vmarquet | 7 years ago

Note that domain fronting is not only useful to circumvent Internet censorship, it's also used by malware.

With domain fronting, you can exfiltrate data from a company by making the connection appear to go to a legitimate google service (ex: drive.google.com), whereas it actually is going to a server hosted on google cloud services and controlled by an attacker.
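
As an added example (not part of the original comment or thread): a check for the mismatch described above, where the TLS SNI names a legitimate service while the inner HTTP Host header names a different backend. It assumes a TLS-terminating proxy that logs both values; the JSON field names and the sample records are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records from a hypothetical TLS-terminating proxy.
# Field names (src, sni, host, bytes_out) are assumptions, not a real product's schema.
SAMPLE_LOG = """\
{"src": "10.0.4.17", "sni": "drive.google.com", "host": "drive.google.com", "bytes_out": 5120}
{"src": "10.0.4.17", "sni": "Drive.Google.com.", "host": "drive.google.com:443", "bytes_out": 900}
{"src": "10.0.9.33", "sni": "drive.google.com", "host": "fronted-app.example.net", "bytes_out": 48000000}
{"src": "10.0.9.33", "sni": "drive.google.com", "host": "fronted-app.example.net", "bytes_out": 52000000}
{"src": "10.0.2.8", "sni": "", "host": "intranet.example.org", "bytes_out": 300}
"""

def normalize(name):
    """Lowercase, drop a trailing dot and any :port so equal names compare equal."""
    name = (name or "").strip().lower()
    if name.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:443
        return name[1:].split("]", 1)[0]
    if name.count(":") == 1:              # host:port
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")

def find_fronting(log_text):
    """Return [(src, sni, host, total_bytes_out, requests)] where SNI != Host, largest first."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sni, host = normalize(rec.get("sni")), normalize(rec.get("host"))
        if not sni or not host:           # no SNI (or no Host): nothing to compare
            continue
        if sni != host:
            entry = totals[(rec["src"], sni, host)]
            entry[0] += int(rec.get("bytes_out", 0))
            entry[1] += 1
    rows = [(s, n, h, b, c) for (s, n, h), (b, c) in totals.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for src, sni, host, out, count in find_fronting(SAMPLE_LOG):
        print(f"{src}: SNI={sni} Host={host} requests={count} bytes_out={out}")
```

A mismatch is a lead rather than a verdict: HTTP/2 connection reuse can legitimately send requests for a second hostname over a connection whose SNI named the first, so triage by outbound volume and by whether the Host value is a known service.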

kodablah|7 years ago

Gotta take the bad with the good. Some governments act like companies and treat tools like Signal as malware. Another discussion can be had for citizen freedom vs employee freedom, but public network restrictions benefit all kinds of censorship. It's also another discussion worth having on whether one's need to monitor all data in/out of their company is worth giving that power to others who use it for wrong (mitm devices and TLS termination w/ custom device certs notwithstanding).

buildbuildbuild|7 years ago

Google or another more privacy-supporting company could block domain fronting for everyone _except_ Signal, Tor, and similar projects, with some sort of application process. Blocking everyone seems heavy-handed but fronting itself is ultimately a sneaky way around censorship rather than an intended feature.

askmike|7 years ago

So the decision on what apps can be domain fronted because they need to get around censorship lies with Google or another big company, what could go wrong here?

05|7 years ago

I’m pretty sure you can achieve pretty much the same thing by just uploading encrypted exfil’ed data to actual legit Google Drive using OAUTH to programmatically access a throwaway account (to avoid possible CAPTCHA requirements for non-programmatic access)