Domain fronting
Domain fronting is a technique that circumvents Internet censorship by hiding the true endpoint of a connection. Working in the application layer, domain fronting allows a user to connect to a blocked service over HTTPS, while appearing to communicate with an entirely different site.[1]
The technique works by using different domain names at different layers of communication. The domain name of an innocuous site is used to initialize the connection. This domain name is exposed to the censor in clear-text as part of the DNS request and the TLS Server Name Indication. The domain name of the actual, blocked endpoint is only communicated after the establishment of an encrypted HTTPS connection, in the HTTP Host header, making it invisible to censors.[2][3][4]
For any given domain name, censors are typically unable to differentiate circumvention traffic from legitimate traffic. As such, they are forced to either allow all traffic to the domain name, including circumvention traffic, or block the domain name entirely, which may result in expensive collateral damage.[5][6]
See also
References
- ^ Fifield, David; Lan, Chang; Hynes, Rod; Wegmann, Percy; Paxson, Vern (2015). "Blocking-resistant communication through domain fronting" (PDF). Proceedings on Privacy Enhancing Technologies. 2015 (2): 46–64. doi:10.1515/popets-2015-0009. ISSN 2299-0984. Retrieved 2017-01-03 – via De Gruyter.
- ^ "Encrypted chat app Signal circumvents government censorship". Engadget. Retrieved 2017-01-04.
- ^ Greenberg, Andy. "Encryption App 'Signal' Is Fighting Censorship With a Clever Workaround". WIRED. Retrieved 2017-01-04.
- ^ "Domain Fronting and You". blog.attackzero.net. Retrieved 2017-01-04.
- ^ "doc/meek – Tor Bug Tracker & Wiki". trac.torproject.org. Retrieved 2017-01-04.
- ^ "Open Whisper Systems >> Blog >> Doodles, stickers, and censorship circumvention for Signal Android". whispersystems.org. Retrieved 2017-01-04.