
I'm thinking of a legislative, not technological solution to this, which seems to be pretty straightforward: make it unlawful for US companies to refuse service simply for domain fronting. That way, none of the big companies could lawfully refuse service to Signal; neither could they be faulted by these other regimes for "letting Signal use their domain".



No, the solution is to solve the technical problem of leaking metadata during the TLS handshake.

Should it also be unlawful to refuse service to someone who pretends to be you when they resell your widgets to the mob because they fear retaliation if the mob isn't happy with the goods?


Re: Your deleted

The fact that in Signal's case, the client and the server are fully aware of who each other are is immaterial (thus not part of the analogy).

What the analogy demonstrates is that there exists a potentially-retaliatory party that sees the server identify itself as someone else. That someone else (in this case, the cloud provider) has the right to protest the use of their identity in a way that makes it a target for the retaliatory party.

Have a great day.


Couldn't the service providers simply counter by offering domain fronting as a premium feature at $1M/GB transferred? Or are we going to over-legislate service providers to essentially place them under government control when they refuse service to a given customer out of rational self-interest?


Good, go ahead and pass those laws and I'll use CloudFront to impersonate Amazon.com and steal credit card info, and Amazon will be legally unable to stop me.


You've misunderstood how the trick works. Nobody is impersonating anybody.

To make an analogy, they're like a guy who tells the building security guard that they're going to apartment 5 (the Souq servers), but when they're in they actually go to apartment 8 (Signal's servers).

Except the censors can only see the conversation with the guard, but they can't see where he actually goes, so they can't distinguish him from a real Souq visitor.


This is a nice analogy. The problem here is that the visitor has logged in that he is visiting apartment 5 in the guestbook. So if he ends up breaking something, security would hold apartment 5 liable (and not apartment 8). So it makes sense that apartment 5 does not want to be responsible.


No, that's not the correct analogy, because Amazon is the building, and they know where he went to. There's no guestbook.

The actual problem is that, since the censors can't distinguish them, they might stop everyone coming in to apartment 5, and potentially to the whole building.



