1. bookVolume 2015 (2015): Issue 2 (June 2015)
Journal Details
First Published
16 Apr 2015
Publication timeframe
4 times per year
access type Open Access

Blocking-resistant communication through domain fronting

Published Online: 22 Jun 2015
Page range: 46 - 64
Received: 15 Feb 2015
Accepted: 15 May 2015
Journal Details
First Published
16 Apr 2015
Publication timeframe
4 times per year

We describe “domain fronting,” a versatile censorship circumvention technique that hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor. The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption. A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage. Domain fronting is easy to deploy and use and does not require special cooperation by network intermediaries. We identify a number of hard-to-block web services, such as content delivery networks, that support domain-fronted connections and are useful for censorship circumvention. Domain fronting, in various forms, is now a circumvention workhorse. We describe several months of deployment experience in the Tor, Lantern, and Psiphon circumvention systems, whose domain-fronting transports now connect thousands of users daily and transfer many terabytes per month.


[1] Akamai. http://www.akamai.com/.Search in Google Scholar

[2] P. Alpha. Google disrupted prior to Tiananmen anniversary; mirror sites enable uncensored access to information, June 2014. https://en.greatfire.org/blog/2014/jun/google-disrupted-prior-tiananmen-anniversary-mirror-sites-enable-uncensored-access.Search in Google Scholar

[3] Amazon CloudFront. https://aws.amazon.com/cloudfront/.Search in Google Scholar

[4] Y. Angel and P. Winter. obfs4 (the obfourscator), May 2014. https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/doc/obfs4-spec.txt.Search in Google Scholar

[5] J. Appelbaum and N. Mathewson. Pluggable transport specification, Oct. 2010. https://gitweb.torproject.org/torspec.git/tree/pt-spec.txt.Search in Google Scholar

[6] ASL19 and Psiphon. Information controls: Iran’s presidential elections. Technical report, 2013. https://asl19.org/cctr/iran-2013election-report/.Search in Google Scholar

[7] D. J. Bernstein, T. Lange, and P. Schwabe. Public-key authenticated encryption: crypto_box, Aug. 2010. http://nacl.cr.yp.to/box.html.Search in Google Scholar

[8] B. Boe. Bypassing Gogo’s inflight Internet authentication, Mar. 2012. http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/.Search in Google Scholar

[9] BridgeDB. https://bridges.torproject.org/.Search in Google Scholar

[10] C. Brubaker, A. Houmansadr, and V. Shmatikov. Cloud-Transport: Using cloud storage for censorship-resistant networking. In Proceedings of the 14th Privacy Enhancing Technologies Symposium (PETS), July 2014. http://www.cs.utexas.edu/~amir/papers/CloudTransport.pdf.10.1007/978-3-319-08506-7_1Search in Google Scholar

[11] S. Burnett, N. Feamster, and S. Vempala. Chipping away at censorship firewalls with user-generated content. In USENIX Security Symposium, Washington, DC, USA, Aug. 2010. USENIX. https://www.usenix.org/event/sec10/tech/full_papers/Burnett.pdf.Search in Google Scholar

[12] CloudFlare. https://www.cloudflare.com/.Search in Google Scholar

[13] T. Dierks and E. Rescorla. RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2, Aug. 2008. https://tools.ietf.org/html/rfc5246.10.17487/rfc5246Search in Google Scholar

[14] R. Dingledine. Obfsproxy: the next step in the censorship arms race, Feb. 2012. https://blog.torproject.org/blog/obfsproxy-next-step-censorship-arms-race.Search in Google Scholar

[15] R. Dingledine and N. Mathewson. Design of a blocking-resistant anonymity system. Technical Report 2006-11-001, Tor Project, Nov. 2006. https://research.torproject.org/techreports/blocking-2006-11.pdf.Search in Google Scholar

[16] E. Dou and A. Barr. U.S. cloud providers face backlash from China’s censors. Wall Street Journal, Mar. 2015. http://www.wsj.com/articles/u-s-cloud-providers-face-backlash-from-chinas-censors-1426541126.Search in Google Scholar

