their app because of the potential collateral damage (all sites that run on AWS or Google App Engine).

Google and Amazon do not want to get to a situation where some of their customer’s networks are unreachable because the state censor wishes to block one of their customers’ domain.

Just another nail in the coffin of the centralized web.

Someone do a Kickstarter and everyone in the country kick in $5 and we’ll start our "Owned by the People" network.

You don’t even need a kickstarter, there are already many possible technologies for this that simply lack users, but this would quickly get regulated by countries and governments, just as the original Internet did.

Good to see Amazon follow Google’s lead on this.

My, what "leadership" these companies are showing. Truly noble, these companies are.

View All Comments
Back to top ↑