Signal ordered to stop 'domain fronting' on AWS or get thrown off

AWS follows Google in banning domain fronting and warns Signal to discontinue the practice

Signal, the encrypted messaging app recommended by on-the-run NSA whistleblower Edward Snowden, has been warned by Amazon Web Services (AWS) to discontinue one of the practices it uses to stay secure.

Signal uses a technique called 'domain fronting' to disguise the source of its traffic and, therefore, to prevent authoritarian regimes from blocking its service.

Signal is currently showing up as being hosted on Souq, a content delivery network owned by Amazon's CloudFront web service, where it recently switched after Google banned the same practice.

Domain fronting involves disguising web traffic from a specific source so that it seems to be part of a larger mass of general web traffic. Because the front is someone big (like Google or Amazon), a country can't easily block the traffic without blocking the entire domain, which could have major economic implications.
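What enforcing such a ban can look like at a CDN edge or a TLS-inspecting proxy, as an added example (not code from AWS, Signal or this article): a fronted request names one hostname in the TLS SNI field, which the network can see, and a different one in the encrypted HTTP Host header. The tenant table, hostnames and account names below are constructed for illustration.

```python
# Constructed tenant table: which CDN account owns each hostname.
OWNERS = {
    "shop.example": "acct-retail",
    "www.shop.example": "acct-retail",
    "chat.example": "acct-messenger",
}

def normalize(name: str) -> str:
    """Lower-case a hostname and drop any :port and trailing dot."""
    name = name.strip().lower()
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        name = host
    return name.rstrip(".")

def classify(sni: str, host: str) -> str:
    """Compare the visible SNI with the Host header seen after TLS termination."""
    s, h = normalize(sni), normalize(host)
    if not s:
        return "no-sni"        # nothing to compare against
    if s == h:
        return "match"         # ordinary request
    owner_s, owner_h = OWNERS.get(s), OWNERS.get(h)
    if owner_s is not None and owner_s == owner_h:
        return "same-owner"    # e.g. connection reuse across one tenant's names
    return "fronted"           # SNI borrows a domain the Host's owner does not hold

def flagged(requests):
    """Return the (sni, host) pairs that would be rejected or alerted on."""
    return [(s, h) for s, h in requests if classify(s, h) == "fronted"]

# Constructed sample of (SNI, Host header) pairs.
SAMPLE = [
    ("shop.example", "Shop.Example.:443"),
    ("www.shop.example", "shop.example"),
    ("shop.example", "chat.example"),
    ("shop.example", "unknown.example"),
]

if __name__ == "__main__":
    for sni, host in SAMPLE:
        print(f"{sni:20} {host:22} {classify(sni, host)}")
```

The same-owner case matters in practice: flagging every SNI/Host mismatch would also catch legitimate connection reuse between hostnames that belong to one customer.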

Proof, if it were needed, is the rather ineffectual way that Russia has blocked Telegram, only to end up screwing up a number of other major providers in the process.

Amazon announced its own ban last Friday, after which Moxie Marlinspike, owner of Open Whisper Systems, which makes Signal, posted the correspondence.

In it, Signal is warned: "You do not have permission from Amazon to use Souq.com for any purpose. Any use of Souq.com or any other domain to masquerade as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms (Amazon CloudFront, Sec. 2.1: 'You must own or have all necessary rights to use any domain name or SSL certificate that you use in conjunction with Amazon CloudFront').

"It is also a violation of our Acceptable Use Policy by falsifying the origin of traffic and the unauthorized use of a domain."

It goes on to say that Signal is welcome on AWS, but not if it continues with the practice.

Marlinspike mourns that, in his eyes, the censors in countries that banned his service have "won". "Sadly," he broods, "they didn't have to do anything but wait".

Signal is already looking into alternative options to beat the censors.