Wednesday, 2 May 2018

AWS warns Signal not to use its servers to beat censors

Domain Fronting


It was Google that began lowering the boom on “domain fronting”, and now Amazon has followed its example. Organizations like Signal have used domain fronting to get around government censorship.

According to Amazon Web Services, domain fronting is when a non-standard client makes a TLS/SSL connection to one name but then makes an HTTPS request, inside that connection, for an unrelated name.

For example, the TLS connection is made to www.abc.com, but the HTTPS request carried inside it is for www.abc.org. In Signal’s case, the service is blocked by a government, but domain fronting makes its traffic appear to be headed for a legitimate, unblocked site.

The main idea behind domain fronting was that to block a particular site, a censor would also have to block the rest of the internet, which most internet users would not consider a viable option, explains Signal founder Moxie Marlinspike.

Signal was the first company targeted under the policy forbidding domain fronting that AWS announced, and Marlinspike has now taken the time to explain the concept. He also said that Amazon is threatening to kick Signal off AWS.

AWS objects to domain fronting because it carries a security risk: the domain-impersonation technique it relies on also has a number of harmful uses.

Souq.com is a domain owned by AWS and used primarily in various countries including the United Arab Emirates, Saudi Arabia, Egypt, and Kuwait.

It was Signal’s use of this domain that prompted AWS to send Signal a message about domain fronting. Citing the CloudFront terms of service, the message states that any domain names or SSL certificates Signal uses with Amazon CloudFront must be ones it owns or has all the required rights to.

Signal previously used Google App Engine as its front domain, but Google has prohibited the practice since April. That decision led Signal to repeat the approach on Amazon.

Marlinspike’s recent post explains what happens when Signal tries to make an encrypted connection under a censor’s beady eye. He says the TLS handshake alone is enough to expose the target hostname in plaintext, because it is included in the SNI header. This is also the case with TLS 1.3, so the censor is given all it needs.

In response to AWS’s accusation, Marlinspike stated that Signal is not trying to impersonate anyone. He says that although Signal’s interpretation is irrelevant and does not matter, they do not believe the company is violating any of the terms described: Signal’s CloudFront distributions do not use the SSL certificate of any other domain, only their own. He adds that when their clients connect to CloudFront, they are not misrepresenting the origin of the traffic.


Marlinspike did not spell out what other options now remain for Signal, but he did say a workaround would be possible, if slow to arrive, since Signal is a very small team. For now, the countries that wish to block Signal can do so.