[17] K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton. Protocol misidentification made easy with format-transforming encryption. In Proceedings of the 20th ACM conference on Computer and Communications Security (CCS), Nov. 2013. https://kpdyer.com/publications/ccs2013-fte.pdf.10.1145/2508859.2516657Search in Google Scholar

[18] D. Eastlake. RFC 6066: Transport Layer Security (TLS) extensions: Extension definitions, Jan. 2011. https://tools.ietf.org/html/rfc6066.10.17487/rfc6066Search in Google Scholar

[19] Fastly. http://www.fastly.com/.Search in Google Scholar

[20] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. RFC 2616: Hypertext transfer protocol — HTTP/1.1, June 1999. https://tools.ietf.org/html/rfc2616.10.17487/rfc2616Search in Google Scholar

[21] D. Fifield. Summary of meek’s costs, April 2015, May 2015. https://lists.torproject.org/pipermail/tor-dev/2015-May/008767.html.Search in Google Scholar

[22] D. Fifield, N. Hardison, J. Ellithorpe, E. Stark, R. Dingledine, P. Porras, and D. Boneh. Evading censorship with browser-based proxies. In Proceedings of the 12th Privacy Enhancing Technologies Symposium (PETS). Springer, July 2012. https://crypto.stanford.edu/flashproxy/flashproxy.pdf.10.1007/978-3-642-31680-7_13Search in Google Scholar

[23] J. Geddes, M. Schuchard, and N. Hopper. Cover your ACKs: Pitfalls of covert channel censorship circumvention. In Proceedings of the 20th ACM conference on Computer and Communications Security (CCS), Nov. 2013. http://www-users.cs.umn.edu/~hopper/ccs13-cya.pdf.10.1145/2508859.2516742Search in Google Scholar

[24] GoAgent. https://github.com/goagent/goagent.Search in Google Scholar

[25] Google. Google Transparency Report: China, all products, May 31, 2014–present, July 2014. https://www.google.com/transparencyreport/traffic/disruptions/124/.Search in Google Scholar

[26] Google App Engine. https://cloud.google.com/appengine/.Search in Google Scholar

[27] GreatFire.org. https://a248.e.akamai.net is 100% blocked in China. https://en.greatfire.org/https/a248.e.akamai.net.Search in Google Scholar

[28] A. Houmansadr, C. Brubaker, and V. Shmatikov. The parrot is dead: Observing unobservable network communications. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, May 2013. http://www.cs.utexas.edu/~amir/papers/parrot.pdf.10.1109/SP.2013.14Search in Google Scholar

[29] A. Houmansadr, G. T. K. Nguyen, M. Caesar, and N. Borisov. Cirripede: Circumvention infrastructure using router redirection with plausible deniability. In Proceedings of the 18th ACM conference on Computer and Communications Security (CCS), Oct. 2011. http://hatswitch.org/~nikita/papers/cirripede-ccs11.pdf.10.1145/2046707.2046730Search in Google Scholar

[30] A. Houmansadr, T. Riedl, N. Borisov, and A. Singer. I want my voice to be heard: IP over voice-over-IP for unobservable censorship circumvention. In Proceedings of the 20th Network and Distributed System Security Symposium (NDSS). Internet Society, Feb. 2013. http://www.cs.utexas.edu/~amir/papers/FreeWave.pdf.Search in Google Scholar

[31] A. Houmansadr, E. L. Wong, and V. Shmatikov. No direction home: The true cost of routing around decoys. In Proceedings of the 21st Network and Distributed Security Symposium (NDSS). Internet Society, Feb. 2014. http://www.cs.utexas.edu/~amir/papers/DecoyCosts.pdf.10.14722/ndss.2014.23292Search in Google Scholar

[32] The ICSI certificate notary. http://notary.icsi.berkeley.edu/.Search in Google Scholar

[33] G. Kadianakis and N. Mathewson. obfs2 (the twobfuscator), Jan. 2011. https://gitweb.torproject.org/pluggabletransports/obfsproxy.git/tree/doc/obfs2/obfs2-protocolspec.txt.Search in Google Scholar

[34] G. Kadianakis and N. Mathewson. obfs3 (the threebfuscator), Jan. 2013. https://gitweb.torproject.org/pluggabletransports/obfsproxy.git/tree/doc/obfs3/obfs3-protocolspec.txt.Search in Google Scholar

