Google updates App Engine to discontinue support for domain-fronting
Google's App Engine no longer supports a practice called "domain-fronting" that allowed app developers to evade internet censorship. It was particularly helpful in letting apps and other services get around state-level internet blocks. This change in Google's network architecture can be problematic for several anti-censorship platforms like Signal, GreatFire.org and Psiphon's VPN services. The update is rolling out across all Google services.
Domain-fronting can be understood as the ability to use Google as a proxy. It allowed apps and websites to forward traffic to their servers through a Google.com domain. So it would appear to the censors that all the encrypted data is headed for Google.com. Domain-fronting also allowed location spoofing, which is used by VPNs and any other service wanting to get across geo-restricted content.
Domain-fronting majorly came into view in 2016 when secure chat app Signal publicly adopted it. It allowed users to send encrypted messages without being traced. To censors, they looked like a normal HTTPS request to Google.com.
Technically, App Engine never officially supported domain-fronting. Google has now just modified the very framework that the feature was a by-product of, due to which all traces of unintended backend support have also been removed. "Until recently it worked because of a quirk of our software stack. As part of a planned software update, domain-fronting no longer works," a company representative said.
Google is killing an absolutely critical protection for people in places like Iran, China, and Russia trying to reach uncensored news and chat. That this can slide without any opposition from US policy-makers is the epitaph on the US internet freedom agenda's grave. https://t.co/l5OSg72zQ6
— Edward Snowden (@Snowden) April 19, 2018
"Allowing domain fronting has meant that potentially millions of people have been able to experience a freer internet and enjoy their human rights. We urge Google to remember its commitment to human rights and internet freedom and allow domain fronting to continue."
