
Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
Online ISSN: 2299-0984

Blocking-resistant communication through domain fronting

David Fifield / Chang Lan / Rod Hynes / Percy Wegmann / Vern Paxson
Published Online: 2015-06-22 | DOI: https://doi.org/10.1515/popets-2015-0009

Abstract

We describe “domain fronting,” a versatile censorship circumvention technique that hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor. The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption. A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage. Domain fronting is easy to deploy and use and does not require special cooperation by network intermediaries. We identify a number of hard-to-block web services, such as content delivery networks, that support domain-fronted connections and are useful for censorship circumvention. Domain fronting, in various forms, is now a circumvention workhorse. We describe several months of deployment experience in the Tor, Lantern, and Psiphon circumvention systems, whose domain-fronting transports now connect thousands of users daily and transfer many terabytes per month.

Keywords: censorship circumvention
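The abstract's key idea, different names on the "outside" and "inside" of one HTTPS request, can be made concrete with a short added example (not code from the paper or from Tor, Lantern, or Psiphon). It models what an on-path observer sees versus what a TLS-terminating endpoint sees; the `Request` record, the helper names, and all hostnames are assumptions constructed for illustration.

```python
# Added illustration; all hostnames and records below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    dns_name: str     # name resolved before connecting (visible on the wire)
    sni: str          # TLS Server Name Indication (visible on the wire)
    host_header: str  # HTTP Host header (inside the TLS-encrypted stream)

def normalize(name: str) -> str:
    """Lowercase a hostname, drop a trailing dot and any :port suffix."""
    name = name.strip().lower()
    if name.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:443
        return name[1:name.index("]")]
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        name = host
    return name.rstrip(".")

def outside_view(req: Request) -> tuple[str, str]:
    """What an on-path observer without the TLS keys can see."""
    return (normalize(req.dns_name), normalize(req.sni))

def is_fronted(req: Request) -> bool:
    """True when the inside name differs from the outside name.
    Only an endpoint that terminates TLS can evaluate this."""
    return normalize(req.host_header) != normalize(req.sni)

# Constructed sample traffic to one shared front domain.
SAMPLE = [
    Request("cdn.example.com", "cdn.example.com", "cdn.example.com"),
    Request("cdn.example.com", "CDN.example.com.", "hidden.example.net:443"),
    Request("cdn.example.com", "cdn.example.com", "Cdn.Example.Com:443"),
]

def summarize(requests):
    """Group requests by outside view and count fronted vs. nonfronted."""
    summary = {}
    for req in requests:
        counts = summary.setdefault(outside_view(req), {"fronted": 0, "nonfronted": 0})
        counts["fronted" if is_fronted(req) else "nonfronted"] += 1
    return summary

if __name__ == "__main__":
    for view, counts in summarize(SAMPLE).items():
        print(view, counts)
```

All three sample requests collapse to the same outside view, so fronted and nonfronted traffic can only be told apart where the Host header is available in cleartext, such as at a TLS-terminating proxy.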


About the article

Received: 2015-02-15

Revised: 2015-05-15

Accepted: 2015-05-15

Published Online: 2015-06-22

Published in Print: 2015-06-01


Citation Information: Proceedings on Privacy Enhancing Technologies, Volume 2015, Issue 2, Pages 46–64, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2015-0009.


© David Fifield et al. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License (BY-NC-ND 3.0).
