Amazon's AWS just kicked some censorship-evading apps to the curb

Domain fronting helps apps evade censorship, but hackers use it to obfuscate where their malware comes from.
Written by Zack Whittaker, Contributor

Signal relies on domain fronting to evade censorship. (Image: file photo)

Amazon Web Services has become the latest cloud giant to switch off its domain fronting service.

The cloud giant said late last week that "the new measures are designed to ensure that requests handled by CloudFront are handled on behalf of legitimate domain owners."

Amazon's move comes just a week after Google became the first major cloud service to shut down its domain fronting functionality.

Domain fronting allows apps and services to use a cloud provider as a proxy to better conceal their traffic. It means that encrypted messaging apps like Signal or an anonymity service like Tor sending communications can essentially funnel their traffic through a cloud provider -- making it look a lot more innocuous to network monitors than the apps themselves.

But hackers and attackers also use domain fronting to obfuscate where their malware is coming from.

On one hand, pulling the plug on domain fronting makes it much harder for malware to hide behind cloud giants. On the other, it makes it harder for apps designed to evade censorship in parts of the world where internet monitoring is rife to continue to help ordinary people communicate more freely.

Signal, seen as the gold standard of encrypted messaging apps, has long used Google's Cloud Engine to make it more difficult for states to cut off access to the app. Instead of blocking the app, states would have to block the entire Google service.

Russia took that exact measure in recent weeks to cut off access to a similar app, Telegram, after the app refused to give over its encryption keys to the Russian state security service.

Editorial standards