For years, governments around the world have tried to block various web services. This has often proved tricky, as the recent Telegram bans in Iran and Russia showed. For example, Russia broke countless other sites while attempting to block Telegram, because they shared the same infrastructure (AWS, Google Cloud Messaging, etc.).
To get around the Russian ban, Telegram opted to use "domain fronting," a popular method of bypassing censorship. Here's how Amazon defines it:
Domain Fronting is when a non-standard client makes a TLS/SSL connection to a certain name, but then makes an HTTPS request for an unrelated name. For example, the TLS connection may connect to "www.example.com" but then issue a request for "www.example.org".
Put simply, it allows web services to disguise their traffic as coming from another site. For example, the encrypted messaging app Signal was blocked in Egypt, Oman, Qatar, and UAE over a year ago. To circumvent the block, Signal used domain fronting with Google App Engine. This meant if governments wanted to block Signal, they had to block google.com entirely. This allowed citizens from those countries to use Signal again.
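The mismatch Amazon's definition describes is visible to whoever terminates TLS at the edge: the name in the ClientHello's SNI extension and the Host header of the HTTPS request that follows. As an added illustration that is not part of the original article and not any provider's own code, the Python below models the consistency check a CDN edge can enforce: it parses the SNI out of a ClientHello, parses the Host header out of the HTTP request, normalizes both, and flags a request as fronted unless the Host is the SNI name or an alias the tenant has registered rights to. The minimal ClientHello builder, the hostnames (RFC 2606 example domains) and the sample connection records are constructed for the example.

```python
"""Model of the SNI-versus-Host check a TLS-terminating edge can enforce.

Everything here is constructed for illustration: the ClientHello builder,
hostnames and connection records. No network traffic is sent.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

SNI_EXTENSION_TYPE = 0x0000  # TLS "server_name" extension (RFC 6066)


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI entry.

    Only the fields the parser walks are populated; random bytes, the single
    cipher suite and the empty session id are fixed placeholders.
    """
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # random (placeholder)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # cipher_suites: one suite
        + b"\x01\x00"          # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16:             # not a handshake record
            return None
        hs = record[5:]
        if hs[0] != 0x01:                 # not a ClientHello
            return None
        pos = 4 + 2 + 32                  # handshake header, version, random
        pos += 1 + hs[pos]                # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + length]
            pos += 4 + length
            if ext_type == SNI_EXTENSION_TYPE and data[2] == 0:  # host_name entry
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
    except (struct.error, IndexError):
        pass                              # truncated record: treat as no SNI
    return None


def host_from_request(request: bytes) -> Optional[str]:
    """Return the first Host header value of a raw HTTP/1.1 request, or None."""
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def normalize(host: str) -> str:
    """Lowercase, drop :port and a trailing dot so equal names compare equal."""
    host = host.strip().lower()
    if host.startswith("["):              # IPv6 literal: keep the bracketed part
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0].rstrip(".")


def is_fronted(sni: Optional[str], host: Optional[str],
               allowed: Dict[str, Set[str]]) -> bool:
    """True when Host is neither the SNI name nor an alias registered for it.

    `allowed` maps an SNI name to Host values whose owner has proven control
    (the "necessary rights" condition). Missing SNI or Host counts as fronted.
    """
    if sni is None or host is None:
        return True
    s, h = normalize(sni), normalize(host)
    return h != s and h not in allowed.get(s, set())


def audit(connections: List[Tuple[bytes, bytes]],
          allowed: Dict[str, Set[str]]) -> List[Tuple[Optional[str], Optional[str], bool]]:
    """Evaluate each (ClientHello, HTTP request) pair; the flag marks a fronted request."""
    results = []
    for hello, request in connections:
        sni, host = extract_sni(hello), host_from_request(request)
        results.append((sni, host, is_fronted(sni, host, allowed)))
    return results


# Constructed sample connections as a TLS-terminating edge would see them.
SAMPLE_CONNECTIONS = [
    (build_client_hello("www.example.com"), b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (build_client_hello("www.example.com"), b"GET / HTTP/1.1\r\nHost: WWW.EXAMPLE.COM:443\r\n\r\n"),
    (build_client_hello("cdn.example.net"), b"GET /v1 HTTP/1.1\r\nHost: api.example.net\r\n\r\n"),
    (build_client_hello("shop.example.net"), b"GET /chat HTTP/1.1\r\nHost: relay.example.org\r\n\r\n"),
    (build_client_hello("www.example.com"), b"GET / HTTP/1.1\r\n\r\n"),
]
# Hypothetical registry: Host values the owner of each SNI name has rights to.
ALLOWED_ALIASES = {"cdn.example.net": {"api.example.net"}}

if __name__ == "__main__":
    for sni, host, fronted in audit(SAMPLE_CONNECTIONS, ALLOWED_ALIASES):
        print(f"sni={sni!r:22} host={host!r:26} {'FRONTED' if fronted else 'ok'}")
```

Run as a script it prints one line per connection; the second and third records pass because case, port and a registered alias are not mismatches, while the fourth (Host owned by a different party) and fifth (no Host at all) are flagged. A real edge would also need to repeat the check on every request of a keep-alive connection, since the SNI is sent once but each HTTP request carries its own Host.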
Unfortunately, both Google and Amazon are cracking down on domain fronting. This started when Tor discovered Google App Engine was no longer working for bypassing censorship. Meanwhile, Signal received an email from Google saying domain fronting would be blocked, so the project started looking at other options. The organization decided on using Souq.com, an e-commerce site owned by Amazon that is incredibly popular in the Middle East.
Amazon quickly discovered what Signal was doing, and sent the following email:
Yesterday AWS became aware of your GitHub and Hacker News/ycombinator posts describing how Signal plans to make its traffic look like traffic from another site (popularly known as "domain fronting") by using a domain owned by Amazon -- Souq.com. You do not have permission from Amazon to use Souq.com for any purpose. Any use of Souq.com or any other domain to masquerade as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms (Amazon CloudFront, Sec. 2.1: "You must own or have all necessary rights to use any domain name or SSL certificate that you use in conjunction with Amazon CloudFront"). It is also a violation of our Acceptable Use Policy by falsifying the origin of traffic and the unauthorized use of a domain.
We are happy for you to use AWS Services, but you must comply with our Service Terms. We will immediately suspend your use of CloudFront if you use third party domains without their permission to masquerade as that third party.
General Manager, Amazon CloudFront
In other words, the two most popular options for domain fronting will no longer work. While Amazon and Google are completely within their rights to block this behavior (since it puts them at risk), several human rights organizations are campaigning for the companies to reverse their decision.
Signal said in a blog post, "domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. [...] If recent changes by large cloud providers indicate a commitment to providing network-level visibility into the final destination of encrypted traffic flows, then the range of potential solutions becomes severely limited."