Google, long known for defending internet freedom, recently removed access to a feature that was widely used to bypass censorship: domain fronting.
Activists claim Google is siding with censorship, while Google claims it was a regular update. But what is the bigger picture? Should Google ignore the moral effects of its actions?
Before I try to answer that, let's have a look at what domain fronting really is.
Domain fronting primer
Domain fronting is a technique that hides the actual website the user is trying to connect to from network monitors. As such, it is used both by anti-filtering tools — such as Signal, Tor, and Psiphon — and by malicious actors. Here is how it works:
You generally access websites via their URL — a human-readable address that translates to an IP, used to locate the server. For instance, www.google.com might translate to 126.96.36.199. When censorship tools monitor outgoing traffic, they look for these URLs (and in some instances direct IPs) and if they detect any “forbidden” URLs, they shut off the connection.
The domain fronting technique masks the “forbidden” URL, and makes the traffic appear as if it’s a request for Google.
Historically, domain fronting is used by CDNs — Content Delivery Networks. CDNs are the systems that improve a website’s loading speed by serving the content from a location near the user.
For instance, if you’re in the US and try to access a website hosted in the UK, normally the transfer must cross the Atlantic every time, which makes it very slow. With a CDN, another server in the US will keep a copy of the UK website. Thus, you bypass the slow process and interact instead directly with a local server, which is much faster.
Of course, for this to work, the URL of the target website must translate to the CDN server’s address instead of its own IP. That means you and the users accessing the site are still calling the same URL but under the hood, the content is coming from a different location.
Next, the CDN must bring its content from the original website. It can cache a lot of files, but for dynamic content (like tweets that are updated every minute) this data must be available immediately. As such, the request to the CDN must be fronted to the actual website — and here is where domain fronting comes in.
The point is that the connection is not between the user and the forbidden website — it is between the user and the CDN, which is serving the contents of the forbidden website.
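The masking described in this primer relies on a request carrying two names: the TLS SNI field, which a network monitor can see, names the front site, while the HTTP Host header inside the encrypted connection names the real one. As an added example (not from the original article), the Python code below classifies records from a TLS-inspecting proxy by comparing the two. The field names tls_sni, http_host and cert_sans and all sample records are constructed for illustration.

```python
# Added example. Field names and every record below are constructed.

def normalize(host):
    """Lower-case a hostname; drop any :port suffix and trailing dot."""
    if not host:
        return ""
    return host.strip().lower().split(":", 1)[0].rstrip(".")

def san_covers(san, host):
    """True if a certificate SAN entry matches host ('*' spans one label)."""
    san = normalize(san)
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host

def classify(record):
    """Compare the name seen on the wire (SNI) with the name inside TLS (Host)."""
    sni = normalize(record.get("tls_sni"))
    host = normalize(record.get("http_host"))
    if not sni or not host:
        return "incomplete"   # nothing to compare
    if sni == host:
        return "match"        # ordinary request
    if any(san_covers(s, host) for s in record.get("cert_sans", [])):
        return "coalesced"    # same certificate, e.g. HTTP/2 connection reuse
    return "fronted"          # Host names a site the certificate does not cover

# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    {"tls_sni": "front.example", "http_host": "front.example",
     "cert_sans": ["front.example"]},
    {"tls_sni": "Front.Example", "http_host": "front.example:443",
     "cert_sans": ["front.example"]},
    {"tls_sni": "front.example", "http_host": "img.front.example",
     "cert_sans": ["front.example", "*.front.example"]},
    {"tls_sni": "front.example", "http_host": "hidden.example",
     "cert_sans": ["front.example", "*.front.example"]},
    {"tls_sni": None, "http_host": "hidden.example", "cert_sans": []},
]

def summarize(log):
    return [classify(r) for r in log]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_LOG, summarize(SAMPLE_LOG)):
        print(verdict, rec["tls_sni"], rec["http_host"])
```

The comparison only works where the monitor terminates TLS and can read the Host header; a passive observer sees the SNI alone, which is why the fronted request looks like ordinary traffic to the front site.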
Domain fronting on Google
The Google App Engine is not a CDN. As such, it does not support domain fronting. But, you can host a website there, and use any other Google domain as a front (such as google.com, gmail.com, or googleapis.com). You would need to set up a “reflector” app in the Google App Engine which would forward the request to the actual website.
As you can see, if only because of the extra steps involved, Google is not the ideal candidate for domain fronting. However, Google is an attractive choice, especially for anti-filtering tools.
Malicious actors can use any CDN — their aim is just to hide the real target server. But in a country with censorship, these choices are limited.
Another limiting factor is that anti-filtering tools are for public use, not for techie hackers. As such, not only must they be simple, but in many instances the censorship body can analyze the tool, find the URLs it uses for masking, and block those off in advance.
For this reason, anti-censorship tools must pick sites and services for the fronting that are massively used by the population, making it unfeasible for governments to block them. Until recently, one of these websites was Google.
“Regular update” or participating in censorship?
Many have questioned the “coincidence” that this happened just after Russia’s ban on Telegram, which came after Pavel Durov refused to violate the privacy of Telegram users. Russia responded by blocking over 18 million IPs belonging to Amazon Web Services and Google Cloud — something that makes people wonder if Google is giving in to the pressure.
Of course, a Google representative claimed that “domain fronting has never been a supported feature at Google,” and that “until recently it worked because of a quirk of our software stack.” They also announced that “we don’t have any plans to offer it as a feature.”
While activists call this a blow to freedom of speech, it could be that this coincidence was exactly as announced: “part of a planned software update.” But that is not the main problem. The main issue is what Google stands for.
The bigger contribution
When I did online marketing, we were taught that any business must always have a “bigger contribution.” For instance, donating to a charity, helping other entrepreneurs, or motivating youth in their lives. Because eventually, people want to belong to a brand, and when it comes down to you and a competitor that offers a product similar to yours — the bigger contribution decides the winner.
I can’t think of any other brand more suitable for this than Google.
In the early days of Google, there was great hype around it. It was created by two students, it was disruptive and did an awesome job. And most importantly, it was a new voice in the tech market under Microsoft’s monopoly.
We just wanted it to succeed. We had no clue of how it was making money but would love to give it some just to support its cause.
That’s what “bigger contribution” does; people side with you because of your ideals. People don’t buy the product — they buy the experience behind it. As Simon Sinek puts it: “People don’t buy what you do, they buy why you do it.”
In reverse, this is the same factor that is slamming Facebook over its data privacy scandal. Facebook is not listening through your mic and it’s not selling your data, and the amount of data it collects is a fraction of what Google has on each of us. But when people trust you and you fail to live up to that, people lose faith in your brand.
What happens next?
As Google disables domain fronting, people will turn to other alternatives. There are other services offering domain fronting, such as CloudFront or Azure. The need for freedom pushes people to keep searching and invent new methods.
Recently, anti-filtering tools have seen a huge surge, sometimes a nearly 30-fold increase in downloads. Shortly after the update, tools such as Signal turned to other websites, such as Sooq.
As mentioned earlier, it’s crucial that the replacements are heavily used, so the government cannot censor them easily. For instance, when the government censored Telegram in Iran, it was eventually forced to lift the restrictions under public pressure (there are nearly 40 million Telegram users there).
As for Google, the Google App Engine was already unavailable there because of US sanctions. China had already blocked Google, so Chinese users were mostly unaffected by this update.
It’s fair to say that the biggest blow was to Google’s own reputation — a company that was once known for standing for a free internet.