Domain Fronting Is Critical to the Open Web

 

In the past few weeks, Amazon and Google have both announced they’re pulling the plug on domain fronting, a crucial tool which helps our most vulnerable users get access to Tor when their countries don’t allow it. Users of Signal and Telegram are also affected by this block, and Access Now identified approximately a dozen “human rights-enabling technologies” which had relied on Google for this purpose.

Tor Browser protects against tracking, surveillance, and censorship, but not everyone around the world has the luxury of being able to connect to it. By default, Tor Browser makes all of its users look alike. However, it doesn't hide the fact you're connecting to Tor, an open network where anyone can get the list of relays. This network transparency has many benefits, but also has a downside: repressive governments and authorities can simply get the list of Tor relays and block them. We strongly oppose this censorship and believe everyone should have access to information on the open web. That’s why we developed pluggable transports to bypass censorship and connect to the Tor network. Watch this video to learn more about pluggable transports.

Domain fronting is a type of pluggable transport where Tor traffic appears to be talking to a third party that is hard to block, like Amazon or Google, when it is really talking to a Tor relay. An example of this is Tor’s “meek” pluggable transport, which is described here.

Google and Amazon have both shut down domain fronting, making meek no longer usable over those CDNs. As of this writing, Microsoft’s Azure cloud still seems to be working with meek.
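On the wire, "appears to be talking to a third party" means the hostname in the TLS handshake (SNI) differs from the hostname in the encrypted HTTP Host header. The following is an added illustration, not code from Tor, meek, or any CDN: an edge-side comparison a provider can use to refuse such requests. The hostnames, tenant table and function names are constructed, and the page does not say how Amazon or Google implemented their change.

```python
# Added illustration: how a CDN edge can tell a fronted request from an
# ordinary one. Hostnames and the tenant table are constructed, not real.

TENANTS = {  # hostname -> owning customer (constructed)
    "www.allowed.example": "customer-a",
    "static.allowed.example": "customer-a",
    "bridge.hidden.example": "customer-b",
}

# Constructed sample requests, as the edge sees them after TLS termination.
ORDINARY = b"GET / HTTP/1.1\r\nhost: www.allowed.example:443\r\n\r\n"
FRONTED = b"POST / HTTP/1.1\r\nHost: bridge.hidden.example\r\n\r\n"


def normalize(host):
    """Lowercase, drop any :port and trailing dot so names compare equal."""
    host = host.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:443
        return host.split("]")[0] + "]"
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def host_header(raw_request):
    """Return the normalized Host header of a raw HTTP/1.1 request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = [line.split(":", 1)[1] for line in head.split("\r\n")[1:]
             if line.lower().startswith("host:")]
    # More than one Host header is ambiguous; treat it as absent.
    return normalize(hosts[0]) if len(hosts) == 1 else None


def classify(sni, raw_request):
    """Compare the name in the TLS handshake with the name inside HTTP."""
    outer = normalize(sni)
    inner = host_header(raw_request)
    if inner is None:
        return "reject: missing or duplicate Host"
    if outer == inner:
        return "serve"
    # Different names owned by one customer are not fronting across tenants.
    if TENANTS.get(outer) is not None and TENANTS.get(outer) == TENANTS.get(inner):
        return "serve: same tenant"
    return "reject: fronted (SNI %s, Host %s)" % (outer, inner)


if __name__ == "__main__":
    print(classify("WWW.Allowed.Example.", ORDINARY))
    print(classify("www.allowed.example", FRONTED))
```

A network observer only sees the outer name, which is why blocking it means blocking everything else hosted behind that name.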

For the time being, we are shifting to Microsoft’s Azure cloud. But we’ve heard that option will soon be shut down, as well.

Unfortunately, it doesn’t look like there is a fast fix. We were not given advance notice of these changes, so we are thinking hard on potential solutions to ensure our friends living in repressive regimes around the world can continue to access the open web.

 

A Scottish team of engineers is attempting to solve all of this by developing the SAFEnetwork. If someone can help them solve eventual consistency in a decentralized network with a high degree of node churn, then we can migrate the existing web over to a highly anonymous system with none of the current weakness of Tor. Problem solved.

Sounds wonderful, but clearly TP cannot put all its eggs in one untested and even undeveloped basket.

I do wish TP had been putting some effort (even a good deal of effort) all these years into developing contingency plans for foreseeable disasters such as the demise of domain fronting.

To be sure, TP is a tiny organization with few resources, but it now seems clear that those of us who have been urging dramatic reprioritization taking full account of political and legal as well as technical attacks on the Tor Network, have been proven correct.

> A Scottish team of engineers

IMHO Scotland should have left the UK, not the EU, but as things stand, it seems to me that Scottish engineers face even more dire threats from UK surveillance laws than American engineers face from US surveillance laws.

Seth Schoen

May 04, 2018


A very nice gift from Amazon AWS and Google to Russia, China, Iran and the rest of the oppressive regimes.

> Russia, China, Iran and the rest of the oppressive regimes.

All countries are oppressive, with different shades of oppression, but let's stop blaming some governments and work on by design solutions.

Domain Fronting: I do not understand the subject!
Will you please explain clearly, step by step, in detail, in what and why it is important?
Design solution? Does it not start by a better involvement in the innovation, free-hardware unlocked chip/processor etc.
* I do not care about Linus Torvalds; his time is over (has-been).
* No, all the countries are not oppressive and Iran/Russia/China are not the worst (misinformation); the oppression is a subtle game (a nice article about Cuba on this blog yet spoke about how a government manages the freedom).

> does it not start by a better involvement in the innovation, free-hardware unlocked chip/processor etc.

You are surely correct that the electronics industry should have been concerned with security from the start, and should have started by securing the "bare metal", then working up to higher layers. However, such programs are clearly far beyond the means of a tiny organization (Tor Project) to even attempt to address. They are far beyond the means of all but a handful of nation states to address--- and those are precisely the ones which desire global insecurity, because this helps them cling to the reins of power.

> Domain Fronting : I do not understand the subject! Will you please explain clearly, step by step, in detail, what [it is] and why it is important?

A bit of frosting on the cloud which now hangs over our future: answering this question for reporters may provide an opportunity for TP to reach out to the media, and perhaps garner an opportunity for a less one-sided portrait of our community by helping reporters to explain domain fronting for their readers?

> Please educate yourself.

But to do that we need to have Tor, and very soon, we may no longer have Tor. And we have nothing to replace it (nothing usable by average blokes for general self-educational purposes, that is.)

One point to note about the demise of domain-fronting is that some portions of USG may still be reluctant to reveal USG as an oppressive government, and may prefer to pressure critical global corporations like Google and Amazon to do their dirty work for them. That is exactly what the governments of CN, RU, and others have been doing, so we ought to expect more of the same.

The goal of all these governments is to make Tor effectively illegal, or effectively unusable, in some combination.

Seth Schoen

May 04, 2018


This is all because of the Telegram block in Russia in which Russia blocked millions of Amazon IPs which pissed the hell out of them off. That's why we can't haz nice things

Russia FSB 1 - US SillyValley Corporates 0

Even China itself - author of the Great Firewall of China - didn't attempt such a crazy thing.

Well they took down on Crimea you think they won't be able to take down on a few IP addresses? They're even controlling the US senate now and have dirty 'kompromat' on the US president and you think they can't control their Internet? To be honest Russia just screwed up domain fronting for the lulz and guess who's losing? Not Putin - he still has 90% of votes - but your regular average guy who wants to hide his Tor activity or the UAE lady who wants to communicate with her family abroad using Signal.

I can't believe otherwise intelligent people really think Russia had anything to do with the 2016 election. Do you think a dossier full of internet memes and lines from The Dark Knight Rises is really evidence? Did you actually read the joke that was the Crowdstrike report? Did you think there were weapons of mass destruction in Iraq?

Seth Schoen

May 04, 2018


> We were not given advance notice of these changes, so we are thinking hard on potential solutions to ensure our friends living in repressive regimes around the world can continue to access the open web.
Shame.

Seth Schoen

May 04, 2018


None of these organizations runs a relay, right?

So why would you have thought that they'd let you go on using them as entry points, once something brought it to their attention?

This is just one more thing added to a heap of things that make me think the "Tor model" isn't sustainable. Exits are already few, which makes them centralized, and will probably get more pressure that will make them fewer and more centralized. More and more "respectable" institutions seem to be trying to wash their hands of Tor, to the point of outright blocking all access via Tor. That's a positive feedback cycle; fewer "legitimate" supporters makes Tor look more disreputable, leading to more "legitimate" supporters leaving.

I'm starting to think that y'all should retool to some kind of P2P or F2F model where it's harder to know what's part of the network.

I'm also thinking you should stop trying to support access to services on the clearnet, and become more of a closed system like I2P. Clearnet support forces you to accept too many risks, and exits will always be a weak point in any attempt to decentralize further. I'm not even sure clearnet support does any favors for your users to begin with, because it encourages them to use highly surveilled centralized "mainstream" services instead of seeking out more secure alternatives.

Tor is already P2P and no F2F isn't the answer. F2F reduces the anonymity set for the users. There is no reason to hide where the middle relays are, nor the exits. The only reason to hide the guards is to support bridges.

Centralised vs decentralised is not the problem. The problem is trusted vs verified.

Tor would be perfectly fine with fewer exit nodes so long that it can still handle the load. This would promote mixing, but it'll trigger more DDoS mitigation tools with the extra load per IP.

If you want stronger anonymity: don't use tor, with many semi-trusted relays. Use a tight (centralised) set of verifiable mix nodes. This will add more latency and/or bandwidth overheads depending on which network you choose.

You're worrying about architecture to solve a problem... while politics are changing the problem underneath you.

A small number of exits gives you a better anonymity set ...if they haven't all been shut down (or compromised). A system where all the middle nodes are known gives you more path choices... if everybody running a node hasn't been thrown off the Internet or arrested.

When you sit and count possible paths, you're assuming a happy little world in which it's not illegal to run an exit, and not illegal to have anything at all to do with Tor. It looks like fewer and fewer people are going to be living in that world. Jurisdictional arbitrage will fall apart if there's no diversity between jurisdictions. Being stealthier might slow that down a bit; talking to the clearnet brings down heat.

Furthermore, no matter how many exit nodes you have, there are going to be fewer and fewer things that will accept connections from those exit nodes. In the end, you're not going to be able to provide access to the clearnet, because the clearnet is increasingly refusing to talk to you.

Rumblings about crackdowns on anonymity are everywhere, from private and public sources. Tor's been operating in a very easy environment for a very long time, but that doesn't seem likely to last.

As for hiding the exits, that's not even possible. If you didn't publish a list, it wouldn't be hard for somebody to compile one. Anyway, at the moment, assuming you're running an exit, it actually helps to be known as one, because it keeps people from attributing the traffic to you personally. A node that acted like a Tor exit without being one would be even worse off than an exit. But being known as an exit will stop helping if being an exit is grounds in itself to harm you.

The thing to do is to start getting ready to eliminate the exits. The outside world will shun you anyway, so stop worrying about communicating with it. Worry about surviving. Worry about hiding the fact of participation.

I don't know if it's even possible to do that, but it's definitely impossible if you connect directly to everything with a plausible claim to be a node, or let just anything confirm you as a participant. Hence F2F (or something like it).

A nonexistent network gives you no anonymity set. A large anonymity set gives you nothing if it's fatal to even be a member of the set.

Side issues:

Show me the math that says F2F reduces your anonymity set at all with long term repeated use in any network, given a realistic fraction of compromised nodes, a realistically distributed passive adversary, a realistic rate of new path creation, and a realistic rate of software bugs.

...and Tor isn't P2P. It has a handful of directory authorities, a few hundred relays, an unknown number of bridges, and a ton of pure client nodes. Yes, they all run the same software, but they're not all "peers" with one another in any meaningful sense. They're distinct classes of devices with distinct roles, and the pure clients are the vast majority. There are probably fewer Tor relays than Facebook has CDN nodes; are you going to say that Facebook is P2P?

Seth Schoen

May 04, 2018


“They're even controlling the US senate now”

What are you talking about? Is this crazy stuff or can you cite a source?

Our distaste for President Trump has apparently caused some of us to lose our minds. We should not forget that the same media screaming about Russian collusion was screaming about WMDs in Iraq not that long ago.

Seth Schoen

May 04, 2018


Maybe we could consider using cloudflare or akamai for domain fronting? Those could heavily help here and this would be beneficial to all parties.

Cloudflare is the worst to use with TBB. And all these sites using cloudflare makes tracking even easier. Can you imagine? Cloudflare know each and every site you've visited!
No.

Seth Schoen

May 04, 2018


This is great news, now TOR devs will have to accelerate other workable Tor Transports than relying on backdoor services.

Seth Schoen

May 04, 2018


a nice action from google and amazon :)
now every anonymous ! can't cause silly works. The open internet should be safe from hackers attack, not be safe to attack others.
Do you understand or think to destroying

Seth Schoen

May 05, 2018


> We were not given advance notice of these changes, so we are thinking hard on potential solutions to ensure our friends living in repressive regimes around the world can continue to access the open web.

But Tor Project was given plenty of warning, right here in this blog, that our enemies (particularly in USG) have been plotting sudden moves taken in the dead of night which will severely impact the Tor user community. I hope TP will start taking such warnings seriously now, because there is a very real possibility that USG will go much further and literally outlaw unbackdoored encryption. TP needs to have an emergency plan for an emergency response to that. Note that other governments will be eager to follow the US lead, so I fear TP may face the choice of either ceasing to offer Tor, or else going underground and attempting to operate illegally.

You should not expect any advanced notice about the USG's next attack on Tor.

Seth Schoen

May 05, 2018


It would be nice if Tor made a simple for laypersons to read page describing the different pluggable transports... a user who wants to use them basically has to pick at random in the UI

Seth Schoen

May 05, 2018


It is sad to see that these companies, who could have just shown the middle finger and ignored the begging states, didn't use their deep pockets and big infrastructure to stand up for oppressed citizens in need.

Seth Schoen

May 05, 2018


It's not really that they're "hard to block", they're undesirable to block because it'd make your citizens unhappy.

Seth Schoen

May 05, 2018


Team up with Mozilla or Wikipedia and use their domain.

aus1.mozilla.org
en.wikipedia.org

Seth Schoen

May 06, 2018


Is anyone really surprised by this? Such corporations will almost always put their own interests, the interests of capital, above human needs and human rights. Meek transports are ABSOLUTELY CRUCIAL currently to Chinese Tor users and Chinese dissidents. I cannot say that I am surprised but I am beyond infuriated!

Seth Schoen

May 07, 2018


Maybe duckduckgo, apple, hitachi, cisco, facebook, a company of elon musk or twitter could assist?

Just throwing this out there, but it might help.

Seth Schoen

May 09, 2018


The initial "spin" in early news reports about the demise of domain fronting was quite hostile to anonymity providers, but the second round is more balanced:

techdirt.com
Bad Decisions: Google Screws Over Tools Evading Internet Censorship Regimes
from the who's-fronting-now? dept

dailybeast.com
Google Just Made Things a Lot Easier for Censors
Google and Amazon have banned domain fronting, a key technique for hiding cybercrimes—and evading censorship, too. Millions of people can kiss their secure communications goodbye.
Kimberly Zenz
8 May 2018

gizmodo.com.au
A Recent Update From Google Could Severely Hamper Anti-Censorship Tools
AJ Dellinger
20 Apr 2018

zdnet.com
Amazon's AWS just kicked some censorship-evading apps to the curb
Domain fronting helps apps evade censorship, but hackers use it to obfuscate where their malware comes from.
Zack Whittaker

Wired's initial coverage of the end of domain fronting was not friendly but an older article actually praises Signal for using domain fronting:

wired.com
Encryption App 'Signal' Fights Censorship With a Clever Workaround
Andy Greenberg
21 Dec 2016

Seth Schoen

May 09, 2018


For those thinking about preparing for the potential emergency use of off-line mechanical cryptosystems which are (much!) less insecure than ancient field ciphers such as the Playfair cipher, see:

https://eprint.iacr.org/2017/339

Anyone have links to current projects to develop citizen networks for decentralized urban area communication which is independent of government or corporate control? Badly needed in cities like NYC, Moscow, etc.

As further evidence (not really needed) that no-one can trust the big telecoms:

techdirt.com
AT&T Stumbles As It Tries To Explain Why It Paid $200K To Cohen's Shady Shell Company
Karl Bode
9 May 2018

Speaking of backdoors in encryption devices:

https://www.schneier.com/blog/archives/2018/05/virginia_beach_.html
Virginia Beach Police Want Encrypted Radios

> This article says that the Virginia Beach police are looking to buy encrypted radios.
>
> Virginia Beach police believe encryption will prevent criminals from listening to police communications. They said officer safety would increase and citizens would be better protected.
>
> Someone should ask them if they want those radios to have a backdoor.

:-)

Seriously, given such recent cases as Baltimore and NYPD officers convicted of running criminal shakedown schemes, the cops and a serving Marine recently discovered amongst the ranks of violent neo-Nazi extremist groups in Florida and Michigan, the arrest of a former cop as a serial killer, etc., etc., the FBI would no doubt insist that they have a backdoor into any device issued to local or state police. But on grounds of "national security" they will demand an exemption for themselves, of course.