Repressive autocracies like Egypt, Oman, and the UAE ban Signal and other encrypted messaging apps, using national firewalls to try to block their traffic; Signal evades these blocks by using “domain fronting,” in which the service’s cloud provider shows up as the origin of its traffic, forcing countries to block Google or Amazon to get at a single service hiding behind them.
The cloud companies don’t like this; Google has terminated its domain-fronting service, prompting Signal to move to Amazon for its censorship-evasion cutout; now, Amazon has ordered Signal to cease using Amazon Web Services to defeat censorship or face having its account terminated.
There are legitimate reasons not to like domain-fronting; it allows both good actors (Signal) and bad actors (fraudsters, hackers, malware purveyors, spammers) to disguise the origin of their traffic.
The concentration in Big Tech is a mixed blessing for anti-censorship efforts; on the one hand, the size of companies like Google and Amazon means that if they can be used as shields for an anti-censorship tool, countries are forced to cut off entire swathes of the internet to get at a single target; on the other hand, the concentration in the cloud sector means that once Signal gets kicked off of a couple platforms, there’s nowhere for it to go.
Now, Marlinspike says that domain-fronting is “largely non-viable” in those countries. “The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan,” he writes. While the Signal team is considering options to provide the same service without Amazon or Google domain-fronting, it doesn’t look like there’s an immediate solution on the horizon. “In the meantime, the censors in these countries will have (at least temporarily) achieved their goals. Sadly, they didn’t have to do anything but wait,” says Marlinspike.
Amazon tells Signal’s creators to stop using anti-censorship tool
[Adi Robertson/The Verge]