Sunday, May 06, 2018

Amazon protects Third World censors

On Tuesday, Moxie Marlinspike, founder of the secure messaging app Signal, posted a letter sent to him from Amazon threatening to suspend the company’s AWS account for using a technique called domain-fronting on its network. The technique is used to protect messages sent via Signal’s messaging app from being tracked or censored in countries such as Egypt, Oman, Qatar and UAE, where the service is banned.

The move was criticized by anti-censorship and free speech advocates at the American Civil Liberties Union and the Electronic Frontier Foundation.

“Amazon is acquiescing to their business interests by banning the ability to do domain-fronting on their infrastructure,” said Daniel Kahn Gillmor, senior staff technologist at the ACLU. “What Amazon is effectively doing, by barring domain-fronting, is sending a message that nobody can rely on Amazon to help them enjoy freedom of speech. That’s a sad outcome. Amazon had the opportunity to stand up for the right thing here and they don’t appear to be taking it.”

The action by Amazon follows a similar move by Google, which earlier this year also threatened to push Signal off its platform if it continued to use the domain-fronting technique on its servers.

Domain-fronting, akin to hiding in plain sight, is used to obscure the true endpoint of a connection. The networking technique, first detailed in a paper (.PDF) by academics at the University of California, Berkeley in 2015, uses HTTPS to communicate with a censored host while appearing, on the outside, to be communicating with a completely different, permitted host — in this case, Amazon and Google.

According to the Amazon letter sent to Signal and posted by Marlinspike, Amazon chastised him for using the domain as part of Signal’s domain-fronting routine.

“You do not have permission from Amazon to use for any purpose. Any use of or any other domain to masquerade as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms,” the letter read. “We will immediately suspend your use of CloudFront if you use third-party domains without their permission to masquerade as that third party.”

Marlinspike wrote, “With Google Cloud and AWS out of the picture, it seems that domain-fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature.”


1 comment:

Anonymous said...

It seems that wealth and power lead to bad policies.