[35] J. Karlin, D. Ellard, A. W. Jackson, C. E. Jones, G. Lauer, D. P. Mankins, and W. T. Strayer. Decoy routing: Toward unblockable internet communication. In Proceedings of the USENIX Workshop on Free and Open Communications on the Internet (FOCI), Aug. 2011. https://www.usenix.org/events/foci11/tech/final_files/Karlin.pdf.Search in Google Scholar

[36] Lantern. connpool. https://github.com/getlantern/connpool.Search in Google Scholar

[37] Lantern. enproxy. https://github.com/getlantern/enproxy.Search in Google Scholar

[38] Lantern. flashlight. https://github.com/getlantern/flashlight-build.Search in Google Scholar

[39] Lantern. fronted. https://github.com/getlantern/fronted.Search in Google Scholar

[40] Lantern. https://getlantern.org/.Search in Google Scholar

[41] B. Leidl. obfuscated-openssh, Apr. 2010. https://github.com/brl/obfuscated-openssh.Search in Google Scholar

[42] Level 3. http://www.level3.com.Search in Google Scholar

[43] K. Loesing. Counting daily bridge users. Technical Report 2012-10-001, Tor Project, Oct. 2012. https://research.torproject.org/techreports/counting-daily-bridge-users-2012-10-24.pdf.Search in Google Scholar

[44] M. Majkowski. SSL fingerprinting for p0f, June 2012. https://idea.popcount.org/2012-06-17-ssl-fingerprinting-for-p0f/.Search in Google Scholar

[45] B. Marczak, N. Weaver, J. Dalek, R. Ensafi, D. Fifield, S. McKune, A. Rey, J. Scott-Railton, R. Deibert, and V. Paxson. China’s Great Cannon. https://citizenlab.org/2015/04/chinas-great-cannon/.Search in Google Scholar

[46] Microsoft Azure. https://azure.microsoft.com/.Search in Google Scholar

[47] H. M. Moghaddam, B. Li, M. Derakhshani, and I. Goldberg. SkypeMorph: Protocol obfuscation for Tor bridges. In Proceedings of the 19th ACM conference on Computer and Communications Security (CCS), Oct. 2012. https://cs.uwaterloo.ca/~iang/pubs/skypemorph-ccs.pdf.Search in Google Scholar

[48] J. Newland. Large scale DDoS attack on github.com. https://github.com/blog/1981-large-scale-ddos-attack-on-githubcom.Search in Google Scholar

[49] E. Nygren, R. K. Sitaraman, and J. Sun. The Akamai network: A platform for high-performance Internet applications. ACM SIGOPS Operating Systems Review, 44(3):2–19, 2010. http://www.akamai.com/dl/technical_publications/network_overview_osr.pdf.10.1145/1842733.1842736Search in Google Scholar

[50] M. Perry. Tor Browser 4.0 is released, Oct. 2014. https://blog.torproject.org/blog/tor-browser-40-released.Search in Google Scholar

[51] M. Perry, E. Clark, and S. Murdoch. The design and implementation of the Tor Browser. Technical report, Tor Project, Mar. 2013. https://www.torproject.org/projects/torbrowser/design/.Search in Google Scholar

[52] Psiphon Team. A technical description of Psiphon, Mar. 2014. https://psiphon.ca/en/blog/psiphon-a-technicaldescription.Search in Google Scholar

[53] D. Robinson, H. Yu, and A. An. Collateral freedom: A snapshot of Chinese users circumventing censorship. Technical report, Open Internet Tools Project, May 2013. https://openitp.org/pdfs/CollateralFreedom.pdf.Search in Google Scholar

[54] M. Schuchard, J. Geddes, C. Thompson, and N. Hopper. Routing around decoys. In Proceedings of the 19th ACM conference on Computer and Communications Security (CCS), Oct. 2012. http://www-users.cs.umn.edu/~hopper/decoy-ccs12.pdf.10.1145/2382196.2382209Search in Google Scholar

[55] C. Smith. We are under attack, Mar. 2015. https://en.greatfire.org/blog/2015/mar/we-are-under-attack.10.1016/S1353-4858(15)70002-4Search in Google Scholar

