It was first spotted by Tor developers on April 13th, in ticket #25804 (new defect): "Domain fronting to App Engine stopped working".
A recent change in Google’s network architecture means the trick no longer works. The change has been rolling out across Google services and threatens to disrupt services for a number of anti-censorship tools, including Signal, GreatFire.org and Psiphon’s VPN services.
App developers won’t be able to use Google to get around internet censorship anymore. The Google App Engine is discontinuing a practice called domain-fronting, which let services use Google’s network to get around state-level internet blocks.
Google said the changes were the result of a long-planned network update. “Domain fronting has never been a supported feature at Google,” a company representative said, “but until recently it worked because of a quirk of our software stack. We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”
Domain-fronting allowed developers to use Google as a proxy, forwarding traffic to their own servers through a Google.com domain. That was particularly important for evading state-level censorship, which might try to block all the traffic sent to a given service. As long as the service was using domain-fronting, all the in-country data requests would appear as if they were headed for Google.com, with encryption preventing censors from digging any deeper.
While never an explicit feature of Google’s App Engine, domain-fronting had been widely publicized since it was publicly adopted by Signal in 2016. The technique was also used by state hackers: According to a recent FireEye report, the Kremlin-linked APT29 used domain-fronting to smuggle information out of targets for as long as two years.
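In a fronted request, the name visible on the wire (the TLS SNI) is the front domain, while the real destination travels in the encrypted HTTP Host header, so a defender who terminates TLS at an inspecting proxy can compare the two. The sketch below is an added example, not code from the article or from any product; the log format, field names and hostnames are constructed assumptions.

```python
import json

# Constructed sample records, as a TLS-inspecting proxy might log them
# (field names are assumptions, not any product's schema).
SAMPLE_LOG = """\
{"ts":"2018-04-13T10:00:01Z","src":"10.0.0.5","sni":"www.google.com","host":"www.google.com"}
{"ts":"2018-04-13T10:00:02Z","src":"10.0.0.7","sni":"www.google.com","host":"example-app.appspot.com"}
{"ts":"2018-04-13T10:00:03Z","src":"10.0.0.5","sni":"WWW.Google.com.","host":"www.google.com:443"}
{"ts":"2018-04-13T10:00:04Z","src":"10.0.0.9","sni":"mail.google.com","host":"www.google.com"}
{"ts":"2018-04-13T10:00:05Z","src":"10.0.0.9","sni":"","host":"www.google.com"}
"""


def normalize(name):
    """Lowercase, drop any :port suffix and a trailing dot."""
    name = (name or "").strip().lower()
    if name.count(":") == 1:          # host:port (IPv6 literals are left alone)
        name = name.split(":", 1)[0]
    return name.rstrip(".")


def site(name):
    """Naive 'same site' key: the last two labels.
    Simplification: real deployments need the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def find_mismatches(log_text):
    """Return (src, sni, host) for records whose inner Host is on a
    different site than the outer SNI."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sni, host = normalize(rec.get("sni")), normalize(rec.get("host"))
        if not sni or not host:       # no SNI sent: nothing to compare
            continue
        if site(sni) != site(host):
            hits.append((rec["src"], sni, host))
    return hits


if __name__ == "__main__":
    for src, sni, host in find_mismatches(SAMPLE_LOG):
        print(f"{src}: SNI={sni} but Host={host}")
```

A mismatch is a lead for triage rather than proof, since shared hosting and CDNs can legitimately serve several sites behind one certificate.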