They're spoofing identity of non-consenting parties. The cause is noble, but it isn't what the headline would imply. Amazon isn't saying "You can't host encrypted services on our platform", they are saying "You can't use TLS and load balancing hacks to pretend to be us in oppressive countries".
And
>The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.
That they interpret AWS and Google as "the rest of the Internet" is pretty sad, too.
That's the entire point. By making it impossible for censors to distinguish Signal traffic from other web traffic going to AWS, domain fronting forces the government censors to either 1) stop censoring, or 2) censor many important websites that people rely upon. The associated economic cost has the tendency to discourage censors, and as shown by Signal, is actually quite an effective deterrent against many oppressive regimes. This concept is known as collateral freedom.[1]
Instead of shutting this down, Amazon could have let Signal continue. In fact, all companies should collaborate to make censorship as expensive as possible. Someone here at HN pointed out that it is very difficult for someone under an oppressive regime to speak out; this makes it all the more important for those of us who can to assist dissidents and support freedom of expression.
Isn't the first problem that Mr. Marlinspike has been holding off federation of the Signal protocol? If anyone could run a server and join the Signal network (like Riot/Matrix, who got it right), the problem of circumventing censorship would be a lot easier.
Any one of these federated servers could use whatever tricks they like to circumvent censorship, and yes they'd risk getting banned themselves if their circumvention measures are violating TOS of where they're hosted, but they wouldn't have to demand special treatment in the light of that, like Moxie Marlinspike did, because it doesn't happen to block the entire Signal network at once.
Their lack of federation is their censorship weak spot. I haven't heard a single reason for holding off federation from Moxie (and the "best" reason I currently can come up with is that he has issues letting go of "his baby", other reasons being more nefarious). There's a lot of strongly principled wording about why Signal should or should not do certain things, because Signal doesn't want to rely on anything but the protocol itself to guarantee its security, privacy and censorship resistance.
But really, what are these principles worth if Signal is in fact reliant on a third party (Amazon) closing their eyes to violation of their own TOS? They shouldn't be, and federation allows for that property.
And to add one more reason, it's not entirely fair to Amazon. By using the load balancing trick, the only thing that Signal risks is getting banned from Amazon, they can rent another server from someone else and set up shop there. However, by allowing Signal to continue to use their load balancing service in this manner, Amazon is risking having their entire service banned by an oppressive regime. It's not really cool of Signal/Moxie to ask Amazon to take this risk for them.
> I haven't heard a single reason for holding off federation from Moxie (and the "best" reason I currently can come up with is that he has issues letting go of "his baby", other reasons being more nefarious).
I mean, there's no need to speculate here. There's an entire blog post on Signal written about why they chose not to federate, just a quick Google search for 'signal federation' away, and the reasons, whether you agree with them or not, are pretty solid and sound.
Federation significantly complicates usability, and Signal's approach tends to prioritize usability. This is probably its most significant difference from other open source crypto tools.
Your argument is that Signal should erase its differences and become like other open source crypto tools. But as you pointed out, the tool you're asking for already exists! If Matrix is already doing it right, then what's the problem? Surely everyone will switch over to the superior infrastructure and not look back.
I have a different explanation: Signal is successful specifically because of controversial decisions like refusing federation, and the reason other tools do not enjoy the same success is because of the usability compromises they have made.
My first thought is "How is it in the interest of Amazon's stockholders to prevent censorship in countries ruled by dictatorial regimes?" and secondly, "How does consenting to being a front for services that are strictly forbidden in certain countries benefit our company?"
Perhaps it's not. AMZN is a for-profit entity. Their shareholders come first. Profit comes first.
The more interesting question is, how does this influence our engagement with Amazon, as members of the tech community and the business community? From hackers to founders to dev leads to CEOs we're all individuals with some degree of influence. Most of us hopefully value the idea of a free society to a great degree, because without one our industry wouldn't exist.
I have no problem with saying that the business I own will think twice about making further investments in AWS because of this. I'm less likely to recommend AWS to our customers because of it.
Businesses which host hate speech get punished by advertisers who don't want to be associated with that kind of drivel. I'd like to see businesses which enable dictators be punished in a similar way.
By the market and this community. I'd like to see more hackers and founders say hey, this company enables dictators so we are re-evaluating/freezing/reducing our investment in their products. (Pick whatever level presents an acceptable cost to you.)
Shareholders still come first if they do the right thing here. Letting reputable people do good with your product raises the tide for the ecosystem. Good for the Internet is good for AWS.
This is an abhorrent chain of logic. By this rationale everything should be permissible if it’s profitable and legal in the country it’s done in. Ethics be damned.
Slavery?[1] Fine. Assisting with genocide?[2] Ok. Human trafficking. Sure, as long as we’re making money. Now consider the likes of Facebook or Google. If Iran wanted to purge an ethnic minority from their country and offered a government contract to Facebook to help identify said minority, how is it in the interests of Facebook stockholders to prevent genocide in countries ruled by dictatorial regimes?
Finally, if what you say is correct - that in the current system the wealth of the shareholders is what matters most - I think the broader question becomes: “Why should western democracies continue to permit laissez-faire capitalism if it refuses to impose any ethical or moral boundaries on itself?”
"How is it in the interest of Github stockholders to not censor certain projects when China starts DDoSing the whole site?"
or even
"How is it in the interest of Cloudflare to raise the prices for all of its customers, just to protect a site Russia doesn't like?"
It can't all be about money. Companies that think only about money fail in the long term. If you don't believe that, then I urge you to watch this Simon Sinek video:
Stomping on the rights of one party, to obtain rights for another, is not ethically permissible. This is about consent as much as it's about censorship.
You've posted this (wiki page that you wrote) several times in this thread... but the issue is that all the unblocked companies are already unblocked. What do they stand to gain from this other than a near-term disruption (at best)? The only way collateral freedom works is when there is mutual need for everyone to be included, otherwise why take the risk to carry the designated targets? Also I wouldn't underestimate the economic power of regimes and nation-states that know what they're doing.
The mutual need should be considering the freedom of communication that everyone should have as a human right. Like a lot of things, when you think of it purely in terms of dollars you end up with an oppressive authoritarian system like in China.
On one hand I agree with you, but on the other... why is this Amazon’s place? I don’t agree with how China censors, but what gives a private US entity the right to try and override that in this way? Their place is to choose to, or not to do business with China, not what amounts to a political operation. I think it’s fair to say that it’s the job of governments and intelligence agencies, and some things shouldn’t be privatized.
You are literally posting on an article where Signal's attempt to aid people speaking out against authoritarian regimes is being quelled by entities due to protecting their bottom line.
We don't have oppressive regimes in the West (where Amazon is based) because capitalism encourages freedom and economic prosperity. A company not helping you doesn't mean they're against you. AWS does not want a customer breaking their terms of service, especially when it affects all of their other paying clients.
What does that have to do with other nations and their laws? The censoring issue here is in a foreign state and not caused by capitalism but a lack of it. AWS is not international police so you should focus on government if you want to see political changes.
You hit on the most important part. If an oppressive country's options are to block a bunch of stuff that's not all frowned upon, or allow something they really don't want, they choose the former.
I'm not saying Amazon is evil or anything, but if a bunch of hugely important customers started getting their traffic blocked by huge geographic segments due to another unrelated customer.... business is business.
And in case anyone here doubts this is true, try using Google, Facebook or Twitter in China. It is absolutely possible for countries to block these services, including AWS or parts of it. Amazon has a duty to its other customers to protect them from that sort of impact caused by the frankly unethical action of another AWS user.
This is a real shame and I wish there was a viable option open to Signal, it's an important app that provides a valuable service, but they really should have seen this coming.
> Instead of shutting this down, Amazon could have let Signal continue. In fact, all companies should collaborate to make censorship as expensive as possible.
Amazon's general stance seems to be "spoofing is bad and makes the internet less reliable, so we're opposing it even here". It's understandable, but I think also thoroughly unjustified. If the objection is "Signal plans to impersonate us without our permission for a good cause", one obvious response is "so let's give them permission".
(Not coincidentally, this is a reasonable alternative to a lot of corporate heavy-handedness. Fighting trademark erosion by slapping down small businesses falls into much the same category - an alternative to coercing harmless-but-unauthorized users is to authorize them.)
Exactly, free countries (or those who consider themselves as such) should make it fully illegal for private companies to aid in any kind of censorship on behalf of oppressive countries. But what we see in reality is the opposite, all companies trying to make it as cheap and as simple as possible to censor anything every government dislikes; meaning the liberal fantasy of allowing every private company to do as it pleases is not going to cut it in a world where every important event you can't find in Google for all practical matters never happened.
As you note, private companies are typically free to do as they please in free countries...that's kinda the point. You have no right to use AWS, so this is not censorship in the legal sense. And free governments also tend to have strong laws respecting the sovereignty of other nations, whether or not their laws are similar. Your frustration is noble, but it's also internally inconsistent.
> "private companies are typically free to do as they please in free countries ... free governments also tend to have strong laws respecting the sovereignty of other nations"
Not always. For example, the Foreign Corrupt Practices Act prohibits U.S. companies from bribing foreign officials, even if the practice is accepted or prevalent in a foreign nation.[1] Just because another country has a particular policy does not mean we have to allow our companies to play along.
I don't think this is the counterexample that you intend. The prohibition is where this bribery is illegal in the foreign countries, even if it happens to be commonplace. Bribery is never "policy", else it would be called something else (as in the U.S., where we call it "campaign contributions").
After reading the linked Wikipedia page, if it's accurate then you seem to be correct. The act prohibits influencing foreign officials by giving them things of value, and doesn't mention whether that would be illegal in the foreign country. So it would seem that a U.S. corporation would be in violation of this law for doing in a foreign land what they routinely do within the U.S. (essentially all large U.S. businesses make, or aggregate, "campaign contributions" with the intent to influence lawmakers and other elected officials).
> private companies are typically free to do as they please in free countries...that's kinda the point
Er, no; in every "free" country, trade/export restrictions are still a thing. US corporations can't sell to North Korean citizens, or even Cuban citizens, despite not being in a state of war against either. And "munitions" (e.g. what encryption algorithms used to be) can be traded hardly anywhere. Just call censorship-enabling technologies "munitions" and it neatly solves the problem of who exactly US corporations can give them to.
That kind of reductionism is not helpful. It's not so simple as "private companies are free to do as they please". In fact many restrictions and regulations can and must be made to ensure that those private entities don't: poison rivers, murder people, manipulate children, steal from customers, and countless other things. In principle at least, because we know that there are innumerable examples of companies doing just that when it profits them.
Nonetheless, among such regulations, designed to make private companies somewhat work for the general public interest, we can include not aiding censorship.
>You have no right to use AWS, so this is not censorship in the legal sense.
I guess you meant "duty" instead of "right"; and respecting the sovereignty of other nations means they can block any site they like or even internet itself if they desire, but it doesn't mean we have to allow local companies to comply with laws from those countries.
>As you note, private companies are typically free to do as they please in free countries...that's kinda the point.
That's not the point at all; let's put it this way, companies are NOT free to poison the water we drink or even poison the water other countries drink just because their governments tell them to do so.
No, I mean right. You have no right to use AWS and thus if they restrict/prevent your usage of said service, on grounds that would otherwise infringe your rights, this is not illegal per se. I might have a right to free speech, but so does Amazon.
> And free governments also tend to have strong laws respecting the sovereignty of other nations
This nearly made me cough my lunch over my keyboard.
Countries tend to have the habit of respecting other countries' sovereignty right up until they don’t, at which point they will invade and occupy the other. Or carry out a proxy war, etc.
Even that is too generous. Which country of any influence doesn’t have at least a few spies getting about doing their spying? Which major players aren’t subverting the course of things in at least a handful of regions at any time?
Sure, but they do maintain an official public stance of non-intervention, which is what's at hand here, because companies must abide by that official public stance, not by off-the-record spy activity.
Private companies are not entirely free to do as they please in free countries. There's always some degree of non-free-ness. It's not at all unreasonable, and it wouldn't be at all surprising, to find free states forbidding cooperation with non-free states' oppression. Indeed, it happens all the time in some way or another.
"in a world where every important event you can't find in Google for all practical matters never happened"
Except Google isn't in China, and last I heard important events still happen there...the world isn't as FANG-centric as western media would want us to believe.
Three companies I don't use, and one that has lost nearly all of my search traffic due to terrible results for really simple queries. It will be interesting to see in what form they persist over the next few decades!
I haven't been using Google much as of late, basic queries come back with crap results. It's as though they've screwed up their indexing so bad that large chunks of forums and (fairly static) support docs just aren't showing up or are ranked multiple pages back.
Perhaps some of the sites I visit are hosted on Google, but since I stopped visiting reddit (the awful redesign was the last straw), I see very little traffic hitting AWS or GCP IP ranges. Part of that is probably uBlock Origin doing its thing though!
In defense of the parent, it would have been helpful if the quoted phrase said "classical liberal", since the definition of liberal has drifted over the past 100 years, and there's a continental difference depending on if you're in North America vs. Europe.
A liberal fantasy isn't heavy regulation of business, it's regulations to prevent/punish corporate robbers from exploiting the public. It's only a fantasy because corporations are buying politicians to let them further chain the populace and siphon their money in as many ways as they can get away with (and no, just not buying their product is often not a good enough solution or is hardly even a choice, like private prisons or the electrical grid).
Liberal does not mean "left-wing". It is a political philosophy mainly informed by the work of John Locke. It places primacy on rights of individuals to basically to do as they like to the extent that it does not infringe on the rights of others to do the same.
This is a difficult bit. There are many different ideas about conflicting rights. Without going into these ongoing debates it is enough to say that liberalism is a big tent philosophy. It encompasses "left wingers" in one end where the state has many responsibilities to uphold individual liberties. At the other end are libertarians who say there is no need for government intervention for individuals to pursue their own ends. People can argue about rights and still be correct in calling themselves liberals.
Liberalism is a school of philosophy dating from the 17th century which generally espouses freedom of speech and association, the separation of church and state, pluralism and religious toleration, state protection for property rights and enforcement of contracts, open markets, popular control of the government, separation of powers, etc.
It is the dominant overarching ideology in America (the American “founding fathers” were mostly devoted liberals) and Western Europe, and there are many disagreements among different sorts of liberals.
"Liberal" does indeed have tons of definitions and connotations. I would have called it more of a Libertarian fantasy (fully free, unregulated market and anti-censorship). That appellation too, though, is fraught with sometimes negative connotations; modern Libertarians in the political arena are derided as nothing more than neoconservatives hiding behind a Fawkes mask and stroking Nazi flags.
Edit for the downvoters: I'm not saying I agree with how Libertarians are seen, just reporting what I've observed. I tend to lean Libertarian on a lot of issues (freedom of movement, freedom of and from religion, live and let live, the right to be left alone, and so on), while also being a socially progressive liberal.
Or, you actually get the whole internet shut off for people who need it. It's not unprecedented and nothing is "expensive" when shutting out Google entirely is not considered "expensive".
This important description of the actual implementation of domain fronting — namely that it’s implemented on the client side, and only as a cover for initializing the TLS channel — I think is very important and unfortunately missing from TFA.
There is nothing on the server side which is masquerading as Amazon or Google. There is no impersonation or spoofing whatsoever.
This is akin to making a DNS lookup for a different domain to find the IP of a service which you know is hosted on the same machine.
While it seems to me that this is clearly not actually violating Amazon ToS, I can understand why Signal must give up on this approach.
As an aside, I’m not sure why this doesn’t break SNI, or exactly when or how the certificate gets switched out over to Signal’s cert and private key. The whole point of putting the domain in the ‘Client Hello’ is to get hooked up to the right cert for the rest of the negotiation when there isn’t a 1:1 mapping of IP->Cert so to switch the GET domain/path later on would, I assume, require restarting the key agreement, which I’m surprised doesn’t blow up the TLS session and require a new clear text ‘Client Hello’.
Interesting. Reading their developer guide [1] pg 293 - CloudFront servers have all the private keys anyway, so it hardly matters—from a security perspective—which key is used to establish the TLS connection to the CloudFront endpoint. The connection between CloudFront and Signal’s own servers would be encrypted with Signal’s key.
I also found this paper on domain fronting to be a very good read - Blocking-resistant communication through domain fronting [2]
Exactly. This works because the point of TLS in this instance is for the Signal client to be sure it's talking to Amazon CloudFront. The certificate for an Amazon service also hosted on CloudFront is certainly good enough to prove this, provided the client knows to expect it, which it does.
Amazon was supplying Signal's content as souq.com but with the request making it clear it was for Signal.
How might this be noticeable? Like so:
- (irrelevant) the SNI and certificate presented by the server don't match the request -- only the hoster can see this, so what might they care?
- (serious) metering: if the hoster uses SNI for metering... then Signal would be stealing the fronter's bandwidth
- (mild) DNS metering: the fronter's domains will see more DNS lookups not related to serving the fronter's content
Nothing that couldn't be addressed contractually. Signal could pay the costs that would otherwise be unfairly borne by the fronter, and whatever makes the hoster comfortable with the whole thing (if making the fronter good is insufficient for that).
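The split the posts above describe (the censor sees only the plaintext SNI in the ClientHello; the CDN, after terminating TLS, sees both the SNI and the Host header of the decrypted request), as an added example that is not code from the thread, Signal or Amazon. It builds a minimal TLS ClientHello with a server_name extension, parses the SNI back out the way a passive observer would, and models the edge-side check a hoster can apply to refuse requests whose Host differs from the SNI. All hostnames and bytes are constructed for illustration; the policy function models the rule described in the thread, not AWS's real implementation.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello whose only
    extension is server_name (type 0x0000). Random/cipher values are dummies."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # type 0 = host_name
    sn_list = struct.pack("!H", len(name_entry)) + name_entry
    ext = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    exts = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x11" * 32          # random (constructed)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # cipher_suites: one suite
        + b"\x01\x00"           # compression_methods: null only
        + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(record: bytes):
    """Return the host_name from the server_name extension, or None.
    This is all a network-path observer can read: the record, the handshake
    header and the ClientHello fields are sent in the clear."""
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                   # version + random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions present
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0:
                nlen = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + nlen].decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def host_header(http_request: bytes):
    """Host header of a decrypted HTTP/1.1 request; only the TLS terminator
    (the CDN edge) is in a position to read this."""
    for line in http_request.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii")
    return None

def cdn_policy(sni: str, host: str, fronting_allowed: bool) -> str:
    """Edge-side decision once both names are visible. With fronting
    disallowed, a request whose Host is not the name negotiated in SNI is
    refused; that is the rule the thread describes, modelled here."""
    if sni == host:
        return "serve"
    return "serve" if fronting_allowed else "refuse: Host does not match SNI"

def observer_view(record: bytes, http_request: bytes) -> dict:
    """What each party sees for one fronted connection."""
    sni = parse_sni(record)
    return {"censor_sees": sni, "cdn_sees": (sni, host_header(http_request))}

if __name__ == "__main__":
    # Constructed sample: SNI names the front, the Host names the real origin.
    hello = build_client_hello("front.example")
    req = b"GET /v1/messages HTTP/1.1\r\nHost: hidden-origin.example\r\n\r\n"
    view = observer_view(hello, req)
    print(view)
    print(cdn_policy(*view["cdn_sees"], fronting_allowed=False))
```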
The metering isn't based on the SNI header, so the second point doesn't apply. And since the fronter's domains are presumably using the CDN's DNS servers anyway, it's not an issue either.
2 is hypothetical as none of the fronts are doing this, and even if a front "could" that doesn't matter as the fronts in question do not. We can agree that if this was happening then it would be an issue.
3 seems just wrong. Where does the DNS lookup take place? Why would the fronting server look up the SNI entry?
Are you 100% confirming that the encryption takes place using Souq's cert? Obviously it isn't going to display in a browser, but I'd wonder if there was something else you could do with it.
If the fronting is done on the client side, can we set up clients to perform the same trick on other services? E.g. make Amazon and Google think they use domain fronting, and thus have them reconsider ban?
- This most definitely is against the CloudFront terms of service. See the linked article if you disagree - the ToS is quoted there.
- One direct impact to the owners of the SOUQ.COM domain is that their DNS query volume will increase drastically. They have to pay for those queries. Would you like it if your side project all of a sudden got a 6 figure DNS bill because Signal decided they want to piggy back on your domain to route around censorship?
> Would you like it if your side project all of a sudden got a 6 figure DNS bill because Signal decided they want to piggy back on your domain to route around censorship?
In this hypothetical example, is my side project doing $178,000,000,000 of annual revenue like Amazon.com? If so, I'd like to think I'd be honored to help subvert censorship by oppressive regimes.
Except that Amazon is not the one paying, it is quad.com (or some other domain they’re piggybacking on) who has to pay for the DNS traffic. If my $3 side project suddenly became a $1000 side project I’d be pissed too. I like what Signal is doing but that should not be making others pay for it. Ideally Amazon would help them do that but they don’t.
> Except that amazon is not the one paying, it is quad.com
It's souq.com, which is a wholly-owned subsidiary of Amazon. https://en.wikipedia.org/wiki/Souq.com It's an e-commerce site targeted at the middle east that Amazon bought as their play for that market.
Signal deliberately chose it because it's an Amazon domain, so governments would be reluctant to block it.
Nothing stops the Signal app from looking up that domain anyway. It's not abuse to genuinely look up an IP. It's the job of resolver caches to keep the traffic under control.
They may not be impersonating Amazon, but they are using Amazon's services to circumvent the intent of policies (laws) that Amazon wants to comply with. Amazon has decided to stop being an unwitting participant in this particular mechanism of circumventing oppression.
For the record, I'm of the opinion that the US should insist that American companies not help dictators abroad in their censorship efforts. But it's hardly unreasonable for Amazon to say, "this type of stuff is illegal in Egypt. We don't want any trouble, so please stop using us as a means of circumventing Egyptian law."
AWS is not siding with oppressive regimes, what's with the misleading political slant?
They don't want customers breaking terms of service, whatever those terms are, and especially when it means the rest of their customers are affected. It's not a single company involved here and they're looking out for everyone else they serve.
In this case, enforcing their Terms of Service does constitute siding with oppressive regimes. You could argue that it's not AWS' goal to help oppressive regimes, but in the struggle against censorship, that is the side they have put themselves on in practice. On one side, there are people all over the world who want to communicate freely. On the other, there are authoritarians who want to suppress and surveil that communication. AWS policy used to help the former, and now helps the latter.
I think maybe you're trying to express that under a free market ethical framework, AWS has done nothing wrong here. Which is true, and an insightful indictment of the free market as an inherently liberatory force.
That's not what "siding with" means. AWS is remaining neutral to politics as a company, which is a very good thing. Why do you want multinational corporations to get more involved in geopolitics? Do you think that will somehow lead to a better outcome?
Signal had a strategy, but it involves breaking the terms of service, so that vendor has no reason to comply and put the other customers at risk. Signal just needs to figure out another option. It's a technical issue and nobody is stopping Signal itself. AWS will still host them just fine as long as they follow the terms.
By the way, the free market is what allowed companies like AWS and Signal to exist in the first place, and lets you contribute effort and money if you'd like, so perhaps you should widen your context before throwing around indictments.
Amazon isn’t necessarily against censorship. They just don’t want to provide this sort of spoofing service. Regardless of whether the spoofers are good or bad.
I believe this is the fundamental issue, from Amazon's PoV: this altruistic project with nice goals is abusing a network nuance, but most other actors using this capability are likely to be bad actors.
I don't think Amazon's reasoning was "oh, let's help dictators dictate", but more "hey, isn't this a potential security hole ripe for abuse that would make us look incompetent?".
Maybe point that anger towards the government and military then, instead of a private corporation with thousands of business customers and millions of consumers.
Yes. It's called war. What's confusing here? If a citizen of a nation thinks that another nation is not behaving as they would like (whichever country or whatever behavior that is), the proper channels to enact change are through government action, either diplomatic or militarized.
Asking a private corporation to be international police is not good for anyone, as well intentioned as it may seem.
Military (or state in general) may have other, softer and more covert means of influencing other countries besides war, like “persuading” home corporations to act on their behalf. That's not unheard of nowadays.
War is an ultimate and extremely costly measure. Just as inter-personal violence should be reserved for extreme cases - if you don't like a mayor in your city, you vote against him, campaign against him, write letters, go to protests - but you do not assassinate him. The same way, inter-national war is a measure of last resort and should not be resorted to due to mere disagreement about cultural norms and such.
> Asking a private corporation to be international police
This implies only police can and does enforce cultural and moral norms. This is the exact opposite of the correct order of things - the police should be preventing or punishing crimes, like theft, robbery, rape, murder, etc. - and people themselves - individually or in organized groups, like companies, NGOs, voluntary societies, etc. - should be creating and enforcing moral norms. You can not just delegate this to "the police", being it national or international.
Thus, asking Amazon to take part in helping to create an international norm of upholding free speech is reasonable. And their refusal is morally despicable.
Yea, that's why I said: "government action, either diplomatic or militarized". Any reasonable person will choose diplomacy first.
Nobody is talking about cultural norms here. The story is about Signal being used to help those in oppressive societies with active censorship, not some differing cultures. And "police" is a form of expression, not literally a police department.
Asking Amazon to do anything political is absurd because it's a corporation that should be focused on its paying customers, none of whom would appreciate unwillingly being affected by Signal intentionally breaking their terms of service. Do they suddenly not matter?
It's morally despicable to just expect and force others to help you in your causes, no matter how noble (you think) it is.
You say "proper" but what you're describing (at least the military option) is a war of aggression. This is not only illegal (both internationally, and, for example, in US Law), but described as "the supreme international crime."
It's an option, and if it comes to war then the legality of whether it should've been declared is usually not a priority. Also in the context of oppressive regimes, the "aggression" in this case wouldn't be unwarranted, nor is it unprecedented.
Regardless, what actually isn't proper is expecting major corporations to do police duty. That never ends well.
A war of aggression has nothing to do with whether or not it was declared (in fact, declaring such a war is, by itself, considered a war of aggression and is illegal and is a war crime).
Are you sure you still feel that committing a war crime and doing what philosophers and statesmen and lawyers consider the "supreme" crime is really worse than "expecting major corporations to do police duty" ?
I think part of your argument is reasonable to a point that two people could, in good conscience and respectfully, disagree. Maybe governments are better suited to handle this (via what is known as soft power).
But as long as you take such an extreme position that cannot be defended (it's better to wage a war of aggression than to have Amazon stand up for Signal), you're just commenting for yourself. No one is going to engage you in meaningful discussion, because even when it gets pointed out that you're advocating for a war crime, you can't even say "well ya, maybe that was a bit extreme."
What? You've seemed to have lost all context here:
1) As noble as the cause may seem, it would be better for everyone if massive corporations just focused on business instead of politics. It's reasonable, predictable, and safer. Signal is not affected by this, it just means picking a better option than breaking terms of service.
2) The correct process for citizens of a country is through government diplomatic and military action, especially when concerning other foreign states. That's all I said, and another poster specifically asked about the military, in which case the option is called war. This entire story is about oppressive powers, most of which are disabled through military action, so it's not a strange concept and nowhere is a war of aggression mentioned.
Perhaps take a step down from your moral high ground and try to comprehend the entire conversation before telling someone that they are advocating for war crimes, that would be much more helpful if you want a meaningful discussion.
I find it surprising how these threads get so lost in just a few posts.
What I said is that if someone has an issue with another country (oppressive or otherwise) then they should use political means to influence change through their (and foreign) governments. As the commenter specifically stated the military, war is how that change is done in that case.
Yes, but I don't think you're considering the significant direct cost to the owner of SOUQ.COM for DNS queries. If all of a sudden I get millions of extra DNS queries for my domain because Signal is using it to front their traffic to CloudFront, I might get a huge DNS bill.
Should any government coerce me into paying a large DNS bill just to sponsor freedom of speech? Even if it is a noble cause, we shouldn't coerce innocent 3rd parties into doing this.
They're not pretending to be Amazon, but they are making their client pretend to talk to an Amazon host, and use the SSL keys of an Amazon-owned host rather than their own.
It's more like this:
Clear text request: "Hello, I would like to speak TLS with host souq.com and encrypt my connection with a key signed by souq.com"
Clear text response: "Why yes, let us do that with these parameters"
Encrypted request: "Actually I meant host signal.org, but please route my request anyway since both hosts are being routed by this service. Please ignore the fact that my symmetric key for this connection was encrypted and transmitted using the keypair of souq.com."
----
This is similar to buying a train ticket to a nearby stop, using it to get on the train, then getting off at a different stop because you know they won't check your ticket again.
Google and Amazon are now adding an additional ticket check.
They're arguably impersonating Amazon on the server side by hosting their service behind Amazon's proxies and using a trick to pretend that they're talking to some Amazon service instead of their own.
You're right of course, my comment was too short and factually wrong. What I meant was that what they're doing is effectively renting office space in Amazon's building and then exploiting a loophole in the way mail is distributed to receive packages even though the outside envelope says "c/o amazon.com" (or c/o souq.com in this case).
So while they don't do anything fishy on the server side they still took care to put their servers there for a reason. And since they also write the client code it's not difficult to show that the intent is to impersonate Amazon to 3rd parties.
Interestingly it seems that Amazon couldn't really complain if the people writing the client were independent from those maintaining the servers, since the spoofing code is entirely in the client. Although in the end I'm sure if it turned out to be a problem for them they'd just enforce that the domains match the HTTPS query and remove the technical possibility of fronting altogether.
I agree. The intent is noble, but this headline makes Amazon look like the bad guy for disapproving unauthorized use of one of their domains, which is quite reasonable.
Amazon and Google are certainly within their rights to refuse this. Allowing domain fronting is likely to put quite a lot of their money at risk, so this outcome is unsurprising, but it's still the less ethical one.
This might be the only possible outcome given a corporation's legal responsibilities to its shareholders etc, I don't know all that well enough, but I think it's still justified to lower my opinion of Google and Amazon because of this.
I realized I glossed over the fact that this would put other AWS/GAE customers' money at risk too. This complicates matters somewhat, and some (I believe a negligible number of) customers might switch to an unblocked competitor.
Personally this weakens my view a little, but is not enough to change it substantially.
Despite the use case for censorship circumvention, many malware command and control bots use domain fronting to bypass corporate web filters that otherwise might block their traffic. CloudFlare, being a security-focused CDN, most definitely does not want to help enable malware authors to bypass security.
Where do you get that from? The Russian government blocked lots of AWS and Google IPs, and had no problem keeping them blocked until they agreed to stop allowing this, which was the same thing Telegram was using. And it doesn't appear that they cared about the "huge financial cost".
The problem I'm having is that I'm not even sure this qualifies as 'use' really. Sure, they're putting the domain name in the TLS handshake from the client side instead of their own. The handshake itself works the same, everything that happens after is the same. The TLS endpoint on Google's/Amazon's servers just makes sure the domain is in its list of known domains, nothing else depends on it.
The conceit here is that you must be "authorized" in order to write an app that puts the domain in question into the SNI field of a TLS connection that it initiates. I don't think that's reasonable.
It is of course up to Amazon what their servers then do when presented with such a connection, in particular whether they ensure the Host: header later presented matches the SNI data.
This doesn't seem quite accurate to me. They are not making an assertion that they ARE Amazon or Cloudfront. They are avoiding making an assertion that they are anybody, by using a shared facility. It's a bit like using a public payphone to avoid being identified. When you use a public payphone, presumably the call originates from a line owned by the phone company, but nobody accuses you of attempting to impersonate the telephone company by doing that.
This may still be a violation of the TOS, but people should be clear about the actual intent of what is being done.
Technically true, but this is not really about terms of service or about "spoofing identities of non-consenting parties." This is about Google and Amazon not wanting to become collateral damage and lose business in those countries.
Signal is/was connecting to Google or Amazon servers with an HTTP Host header of google.com or souq.com, respectively—and only in Egypt, Oman, UAE, and Iran! Google and Amazon could have easily allowed this or even looked the other way.
So basically censorship worked, albeit not how we thought it would. Sad for people in those countries who were relying on Signal for private communication. Who will stand up for us when we lose ours due to some business decision?
But effectively that is the case. If major providers like AWS and Google ban domain fronting, it is effectively dead - nobody needs domain fronting when you have three domains, three domains can be banned the same way as one.
AWS and Google could throw their considerable weight on the side of anti-censorship and openness. They instead chose - as businesses frequently do - to play along with oppressive dictatorial regimes so it won't cost them a couple of bucks extra. That is pretty sad.
Russia had no problem whatsoever blocking both Amazon and Google when it was blocking Telegram a couple weeks ago. What makes you think this would be any different? In other words, why is Signal being able to operate more important than all of the other people who pay AWS and Google for services?
AWS and Google are companies. It's not their job to push for societal changes really. In fact, I hope they don't push for those. I'd prefer them to steer clear of pushing for any higher objectives, that's best left to governments and lawmakers.
Maybe we should consider AWS differently than Google or FB?
"to be Earth’s most customer-centric company, where customers can find and discover anything they might want to buy online, and endeavors to offer its customers the lowest possible prices." - https://www.amazon.jobs/working/working-amazon
"Founded in 2004, Facebook's mission is to give people the power to build community and bring the world closer together. People use Facebook to stay connected with friends and family, to discover what's going on in the world, and to share and express what matters to them." - https://investor.fb.com/resources/default.aspx
It's interesting how these mission statements present vastly different goals.
At what point is something a public utility? If everyone abandons their servers for cloud providers you are at the whim of the corporate political stance of where your machine is hosted..
> It's not their job to push for societal changes really.
Somehow dozens of companies are discussing pushing for societal changes every day. Just recently a bunch of companies discussed severing ties with NRA (which didn't hurt a single living soul) and stopping selling firearms (which would not, indeed, lead to any societal change but at least the declared goal, even if unattainable, is to do exactly that). In another topic, there's a link on political manifesto by SO leadership. Social activism is everywhere in the business world. But when it's about something that may save somebody's life in Iran but cost some $$ to the company, it's suddenly "not their job". Nope, you can't do both. If companies avoided social activism altogether and were completely neutral and apolitical - I could accept that. They are not and haven't been for a long time. You can't just turn on one place and say "we do social activism everywhere but not where it can offend Iran". Or, you can, but that would be, as I said, cowardly and disgusting.
Also there's recent story of Google removing shopping results containing "gun" which went hilariously wrong (yes, you couldn't search for Burgundy for a while :) : https://news.ycombinator.com/item?id=16474102
The cause is noble, but the mechanism is dubious: it can be viewed as, in effect, saying to oppressive regimes “to harm me, you must harm a bunch of innocent bystanders, too”.
The name even hints at that: it's freedom that rests on the target's unwillingness to inflict collateral damage.
Which, questions of morality in the abstract and consent aside, seems to gamble pretty heavily on sensitivity the regimes of concern are decidedly not known for.
They are sensitive to collateral damage, though, otherwise they could just turn off internet access. It's actually pretty easy for a state-level actor.
But Signal was doing all of this without Amazon's consent. I don't care how noble you think your cause is, dragging other people into your fight against their will is wrong, full stop.
Just to be clear, I am not affiliated with Signal in any way. I am just a user.
> "your freshly minted wiki page"
I am a regular contributor to Wikipedia, and I created the article on "collateral freedom" in January 2017[1] when I came across the topic because it satisfied Wikipedia's notability guidelines.[2]
> "kind of dodgy to do without mentioning that you wrote it"
The article is completely neutral, cites reliable sources, has been reviewed by another editor[1], and abides by all Wikipedia policies. I do not personally gain anything from posting it here.
I didn't think the fact that I initially created the article was relevant to this conversation, because for all intents and purposes, it does not make a difference.[2] The article meets Wikipedia's standards, and anyone is free to edit it subject to the applicable content policies.
I see your point, though it still feels a bit dodgy to me, and I suspect to many other HN readers. Fortunately it's a rare and borderline case so we don't need to worry about it too much.
What does "innocent" mean in this context? You seem to be using the word to distinguish between people who use the app and other people who don't, but that can't be right. Is it unethical to use a communications app?
It would be a very particular sort of autocratic state, which could censor communications apps on a blanket basis, but would have to go through some sort of charade with laws and courts for each particular app. Still, the app and its users are different parties.
How is it moral for Amazon to shirk their fiduciary duty to shareholders for the sake of a political battle it isn't theirs to wage?
I counter it would be more immoral to put, say, the retirement funds of firefighters and teachers at risk to achieve what is the responsibility of, say, the State Department?
Berkshire Hathaway could have never existed if it were actually a legal requirement. For decades they've constantly passed on doing things that could have easily juiced shareholder value, including hostile actions in regards to takeovers. It's why nearly all of their acquisitions come to them instead: an extraordinary reputation.
Further, the fiduciary myth is silly as a premise upon any inspection: legally who gets to decide what's the one right ideal path for optimizing shareholder value, such that if you don't follow The One True Path then you're failing shareholders. Any other path than the single best one, would be inherently defined as failing the fiduciary responsibility to maximize shareholder value (which is another way of saying: legally it's an impossible concept to implement; and logically it's stupid, it falls down instantly, no person could know the maximization path at all times). It doesn't pass even a minute of rational intellectual scrutiny.
To put it bluntly: fuck the shareholders. The question being asked shouldn't be "are the capital owners getting paid", but "is this company improving lives and delivering benefit". It's after all, what they're here for, not just to make money. No matter how much money I can make selling heroin, they're not gonna let me because, you guessed it, I'm doing damage by doing it.
What about countless other, not censored, services delivered from the same network? Do they not "improve lives" and "deliver benefit"? Collateral freedom is akin to placing your guerilla command center in a hospital, in a gamble that the other side will leave you alone instead of risking extra harm to innocent civilians. In this case, the hospital decided to disallow guerillas to use it as cover.
> They're not trying to take advantage of any particularly sensitive institution.
They are. Amazon. And previously, Google.
The worst-case consequence is not people losing access to Amazon store, but losing access to anything that's powered by Amazon cloud. People operating all kinds of services hosted on Amazon servers are the patients and hospital staff from my example.
Amazon servers are an entire city. There is a vast gulf between the equivalent of "being in a city that has a hospital" and the equivalent of "locating a base inside a hospital".
Then it's even worse, because the picture you're trying to paint implies that it's either leave guerillas alone, or nuke the entire city.
A ban of a cloud service affects everything else that depends on it. The more popular a service, the more damage. That's the point of "collateral freedom".
(Note the name of the term. It's no accident. It comes from "collateral damage".)
But if they were going to nuke the city? Fuck them, don't negotiate, it is absolutely not the fault of any group that is merely located somewhere inside the city.
I feel we're talking past each other because of a spatial analogy.
My point is - by employing domain fronting against censorship, you bet that the adversary will not ban the service you're using as a front. But they very well might just do that. At this point, everyone else using the service suffers. So that service, by refusing to be used as a domain front, is not just protecting its own interest - it's protecting interests of all the others who depend on it. You, on the other hand, are unilaterally putting those other people at risk. This does not make you a hero, it makes you a villain (even if a lesser one).
"Putting them at risk" not by doing anything to them, but by being near them.
The domain fronting could be set up in a way that doesn't spoof domains, and the risks would be exactly the same. The spoofing is a red herring. The issue is the mere idea that a censor would be unable to tell what domain a connection is for. The actual thing that puts people at risk is ridiculous to attack on a moral basis. It's the same as just existing in a crowd. Not grabbing someone to be your shield.
The mistake here is that they are not guerrillas and are not hurting anyone. It's censors that do. It's collateral damage only from the point of view of censors.
The same technique is being used to prevent censorship in a host of countries, like UAE, that have giant piles of cash and influence, and where blocking AWS/Google would have unacceptable consequences. No one gives a damn about a few Russians.
A real world example would be a re-mailer. The outside of the envelope shows one address it goes to, but the inside, where others cannot look, actually has the true address?
Since the plain text has the fake address while the encryption has the true address, I see no issue with this.
A real world example would be an automated postal sorting/routing center with a bug that lets it be exploited as a remailer. By doing domain fronting, a single party is betting that this postal center is important enough not to get shut down/bombed. Obviously, the postal center isn't happy that you just put it at risk of getting shut down, because they deliver lots of other mail, none of which is obviously less important than your shenanigans. So instead, they opt to patch the bug that allows them to be unwittingly used as a remailer.
The core point being: Signal isn't using Amazon as a shield - it's using every single customer of Amazon as a shield.
An HTTPS connection sends the domain it wants to connect to in two layers: first unencrypted in the TLS headers, then encrypted in the HTTP header.
In a regular connection (even using a CDN), those two will match. Using domain fronting, you put a popular domain in the unencrypted part, and the real domain in a encrypted HTTP header.
Due to how they're implemented, the load balancers at Google and Amazon will ignore the first (unencrypted) layer, and will send the traffic to the correct server based only on the encrypted HTTP header.
Regular browsers always send the same domain in both layers, only a custom app like Signal can perform domain fronting.
> only a custom app like Signal can perform domain fronting.
Or curl, or openssl s_client. I'm still trying to understand domain fronting, and exactly what is being disallowed now. Do all of my CDN requests have to have identical Host headers and TLS server name indicators now? What if they're mismatched? Does the TLS handshake still succeed, and the traffic just doesn't get passed through the CDN server?
Well, the current conflict is with Amazon; your CDN might or might not object to domain fronting.
Amazon is not saying that they must match, they're saying that you can't use someone else's domain for domain fronting without their permission. That is, if the domains don't match, whoever owns the domain indicated in the TLS server name must give express permission to do that.
I don't think their infrastructure can actually block it, they just ban your Cloudfront account if they happen to know this is going on. So you can probably get away with it if you keep quiet and nobody finds out.
> Well, the current conflict is with Amazon; your CDN might or might not object to domain fronting.
Yeah, understood, I meant CloudFront specifically.
> I don't think their infrastructure can actually block it
If I terminate TLS at CloudFront they can certainly compare SNI with the Host header and block on any mismatches. This is silly of course, since there are legit reasons to do this.
Sorry, I'm not on board with using an Amazon owned domain for this. That's got the potential to get Amazon itself blacklisted in some places, so they're absolutely not going to be okay with it.
I'm guessing you haven't spent much time looking into how oppressive regimes work.
They aren't going "to realize that they are being an oppressive regime" and have an epiphany where they realize, "Hey maybe I'm an evil dictator?"
If you are up for reading, I highly recommend Michael Malice's book, Dear Reader: The Unauthorized Autobiography of Kim Jong Il. After reading that you will completely understand why "see how long it is until they protest or move" is a silly thing to say.
We don't need oppressive regimes to "realize" they're oppressive. We simply need to shift the incentives by making it financially expensive to censor. This is known as "collateral freedom"[1], and has been used to publish censored content in China.
This is a bloodless equivalent of using human shields or hiding your forces in a hospital - you involve lots of innocent civilians in hope that the government will not be willing to absorb the sacrifice.
> We simply need to shift the incentives by making it financially expensive to censor. This is known as "collateral freedom"
In this context, "making it financially expensive" means "banning us would also mean banning lots of other unrelated services, which will have negative impact on both economy and morale of the population".
In the same way, in warfare, using civilians as human shields is "shifting incentives", making it PR-expensive to strike you down.
In both cases, an authoritarian government may be willing to eat the loss and deal with you anyway. And in both cases, you're the one putting innocent people in harm's way.
In your strategy you only have three choices - put your own label, put someone else's label, or just give up. The labels are necessary for routing. If you put someone else's label on your packets, you're turning them into a potential target.
They might not have reasonable freedom to move or protest, but people will always have the radical freedom to oppose an oppressive regime. It is just much more costly and requires the knowledge that you live in an oppressive regime and access to information in order to break it.
I'd be happy to give a very brief TL;DR with the disclaimer that I recommend either the book for a full picture or the Michael Malice interview on Joe Rogan's podcast (WARNING: NSFW language) [1]
There are a few factors involved (and please bear in mind I'm leaving out a lot of detail here, and this is nowhere near a comprehensive list).
1. There is extensive "brainwashing" regarding the great leader. He is praised for everything. There's a famous story about a western optometrist who performs a surgery that is routine everywhere else in the world, but rare in N Korea, that restores eyesight. The first thing people often do after receiving their sight is not thank the doctor, but praise a poster of the great leader, thanking him for restoring their sight (I think this was a Nat Geo thing but I don't remember exactly).
2. There is a culture of tattling that heavily incentivizes ratting out your friends and family to the authorities. You will be punished for even having unclean thoughts, let alone taking bad actions. The pervasiveness of this makes it such that people often self-report themselves for thought crimes due to feelings of guilt or concern over getting turned in by friends/family (you may do less time in the prison camp for self-reporting).
3. Families are harshly punished for actions taken by their family members. This means that if you escape, your family will be likely killed or sent to prison camp. If you die in camp, your son/daughter/father/mother will have to take your place to finish your sentence. Thus even suicide/death in prison camp is a betrayal of your family. There is no way out.
There is a difference when people have never had access to things and when you take away access.
A difference would be like America and North Korea and taking away the internet. The vast majority of Americans use the internet and it is an integral part to their lives. You take it away and they would riot in a heartbeat. On the other hand if you have a regime where the majority of people never had access to the internet (or any whatever), taking it away does not cause a riot. The small groups of people that had access won't have the critical mass needed to cause such a riot.
The point is not to make a dictator to realize "Hey, maybe I'm the baddie" but "If I take this away then someone will stage a coup." Dictatorships tend not to be very stable regimes. It is hard to balance the line of power and being overthrown.
TLDR: People care much more when you remove something that is already integral to their life. Not so much if it isn't.
> You take it away and they would riot in a heartbeat.
I'm not certain that this is true.
No American Dictator would just outright ban the internet, no they'd say they were protecting children and blocking terrorists, and require internet providers to block that content.
Anyone arguing that this is censorship would be branded as a supporter of child pornography and terrorists.
A few more steps along that line and what you have is no longer the internet as we know it, but PatriotNet(tm) (insert waving flag, anthem, etc).
Do it enough subtle steps and they'd get away with it without anything more than a few grumpy "libtards" complaining on TV.
You're right in that it can be done through a long process. But as freedomben notes (in response to my reply), Egypt is an example of what I'm talking about.
Amazon isn't in the business of forcing oppressive regimes to realize they are oppressive regimes, they are in the business of selling goods and services regardless of the oppressiveness of the regime governing the region where the currency comes from.
If you want Amazon to stop doing business with oppressive regimes, contact your politicians about sanctions.
The problem is deeper than that; even if Amazon doesn't sell stuff to oppressive regimes, they host the sites/services of companies who do.
And if the solution was to force Amazon to block any access from their servers to those oppressive regimes, that wouldn't help Signal at all, because they too would be blocked.
You're not wrong, it would certainly not be in shareholders' financial interest for Amazon to take this stance.
For the record, U.S. politicians have voted on sanctions on Russia for cyber crimes and brought representatives to the UN raising the issue of their human rights records.
> For the record, U.S. politicians have voted on sanctions on Russia
Indeed, the US nearly destroyed Russia's largest aluminum company - Rusal - recently in a sanctions move against an oligarch close to Putin (Oleg Deripaska, who owns the majority of Rusal).
The best way to deal with oppressive regimes, is generally to go through powerful political bodies/groups, whether the UN, G7, or US Congress. The impact a company like Amazon (or Google, Facebook, etc) can make is very trivial. So trivial as to be meaningless to a typical oppressive regime. Congress, in tandem with large allies, can hammer eg Russia's primitive industrial economy, by comparison, with targeted sanctions on steel, aluminum, whatever.
"On April 23, however, the US government gave Rusal's American customers "more time to comply with sanctions", even saying it would "consider lifting them if United Company Rusal Plc’s major shareholder, Russian tycoon Oleg Deripaska, ceded control of the company." Department of the Treasury gave these clients until October 23, 2018 to comply with (wind down business) the Rusal sanctions."
For the record, Deripaska is no friend of Putin, who forced him to start paying tax and stay out of politics.
Look at how Putin humiliated him several years ago during an industrial dispute, when Putin took the side of workers against Deripaska.
That premise has a very mixed bag of results historically. It works on some regimes, and fails entirely on others.
Cuba defied an aggressive embargo by the US for ~50 years, which is partially responsible for Cubans typically having present incomes of about $20 per month. [1] By contrast, Haiti, which is one of the poorest nations on earth, has a higher median income than Cuba. The Castro brothers were simply unmoved by the extreme financial consequences (and the people of Cuba also did not topple them across more than half a century).
Similarly it didn't work against North Korea across 60 years. Even while the North watched South Korea develop and grow into one of the 20 or so richest nations.
It also didn't work very well against the USSR. The West heavily limited its trade and economic cooperation with the USSR across the entire post WW2 era until their collapse. The West rapidly developed advanced technological economies, the USSR did not, their people suffered extraordinary poverty and backwardness. The regimes in Moscow didn't care. What finally brought down the USSR, was the collapse of the price of oil brought on by a strong dollar shock in the late 1980s (by contrast they were doing far better economically in the 1970s and early 1980s as the price of oil was very high).
One of the common characteristics of an oppressive regime is that they already suffer financial consequences for their actions; sanctions, overseas account seizures, trade embargoes.
Hoping that they'll throw their hands in the air and give-up instead of blocking AWS etc is naive. The people making the decision don't suffer the consequences as do their subjects.
Sure, but the point being is that Amazon is not consenting to being a bargaining chip in this manner. If you're in control of a site, and you want to say, "If you block them, my site will be blocked too, in solidarity," that's just fine. But it would be pretty awful for you to involve me in that, as well, if I don't wish to be part of it.
Right, and them taking that stand isn't what most of their customers want from them. "We don't want to make political points in other countries, we're just here to sell ads" is the generic corporate position.
China is huge compared to those other oppressive regimes out there.
Also, AFAIK, China hasn't been able to recreate GitHub. Since GitHub is HTTPS-only and China needs it enough to not block it, a lot of censorship circumvention tools are available in China through GitHub.
It also forces the poor domain owner who is being fronted, in this case SOUQ.COM, to absorb a huge Route 53 bill for all of the DNS queries that are originating from Signal users. Not fair at all.
This is nothing to do with censorship. AWS has many clients and does not want its network to be blocked because of a single customer. Tough for Signal but that's how it is when dealing with businesses (especially one that so many others rely on).
Amazon has a ton of customers, at least a few of which like https://preemptivelove.org/ are also doing good things in these countries. It's not just Amazon that suffers, but Amazon's customers and everyone else downstream.
Preemptive Love is one of the most fearless organisations on the planet operating in the most dangerous places on the planet with little regard for their own safety. They constantly surprise me with the risks they are willing to take so that others might love.
The point is that Signal isn't the only app being used for good in such countries. Amazon's bottom line will be ok, but the customers & users who live in the censored countries will no longer be able to access other important sites hosted by Amazon.
No, it doesn't. This is Amazon saying they don't wish to be a part of this dispute, which is entirely their right. It is not Signal's right to drag Amazon into the dispute against their will.
They're not capitulating to anything... they're asking one of their customers to not break the terms of their service. Same scenario if someone was running crypto mining or bittorrent on the cloud.
It's not a single company here, thousands of businesses rely on AWS and don't want their service disrupted because of Signal.
It's a warning to not break terms of service. The strategy still works, but it's against TOS of most hosts so it was never really viable.
Time to look for another option then, like any other technical challenge. I support Signal's work here but unfortunately we can't just enlist every other business to help (otherwise censorship wouldn't be much of a problem in the first place).
Potential sure, but considering that unblocked companies already have access today, they effectively gain nothing by creating more friction, other than short-term disruption. It's not as simple as it sounds.
I wonder if that means AWS, Google, etc oppose measures like encrypted SNI, since it's more likely to get their entire IP range banned by authoritarian governments.
It's true that encryption (within the desirable parameters discussed in that ID) costs us a round trip, but it might be worth it for most of us most of the time.
Keep in mind the TLS you're using today for most sites has 2RTT setup, and we put up with that (if you have a modern browser and go to some major sites you end up using TLS 1.3 draft 23 and thus 1RTT).
Modern browsers (send ALPN) to sites with decent TLS 1.2 stacks (respond to ALPN, even if it's just to say http/1.1) get a 1RTT handshake on TLS 1.2 with TLS false start. TLS 1.3 is nice, but it's not required to get 1RTT.
The doc you sent is titled SNI encryption, but is really about tunneling a client hello through a proxy, and provides for the proxy to not send its own server hello, but only send the origin server's server hello. That's interesting, and should be useful for domain fronting and as a general purpose TLS proxy with fewer layers, but it's not really encrypted SNI.
In TLS False Start the client sends encrypted data to an unknown remote party. It hopes they're the intended recipient, but it won't actually know until it gets a reassuring Finished message which is too late. Now, if it isn't really the intended recipient the remote party doesn't have all the keys it should have. So cross fingers they can't decrypt the data they've been sent. But this is... less than ideal. It's a high price to pay for performance.
In TLS 1.3 that 1RTT completes the handshake, so as the client we know who we're talking to.
That SNI draft is the result of interested parties coming up with a list of desirable properties for SNI encryption. If you have a better idea that satisfies those properties you absolutely should propose it.
I don't have a better idea, I don't think it's possible.
When a server has multiple identities to choose from, and the client has not previously communicated with it (and has no out-of-band information), as far as I can tell, either the SNI has to be in plain text, or it could be encrypted with an untrusted DHE key (which only eliminates passive detection).
Way upthread, bscphil wondered if [big companies] will oppose encrypted SNI to avoid having their IP ranges banned, but their business reasons don't really flow into a decision not to do impossible things.
> Signal plans to make its traffic look like traffic from another site, (popularly known as “domain fronting”) by using a domain owned by Amazon -- Souq.com
They aren't spoofing the domain, they are just making sure that outside parties to an SSL connection will have a difficult time determining where that SSL connection is going. The two parties creating the SSL connection are not lying to each other, though.
But the result may be Amazon getting blocked in those countries, which could cause Amazon financial and logistical harm.
I'm all for Signal helping people bypass state censorship, but they're attempting to bring third parties into the fold and use them as fodder for the cause.
That's the whole point of this, by blocking Amazon, these countries would be taking down a large part of the Internet inside their borders. We're not talking Amazon your one stop shop for dildos and bobble heads, but AWS, which powers a lot of other websites. The countries listed, like Egypt, know that you can get away with torture, but don't touch the people's memes.
How is Amazon "one of the two parties" to my Signal message to a friend? An infrastructure provider, a carrier maybe, but a party to?
I'm not against Amazon's decision, but I disagree with anyone framing this as Signal trying to deceive its users. What they're doing isn't too far removed from me using a VPN to deceive Comcast regarding my use of "their" services. That is, if we're going to get loose with our metaphors.
I think you are misunderstanding what is going on here.
The Signal client on your phone is connecting to a load balancer that Amazon owns. In the initial handshake it lies about what website it is trying to contact, claiming to be looking for an Amazon shopping site. Once the connection is fully established it says "just kidding I am actually trying to reach the Signal server hosted in AWS."
They are abusing a bug in Amazon's front end load balancers, having them route traffic in a way that wasn't intended. This is a warning to knock it off, while Amazon works on fixing that bug.
Are you? It looks like the Amazon load balancers don't actually care what your SNI domain is when routing traffic. They terminate your TLS connection, and then use the domain in your actual HTTP request to route it, which is not Amazon's domain. Amazon's ability to allow these two domains to differ, and to mostly ignore the former, is the crux of this whole trick.
Does this mean that Cloudfront does not actually require (correct) SNI?
Example: Sending HTTP request for signal.org over TLS to Cloudfront IP address with SNI as "allergan.com" returns signal.org web page, not allergan.com web page.
Because this spoofing only prevents the ISP / government censors from seeing the correct destination. I would argue that the ISP and the government censors have no legitimate right to that information in the first place, especially if they use it for oppression.
I really dislike the way they put it in the title of this post.
What they are doing is simply abusing the name/size of a totally unrelated company to mask signal traffic.
While I am totally in favor of Signal, simply using a domain name you don't own in the SNI header just because it is terminated at the same service as you want to use is something you cannot do.
They could simply have sent the question to the owners of the domains (Google and Amazon) explaining what they wanted to do, and only thought about implementing it when the owners agreed.
And last but not least to answer those: 'why would they even care, the traffic goes to cloudfront anyways?' ... It will seriously mess up the stats (and billing, yes, amazon owned companies pay internal bills to aws for usage, it's a very normal way of doing business and get your taxes right).
It's sad that tricks like these are being considered/needed to have access to internet services in some parts of the world, but simply doing it without all parties involved knowing about it and agreeing on it is _NOT_ the way to do it.
> simply using a domain name you dont own in the SNI header just because it is terminated at the same service as you want to use is something you cannot do
Why not, out of curiosity? I'm not disputing Amazon's right to disallow this (it's their service after all), but before that I don't see any objective reason why this is something they "cannot" or even "should not" do. Also, unless Amazon puts in a technical barrier (which they are in the process of doing), they can't stop a third party from doing it anyway (i.e. me personally sending a different domain in the SNI header than the one I actually end up communicating with), and on that level (i.e. me rather than Amazon's customer) I see no reason why I wouldn't do exactly that if my ISP was blocking the target domain.
Because you are lying about what domain you want to access.
This is against the TOS, and simply something you should not do.
I know it helps signal to get around censorship and blocks, and it's technically working, but one should not do that.
I'm not lying about anything. This entire system is designed so that the user can get what they're looking for, and the user is using it to get what they're looking for.
Whether doing this as AWS's customer breaks their TOS is up for debate, but it's a fairly moot one as Amazon could easily change their TOS.
You are only pretending to contact a certain address during the (short) unencrypted phase of the request. As soon as encryption is present you reveal the real address you want to talk to.
Still, the initial package is meant for the infra of the outer domain.
Sure, the real payload will be billed to the inner domain owner, but not the initial handshake (and usage of keys etc)
It's not an issue with 'domain names per customer' but with SNI.
Because IP addresses are limited (well, IPv4 at least) they cannot use dedicated IPs per domain name.
That's the whole issue.
Surely better to get an at-least-vaguely-friendly warning pre-implementation rather than a post-implementation block?
I would much prefer censorship circumvention to be possible, but I have some sympathy for platform providers not wanting their customers and their platform to be conflated so easily.
Is this something that CloudFlare could help with? They tend to have an idealistic bent, and they serve content for enough sites that they could conceivably disguise traffic in the crowd for altruistic purposes. I could be misunderstanding the mechanism in question, though.
In the request from the Signal app to Amazon's servers, they pretend that's the domain they want to contact, but inside the encrypted connection, they actually ask for a different domain (the latter of which they own).
I posted on the signal community forums in significantly more detail (e.g. how to configure nginx exactly with test connections), but it's relatively easy to use AWS infrastructure only for pass through and configure nginx to accept specific public SNI headers while connecting to domains you are authoritative for (e.g. google.com, amazon.com, yahoo.com, yandex.ru). You can do this by using the ssl_preread nginx module to proxy based on the SNI header (e.g. amazon.com -> 127.0.0.1:444, google.com -> 127.0.0.1:445, yahoo.com -> 127.0.0.1:446). This effectively means that you are not having AWS or GAE do anything other than directly proxy encrypted content, which I would argue is an important distinction.
The downside is that no one is providing the DNS redirect in an encrypted transaction.
"If you put a spoonful of wine in a barrel of sewage, you get sewage. If you put a spoonful of sewage in a barrel of wine, you get sewage." -- Schopenhauer
In the past, the alternative was a static IP, which is easier to block. I can't think of a solution that doesn't just pass the buck to another third party (like a CA) which would be susceptible to the same attacks.
Clearly they need to create a free iPhone/Android game that becomes wildly popular in these countries so that they can use their own domain to front their 'secret' packets.
I feel like Amazon has a moral obligation to name the country that is forcing them to do this under penalty of having their entire IP block black-holed.
I assume Amazon would not take this step unless that was going to happen otherwise, or at least I don't see why they would.
They don't need to make a political statement about it, just say they did it to comply with law / order of 'X'. <cough>Russia<cough>
Why wouldn't they do this on their own? Keeping their reputation good with all countries (even the oppressive ones) is an important part of business. After all, Amazon has stakeholders to answer to.
I don't see how it hurts their reputation to allow Signal to anonymize. They could even block domain fronting in general to block bad actors, and quietly whitelist Signal.
It's not about anonymizing, it's about hiding under the mask of some other entity, without their (the other entity's) permission. AWS's other customers and various governments won't be happy about AWS allowing Signal to do so.
While they could white list Signal, I don't see why they would want to go through this trouble. It's not like any of these public companies care any more about supporting people under oppressive rules, than profit.
It is still necessary, it only works because both domains are serviced by the same CDN servers which ignore the plain text version once the packet reaches them.
If the plain text component is not there none of the intermediary parties will know where to route the packet as they cannot decrypt the header.
Fixing domain fronting is easy. You just match the certificate SANs (or SNI requested domain) to the request Host header.
The only problem is it breaks a subset of users who are domain fronting by accident (Think a mobile app that connects to www.app.com but sends api.app.com).
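The check described above (match the served certificate's SANs and the SNI name against the inner Host header), as an added example that is not code from the thread or from any CDN; the hostnames are constructed placeholders, and the last case shows the accidental breakage the comment mentions.

```python
"""Origin-side consistency check between the outer TLS layer and the inner
HTTP request. Added example with constructed hostnames; not any CDN's code."""
from dataclasses import dataclass
from typing import Optional, Sequence


def _normalize(name: str) -> str:
    """Lower-case a hostname, dropping a trailing dot and any :port suffix."""
    name = name.strip().lower()
    if name.startswith("["):            # IPv6 literal: never a fronted hostname
        return name
    return name.split(":", 1)[0].rstrip(".")


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: a leading wildcard covers exactly one label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]                # ".shop.example"
        return host.endswith(suffix) and host.count(".") == san.count(".")
    return san == host


@dataclass
class Verdict:
    allowed: bool
    reason: str


def check_request(sni: Optional[str], cert_sans: Sequence[str],
                  host_header: str) -> Verdict:
    """Reject a request whose Host header disagrees with the TLS layer.

    sni        -- server_name the client sent in the ClientHello (None if absent)
    cert_sans  -- SANs of the certificate the server actually presented
    host_header-- value of the inner HTTP Host header
    """
    host = _normalize(host_header)
    if not host:
        return Verdict(False, "missing Host header")
    if sni is not None and _normalize(sni) != host:
        # The fronting pattern: outer name says one site, inner request another.
        return Verdict(False, f"SNI {_normalize(sni)!r} != Host {host!r}")
    if not any(san_matches(s, host) for s in cert_sans):
        # SNI-less clients still cannot reach a name the served cert does not cover.
        return Verdict(False, f"Host {host!r} not covered by served certificate")
    return Verdict(True, "ok")


if __name__ == "__main__":
    sans = ["shop.example", "*.shop.example"]          # constructed
    print(check_request("shop.example", sans, "shop.example"))
    print(check_request("shop.example", sans, "messenger.example"))     # fronting
    print(check_request(None, sans, "messenger.example"))               # no SNI
    # The accidental case from the comment: an app that opens TLS to www.app.example
    # but puts api.app.example in Host is rejected too, even though both are on the cert.
    print(check_request("www.app.example", ["www.app.example", "api.app.example"],
                        "api.app.example"))
```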
This is not useful. The great thing about domain fronting when e.g. Google semi-officially supported it is that it is a non-secret technique which leverages the unique status of a large-scale technical operation that the citizenry demands access to. It allows the citizenry of an oppressive state to engage in collective action via the machinery of global capitalism.
Google and Amazon should not only be supporting this practice, but celebrating it. Subverting an oppressive state is a moral good. Specifically cutting off anonymous, safe communication paths for those being oppressed is, to put it mildly, fucking evil.
More evil than cutting off all the other users of other services that chose to host with AWS/Google? Cause that's what happened when Russia banned Telegram, and Russia didn't show any problem with doing it again.
Demonstrating that these companies are willing to sell the values of the societies, and many of the people, who created them, down the road. Free and open speech, interaction, and association. Privacy.
For most of us, this is "somewhere else", right now. But it will be "coming to a theater near you", real soon now.
It seems centralized solutions (Telegram, Signal) are under fire recently. I wonder what would happen if federated protocols (Matrix, XMPP, etc.) were more popular and, thus, also in spotlight.
- "Would adding federation to Signal help with users behind country-wide blocks? Seems like a distributed service would be harder to censor than a centralized one."
- "It's trivial to block several distributed hosts simultaneously. An aspiring censor would simply find the most common federated endpoints for a given service and block all of them. Only the users of that software would be affected. There wouldn't be any collateral damage.
If the censors somehow didn't hit every single worthwhile federated endpoint, users would still be left wondering why they couldn't communicate with most of their friends. Moving between federated hosts would also necessitate an entirely new identifier, so users would need to rebuild their social graph again.
In addition to being ineffective against censorship, there are several other properties and trade-offs that make federation a difficult proposition for an application like Signal: https://signal.org/blog/the-ecosystem-is-moving/"
I'm not sure this holds water, really - all you need to solve this is to allow identity to migrate between servers (by linking it to a keypair held by the user), or for that matter go the whole hog and go p2p rather than federated.
Matrix is currently working towards transparent migration (account portability) between servers with p2p as a longer term target - and meanwhile projects like Status are going all the way to p2p today.
I think it may depend on how well distributed a service would be: having several big servers would not help, but if every family and company had their own mini server, located in a non-censoring country, then the censors would be unable to do anything easily. These servers, in turn, would be able to easily connect to the broader network. Of course that wouldn't be as easy to set up as a simple installation of the Signal app.
An aspiring censor could also "easily connect to the broader network" and masquerade as a federated server in order to discover others. This process could even be automated.
Federated services also require an identifier, and this identifier usually indicates where the user's account is located and how to connect with them (e.g. user@domain.com). As people share these identifiers, the aspiring censor can just keep adding new entries to the blacklist.
At least in case of XMPP, the client doesn't need to be able to connect to other domains, so as long as you can connect to your own server outside of the censorship's reach (which could be accessible for c2s connections in a completely different way than for s2s), you should be fine.
Yes, but it's always possible to block an IP (targeted attack). Federation with a big number of small servers makes it hard to automate. You can block several hosts but the rest of the network would work fine. And because of how federation in XMPP works you just need one client-to-server connection to reach the entire network.
It sounds like a hard thing, but in case of XMPP "rebuilding your social graph again" is very easy - it's just a matter of importing your roster and sending authorization requests where needed. Could be, and probably already is, easily automated with some user friendly tool.
If the solution to censorship is to constantly switch to new hosts, it would be even easier to do this via a VPN (which wouldn't require you to rebuild your social graph at all, unlike a federated endpoint switch).
If the more straightforward solution (VPN) isn't a panacea for censorship, then federation isn't either.
Of course it's not a "panacea". It just makes some situations easier to handle, including a server operator going rogue or being broken by a government. It doesn't magically provide an answer to everything, but it's definitely an improvement when compared to purely centralized networks.
No, Friend-to-Friend is an effective tactic against censorship. Normal P2P networks allow an aspiring censor to use the normal node discovery system to enumerate the entire network.
They're paying over 12,000 people in zencash, to host 'securenodes' with domain names and ssl certificates for domain fronting, rather than using domain names without permission.
The point of domain fronting is to use a domain that is a key internet service, so that blocking it would cause significant collateral damage. If a domain was created specifically for domain fronting it is useless. Egypt could simply block every domain in that list and set up a cron job to automatically block new ones as they are added.
All the big tech companies are pretty well represented here - it is most likely an employee spotted and flagged the issue whilst having a wee browse over their morning coffee.
"Unfortunately, a TLS handshake fully exposes the target hostname in plaintext, since the hostname is included in the SNI header in the clear. This remains the case even in TLS 1.3, and it gives a censor all they need."
Does this mean that endpoints that require SNI are potentially contributing to censorship?
Facts: SNI is optional. Not all websites require it. For example, https://signal.org does not require SNI; clients that do not send SNI can be used to fetch this blog post, without exposing the hostname.
The process listening to IPs that resolve as signal.org must not have alternative hosts on it, since the web server can’t choose a certificate based on anything but IP. Now the censor can just block your IP.
"According to our communication with the International Computer Science Institute's certificate notary, which observes on the order of 50 million TLS connections daily, 16.5% of TLS connections in June 2014 lacked SNI, which is enough to make it difficult for a censor to block SNI-less TLS outright."
Fifield et al. Proceedings on Privacy Enhancing Technologies 2015(2):1-19 at 2.
Why is a fully decentralized option like WebRTC not considered? There is no real need for messaging apps to be centralized, especially on mobile.
Loss of message queuing can be mitigated easily when both end points are more or less always running and messages sent only when both parties are on online.
TURN relays could still be a problem and potential censorship blocks. However, the protocol is standard and it is not very difficult to set one up, even behind NAT. You could even bundle a lightweight version with the app and make all the clients relays too, making it very hard to crack down on.
All of the domains still would need to point to CloudFront. Only CF was ignoring the outer header, which AWS is changing, and this hack won't work in the future.
AFAIK There was some effort to make this TLS 1.3 SNI header encrypted but some influential groups blocked that (I think I read something about ability to route and control traffic easily). Really sad :(
What do you encrypt the header to? Options include:
- Start an encrypted unauthenticated conversation with the server first: that adds at least one extra round-trip, so most people won't do it, so it's easy to block all connections that do
- Encrypt it to a key you have from the previous connection: doesn't help the initial connection and you already have session resumption for the rest
- Encrypt it to a well-known "private" key: doesn't help at all
Most app developers, sure, but most web server developers are definitely going to optimize for it - the cost of an extra round-trip is immediately noticeable in benchmarks. And most app developers are running a pre-existing web server to proxy to their code (whether via HTTP to localhost / within the firewall, or something else like WSGI or FCGI), not linking TLS libraries themselves.
Wouldn't it be possible to actually allow "Signal" customers to create an App Engine account via the Signal app? I.e. every customer can just add their Google account as a setup step to set up an App Engine proxy to Signal. This would mean that Iran would either need to block App Engine or they would need to find out all customers.
It could even be implemented with a shuffle so that you can shuffle your app id.
If TLS incorporated a feature by which clients can send the server name after the TLS handshake which would cause renegotiation of encryption keys with the requested server (if available) then wouldn't that solve the problem at hand?
That way there would be no need for an unencrypted SNI.
Is there already a TLS extension for this? If not, it would have been nice if 1.3 had incorporated this.
It's frustrating because I can see both sides having valid concerns, however, while Signal's position may be the right one ethically, AWS/Google are in the right practically.
Should these countries kick up a stink about a private business acting, from their perspective, to undermine the laws of their country, it could very well blow up into an international incident. From the point of view of AWS/Google, allowing this to happen or turning a blind eye makes them just as culpable if this were to turn into an incident.
That's not to say I don't support what Signal is trying to achieve, in fact, I very much do, however, given that in essence they forced Google/AWS into this situation without much thought makes me less sympathetic to their plight.
It's a strange choice to use Souq.com as the target here. They could have used any AWS customer but chose to use one owned by Amazon. It probably is genuinely one of the biggest Middle East customers on AWS but going this way would really have forced Amazon's hand.
It needs to be big enough so you can try and rationalise the morality of the DNS call cost (even being a few dollars, you're still being a bad actor in this scenario), a site known and well classified by traffic monitors that they won't get blocked on their own.
I guess also that hitting an Amazon domain means the logical recourse is to get AWS restrictions (such as we have here), rather than having an aggressive third-party company outright trying to sue.
Couldn't Signal use popular domains to host IP addresses as a rudimentary DNS server of sorts? For example, host a text file containing Signal server IPs on Google App engine (using the app.google.com address), Azure Blob Storage (using blob.azure.com endpoint), GitHub (raw.githubusercontent.com), S3 (s3.amazonaws.com), etc. There are hundreds of possibilities on some really popular hosting services. Then, when the app starts, it queries in them in series, gets a list of IPs used by Signal, and tries them directly. Signal can then push new IPs (preferably ones in the AWS address space) to the list as often as needed to avoid blocking. Need a new IP? Just grab another from AWS elastic IP service, update the text file, etc.
That's the point, it'd be a never ending game of cat and mouse, resulting in them blocking thousands of Amazon IPs. You don't have to plaintext the text files either, you could require some kind of shared secret from the app or user login to prevent the censors from just pulling the file in plaintext.
Why can’t they use raw HTTP vs HTTPS and use an encrypted payload? That handles the SNI front as they outlined as the detection mechanism hindering them. I’m sure there’s more to it because this seems pretty basic, but curious the reason why this was ruled out.
> That occurred to me too. But HTTP/1.1 requires a Host: header.
Yes, but that’s easily forgeable as long as the servers in between allow it.
> It also brings a problem of key distribution.
Not really, you can still do chain of trust SSL validation on a payload in the body of HTTP as you could to encrypt the entire HTTP connection as in the case of HTTPS.
The issue here isn't that the content can be read, it's that oppressive regimes can censor content from apps like Signal completely. It's a question of hiding the source/destination, not the contents.
1) they already said they can rotate IPs just by using a cloud service
2) I have to assume they aren’t relying on traditional dns alone because that’s the first thing countries like the UAE filter on, so if dns blocking was an issue, they’d be dead before domain fronting would be needed.
3) the mechanism claimed for detection now is TLS SNI. So my point is remove that part and secure contents otherwise thus moving the cat and mouse game further!
I still don't understand why would Google or Amazon care about this, and why it's against their ToS. Do they think that some of those states may block all kind of access to their IP blocks just because of some people using Signal?
No, the trick works the other way around; they pretend they want to talk to someone, but then talk to someone else. They never pretend to be someone else.
I actually can't :) I mean, I can see why one would oppose it because of how it affects Amazon, but I can't see how it could be used for a non-noble cause.
"If you’d like to help, we’re hiring."
Sure but none of the open jobs are related to the problem the post is describing ... unless designers started to have super powers or Android developers are the new Avengers
The load balancers will have to have a public IP address, controlled by Signal, which is trivial to block.
The whole reason this hack works is because CloudFront is the one terminating the TLS connection with a misleading SNI header. Blocking CloudFront means nobody can use CloudFront for any purpose.
Can someone explain how does one serve content on a domain they don't own, like in this case Souq.com? Do they shove their content to something like product reviews or what?
EDIT: I realized they use souqcdn.com. Does this mean it works because their clients use "souqcdn.com" to resolve to CloudFront CDN's IP address and then they craft a different Host header (like "Host: api.signal.org").
Also how can they possibly use CDN for this? As far as I know, CDN works only with GET requests, so how are they doing a chat app on this?
They aren't serving content on that domain. They just make requests look like they are going to that domain in the outer layer (by using it as the TLS server name), but the actual request inside the encryption is for a different domain they own. The load-balancer in front of the cloud service accepts the connection for souq.com (since it is responsible for that too it has the matching server certificate), decrypts the request, sees in the request that its for "signal.org" or whatever and delivers it there.
Essentially, when implementing encrypted channels with TLS, the domain name is still clear text in the SNI field, making the censorship circumvention scheme vulnerable to deep packet inspection. The technique is to modify the SNI field in TLS traffic to innocent domains. Major anticensorship efforts have all adopted this approach. Tor has it as meek.
A while ago Google disabled such usage for Tor. This is just another cloud vendor shutting down another anticensorship vendor.
The real implications here are two things. First, domain fronting is built based on the deterrence of collateral damage, i.e. as a censor you wouldn't want to block TLS traffic with google.com SNI in it, but this deterrence viewed from the perspective of cloud providers is unwanted risks. Second, domain fronting in practice is abused by malware too much (in fact Tor is also a major malware enabler) and cloud providers can't accept this.
You want to use the resources and influence of a large corporation to achieve your organization's goals. They don't have to be on board with your mission, and it's arrogant to think so IMO. Why should they let you do it, when they won't allow it for others? Seems like you feel entitled because you think by default people should support what you're trying to do.
The flipside of free speech you’re ignoring is that people get to abstain from using their voice in addition to using it.
The fact that they posted the e-mail from Amazon, so readers could direct the blame at them. You can't read that blog post and say it's the most unbiased and objective way they could have presented this, especially if they want to remain on good terms with Amazon, who has done nothing wrong at all.
I understand; but you're saying you can tell they feel entitled by the fact that they're not objective or unbiased. And what I'm saying is that not being objective doesn't show they feel entitled.
Maybe they feel entitled, but I don't think there's anything in the blog post showing that. All I see is (fairly mild) disagreement with Amazon's actions.
I thought it was 100% objective, straight across. I don't see any barbs or negativity toward Amazon whatsoever, just the facts about that situation and an honest discussion of the facts looking forward.
I feel the phrasing of the title (the word "threatens", using the phrase "censorship circumvention", not mentioning that they're doing all that stuff without Amazon's consent) is definitely aimed at generating negative feeling toward Amazon.
>>Direct access to Signal has been censored in Egypt, Oman, Qatar, and UAE for the past 1.5 years.
Yeah but Amazon alone, should not bear the cost of making Signal accessible to these countries--especially without their consent. People underestimate dictators, they will block God's channel to ensure their own survival. How many times has Youtube been blocked by countries? Plenty of times. So Amazon cannot risk being blocked completely because of this.
Couldn't they ask people to donate their AWS instances or a portion of their webserver (or domain) resources to running a small outward facing webserver as a dummy, making the domain look like it's a real website (eCommerce etc) and then passing Signal data through a Shadowsocks (or something similar) proxy? Couldn't they develop an AMI that they hold the keys to that people could deploy with ease?
Those who wish to suppress Signal would just play whack-a-mole. They'd log in to Signal, find what domains it was connecting to and then block those. To update Signal with new addresses constantly, you'd need a server hosting those updates- which would in turn be blocked immediately.
The idea of using Souq.com or Google.com as the domain name in the TLS header was that even oppressive regimes won't block Google or Souq for their entire country.
>The idea of using Souq.com or Google.com as the domain name in the TLS header was that even oppressive regimes won't block Google or Souq for their entire country.
Which, at least in the case of Russia, seems to be false.
This has been explored by Tor, through a design sometimes called "flash proxy" and "snowflake".
They used websockets and webrtc datachannels so that all you have to do to volunteer yourself as a relay is visit a webpage with JS enabled. The idea is to have many short-lived proxies on residential connections, paired with an announce mechanism.
Amusing idea: use Bitcoin's blockchain as a peer announce mechanism. Does your country want to be involved in cryptocurrencies less than they want to censor?
On second thought, the countries most interested in censoring are probably also the countries most interested in blocking people from using Bitcoin? :)
I'm thinking of a legislative, not technological solution to this, which seems to be pretty straightforward: make it unlawful for US companies to refuse service simply for Domain fronting. That way, none of the big companies could lawfully refuse service to Signal; neither could they be faulted by these other regimes for "letting Signal use their domain".
No, the solution is to solve the technical problem of leaking metadata during the TLS handshake.
Should it also be unlawful to refuse service to someone who pretends to be you when they resell your widgets to the mob because they fear retaliation if the mob isn't happy with the goods?
The fact that in Signal's case, the client and the server are fully aware of who each other are is immaterial (thus not part of the analogy).
What the analogy demonstrates is that there exists a potentially-retaliatory party that sees the server identify itself as someone else. That someone else (in this case, the cloud provider) has the right to protest the use of their identity in a way that makes it a target for the retaliatory party.
Couldn't the service providers simply counter by offering Domain fronting as a premium feature at $1M/GB transferred? Or are we going to over-legislate service providers to essentially place them under government control when they refuse service to a given customer out of rational self interest?
Good, go ahead and pass those laws and I'll use Cloudfront to impersonate Amazon.com and steal credit card info, and Amazon will be legally unable to stop me.
You've misunderstood how the trick works. Nobody is impersonating anybody.
To make an analogy, they're like a guy who tells the building security guard that they're going to apartment 5 (the Souq servers), but when they're in they actually go to apartment 8 (Signal's servers).
Except the censors can only see the conversation with the guard, but they can't see where he actually goes, so they can't distinguish him from a real Souq visitor.
This is a nice analogy. The problem here is that the visitor has logged in that he is visiting apartment 5 in the guestbook. So if he ends up breaking something, security would hold apartment 5 liable (and not apartment 8). So it makes sense that apartment 5 does not want to be responsible.
No, that's not the correct analogy, because Amazon is the building, and they know where he went to. There's no guestbook.
The actual problem is that, since the censors can't distinguish them, they might stop everyone coming in to apartment 5, and potentially to the whole building.
Amazon isn't targeting Signal, this is their new policy based on (mostly) abusers (though I doubt Signal was intentionally trying to abuse the system for malicious reasons). Hopefully this doesn't get spun out of control, but the title of this post seems to be spinning it.
meek-amazon makes it look like you are talking to an Amazon Web Services server (when you are actually talking to a Tor bridge), and meek-google makes it look like you are talking to the Google search page (when you are actually talking to a Tor bridge).
Bundling Tor in an app is quite an engineering hurdle and latency increase, but yes. Pluggable transports allow the public to find solutions that work for specific countries faster than an in-house development team as well. Delegating censorship circumvention to the Tor Project as an opt-in option for users could save a lot of engineering hours.
Tackling it yourself does get you some easy press opportunities though, as this upvoted article proves.
Maybe someone (ICANN) could start a donation register for domains which tells applications they allow using their domain name in domain fronting for censorship circumventing purposes?
Since Amazon's TOS does allow domain fronting when the domain's owner allows it.
Kinda misleading headline. Amazon is stating they don't want their domain name used as a circumvention measure. I think that's reasonable. Signal is the one hijacking it and Amazon is taking the risk if it gets blocked.
The title is misleading; they are pretending to be Amazon. The title, Amazon threatening to suspend Signal’s AWS account over censorship circumvention, is more vague, less accurate and potentially harmful.
Wouldn't a federated system be much more robust where you would only need to access one of the nodes and this would send it through a chain of nodes to the receiver?
>The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.
Plays into Russia's hands, actually. Russia has been pushing for a nationalist approach to messaging, rather than having its citizens use Telegram (ironically, developed by the Russian who created VKontakte.)
Nations that lean authoritarian are teching up their sovereign walled gardens, banning external/ungovernable services as soon as it's feasible.
The long play is to knuckle under and defer to local governments, as Amazon, Google and Facebook have shown.
I have looked into the Russia/Telegram war thoroughly due to personal interest, and to my knowledge that situation hasn't involved domain fronting. Rather, Russia is blocking by IP and Telegram is hopping to IPs all over the cloud.
Russia is on record as wishing to go a different path than the Great Firewall of China. From statements I read including Putin, they're saying they want to avoid a deep packet inspection regime à la NSA or China except when they've got a court order to go after someone in particular.
In this case the naivete is in taking press reports at their word.
When Telegram sued, the court proceedings were published by zona.media: https://zona.media/online/2018/03/20/tlgrmvs . I have read them in full (in translation, but it was specifically addressed and crystal clear with regard to this matter). The transcript firmly establishes that it is factually incorrect that this matter is "over handing them everything". That was reported by some outlets, but the zona.media reporter covering the court proceedings complained that it was immediately misreported. There was a bombing that claimed fatalities, it was established that Telegram was able to provide the decrypted chats of the suspects, the FSB got a lawful order for those conversations, and I believe the relevant keys. (If Telegram really doesn't key its users' conversations using separate derived keys, their crypto is even worse than we thought!) Russia has a law specifically protecting the privacy of private conversations, and the FSB specifically acknowledged this right in court and specified that their order was lawful and narrow.
The hugely broad blocking is precisely because they are not getting into wholesale deep packet inspection. These episodes are embarrassing for them, as confirmed by recent statements by two of Putin's advisers, but they do it to pursue the rule of law. I am a fan of less government intervention in general, but if the government intervenes, I want it to be transparent and follow due process. At least in this case, Russia is doing that...it's just ridiculously heavy-handed.
It's about how an IP range assigned to a country establishes nexus, and a service that operates within this jurisdiction must abide by said country's laws.
Telegram has some pretty interesting ideas wrt censorship circumvention. I.e. you can still use Amazon, Google, Microsoft as an unblockable side channel to deliver proxy settings, same way domain fronting relies on them. And you can sponsor other people to set up proxies, making it hard to detect and suspend accounts used for censorship circumvention on Amazon and other hosting companies.
As a side channel dns over https still works even with tls to google.com and then putting Host: dns.google.com into the header. Frequent updates to applications and push notifications can be used as side channels too. You can also register a bunch of domain names ahead of time using hash of a current day, month, year and then let the app generate domains names to query on the fly and query them over normal dns. The censor would need to reverse engineer the app to figure out the domain generation algorithm.
To make proxies hard to enumerate you can shard the mapping of ids/phone_numbers to proxies in a such way, that each id receives multiple proxies using multiple different sharding schemes. This not only makes it harder to enumerate, but also lowers the chances of someone else obtaining the same set of proxies as the censor and rendering the app unusable. Changing IPs then forces the censor to chase you, but never really catch you to censor the app.
But I do think building a peer-to-peer network instead of proxies is a better idea for circumvention.
Given it's an open source app, it should be reasonably easy for the censor to reverse engineer the algorithmically generated domains. Frequent tiny updates would be an interesting solution though. Now that most mobile apps can deliver just deltas to save bandwidth it'd be viable.
I realize now that it's possible to even dynamically deliver the bytecode of a domain-generating algorithm itself or pretty much any circumvention logic by embedding a tiny interpreter into the app.
You don't need to deliver bytecode, just a new seed for the algorithm. Even 64 bits is more than sufficient to ensure that they can't enumerate all possible seeds.
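Two of the mechanisms sketched in this exchange, as an added example (not Telegram's or Signal's code): a seeded, date-keyed domain generation algorithm of the kind described above, the multi-scheme sharding of proxies to user ids, and a function that measures how much of the proxy pool a censor learns by registering N accounts. The seed value, the TEST-NET-3 proxy addresses and the user ids are constructed; the HMAC-SHA256 construction and the "one pick per sharding scheme" rule are my assumptions about how such a thing would be built, not a description of any shipped app.

```python
import base64
import hashlib
import hmac
from datetime import date

# Added example (not Telegram's or Signal's code). The seed, proxy pool and
# user ids are constructed; the HMAC-based DGA and the one-pick-per-scheme
# sharding rule are assumptions about how such a scheme could be built.


def daily_domains(seed, day, count=3, tld=".com"):
    """Domains the app would query on `day` (an ISO date string).

    The operator knows `seed`, so it can register them in advance. Pushing a
    fresh seed over a side channel invalidates whatever a censor derived from
    the old one; the app logic itself never has to change.
    """
    names = []
    for i in range(count):
        msg = f"{day}/{i}".encode()
        digest = hmac.new(seed, msg, hashlib.sha256).digest()
        label = base64.b32encode(digest[:10]).decode().lower()   # 16 chars, no padding
        names.append(label + tld)
    return names


def proxies_for_user(user_id, proxies, schemes=3):
    """Hand a user the union of one proxy per sharding scheme.

    Each scheme salts the id differently, so two users rarely receive the same
    set, and a single account reveals at most `schemes` proxies.
    """
    picks = []
    for s in range(schemes):
        h = hashlib.sha256(f"scheme{s}|{user_id}".encode()).digest()
        proxy = proxies[int.from_bytes(h[:8], "big") % len(proxies)]
        if proxy not in picks:
            picks.append(proxy)
    return picks


def censor_coverage(accounts, proxies, schemes=3):
    """Fraction of the pool a censor learns by registering `accounts` ids and
    reading off the proxies each one is given."""
    seen = set()
    for i in range(accounts):
        seen.update(proxies_for_user(f"censor-{i}", proxies, schemes))
    return len(seen) / len(proxies)


if __name__ == "__main__":
    seed = b"example-seed-0001"                            # constructed
    print("today's domains:", daily_domains(seed, date.today().isoformat()))
    pool = [f"203.0.113.{i}" for i in range(1, 65)]        # TEST-NET-3, constructed
    print("alice gets:", proxies_for_user("alice", pool))
    for n in (1, 10, 100):
        print(f"{n:>3} censor accounts -> {censor_coverage(n, pool):.0%} of pool")
```

Because the operator knows the seed, it can register the domains ahead of time; a censor that extracts the seed from the app binary can do the same (the point made in the reply about open-source apps), which is why the reply above has the app receive a fresh seed over a side channel rather than new logic. The coverage function makes the enumeration cost concrete: one account reveals at most three proxies out of 64, and the censor has to burn accounts roughly in proportion to the pool size before it has seen all of them.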
According to the founder of matrix, he and Moxie had a meeting a few years ago to discuss federation where Moxie debated that it wasn't ideal to create a federated protocol, that somehow it would create too many problems. Now that Signal is unable to service everyone without federation, does Moxie still hold reservations on federated protocols?
On another tangent; the Host Identity Protocol would resolve this (and countless other) security issue by simply rendering all traffic impossible to analyze in such a way. Why a big tech company like google hasn't put their men on the idea is beyond words, especially since it also elegantly solves mobility.
Why should we in the United States coerce (or sneak into) countries whose Governments don't want us there? Are these folks really "idealists" who think that access to tools like "Signal" will usher in a new spring! (See how well that worked in Egypt and Syria?)
Let these Nations enjoy their sovereign right to protect their borders--even their digital ones--as they see fit.
Citizens under oppressive governments often don't like their governments. The feeling's usually mutual. Some people in such countries - I actually think "most" but I'll remain conservative here - appreciate such tools and its creators. Not necessarily to do anything so ambitious as "ushering in new springs", but often simply to talk to relatives or make online friends or learn new things or exchange ideas online. In case you didn't realize it, lack of freedom and powerlessness really brings down one's mood, and anything to brighten it up is welcome.
I don't like this. The last few services taking privacy seriously are under attack all over the world. Telegram vs. Russia, Signal vs. Amazon, WhatsApp Encryption vs. Facebook...
Well, this is what happens when countless startups go to a couple of web hosters in the name of outsourcing unsexy stuff like racking and stacking servers.
If they hosted on VMs they would simply hop from one place to the other. The problem is that all of this stuff is "difficult" and no one would be writing stories about how great signal is if it could switch between thousands of companies that provide VMs to masses.
We do not have these thousands of companies because AWS/GCS/Azure are the go to. Well, guess what? That means that objectively there are three kings of the world and the lieutenants of those kings get to decide what is and is not allowed.
> If they hosted on VMs they would simply hop from one place to the other.
No, that isn't a good enough solution. Signal needs to be reliable, or it's not worth having at all. The fundamental problem is node discovery: allowing the users to discover the IP address of the mothership (or, if you prefer, other members of the P2P network, but Signal is a centralized network) without the oppressive regime finding those IP addresses. Domain fronting was supposed to be a "cut the knot" solution, but CDN providers are shutting it down.
Tor's approach has been to use a La Resistance approach, where Dave in the US runs an obfsproxy node for Yasim and his twelve trusted friends, that's how node discovery works, and as long as Dave is a good sysadmin and nobody squeals it's reliable. Personally, I think that's the only sustainable solution, but it's not very user-friendly, because you need to have trusted confidants on the other side of the firewall that your government doesn't know about. Signal can't be that trusted confidant, though I imagine Signal works over Tor just fine if you set it up.
That's a real problem, but I don't think it's related to this situation. We have to assume that censors can inspect apps, and can inspect some app traffic before it gets encrypted. This means that they'll know all about your servers and their IP addresses.
Push notifications? How do these work, when the app can't rely on access to any particular domain or IP? Your posts in this thread seem to include a great deal of hand-waving.
It was used by Akamai to do automated billing from the edges in the nineties when it was the first network that billed per byte delivered at the edges with multiple tiers.
It is very easy to kill an annoying mosquito in a room if it can hide in 3 places. It is much more difficult if it can hide in thousands.
Sure that could work for a while, even if it's a bit inconvenient for users. Eventually the bastards will filter emails too. Spam filters could certainly be trained to find these notifications.
Based on the story Amazon has no problem with you circumventing censorship, it is not the subject of the topic at all, do not lie please because you only hurt your own reputation and trustfulness - which in a highly sensitive area that you are working in is paramount!
This is not what's in the title of the article!
The title says the account is threatened to be closed on the grounds of circumventing censorship!
Big fat lie!
The account suspension threat is based on using something that is not permitted! Knowingly not permitted, illegitimate use!