Jump to ContentJump to Main Navigation
Show Summary Details

Proceedings on Privacy Enhancing Technologies

2 Issues per year

Open Access
Online
ISSN
2299-0984
See all formats and pricing




Blocking-resistant communication through domain fronting

David Fifield
  • University of California, Berkeley
  • :
/ Chang Lan
  • University of California, Berkeley
  • :
/ Rod Hynes
  • Psiphon Inc
  • :
/ Percy Wegmann
  • Brave New Software
  • :
/ Vern Paxson
  • University of California, Berkeley and the International Computer Science Institute
  • :
Published Online: 2015-06-22 | DOI: https://doi.org/10.1515/popets-2015-0009

Abstract

We describe “domain fronting,” a versatile censorship circumvention technique that hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor. The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption. A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage. Domain fronting is easy to deploy and use and does not require special cooperation by network intermediaries. We identify a number of hard-to-block web services, such as content delivery networks, that support domain-fronted connections and are useful for censorship circumvention. Domain fronting, in various forms, is now a circumvention workhorse. We describe several months of deployment experience in the Tor, Lantern, and Psiphon circumvention systems, whose domain-fronting transports now connect thousands of users daily and transfer many terabytes per month.

Keywords: censorship circumvention

References


Received: 2015-02-15

Revised: 2015-05-15

Accepted: 2015-05-15

Published Online: 2015-06-22

Published in Print: 2015-06-01


Citation Information: Proceedings on Privacy Enhancing Technologies. Volume 2015, Issue 2, Pages 46–64, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2015-0009, June 2015

© David Fifield et al.. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. (CC BY-NC-ND 3.0)

Comments (0)

Please log in or register to comment.