
A Google update just created a big problem for anti-censorship tools


Domain-fronting is now a thing of the past

By Russell Brandom (@russellbrandom), Apr 18, 2018, 4:55pm EDT

App developers won’t be able to use Google to get around internet censorship anymore. The Google App Engine is discontinuing a practice called domain-fronting, which let services use Google’s network to get around state-level internet blocks.

A recent change in Google’s network architecture means the trick no longer works. First spotted by Tor developers on April 13th, the change has been rolling out across Google services and threatens to disrupt services for a number of anti-censorship tools.

Reached by The Verge, Google said the changes were the result of a long-planned network update. “Domain fronting has never been a supported feature at Google,” a company representative said, “but until recently it worked because of a quirk of our software stack. We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”

Domain-fronting allowed developers to use Google as a proxy, forwarding traffic to their own servers through a Google.com domain. That was particularly important for evading state-level censorship, which might try to block all the traffic sent to a given service. As long as the service was using domain-fronting, all the in-country data requests would appear as if they were headed for Google.com, with encryption preventing censors from digging any deeper.

While never an explicit feature of Google’s App Engine, domain-fronting had been widely publicized since it was publicly adopted by Signal in 2016. The technique was also used by state hackers: According to a recent FireEye report, the Kremlin-linked APT29 used domain-fronting to smuggle information out of targets for as long as two years.
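Seen from the defender's side, fronted traffic names the front domain in the TLS handshake (the SNI field, which a network observer can read) while the encrypted HTTP Host header names the real destination. The following added example, which is not part of the original article, flags that mismatch in logs from a TLS-inspecting proxy; the log format, field names and hostnames are constructed assumptions.

```python
import json

# Constructed sample: one JSON object per request, as a TLS-terminating proxy
# might log it. "sni" is the name sent in the TLS ClientHello (visible on the
# wire); "host" is the HTTP Host header (visible only after decryption).
SAMPLE_LOG = """\
{"ts":"2018-04-13T10:00:01Z","src":"10.0.0.5","sni":"front.example.com","host":"front.example.com"}
{"ts":"2018-04-13T10:00:02Z","src":"10.0.0.7","sni":"front.example.com","host":"relay.example.net"}
{"ts":"2018-04-13T10:00:03Z","src":"10.0.0.5","sni":"WWW.Example.org.","host":"www.example.org:443"}
{"ts":"2018-04-13T10:00:04Z","src":"10.0.0.9","sni":"","host":"www.example.org"}
not-json
"""

def normalize(name):
    """Lower-case a hostname and drop any :port suffix and trailing dot."""
    name = (name or "").strip().lower()
    if name.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        return name.split("]")[0] + "]"
    return name.split(":", 1)[0].rstrip(".")

def find_fronting(log_text):
    """Return (findings, skipped): requests whose SNI and Host header differ,
    and the number of log lines that could not be parsed."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            sni, host = normalize(rec["sni"]), normalize(rec["host"])
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1                # malformed line: count it, keep going
            continue
        if not sni:
            continue                    # client sent no SNI: nothing to compare
        if sni != host:
            findings.append((rec.get("ts"), rec.get("src"), sni, host))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_fronting(SAMPLE_LOG)
    for ts, src, sni, host in hits:
        print(f"{ts} {src}: SNI={sni} but Host={host}")
    print(f"{bad} unparsable line(s) skipped")
```

A mismatch is a triage signal rather than proof: HTTP/2 connection reuse can legitimately carry requests for several hostnames over one TLS session when the certificate covers all of them.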

Digital rights groups are already urging Google to reconsider the move.

“Google has long claimed to support internet freedom around the world, and in many ways the company has been true to its beliefs,” said Nathan White of Access Now. “Allowing domain fronting has meant that potentially millions of people have been able to experience a freer internet and enjoy their human rights. We urge Google to remember its commitment to human rights and internet freedom and allow domain fronting to continue.”

Update 9:45pm ET: Updated to include statement from Access Now

Correction 4/26 2:25pm: An earlier version of this piece named the Psiphon VPN as one of the services affected by the change. In fact, Psiphon has never used domain-fronting techniques through Google. The Verge regrets the error.
