They're spoofing identity of non-consenting parties. The cause is noble, but it isn't what the headline would imply. Amazon isn't saying "You can't host encrypted services on our platform", they are saying "You can't use TLS and load balancing hacks to pretend to be us in oppressive countries".
And
>The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.
That they interpret AWS and Google as "the rest of the Internet" is pretty sad, too.
That's the entire point. By making it impossible for censors to distinguish Signal traffic from other web traffic going to AWS, domain fronting forces the government censors to either 1) stop censoring, or 2) censor many important websites that people rely upon. The associated economic cost has the tendency to discourage censors, and as shown by Signal, is actually quite an effective deterrent against many oppressive regimes. This concept is known as collateral freedom.[1]
Instead of shutting this down, Amazon could have let Signal continue. In fact, all companies should collaborate to make censorship as expensive as possible. Someone here at HN pointed out that it is very difficult for someone under an oppressive regime to speak out; this makes it all the more important for those of us who can to assist dissidents and support freedom of expression.
[1] https://en.wikipedia.org/wiki/Collateral_freedom
I agree. The intent is noble, but this headline makes Amazon look like the bad guy for disapproving unauthorized use of one of their domains, which is quite reasonable.
This doesn't seem quite accurate to me. They are not making an assertion that they ARE Amazon or Cloudfront. They are avoiding making an assertion that they are anybody, by using a shared facility. It's a bit like using a public payphone to avoid being identified. When you use a public payphone, presumably the call originates from a line owned by the phone company, but nobody accuses you of attempting to impersonate the telephone company by doing that.
This may still be a violation of the TOS, but people should be clear about the actual intent of what is being done.
Technically true, but this is not really about terms of service or about "spoofing identities of non-consenting parties." This is about Google and Amazon not wanting to become collateral damage and lose business in those countries.
Signal is/was connecting to Google or Amazon servers with an HTTP Host header of google.com or souq.com, respectively—and only in Egypt, Oman, UAE, and Iran! Google and Amazon could have easily allowed this or even looked the other way.
So basically censorship worked, albeit not how we thought it would. Sad for people in those countries who were relying on Signal for private communication. Who will stand up for us when we lose ours due to some business decision?
But effectively that is the case. If major providers like AWS and Google ban domain fronting, it is effectively dead - nobody needs domain fronting when you have three domains, three domains can be banned the same way as one.
AWS and Google could throw their considerable weight on the side of anti-censorship and openness. They instead chose - as businesses frequently do - to play along with oppressive dictatorial regimes so it won't cost them a couple of bucks extra. That is pretty sad.
The cause is noble, but the mechanism is dubious: it can be viewed as, in effect, saying to oppressive regimes “to harm me, you must harm a bunch of innocent bystanders, too”.
Real world example would be a re-mailer. The outside of the envelope shows one address it goes to, but the inside, where others cannot look, actually has the true address?
Since the plain text has the fake address while the encryption has the true address, I see no issue with this.
Sorry, I'm not on board with using an Amazon owned domain for this. That's got the potential to get Amazon itself blacklisted in some places, so they're absolutely not going to be okay with it.
It also forces the poor domain owner who is being fronted, in this case SOUQ.COM, to absorb a huge Route 53 bill for all of the DNS queries that are originating from Signal users. Not fair at all.
This is nothing to do with censorship. AWS has many clients and does not want its network to be blocked because of a single customer. Tough for Signal but that's how it is when dealing with businesses (especially one that so many others rely on).
> Signal plans to make its traffic look like traffic from another site, (popularly known as “domain fronting”) by using a domain owned by Amazon -- Souq.com
They aren't spoofing the domain, they are just making sure that outside parties to an SSL connection will have a difficult time determining where that SSL connection is going. The two parties creating the SSL connection are not lying to each other, though.
I really dislike the way they put it in the title of this post.
What they are doing is simply abusing the name/size of a totally unrelated company to mask signal traffic.
While I am totally in favor of signal, simply using a domain name you don't own in the SNI header just because it is terminated at the same service as you want to use is something you cannot do.
They could simply have sent the question to the owner of the domains (google and amazon) explaining what they wanted to do, and only think about implementing it when the owner agreed.
And last but not least to answer those: 'why would they even care, the traffic goes to cloudfront anyways?' ... It will seriously mess up the stats (and billing, yes, amazon owned companies pay internal bills to aws for usage, it's a very normal way of doing business and get your taxes right).
It's sad that tricks like these are being considered/needed to have access to internet services in some parts of the world, but simply doing it without all parties involved knowing about it and agreeing on it is _NOT_ the way to do it.
Surely better to get an at-least-vaguely-friendly warning pre-implementation rather than a post-implementation block?
