Domain Fronting Is Critical to the Open Web
In the past few weeks, Amazon and Google have both announced they’re pulling the plug on domain fronting, a crucial tool which helps our most vulnerable users get access to Tor when their countries don’t allow it. Users of Signal and Telegram are also affected by this block, and Access Now identified approximately a dozen “human rights-enabling technologies” which had relied on Google for this purpose.
Tor Browser protects against tracking, surveillance, and censorship, but not everyone around the world has the luxury of being able to connect to it. By default, Tor Browser makes all of its users look alike. However, it doesn't hide the fact that you're connecting to Tor, an open network where anyone can get the list of relays. This network transparency has many benefits, but also has a downside: repressive governments and authorities can simply get the list of Tor relays and block them. We strongly oppose this censorship and believe everyone should have access to information on the open web. That’s why we developed pluggable transports to bypass censorship and connect to the Tor network. Watch this video to learn more about pluggable transports.
Domain fronting is a type of pluggable transport where Tor traffic appears to be talking to a third party that is hard to block, like Amazon or Google, when it is really talking to a Tor relay. An example of this is Tor’s “meek” pluggable transport, which is described here.
Google and Amazon have both shut down domain fronting, making meek no longer usable over those CDNs. As of this writing, Microsoft’s Azure cloud still seems to be working with meek.
For the time being, we are shifting to Microsoft’s Azure cloud. But we’ve heard that option will soon be shut down, as well.
Unfortunately, it doesn’t look like there is a fast fix. We were not given advance notice of these changes, so we are thinking hard about potential solutions to ensure our friends living in repressive regimes around the world can continue to access the open web.
Snowflake still requires domain fronting to access the broker.
Shown in this diagram.
If you're following the latest trac tickets you'd know that there are non-fronting methods such as DNS-over-HTTPS for communicating with the broker ;)
Thank you for the helpful info, I did not know that. :)