Amazon warns messaging app Signal of AWS suspension over anti-censorship tool


Cloud-based instant messaging service Telegram has been in the news recently following large-scale censorship of the service by Russia and Iran. The two nations have moved to ban the encrypted messaging service on an unprecedented scale, making headlines around the world. However, few people have paid attention to the struggles of similar messaging service Signal. Signal, run by Open Whisper Systems (OWS), is a highly popular encrypted messenger that has also found itself struggling against censorship – not by governments, but by the tech giants of the world.

File photo of Matthew Rosenfeld aka Moxie Marlinspike, Founder of Signal. (Image: See page for author [CC BY-SA 2.0], via Wikimedia Commons)

Amazon goes on to say that it will “immediately suspend” Signal’s use of CloudFront if it uses third-party domains “without their permission to masquerade as that third party”.

In his blog post, Matthew explains that Signal has been using a popular technique called “domain fronting” to circumvent censors in countries such Egypt, Oman, Qatar, and the UAE for the past 1.5 years. Domain fronting essentially involves services hiding the endpoint of internet traffic behind a domain allowed by the censor. In Signal’s case, this means that the censor would see internet traffic directing to and allow it; in reality, after clearing Amazon’s clean SSL certificate, the traffic would be redirected to Signal.

Matthew explains that Signal used domain fronting to circumvent censorship in the abovementioned countries, driving traffic through Google App Engine, Google’s cloud service. However, when Google realised this was happening, it opted to make internal changes that would shut down domain fronting entirely. With Google’s services no longer available, Signal decided to switch to AWS for its domain fronting needs, which got picked up by Amazon through public posts. Last week, Amazon announced “Enhanced Domain Protections for Amazon CloudFront Requests”, an update meant to stop practices like domain fronting on AWS entirely.

This, in turn, led to the email from AWS – Signal, for its part, contests Amazon’s claims of ToS violations, but Matthew recognises that “our interpretation is ultimately not the one that matters”.

Against the backdrop of increasing conversations about data privacy and internet censorship, such steps by leading tech giants like Amazon and Google to help censors are bound to raise questions. While there are likely valid concerns about exploitation of practices like domain fronting to spread malware and steal user data, throttling anti-censorship practices completely seems excessive.

In the wake of the letter from Amazon, Signal is unsure of how to proceed. Matthew sums up the situation aptly in his post, saying, “With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.”


Updates from around the world