Domain-fronting refers to the practice used by developers which allows them to hide their traffic and evade network blocks. Recently Google shut down all means for app developers to use this method for avoiding internet censorship. Now it seems that Amazon Web Services is following in their footsteps.
Last week Amazon published a post which quoted how AWS will be implementing a new set of enhanced domain protections to stop domain-fronting and ultimately help in their fight against malware. “Tools including malware can use this technique between completely unrelated domains to evade restrictions and blocks that can be imposed at the TLS/SSL layer [...] No customer ever wants to find that someone else is masquerading as their innocent, ordinary domain,” the post explained.
Domain-fronting basically works by using major cloud platforms as a proxy to first make a request which apparently looks like it is heading to trusted services such as Google and Amazon, only to be rerouted once the request enters the broader internet. This simple tactic has allowed app developers to bypass state-level internet blocks like the Telegram block implemented by Russia. This is possible as state-level ISPs are not able to tell which traffic is headed towards a blocked service until the very last moment.
However, now with these new improvements to their system, the circumventing tactic will not work on the likes of Google and Amazon anymore. It should still be noted that Amazon will allow domain-fronting if it is done within the domains owned by the same customer, or domain names having the same SSL certificates. But domain-fronting data will no longer be hidden which will dramatically reduce its effectiveness for malicious app developers.