AWS threatens to kill Signal's cloud account

Domain fronting considered abusive.

Amazon Web Services has threatened to suspend Signal's cloud services account if the messaging app continues to use a technique known as domain fronting.

The cloud provider wrote to the messaging app's creator Moxie Marlinspike to say that domain fronting is in breach of its terms of service.

Domain fronting is used by specially crafted clients that open an HTTPS connection to one domain, naming it in the cleartext TLS handshake (the SNI field), and then, inside the encrypted session, send an HTTP request whose Host header names a different site hosted on the same provider.

It takes advantage of how Google and Amazon designed their TLS termination: the edge presented a certificate for the outer name but routed the request by the inner Host header. A developer could therefore connect to an innocuous domain that is not blocked and have the established, authenticated and encrypted connection carried on to a domain that would normally be inaccessible because of censorship, while anyone watching the network saw only the innocuous name.
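To make the two-name trick concrete, here is an added example (this is illustration code, not Signal's or Amazon's, and the hostnames, the request path and the "same account" edge policy are constructed assumptions). It builds the two places a hostname appears in a fronted request, a cleartext TLS ClientHello carrying the SNI extension and the HTTP request carrying the Host header, parses the SNI back out the way a censor's DPI box would, and models the edge check the providers' new stance implies: refuse a Host name that the SNI name's owner does not control.

```python
import struct
from typing import Dict, Optional

# Constructed hostnames (assumptions for this example, not from the article):
# FRONT is a CDN-hosted name the censor allows, BACK a CDN-hosted name it blocks.
FRONT_DOMAIN = "front.example"
BACK_DOMAIN = "blocked-service.example"


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record whose only extension is server_name.
    Random, cipher suite and session id are placeholders; the point is the
    cleartext layout that network equipment can read."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # extension type 0 = SNI
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                # client_version TLS 1.2
        + b"\x00" * 32             # random (zeros, placeholder)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\xc0\x2f"      # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"              # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """What a censor's DPI sees: walk the unencrypted ClientHello and return
    the server_name, or None if there is none."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    if pos + 2 > len(body):
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def build_http_request(host: str, path: str = "/v1/example") -> bytes:
    """The request that travels inside the TLS session; only the edge sees it."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def parse_host_header(request: bytes) -> Optional[str]:
    for line in request.decode("ascii").split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip()
    return None


def fronted_request(front: str, back: str):
    """Return (name visible on the wire, name the CDN edge routes on)."""
    return extract_sni(build_client_hello(front)), parse_host_header(build_http_request(back))


def cdn_edge_accepts(sni: str, host: str, owner_of: Dict[str, str]) -> bool:
    """Our model of the policy in AWS's letter (an assumption, not CloudFront's
    real logic): serve only if Host equals SNI or both names belong to the
    same customer account."""
    if sni == host:
        return True
    return sni in owner_of and host in owner_of and owner_of[sni] == owner_of[host]


if __name__ == "__main__":
    wire, edge = fronted_request(FRONT_DOMAIN, BACK_DOMAIN)
    owners = {FRONT_DOMAIN: "other-customer", BACK_DOMAIN: "blocked-service"}  # constructed
    print(f"censor sees SNI={wire!r}, edge sees Host={edge!r}")
    print("edge accepts after policy change:", cdn_edge_accepts(wire, edge, owners))
```

The `owner_of` map stands in for whatever account metadata the provider consults; the article only tells us that a Host name belonging to a third party without its permission is what AWS objects to, so that is the one relationship the check encodes.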

AWS said that Signal was domain fronting using Amazon's domain, something that it was not permitted to do.

"We are happy for you to use AWS services, but you must comply with our service terms. We will immediately suspend your use of CloudFront if you use third party domains without their permissions to masquerade as that third party," an unnamed AWS CloudFront general manager wrote to Marlinspike.

AWS' decision to explicitly disallow domain fronting follows a similar decision made by Google last month.

After Google shut down domain fronting, Signal moved to AWS CloudFront.

Marlinspike argued that banning the technique was effectively a victory for countries that censored access to online services like Signal.

Signal has been blocked by Egypt, Oman, Qatar and the United Arab Emirates for the past year-and-a-half, Marlinspike said.

Thanks to domain fronting, the censors in these countries would have had to block Google and Amazon if they wished to deny access to Signal's servers, a step they were unwilling to take.

"The censors in these countries will have (at least temporarily) achieved their goals. Sadly, they didn’t have to do anything but wait," Marlinspike said.

Marlinspike denied that Signal breached AWS' service terms. He said Signal's apps were not falsifying the origin of their traffic when they connected to CloudFront, as AWS had alleged.

Signal's developer Open Whisper Systems is working on ideas for a more robust system to evade censorship, and is looking to hire developers to speed up the process.

However, Marlinspike warned that "if recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes very limited."
