Domain fronting

Due to quirks in security certificates, the redirect systems of the content delivery networks (CDNs) used as 'domain fronts', and the protection provided by HTTPS, censors are typically unable to differentiate circumvention ("domain-fronted") traffic from overt non-fronted traffic for any given domain name.

[1] Many large cloud service providers, including Amazon, Microsoft, and Google, actively prohibit domain fronting, which has limited it as a censorship bypass technique.

This resulted in a large scale network outages for major banks, retail chains, and numerous websites; the manner of blocking was criticised for incompetence.

It is possible to emulate this same behaviour with host services that don't automatically forward requests, through a "reflector" web application.

[6]: 2 Common secure internet connections (using TLS) have an unencrypted initial message, where the requesting client contacts the server.

[12] Signal, a secure messaging service, deployed domain fronting in builds of their apps from 2016 to 2018 to bypass blocks of direct connections to their servers from Egypt, Oman, Qatar and the United Arab Emirates.

[12] GreatFire, a non-profit that assists users in circumventing the Great Firewall, used domain fronting at one point.

[7] Domain fronting has been used by private, and state-sponsored individuals and groups to cover their tracks and discreetly launch cyberattacks and disseminate malware.

[7] The Russian hacker group Cozy Bear, classed as APT29, has been observed to have used domain fronting to discreetly gain unauthorised access to systems by pretending to be legitimate traffic from CDNs.

[14][15] The endurance of domain fronting as a method for censorship circumvention has been attributed to the expensive collateral damage of blocking.

This blocked many unrelated web services (such as banking websites and mobile apps) that used content from the Google and Amazon clouds.

[30][26][31][32][3][4] Digital rights advocates have commented that the move undermines people's ability to access and transmit information freely and securely in repressive states.

[33] According to Signal's founder, Moxie Marlinspike, Google management came to question whether they wanted to act as a front for sites and services entire nation states wanted to block as domain fronting gained popular attention with apps like Signal implementing it.

After TLS encryption is established, the HTTP header reroutes to another domain hosted on the same CDN.