Score one for the Internet’s censors.
Last month, Russia’s government blocked nearly 19 million Internet Protocol addresses in a bid to stop people from accessing the messaging app Telegram after it refused to comply with government demands to share content from encrypted chats. Authorities blocked so many IP addresses because Telegram uses a technique called domain fronting to circumvent simple filtering of Telegram’s web addresses.
Domain fronting allows Telegram to present its connections from Russia as going to a different, uncensored domain that also uses Telegram’s cloud hosting providers, primarily Google and Amazon, while Telegram itself moves from IP address to IP address, also at the cloud hosting service, to stay ahead of government blocks of each one. Unable to identify which connections were actually to Telegram’s domains, Russian authorities likely hoped to block enough IP addresses that accessing working Telegram connections would be difficult.
Officials also may have hoped that such drastic blocks, which also blocked Russians’ access to thousands of unrelated Google and Amazon customers, might encourage those companies and others to stop doing business with Telegram and any other organizations using their cloud hosting services to evade online censorship, or even forbid domain fronting altogether. Such pressure succeeded quite recently: in early April, Russia’s censors threatened to block millions of IP addresses to prevent Russians from accessing Zello, a walkie-talkie app used by Russian truckers to organize protests. In that case, Amazon and Google yielded to the pressure and asked Zello to stop using their services.
Whatever their strategy, Russia’s censors, and those in many other countries, had some welcome news this week. Both Google and Amazon announced that they are instituting measures to prevent customers from using domain fronting, and have already warned some customers who use domain fronting to evade censorship that doing so is not permitted. The secure messaging app Signal is among those affected, as is the Tor browser. Tor announced that they continued operations by shifting to Microsoft’s Azure cloud, but that they heard that Microsoft would soon prohibit domain fronting as well. The Daily Beast reached out to Microsoft Azure to ask if this is indeed their intention, but has not received an answer as of the time of writing.
Google’s plans were first visible on April 13, when domain fronting stopped working for many users. Amazon announced their plans on April 27. This timing has caused some to question if Russian pressure played a role in the decision. It may have—Google and Amazon have yet to reply to questions on the topic—but this decision did not occur in a vacuum.
Neither company ever explicitly offered domain fronting as a censorship evasion service. It was instead something possible for operators with a good understanding of how the companies’ cloud hosting services work. However, in recent months awareness of domain fronting as a censorship evasion tool increased, which then forced Google and Amazon to address the fact that by continuing to permit domain fronting, they were taking sides in sensitive political issues around the world, and also enabling illicit online activity.
Beginning during anti-government protests in Iran last December and January, Google came under pressure from free speech advocates to allow domain fronting in Iran as a way to help Iranians evade online filters. Google blocks most connections to Iran to comply with international sanctions, but doing so also blocks the connections that make domain fronting work. Changing that policy would help Iranians circumvent censorship efforts by their government, but it would also be a de facto admission by Google that they were deliberately supporting protesters against the wishes, and orders, of Iran’s government.
Russia’s threat to block millions of IP addresses used by Zello further upped the stakes, as it carried with it real consequences not only for Google and Amazon, but thousands of customers as well, should their IP addresses be among those blocked. What is more, Russia is not the only country that could enact such large-scale blocks, and the companies could soon find themselves the targets of significant blocks in multiple countries that conduct substantial internet censorship.
In addition to a desire to avoid global controversy, the tech giants have real security reasons to worry about domain fronting. The technique works by allowing its practitioners to claim to be from a site to which they have no actual connection. Cybercriminals and spies can and do use it just as well as anti-censorship crusaders can. The most famous cyberespionage group to use it is Cozy Bear, one of the two Russian groups that compromised the DNC in 2016. Cozy Bear used domain fronting years before it became well-known.
Amazon addressed this potential for abuse in their announcement that they would be ending domain fronting, saying, “clearly, no customer ever wants to find that someone else is masquerading as their innocent, ordinary domain.” It’s understandable that domain owners do not want to be powerless to stop others from impersonating them. From this perspective, ending domain fronting makes sense.
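In practice, a fronted request names one domain in the TLS handshake (the SNI field, visible to a censor) and a different one in the encrypted HTTP Host header, so one way a hosting provider's edge could enforce the ban is to compare the two. The sketch below is an added example, not Amazon's or Google's code; the domains, account ids, and the rule that a mismatch is acceptable within a single customer account are assumptions made for illustration.

```python
"""Edge-side check for domain fronting: compare the TLS SNI name with the
HTTP Host header and allow a mismatch only within one customer account.
All domains and account ids below are constructed sample data."""

# Constructed mapping of hosted domains to the owning customer account.
DOMAIN_OWNER = {
    "shop.example.com": "acct-1",
    "static.example.com": "acct-1",
    "chat.example.net": "acct-2",
}


def normalize(name):
    """Lower-case a hostname, drop a trailing dot and any :port suffix."""
    name = name.strip().lower()
    if name.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        return name[1:name.find("]")] if "]" in name else name
    if name.count(":") == 1:            # host:port
        name = name.split(":", 1)[0]
    return name.rstrip(".")


def owner_of(name, owners=DOMAIN_OWNER):
    """Return the account that owns `name`, or None if it is not hosted here."""
    return owners.get(normalize(name))


def classify(sni, host_header, owners=DOMAIN_OWNER):
    """Return 'allow', 'reject-fronting' or 'reject-unknown' for one request."""
    sni_n, host_n = normalize(sni), normalize(host_header)
    if sni_n == host_n:
        return "allow" if owner_of(host_n, owners) else "reject-unknown"
    sni_owner, host_owner = owner_of(sni_n, owners), owner_of(host_n, owners)
    if sni_owner is None or host_owner is None:
        return "reject-unknown"
    # Names differ: acceptable only when one account controls both.
    return "allow" if sni_owner == host_owner else "reject-fronting"


if __name__ == "__main__":
    samples = [  # constructed (SNI, Host) pairs
        ("shop.example.com", "shop.example.com"),
        ("shop.example.com", "Static.Example.com:443"),
        ("shop.example.com", "chat.example.net"),
    ]
    for sni, host in samples:
        print(f"{sni:20} {host:26} {classify(sni, host)}")
```

The check only works at the provider's edge, where TLS is terminated; a network observer sees the SNI but not the Host header, which is why censors cannot tell fronted connections apart.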
Theoretically, there is another option. Many existing efforts to evade censorship do not impersonate independent websites; rather they impersonate the cloud providers themselves. This works because domains like Google’s are so important that countries are reluctant to block them. If the cloud hosting providers were to permit only verified anti-censorship operations to use their domains, they could hinder criminals without denying organizations a critical anti-censorship resource.
Google appeared to at least tacitly accept such an approach as late as 2014, when its then-CEO wrote in a New York Times Op-Ed that “obfuscation techniques — when one thing is made to look like another — are also a path forward. A digital tunnel from Iran to Norway can be disguised as an ordinary Skype call.”
This would require taking an unambiguously political stance, one that could be viewed as hostile in countries enacting some form of censorship. In any country, it could open the providers to criticism or even liability for crimes or other illicit activity conducted on the supported networks. Although services such as Signal and Tor are important for democratic activists, they are also sometimes used by criminals and terrorists, and cloud service providers are unable to police this. As things are now, the combined hazards appear to be too much for many organizations to accept.
Unfortunately, censors are also aware of these concerns. Now that domain fronting is gone from Google and Amazon and may not be available at Microsoft for long, activists and independent thinkers in countries with online censorship have lost an important way to access information and stay safe. Domain fronting may not be the end either. From the perspective of the censors, heavy pressure tactics such as Russia’s may be working.