[56] Y. Sovran, J. Li, and L. Submaranian. Unblocking the Internet: Social networks foil censors. Technical Report TR2008-918, Computer Science Department, New York University, Sept. 2009. http://kscope.news.cs.nyu.edu/pub/TR-2008-918.pdf.Search in Google Scholar

[57] Tor Project. #4744: GFW probes based on Tor’s SSL cipher list, Dec. 2011. https://bugs.torproject.org/4744.Search in Google Scholar

[58] Tor Project. #8860: Registration over App Engine, May 2013. https://bugs.torproject.org/8860.Search in Google Scholar

[59] Tor Project. #12778: Put meek HTTP headers on a diet, Aug. 2014. https://bugs.torproject.org/12778.Search in Google Scholar

[60] Tor Project. Bridge users using transport meek, May 2015. https://metrics.torproject.org/userstats-bridge-transport.html?graph=userstats-bridge-transport&end=2015-05-15&transport=meek.Search in Google Scholar

[61] Tor Project. Bridge users using transport obfs3, May 2015. https://metrics.torproject.org/userstats-bridge-transport.html?graph=userstats-bridge-transport&end=2015-05-15&transport=obfs3.Search in Google Scholar

[62] Q. Wang, X. Gong, G. T. K. Nguyen, A. Houmansadr, and N. Borisov. CensorSpoofer: Asymmetric communication using IP spoofing for censorship-resistant web browsing. In Proceedings of the 19th ACM conference on Computer and Communications Security (CCS), Oct. 2012. https://netfiles.uiuc.edu/qwang26/www/publications/censorspoofer.pdf.10.1145/2382196.2382212Search in Google Scholar

[63] Z. Weinberg, J. Wang, V. Yegneswaran, L. Briesemeister, S. Cheung, F. Wang, and D. Boneh. StegoTorus: A camouflage proxy for the Tor anonymity system. In Proceedings of the 19th ACM conference on Computer and Communications Security (CCS), Oct. 2012. http://www.owlfolio.org/media/2010/05/stegotorus.pdf.10.1145/2382196.2382211Search in Google Scholar

[64] T. Wilde. Great Firewall Tor probing circa 09 DEC 2011. Technical report, Team Cymru, Jan. 2012. https://gist.github.com/da3c7a9af01d74cd7de7.Search in Google Scholar

[65] B. Wiley. Dust: A blocking-resistant internet transport protocol. Technical report, School of Information, University of Texas at Austin, 2011. http://blanu.net/Dust.pdfhttps://github.com/blanu/Dust/blob/master/hs/README.Search in Google Scholar

[66] P. Winter and S. Lindskog. How the Great Firewall of China is blocking Tor. In Proceedings of the USENIX Workshop on Free and Open Communications on the Internet (FOCI), Aug. 2012. https://www.usenix.org/system/files/conference/foci12/foci12-final2.pdf.Search in Google Scholar

[67] P. Winter, T. Pulls, and J. Fuss. ScrambleSuit: A polymorphic network protocol to circumvent censorship. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES). ACM, Nov. 2013. http://www.cs.kau.se/philwint/pdf/wpes2013.pdf.10.1145/2517840.2517856Search in Google Scholar

[68] C. Wright, S. Coull, and F. Monrose. Traffic morphing: An efficient defense against statistical traffic analysis. In Proceedings of the 16th Network and Distributed Security Symposium (NDSS). IEEE, Feb. 2009. https://www.internetsociety.org/sites/default/files/wright.pdf.Search in Google Scholar

[69] E. Wustrow, C. M. Swanson, and J. A. Halderman. Tap-Dance: End-to-middle anticensorship without flow blocking. In Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, Aug. 2014. USENIX Association. https://jhalderm.com/pub/papers/tapdance-sec14.pdf.Search in Google Scholar

[70] E. Wustrow, S. Wolchok, I. Goldberg, and J. A. Halderman. Telex: Anticensorship in the network infrastructure. In Proceedings of the 20th USENIX Security Symposium, Aug. 2011. https://www.usenix.org/events/sec/tech/full_papers/Wustrow.pdf.Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo