Amazon Web Services (AWS) is cracking down on domain fronting, a practice that some people use to get around state-level internet censorship such as that seen in China and Russia (among other countries).
Domain fronting essentially enables access to a blocked (censored) domain by making the request to connect to that site appear to relate to a completely innocuous unrelated (and unblocked) website.
It can be pulled off as long as the blocked domain and the ‘dummy’ (front) domain are served by the same provider, such as Amazon, which is why AWS is now moving to stop the practice.
As the Verge spotted, the new measures have been introduced in the form of ‘enhanced domain protections’ for Amazon CloudFront.
The AWS security blog explains: “Using CloudFront to receive traffic for a domain you aren’t authorized to use is already a violation of our AWS Terms of Service. When we become aware of this type of activity, we deal with it behind the scenes by disabling abusive accounts. Now we’re integrating checks directly into the CloudFront API and Content Distribution service, as well.”
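The mechanism described above relies on a request naming one domain where the network can see it (the TLS Server Name Indication) and a different domain in the HTTP Host header that only the CDN reads after decryption. The "checks directly into the CloudFront API and Content Distribution service" that Amazon mentions are not described in detail, so the following is an added illustration, not AWS code: a small detector that flags SNI/Host mismatches in CDN access records while tolerating the legitimate same-owner case the article mentions. The log field names (`sni=`, `host=`) and the sample lines are constructed for this example and do not reflect any real CloudFront log format.

```python
"""Flag CDN requests whose TLS SNI and HTTP Host header disagree.

Added example, not AWS code. Assumes constructed log lines of the form
    <timestamp> sni=<name> host=<name> status=<code>
(the field names are an assumption, not a CloudFront log format).
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Pull the two names out of a record; everything else on the line is ignored.
LOG_RE = re.compile(r"sni=(?P<sni>\S+)\s+host=(?P<host>\S+)")


def normalize_host(name: str) -> str:
    """Lower-case, drop a trailing dot and any :port so comparisons are stable."""
    name = name.strip().lower().rstrip(".")
    # Bracketed IPv6 literals are left alone; otherwise strip ':port'.
    if not name.startswith("[") and ":" in name:
        name = name.split(":", 1)[0]
    return name


def parse_record(line: str) -> Optional[Tuple[str, str]]:
    """Return (sni, host) for a well-formed record, or None for malformed input."""
    match = LOG_RE.search(line)
    if not match:
        return None
    return normalize_host(match.group("sni")), normalize_host(match.group("host"))


def is_fronted(sni: str, host: str, authorized: Dict[str, Set[str]]) -> bool:
    """A request is suspicious when SNI and Host differ and the Host name is not
    one the SNI domain's owner has explicitly authorized behind that front
    (the legitimate case where one customer owns both domains)."""
    if sni == host:
        return False
    return host not in authorized.get(sni, set())


def find_fronting(lines: Iterable[str],
                  authorized: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Scan records and return every (sni, host) pair that looks like fronting."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:  # skip malformed records rather than crash
            continue
        sni, host = parsed
        if is_fronted(sni, host, authorized):
            hits.append((sni, host))
    return hits


# Constructed sample records (not real traffic). Line 3 differs only in case,
# trailing dot and port; line 4 is a same-owner pairing that is allow-listed.
SAMPLE_LOG = [
    "2018-04-30T10:00:01Z sni=cdn.example.net host=cdn.example.net status=200",
    "2018-04-30T10:00:02Z sni=cdn.example.net host=blocked.example.org status=200",
    "2018-04-30T10:00:03Z sni=Static.Example.com. host=static.example.com:443 status=200",
    "2018-04-30T10:00:04Z sni=static.example.com host=assets.example.com status=200",
    "2018-04-30T10:00:05Z malformed line without the expected fields",
]

# Hypothetical allow-list: the owner of static.example.com also serves assets.example.com.
AUTHORIZED: Dict[str, Set[str]] = {"static.example.com": {"assets.example.com"}}


if __name__ == "__main__":
    for sni, host in find_fronting(SAMPLE_LOG, AUTHORIZED):
        print(f"possible fronting: SNI={sni} Host={host}")
```

The normalization step matters more than it looks: without it, a trailing dot or an explicit `:443` would produce a false mismatch on every request, and an operator would soon stop reading the alerts. The allow-list models the point the article makes about customers who own both domains; anything not on it is reported for a human to review rather than blocked outright.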
Amazon says this is part of an effort to stamp out malware, and dodgy practices more generally, noting that while “this technique can’t be used to impersonate domains”, it’s clearly the case that “no customer ever wants to find that someone else is masquerading as their innocent, ordinary domain”.
Of course, domain fronting is perfectly legitimate if it’s used by a customer who owns both the domains in question – obviously in this case it’s up to them what they do with their web properties.
Note that another web giant, Google, already implemented countermeasures to prevent domain fronting last month, so folks who engage in this practice are rapidly finding the online world a much tougher place in which to pull the subterfuge off. Google made it clear that it never officially supported domain fronting in the first place.
This comes at a time when state censorship is becoming increasingly tight in many nations, with the likes of Russia and China clamping down not just on web content deemed inappropriate, but on VPN services that can be a potential evasive measure, too.