Google Is Shuttering Domain Fronting, Creating a Big Problem For Anti-Censorship Tools (theverge.com)
"The Google App Engine is discontinuing a practice called domain fronting, which lets services use Google's network to get around state-level internet blocks," reports The Verge. While the move makes sense from a cybersecurity perspective as domain fronting is widely used by malware to evade network-based detection, it will likely frustrate app developers who use it to get around internet censorship. From the report: First spotted by Tor developers on April 13th, the change has been rolling out across Google services and threatens to disrupt services for a number of anti-censorship tools, including Signal, GreatFire.org and Psiphon's VPN services. Reached by The Verge, Google said the changes were the result of a long-planned network update. "Domain fronting has never been a supported feature at Google," a company representative said, "but until recently it worked because of a quirk of our software stack. We're constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don't have any plans to offer it as a feature."
Domain-fronting allowed developers to use Google as a proxy, forwarding traffic to their own servers through a Google.com domain. That was particularly important for evading state-level censorship, which might try to block all the traffic sent to a given service. As long as the service was using domain-fronting, all the in-country data requests would appear as if they were headed for Google.com, with encryption preventing censors from digging any deeper. We do not yet know exactly why and when Google is shutting down the practice, but will update this post once we learn more.
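Seen from the network-detection side the summary mentions, fronting shows up as a disagreement between the hostname visible in the TLS handshake (SNI) and the Host header inside the encrypted request. This added example (not part of the original story, and not Google's or any tool's own code) flags that disagreement in constructed records from a hypothetical TLS-inspecting proxy; the field names and the two-label `site` shortcut are assumptions.

```python
import json

# Constructed records from a hypothetical TLS-inspecting proxy; the field
# names (client, sni, host) are assumptions made for this example.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com"}
{"client": "10.0.0.7", "sni": "front.example.com", "host": "hidden.example.net"}
{"client": "10.0.0.8", "sni": "CDN.Example.org.", "host": "cdn.example.org:443"}
{"client": "10.0.0.9", "sni": "", "host": "api.example.com"}
{"client": "10.0.0.7", "sni": "static.example.com", "host": "img.example.com"}
"""

def normalize(name):
    """Lower-case a hostname and drop any :port suffix and trailing dot."""
    return (name or "").strip().lower().partition(":")[0].rstrip(".")

def site(name):
    """Naive 'site': the last two labels. Production code should use the
    Public Suffix List; this shortcut is wrong for suffixes such as co.uk."""
    return ".".join(name.split(".")[-2:])

def classify(record):
    """Return 'match', 'same-site', 'no-sni' or 'mismatch' for one record."""
    sni, host = normalize(record.get("sni")), normalize(record.get("host"))
    if not sni:
        return "no-sni"        # nothing to compare; review separately
    if sni == host:
        return "match"
    if site(sni) == site(host):
        return "same-site"     # e.g. connection reuse across one site's hosts
    return "mismatch"          # visible name and encrypted Host disagree

def find_mismatches(log_text):
    """Return (client, sni, host) for every record classified 'mismatch'."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        if classify(rec) == "mismatch":
            hits.append((rec["client"], normalize(rec["sni"]), normalize(rec["host"])))
    return hits

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG):
        print("SNI/Host mismatch:", hit)
```

A mismatch is a lead for review rather than a verdict, since shared hosting and CDNs can produce the same pattern for benign traffic.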
Re: Collateral (Score:2)
I think G doesn't really mind censorship these days. After all, they seem to be fans of it themselves.
Re: Collateral (Score:2, Insightful)
If they want to be able to operate in the EU, they can't have any "right to have your illegal activities forgotten" data relayed through their servers.
Re: (Score:1)
That's right, in the EU we believe that people should be given a second chance to learn from their mistakes and lead a normal life after prison.
Re: (Score:2)
Nothing wrong with that, the shit they don't want you to remember isn't worth remembering anyway
Yeah, like the Armenian Genocide by Turkey, or the Holocaust by Germany.
These two examples are exactly why you don't need a government to tell you what you can and can't remember. But then again, the EUSSR has been on the slippery slope of censorship for a loooong time now. It started with the children. Then the terrorists. Then the poor ex-cons. What's next, offensive tweets?
Re: (Score:1)
After all, they seem to be fans of it themselves.
As are most of the voters. This is one big social problem that needs a technical solution. Whether one is possible doesn't matter, we have to try. We cannot let fascists decide what we can see and hear. Remember, *when you let them, you help them*.
Re: (Score:2)
I think G doesn't really mind censorship these days. After all, they seem to be fans of it themselves.
Sorry, I was going to reply to your comment, but it mysteriously no longer showed up in a search.
Re: (Score:2)
Even G can't risk going down because a government decides to block IPs of a fronted service. Like Russia today and AWS!?
Or to take a more serious example of a censorious environment, American college campuses.
But I need domain fronting! (Score:1)
But I need google domain fronting for my youtube comic con channel click-bot to work. Otherwise, youtube doesn't count the click-bot views!
What am I going to do? Any slashdotter can suggest an alternative for me?
Thanks in advance!
Re: (Score:3)
Because we can all tell that it's just APK shitposting and then responding to himself with his customary "factual and true", perhaps?
Obligatory xkcd (Score:4, Insightful)
https://xkcd.com/1172/ [xkcd.com]
The reason is precisely as Google has stated it. Domain fronting is a hack and arguably a symptom of a security weak point; neither should be relied upon in the long run.
Just because you can do something..... (Score:4, Interesting)
Domain fronting is a case of "just because you can do something, doesn't mean you should."
Domain-Fronting was a good idea with a huge potential for abuse.
VPNs and TOR are the answer to getting around blocks. While you are at it, switch your DNS to 1.1.1.1
The real answer to our problem is to kick China and Russia off the Internet until they learn how to behave.
Re: (Score:2)
VPNs and TOR are the answer to getting around blocks. While you are at it, switch your DNS to 1.1.1.1
I tried that, but then it shit itself the other day, so I went back to using google. Maybe I'll try cloudflare again in some months.
Re: (Score:2)
Re: (Score:2)
I agree, knock AliBaba or AliExpress offline for a month and see the impact it has on the government and policy.
There is an old Chinese saying, "Do not offend the majority."
Telegram in Russia (Score:4, Interesting)
i.e. the service Telegram is using to evade Russia.
If there's any doubt that Google would stand up to Russia, take a look here. Russia blocks Google, Google pulls the service.
And can you blame them?
As a corporation, defending freedom is not profitable, and as people, Sergey Mikhaylovich Brin has family in Russia, family with balconies and door handles.
So they comply with Putin, just as Trump did in cancelling the new Russian sanctions.
Re: (Score:1)
Russia's GDP is about 8% of the US's.
Not a nothing market, but not huge, and maybe not big enough to outweigh the publicity of being "good".
If they're afraid of Russia, I suspect it's the internet Black ops part they're worried about, not the customer base.
How does this interfere with Signal? (Score:2)
To me, Signal is definitely, terribly, imperfect, but it is the single and only *open-source* app allowing end-to-end encryption for short messaging (and, sometimes, phone calls).
I use it daily.
How does this Google move hit Signal?
Re: (Score:2)
I thought the Pidgin application supported off-the-record (OTR) messaging. What am I missing?
Re: (Score:2)
If at least one of the (non-Signal) services that libpurple can use isn't blocked, you can enable OTR over that service to communicate between Pidgin on a desktop or laptop computer and Pidgin on another desktop or laptop computer.
There is conceptually no difference ... (Score:2)
Quiz: A client wants to connect to a remote endpoint without a passive network observer being able to learn the identity of the endpoint. Is this "malware talking to the control server" or "banned application attempting to evade ISP-enforced censorship"?
Well obviously it's neither/both because there is no damned difference. As far as the transport layer is concerned, an application is an application. If you make it a desirable property that clients can conceal the true identity of the remote endpoint then y
and Google translate?? (Score:1)
Not sure about "domain fronting", but this little hack still works:
https://translate.google.com/translate?sl=fr&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fyro.slashdot.org%2Fstory%2F18%2F04%2F18%2F2338210%2Fgoogle-is-shuttering-domain-fronting-creating-a-big-problem-for-anti-censorship-tools&edit-text= [google.com]