CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Signal says Amazon, Google will no longer help it evade censorship

Hot on the heels of Google's move last week, Amazon Web Services said it will also switch off functionality for domain fronting.

Signal

Amazon is switching off functionality for domain fronting, and encrypted messaging app Signal isn't happy about it.

Getty Images

Signal, a widely-used encrypted messaging app, said Tuesday it will stop employing a commonly-used method for avoiding censorship after two major cloud platforms turned off support for the practice.

The company behind the app said it could no longer use domain fronting, a method for disguising internet traffic that helps circumvent censorship. The decision came after Google and Amazon said they would turn off support for the functionality. 

"With Google Cloud and AWS (Amazon Web Services) out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature," Signal said in a statement. "The idea behind domain fronting was that to block a single site, you'd have to block the rest of the internet as well. In the end, the rest of the internet didn't like that plan."

Domain fronting allows encrypted messaging apps like Signal to funnel their traffic through a cloud provider, effectively concealing their traffic. Signal and a similar app, Telegram, have played critical roles in evading government censorship during movements like the Arab Spring earlier this decade. 

Access to Signal has been censored in Egypt, Oman, Qatar and UAE for the past 1 1/2 years, Signal says. It has responded by using domain fronting in those countries with Google App Engine. In order to block Signal, those countries would have to block google.com, which they weren't willing to do. That provided people in those nations with access to the app. 

Domain fronting has a side effect: hackers use it to obscure where their malware comes from. 

After Google shut down its domain fronting functionality, Signal switched to Amazon's CloudFront. Amazon soon made the announcement that it would disable unauthorized domain fronting.

In a post late last week, Amazon Web Services said "the new measures are designed to ensure that requests handled by CloudFront are handled on behalf of legitimate domain owners."

Signal says it's considering ideas for a more robust system, but that the changes happened suddenly and "developing new techniques will take time."

Amazon and Google didn't immediately respond to requests for comment.

First published May 1, 2:36 p.m. PT.
Update, May 3 at 10:30 a.m.: Clarifies details surrounding Amazon's disabling of domain fronting.