A recent change to Google's App Engine will put a stop to the so-called domain-fronting technique used by dozens of Internet-freedom tools that allow users to bypass national Internet censorship.
The change to Google's network architecture, first discovered by the developers of the privacy-oriented web browser Tor and reported by The Verge, removes an approach taken by services such as the encrypted messaging platform Signal, the anti-Chinese-censorship tool GreatFire.org and the VPN services offered by Psiphon.
Domain fronting is used to bypass censors by hiding the true endpoint of a connection. Rather than having a service communicate directly with a server, where state Internet censors could identify and block the connection, the traffic is routed through a harmless domain or IP address range, in this case Google App Engine. As a result, services whose traffic would otherwise be blocked can evade censorship by appearing to come from Google.
"Domain fronting has never been a supported feature on Google, but until recently it worked because of a peculiarity of our software stack," a spokesman for Google told Gizmodo. "We're constantly evolving our network, and as part of a planned software update, domain fronting is no longer working, and we have no plans to offer it as a feature."
The decision to close the gap that allowed the anti-censorship tools to operate leaves the services looking for a new provider to work with. Ars Technica reports that Cloudflare does not support domain fronting. Company chief and co-founder Matthew Prince told Ars Technica that the technology "would endanger our traditional customers by masking the prohibited traffic behind their domains".
Criticism of the workaround is not without foundation. While domain fronting has been adopted by dozens of tools aimed at getting around state-sponsored Internet blocks and has been described in the journal Proceedings on Privacy Enhancing Technologies as "a versatile censorship bypass technique," it is a technology that can also be used by malicious actors. A report from cybersecurity firm FireEye last year found that the Kremlin-affiliated hacker group Cozy Bear used domain fronting to steal data from Tor users.
Despite the possibility of abuse, digital rights organizations are pushing Google to allow domain fronting.
"Google could end online censorship anywhere in the blink of an eye, if desired," said the operator of the anti-censorship group GreatFire.org on Twitter. "It's frustrating to see how half-hearted efforts Jigsaw brings and now that."
"Google knows that this block will have a direct, negative impact on human rights defenders, journalists and others seeking the open Internet," Micek, General Counsel at Access Now, said in a statement. "Granting this decision with a shrug, rejecting responsibility, damages the company's image and shatters broader confidence in the foreseeable future."
It seems unlikely that Google would rescind its decision at this time. Domain fronting used to be a "peculiarity" of the company's services. Restoring it would essentially make it a feature. This would be welcomed by the many valuable tools that help open the Internet to people who live under oppressive governments, but it could also make Google a target of those regimes, as well as of services that are damaged by malicious domain-fronting operations. It is not clear that the company is interested in taking on these battles.
[The Verge, Ars Technica]