Signal says that Amazon is threatening to suspend the company’s AWS account over its plans to circumvent censorship. The company published an email it received from Amazon over the matter, one that states, “We will immediately suspend your use of CloudFront if you use third party domains without their permissions to masquerade as that third party.”
Signal is an encryption-based messaging app known for its secure messaging service. Because of its security measures, the app has been banned in multiple countries, including Qatar, Egypt, and Oman. The company behind Signal offers a basic explanation of the technology behind it and how countries block access to it:
Like most modern services, Signal does not have a single static IP address that ISPs can filter … This can make it more difficult for a censor to identify traffic based on IP address alone. Unfortunately, a TLS handshake fully exposes the target hostname in plaintext, since the hostname is included in the SNI header in the clear. This remains the case even in TLS 1.3, and it gives a censor all they need.
However, Signal explains, a method of circumvention known as domain fronting makes it possible to trick the blocking attempts by making it look like a connection is being made with a different domain. Signal previously used domain fronting via Google App Engine to get around the censorship in the countries blocking access.
Google had notified Signal of plans to put a stop to domain fronting via “internal changes,” prompting the company to turn to Amazon instead.
With Google no longer an option, we decided to look for popular domains in censored regions that were on CloudFront instead. Nothing is anywhere near as popular as Google, but there were a few sites that used CloudFront in the Alexa top 50 or 100. We’re an open source project, so the commit switching from GAE to CloudFront was public. Someone saw the commit and submitted it to HN. That post became popular, and apparently people inside Amazon saw it too.
Once aware of the plans, Amazon fired off an email to Signal, advising the company that it doesn’t have permission to use the intended Souq.com domain for its domain fronting practice. Signal argues that it doesn’t believe it is violating the terms of service, arguing that it isn’t falsifying the origin of the traffic when the clients connect to CloudFront, nor is it using the SSL certificate for any domain other than its own.
At the end of the day, Signal points out that its interpretation doesn’t matter and that domain fronting for this purpose “is now largely non-viable.”