Google App Engine update makes evading state censorship tougher

20 Apr 2018

Google search app. Image: mirtmirt/Shutterstock

Google says the end of domain fronting was a ‘long-planned’ change.

For the past several years, Google’s App Engine has inadvertently permitted developers to evade internet censors. The loophole came in the form of a practice known as ‘domain fronting’, which let services use the Google network to escape state-level online obstacles.

According to The Verge, the change in the network architecture was first spotted by Tor developers on 13 April.

A spokesperson for the company said the practice had never been an officially supported feature at Google and only worked due to a glitch in its software stack. They added: “We’re constantly evolving our network and, as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”

How does domain fronting work?

On a basic level, domain fronting is the routing of application traffic through a larger platform in order to mask its true destination. This allows apps and services to bypass some of the censorship practices in places such as China or Russia.

It manipulates the secure HTTPS web protocol and the Transport Layer Security (TLS) standard to mislead deep packet inspection systems and firewalls about the real destination of a web request.

The technique has been used by encrypted messaging service Signal, as well as an alleged Russian state-funded malware campaign. A FireEye report from March 2017 gave details of the attack apparently carried out by the APT29 hacking collective.

When the practice is used, governments and ISPs cannot shut down the targeted service without also blocking access to the popular Google product suite, because the disguised data requests appear to be headed towards a Google site rather than a banned platform.
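In a fronted request, the name sent in the clear in the TLS handshake (the SNI field) differs from the name in the encrypted HTTP Host header, so a proxy that terminates TLS can compare the two. The following is an added example, not code from the article or from Google; the log field names (`client`, `sni`, `host`) and all domains are constructed for illustration.

```python
import json

# Constructed sample records, in the shape a TLS-terminating proxy might log.
# The field names and every domain here are assumptions made for this example.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com"}
{"client": "10.0.0.7", "sni": "www.example.com.", "host": "WWW.EXAMPLE.COM:443"}
{"client": "10.0.0.9", "sni": "www.example.com", "host": "hidden-app.example.net"}
{"client": "10.0.0.9", "sni": "", "host": "hidden-app.example.net"}
"""


def normalize(name):
    """Lower-case a host name and drop any :port suffix and trailing dot."""
    name = name.strip().lower()
    if name.startswith("["):  # bracketed IPv6 literal such as [::1]:443
        return name[1:name.find("]")] if "]" in name else name
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        name = host
    return name.rstrip(".")


def classify(record):
    """Return 'match', 'mismatch' or 'no-sni' for one logged request."""
    sni = normalize(record.get("sni", ""))
    host = normalize(record.get("host", ""))
    if not sni:
        return "no-sni"  # nothing to compare against; report separately
    return "match" if sni == host else "mismatch"


def find_mismatches(log_text):
    """Return (client, sni, host) for each request whose two names differ."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if classify(record) == "mismatch":
            hits.append((record["client"], normalize(record["sni"]),
                         normalize(record["host"])))
    return hits


if __name__ == "__main__":
    for client, sni, host in find_mismatches(SAMPLE_LOG):
        print(f"{client}: SNI {sni} but Host {host}")
```

A mismatch is a signal to review rather than proof of fronting, because HTTP/2 clients may legitimately reuse one connection for several host names covered by the same certificate.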

State censorship – a growing problem

This disabling of the domain-fronting feature is being criticised by digital rights bodies. “There’s no ignorance excuse here: Google knows this block will levy immediate, adverse effects on human rights defenders, journalists and others struggling to reach the open internet,” said Peter Micek, general counsel at Access Now.

Nathan White, senior legislative manager at Access Now, added: “We urge Google to remember its commitment to human rights and internet freedom, and allow domain fronting to continue.”


Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.
