applicationreqop.blogg.se

Psiphon amazon 3




Domain fronting is a technique for Internet censorship circumvention that uses different domain names in different communication layers of an HTTPS connection to discreetly connect to a different target domain than is discernible to third parties monitoring the requests and connections. After TLS encryption is established, the HTTP header reroutes to another domain hosted on the same CDN. Due to quirks in security certificates, the redirect systems of the content delivery networks (CDNs) used as 'domain fronts', and the protection provided by HTTPS, censors are typically unable to differentiate circumvention ("domain-fronted") traffic from overt non-fronted traffic for any given domain name. As such they are forced to either allow all traffic to the domain front, including circumvention traffic, or block the domain front entirely, which may result in expensive collateral damage and has been likened to "blocking the rest of the Internet".

Domain fronting does not conform to HTTP standards that require the SNI extension and HTTP Host header to contain the same domain. Many large cloud service providers, including Amazon, Microsoft, and Google, actively prohibit domain fronting, which has limited it as a censorship bypass technique. Pressure from censors in Russia and China is thought to have contributed to these prohibitions, but domain fronting can also be used maliciously. A newer variant of domain fronting, domain hiding, passes an encrypted request for one resource (say, a website), concealed behind an unencrypted (plaintext) request for another resource whose DNS records are stored in the same cloud. Refraction networking is an application of the broader principle.

The basis for domain fronting is using different domain names at different layers of communication with the servers (that support multiple target domains, i.e. Subject Alternative Names) of a large hosting provider or a content delivery network (CDN). CDNs are used due to idiosyncrasies in how they route traffic and requests, which is what allows fronting to work. In an HTTPS request, the destination domain name appears in three relevant places: the DNS query, the TLS Server Name Indication (SNI) extension, and the HTTPS Host header.
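
A defender-side check for the layer mismatch described above, as an added example that is not part of the original page: it compares the SNI and Host values recorded by a TLS-inspecting proxy and reports the records where they differ. The JSON field names (`client`, `sni`, `host`) and the sample records are constructed assumptions, not any product's real schema.

```python
import json

# Constructed sample records from a hypothetical TLS-inspecting proxy.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com"}
{"client": "10.0.0.5", "sni": "WWW.Example.com.", "host": "www.example.com:443"}
{"client": "10.0.0.7", "sni": "cdn.example.net", "host": "hidden.example.org"}
{"client": "10.0.0.9", "sni": "", "host": "static.example.net"}
"""

def normalize(name):
    """Lowercase a DNS name and drop an optional :port and trailing root dot."""
    name = (name or "").strip().lower()
    if name.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        name = name[1:name.find("]")] if "]" in name else name[1:]
    elif name.count(":") == 1:          # host:port
        name = name.split(":", 1)[0]
    return name.rstrip(".")

def classify(record):
    """Compare the name in the TLS layer (SNI) with the name in the HTTP layer."""
    sni = normalize(record.get("sni"))
    host = normalize(record.get("host"))
    if not sni:
        return "no-sni"                 # nothing to compare the Host header to
    if not host:
        return "no-host"
    return "match" if sni == host else "mismatch"

def find_mismatches(log_text):
    """Return (client, verdict, sni, host) for every record that is not a match."""
    findings = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue                    # skip blank or malformed lines
        verdict = classify(record)
        if verdict != "match":
            findings.append((record.get("client"), verdict,
                             normalize(record.get("sni")),
                             normalize(record.get("host"))))
    return findings

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_LOG):
        print(finding)
```

The Host header is only visible where TLS is terminated or inspected, so this check applies to logs taken from that vantage point.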





