Originally published at: https://boingboing.net/2018/05/03/amazon-doesnt-like-how-signa.html
…
I think it would be a little fairer to also highlight why Amazon has prohibited domain-fronting - as I understand it, it’s a highly useful tool for fraudsters.
I suspect this is like tools for providing anonymity on the net. The same features that allow vulnerable people to speak also enable trolls to flourish.
With respect to Amazon’s actions, it’s eminently fair to argue that the benefits of providing that service outweigh the costs, but it’s rather unfair not to mention what the costs are.
Especially when failing to ban the practice might make the next headline “Amazon makes millions enabling fraudsters to attack the poor and desperate”.
Welcome to BoingBoing!
Didn’t you already publish this story yesterday?
I agree with this.
Presumably Amazon will be blocked in those countries if it continues to allow Signal. So you can have an Egypt with no Amazon and no Signal, or an Egypt with Amazon but no Signal. There is not an outcome where Signal continues in its current mode.
They wouldn’t block just Amazon, a store, but AWS, a platform on which a huge proportion of the world’s Internet services are hosted. That’s the appeal of Signal using domain-fronting on AWS (and previously on Google App Engine): they can blend in with such a large proportion of sites the country doesn’t want to block that it’s likely that blocking will cause collateral damage they can’t stomach.
it’s likely that blocking will cause collateral damage they can’t stomach
I’d hoped this would be the case. The reality is pretty disappointing.
Maybe there’s a future in using certificates with IP address-based SANs instead of DNS-based ones?
In the case of Russia, they did (from what I saw a week or so ago) follow through with blocking large swaths of AWS/etc traffic because they didn’t care, and only stopped when Amazon agreed to play ball. If you’re an authoritarian gov’t willing to block communications, you’re not going to flinch at smaller business stuff either.
Except that the way both Amazon and Google have applied this rule is highly selective. I could only agree with this if both companies demonstrated that they have an automated way of finding and shutting down bad actors doing the same thing.
Instead, they focused on the only good actor.
I’m still working on my coffee, but haven’t you just described The Cloud?
And I’m sure this has nothing to do with any former or future contracts between Amazon and the CIA, NSA or any other such entity who may not cotton to secure communications among the citizenry. Not necessarily in an explicit contractual obligation per se, but rather in a keep the customer happy to win the contract kind of way.
Signal is not inherently good. It’s just a tool. It would be equally useful for a human rights activist or a human trafficker.
Domain-fronting is a bug not a feature.
I’ve read this three times, including the tortuous second paragraph.
How is the statement in the headline supported by the text of the article?
How do you understand domain-fronting to be useful to fraudsters? Because I get the impression that people think domain-fronting is about being able to impersonate someone else’s domain to an unsuspecting user, and it’s not at all.
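The mechanism the two comments above are arguing about (blending in with a large front, and not impersonating anyone’s domain) is easy to misread without seeing the bytes. The following is an added example, not code from the thread, from Signal or from AWS: it drives OpenSSL in memory to produce a real TLS ClientHello, extracts the SNI the way a censor’s DPI box would, and contrasts that with the Host header the CDN edge routes on once the TLS layer is decrypted. The hostnames cdn.example.net (a shared cloud front) and messenger.example.org (the hidden service) and the tenant list are constructed assumptions.

```python
"""Domain fronting modelled end to end: what a censor sees (the cleartext
TLS SNI) versus what the CDN edge routes on (the encrypted HTTP Host header).

Added example, not code from the thread, Signal or AWS. Hostnames and the
tenant table are constructed for illustration.
"""
import ssl
import struct
from typing import Optional


def openssl_client_hello(sni: str) -> bytes:
    """Produce a genuine TLS ClientHello for `sni` without any network I/O,
    by driving OpenSSL through in-memory BIOs."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is written; OpenSSL now waits for a ServerHello
    return outgoing.read()


def sni_from_client_hello(data: bytes) -> Optional[str]:
    """Extract server_name the way a DPI box does: walk the cleartext
    ClientHello and return the first host_name entry of extension type 0."""
    if len(data) < 5 or data[0] != 0x16:          # record type 22 = handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                   # handshake type 1 = ClientHello
        return None
    pos = 4 + 2 + 32                              # hs header, client_version, random
    sid_len = hs[pos]
    pos += 1 + sid_len                            # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher_suites
    cm_len = hs[pos]
    pos += 1 + cm_len                             # compression_methods
    if pos + 2 > len(hs):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        body = hs[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0:                         # 0 = server_name
            continue
        list_len = struct.unpack("!H", body[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = body[q]
            name_len = struct.unpack("!H", body[q + 1:q + 3])[0]
            if name_type == 0:                    # 0 = host_name
                return body[q + 3:q + 3 + name_len].decode("ascii")
            q += 3 + name_len
    return None


def host_from_http_request(request: bytes) -> Optional[str]:
    """What the CDN edge routes on: the Host header inside the decrypted stream."""
    for line in request.split(b"\r\n")[1:]:
        if not line:
            break
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii")
    return None


def fronted_request(front: str, hidden: str) -> dict:
    """One domain-fronted request as the two observers see it: the censor
    only ever sees `front`; the edge, after decryption, routes on `hidden`."""
    hello = openssl_client_hello(front)
    http = f"GET /v1/messages HTTP/1.1\r\nHost: {hidden}\r\n\r\n".encode("ascii")
    return {
        "censor_sees": sni_from_client_hello(hello),
        "edge_routes_to": host_from_http_request(http),
    }


# Constructed tenant table: everything sharing the front hostname.
TENANTS_BEHIND_FRONT = {
    "cdn.example.net": {"messenger.example.org", "news.example.com",
                        "shop.example.com", "bank.example.com"},
}


def block_by_sni(sni: str, tenants=TENANTS_BEHIND_FRONT) -> set:
    """The censor's only lever is the SNI, so blocking the hidden service
    means blocking every tenant behind the same front (the collateral damage)."""
    return set(tenants.get(sni, set()))


if __name__ == "__main__":
    view = fronted_request("cdn.example.net", "messenger.example.org")
    print(view)                                   # censor sees only the front
    print(block_by_sni(view["censor_sees"]))      # what a block would take down
```

Note that nothing here forges a certificate or impersonates the hidden host to the user: the TLS session is with the front’s real certificate, and the edge simply honours the Host header it finds inside. That is also why a provider can kill the technique from its side (refuse Host values that do not match the SNI) without any change on the censor’s end.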
It’s possible that Egypt could block all of AWS (which, remember, represents 34% of all cloud computing worldwide). It’s also possible that Egypt could turn off internet access completely, which would be more dramatic, but not by all that much. After all, blocking just AWS wouldn’t solve the problem, they’d also have to block other major American cloud providers: Google, Microsoft, IBM. By that point you’ve effectively blocked more than half of the internet anyway.
There are many political and economic reasons why these approaches would be worse for the regime than allowing some dissidents to keep using Signal. So it’s far from obvious that these countries would actually block AWS, it’s more of an empty threat. And come to think of it, I’m not aware of them even threatening to block, it’s just a theoretical scenario.
There’s no specific reason Amazon needs to act against Signal now, after all Signal has been using domain-fronting for a long time with no harm. Amazon just recently learned of the situation, and is deliberately moving to distance themselves from efforts to avoid censorship. Shitty, but I guess what do we really expect from Evil Corp.
Or Egypt is an excuse, and the message to act came from elsewhere. Remember the Trump vs Bezos feud?
I’m sure that some people are putting a lot of thought into ways to abuse domain-fronting.
Back in the day, spammers were quite clever at tricks like pumping gallons of spam with a dial-up connection using asymmetric routing, so it’s best not to underestimate them.
(The trick was that they sent the spam from their high-speed real connection, spoofed with the dial-up’s IP address (no egress IP filtering). The TCP/IP return packets would come back via the dial-up to complete the handshake and let it work. They’d lose the dial-up accounts for spamming, but not their “bullet-proof” connection. That was evil genius!)
Indeed they are:
Well sure, it’s a given that criminal hackers can use domain fronting for the same purpose Signal can: to make surveillance of their own internet connections more difficult.
They can also use tools like Tor for this purpose. But if it were Tor being blocked, I hope that folks here would not be saying “Well, it’s understandable, after all Tor can be used by criminals”.
Fraudsters are putting a lot of thought into ways to abuse pretty much every technology that exists, but that’s not a reason to shut those technologies down. It’s interesting that nobody ever suggests shutting down the credit card network. After all, criminal hackers are hugely dependent on that vulnerability. The difference, of course, is that credit cards are vital to the bottom-lines of important corporations, whereas domain fronting is only vital to the lives of some third-world dissidents.
I’m all for correcting security vulnerabilities and making the internet more secure, but internet anonymity is not a bug to be corrected. It is a vital feature.