An update to Google App Engine, the platform developers use to create web applications, puts an end to “domain fronting.” The technique, which let apps hide the real destination of their traffic, was used to circumvent state-level censorship in countries like China or Egypt.
It worked by routing data through Google’s network as a proxy before that data reached the app’s own servers. The search giant’s encryption then kept observers from seeing where those requests went next. To anyone watching the traffic of someone using domain fronting, all of that person’s data requests appeared to be going to and coming from Google.com.
This level of anonymity also opens the doors for hackers. Last year, security researchers at FireEye caught “Russian nation-state attackers” using the technique to gain backdoor access to computers.
It doesn’t appear this feature was created intentionally by Google but was rather a byproduct of providing developers the infrastructure required for sending app data. Google confirmed as much in a statement to the Verge, claiming domain fronting has “never been a supported feature at Google” and that it only worked because of a “quirk” in its software.
“We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature,” Google said.
Signal, a messaging app known for its strong encryption, began supporting domain fronting natively in 2016 after it was blocked by Egypt. Along with other anti-censorship apps like GreatFire.org and Psiphon, Signal relied on the App Engine to give users a way to bypass censorship. We have reached out to Signal to find out if it will still offer the tool.
Nathan White of digital rights group Access Now criticized the Google update and urged the company to reinstate domain fronting.
“Google has long claimed to support internet freedom around the world, and in many ways the company has been true to its beliefs,” he told the Verge. “Allowing domain fronting has meant that potentially millions of people have been able to experience a freer internet and enjoy their human rights. We urge Google to remember its commitment to human rights and internet freedom and allow domain fronting to continue.”