Microsoft Azure announces intention to stop domain fronting #67
Comments
Something similar happened with Google and Amazon in April 2018. Here are some articles for background:
A promising alternative to domain fronting is TLS Encrypted Client Hello (ECH, formerly ESNI). In 2018, I made changes to meek to make it possible to run meek using ESNI in place of domain fronting (archive), taking advantage of the ESNI support in the headless Firefox browser meek can use for TLS camouflage. I haven't tried it lately, and Tor Browser no longer uses (archive) the version of meek that supports a headless Firefox, but back then it worked with Cloudflare's ESNI server support, and in principle should still work with ECH. Firefox 85 now supports ECH (archive), though as far as I am aware ECH is not publicly deployed in servers yet. I also made a demo of using a browser as an external engine for making HTTP requests separately from the meek code base, using a browser extension in Firefox and Chromium: You may be interested in this essay anticipating how things will be different when something like ESNI or ECH is more ubiquitous. It predicts that as circumvention technologies become more resistant to direct attack by censors, the next weakest point will be third-party intermediaries such as CDNs and app stores.
The usage of TLS extensions like ECH is still detectable by adversaries. Since browsers and tools are very likely to retry with an unencrypted handshake message, the censorship tools are likely to block ECH as well. I believe a more viable option for using cloud infrastructure as a censorship resistance tool will be the usage of shared domain names and disposable domain names. In AWS, the endpoint for AWS Lambda is something like lambda.us-west-1.amazonaws.com. For censorship tools, the domain name is the same for all customers. Similarly, the URL for each API Gateway is something like https://zzzzzzzzzz.execute-api.us-west-1.amazonaws.com/. There is no customer id in the URL. The censorship tools will not be able to know which domain name belongs to which customer. Tools like meek can create a new URL for each user session and delete it after usage. Cloud providers will need to change the URL scheme to make it possible for censorship tools to know the relationship between a domain name and their related customers. This method could work on cloud providers other than AWS as well. (This post expresses the personal opinions of the author, not those of the affiliated V2Ray/V2Fly organization.)
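The two comments above make points that are easiest to see at the byte level: ECH moves the real server name into an encrypted inner ClientHello, but the ECH extension itself stays visible in the outer extension list, and domain fronting (the subject of this issue) is simply a TLS SNI that does not match the HTTP Host header the CDN later sees. The following Python is an added example, not code from meek, Tor, V2Fly, Azure or any commenter. It builds a minimal constructed ClientHello, parses the extension list back out, and applies the kind of SNI/Host consistency check a CDN operator enforces when it disables fronting. The ECH payload is a constructed placeholder, not a real encrypted inner hello; the extension codepoint 0xfe0d is the one assigned in the IETF ECH drafts.

```python
import struct

TLS_EXT_SERVER_NAME = 0x0000   # server_name (SNI), RFC 6066
TLS_EXT_ECH = 0xFE0D           # encrypted_client_hello, draft-ietf-tls-esni codepoint


def build_client_hello(sni, ech_payload=None):
    """Build a minimal TLS record carrying a ClientHello (constructed sample, not a real capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type=host_name, len, name
        body = struct.pack("!H", len(entry)) + entry                # server_name_list length prefix
        exts += struct.pack("!HH", TLS_EXT_SERVER_NAME, len(body)) + body
    if ech_payload is not None:
        # Placeholder bytes stand in for the HPKE-encrypted inner ClientHello.
        exts += struct.pack("!HH", TLS_EXT_ECH, len(ech_payload)) + ech_payload
    hello = (
        b"\x03\x03" + bytes(32)                    # legacy_version, random (zeros for determinism)
        + b"\x00"                                  # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                              # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (sni_or_None, set_of_extension_types) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # skip legacy_version and random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    sni, types = None, set()
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        types.add(etype)
        if etype == TLS_EXT_SERVER_NAME:
            # data: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode()
    return sni, types


def classify(record):
    """What a passive observer learns from the outer ClientHello alone."""
    sni, types = parse_client_hello(record)
    if TLS_EXT_ECH in types:
        return "ech"          # inner name hidden, but ECH use itself is plainly visible
    if sni is not None:
        return "plain-sni"
    return "no-sni"


def is_fronted(record, host_header):
    """CDN-side check: the TLS SNI and the HTTP Host header name different hosts."""
    sni, _ = parse_client_hello(record)
    if sni is None:
        return False
    return sni.lower().rstrip(".") != host_header.lower().rstrip(".")


if __name__ == "__main__":
    front = build_client_hello("cdn.example.net")
    print(classify(front), is_fronted(front, "hidden.example.org"))   # plain-sni True
    ech = build_client_hello("public.example.net", ech_payload=b"\x00" * 16)
    print(classify(ech))                                              # ech
```

The `classify` result for the ECH hello is the first comment's point in code: the observer cannot read the inner name, but the 0xfe0d extension type is right there in the clear, which is why a censor can single out ECH handshakes. `is_fronted` is the policy the Azure announcement amounts to: once the CDN compares the SNI it terminated TLS for against the Host header of the decrypted request, a mismatch is all it needs to reject the connection.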
In November 2023, some Azure customers got an email informing them that domain fronting will be disabled in Azure on 2023-11-08.
The announced date of 2023-11-08 (yesterday) has been pushed back to 2024-01-08 in a new email announcement.
The Microsoft Security blog has a post from 2021-03-26 saying that they plan to disable domain fronting on Azure.
https://www.microsoft.com/security/blog/2021/03/26/securing-our-approach-to-domain-fronting-within-azure/ (archive)
I was alerted to this by @cohosh and the Tor anti-censorship-team mailing list.