I would much prefer censorship circumvention to be possible, but I have some sympathy for platform providers not wanting their customers and their platform to be conflated so easily.
Is this something that CloudFlare could help with? They tend to have an idealistic bent, and they serve content for enough sites that they could conceivably disguise traffic in the crowd for altruistic purposes. I could be misunderstanding the mechanism in question, though.
I posted on the signal community forums in significantly more detail (e.g. how to configure nginx exactly with test connections), but it's relatively easy to use AWS infrastructure only for pass through and configure nginx to accept specific public SNI headers while connecting to domains you are authoritative for (e.g. google.com, amazon.com, yahoo.com, yandex.ru). You can do this by using the ssl_preread nginx module to proxy based on the SNI header (e.g. amazon.com -> 127.0.0.1:444, google.com -> 127.0.0.1:445, yahoo.com -> 127.0.0.1:446). This effectively means that you are not having AWS or GAE do anything other than directly proxy encrypted content, which I would argue is an important distinction.
The downside is that no one is providing the DNS redirect in an encrypted transaction.
"If you put a spoonful of wine in a barrel of sewage, you get sewage. If you put a spoonful of sewage in a barrel of wine, you get sewage." -- Schopenhauer
Clearly they need to create a free iPhone/Android game that becomes wildly popular in these countries so that they can use their own domain to front their 'secret' packets.
I feel like Amazon has a moral obligation to name the country that is forcing them to do this under penalty of having their entire IP block black-holed.
I assume Amazon would not take this step unless that was going to happen otherwise, or at least I don't see why they would.
They don't need to make a political statement about it, just say they did it to comply with law / order of 'X'. <cough>Russia<cough>
Why wouldn't they do this on their own? Keeping their reputation good with all countries (even the oppressive ones) is an important part of business. After all, amazon has stakeholders to answer to.
It is still necessary; it only works because both domains are serviced by the same CDN servers, which ignore the plain text version once the packet reaches them.
If the plain text component is not there none of the intermediary parties will know where to route the packet as they cannot decrypt the header.
Demonstrating that these companies are willing to sell the values of the societies, and many of the people, who created them, down the road. Free and open speech, interaction, and association. Privacy.
For most of us, this is "somewhere else", right now. But it will be "coming to a theater near you", real soon now.
It seems centralized solutions (Telegram, Signal) are under fire recently. I wonder what would happen if federated protocols (Matrix, XMPP, etc.) were more popular and, thus, also in spotlight.
- "Would adding federation to Signal help with users behind country-wide blocks? Seems like a distributed service would be harder to censor than a centralized one."
- "It's trivial to block several distributed hosts simultaneously. An aspiring censor would simply find the most common federated endpoints for a given service and block all of them. Only the users of that software would be affected. There wouldn't be any collateral damage.
If the censors somehow didn't hit every single worthwhile federated endpoint, users would still be left wondering why they couldn't communicate with most of their friends. Moving between federated hosts would also necessitate an entirely new identifier, so users would need to rebuild their social graph again.
In addition to being ineffective against censorship, there are several other properties and trade-offs that make federation a difficult proposition for an application like Signal: https://signal.org/blog/the-ecosystem-is-moving/"
src: https://news.ycombinator.com/item?id=16868564
They're paying over 12,000 people in zencash, to host 'securenodes' with domain names and ssl certificates for domain fronting, rather than using domain names without permission.
https://securenodes.na.zensystem.io/nodes/all
The point of domain fronting is to use a domain that is a key internet service, so that blocking it would cause significant collateral damage. If a domain was created specifically for domain fronting it is useless. Egypt could simply block every domain in that list and setup a cron job to automatically block new ones as they are added.
dice|7 years ago
They're not pretending to be Amazon, they're pretending to initiate a connection to an Amazon domain. The "conversation" goes like so:
Clear text request: "Hello, I would like to speak TLS with souq.com"
Clear text response: "Why yes, let us do that with these parameters"
Encrypted request: "Please give me the page for signal.org/api/whatever"
etc...
smileysteve|7 years ago
Want to censor the internet, fine, send your citizens back to the dark ages; see how long it is until they protest or move.
manigandham|7 years ago
The same thing just happened with Telegram in Russia which explains the preemptive messages: https://arstechnica.com/information-technology/2018/04/in-ef...
bluefox|7 years ago
Unencrypted server name indication is sewage.
flyGuyOnTheSly|7 years ago
It would be trivial for censors to just block every single one of them.
myth_buster|7 years ago
Side note, not sure what the point of [Redacted] is, as it's trivial to get the name from "> General Manager, Amazon CloudFront".