Google updates App Engine to discontinue support for domain-fronting
Google's App Engine no longer supports a practice called "domain-fronting" that allowed app developers to evade internet censorship. It was particularly helpful in letting apps and other services get around state-level internet blocks. This change in Google's network architecture can be problematic for several anti-censorship platforms like Signal, GreatFire.org and Psiphon's VPN services. The update is rolling out across all Google services.
What is domain-fronting?
Domain-fronting can be understood as the ability to use Google as a proxy. It allowed apps and websites to forward traffic to their servers through a Google.com domain. So it would appear to the censors that all the encrypted data is headed for Google.com. Domain-fronting also allowed location spoofing, which is used by VPNs and any other service wanting to get across geo-restricted content.
Domain-fronting allowed Signal to become indistinguishable from uncensored traffic
Domain-fronting majorly came into view in 2016 when secure chat app Signal publicly adopted it. It allowed users to send encrypted messages without being traced. To censors, they looked like a normal HTTPS request to Google.com.
Domain-fronting was unofficial, won't become official in future either: Google
Technically, App Engine never officially supported domain-fronting. Google has now just modified the very framework that the feature was a by-product of, due to which all traces of unintended backend support have also been removed. "Until recently it worked because of a quirk of our software stack. As part of a planned software update, domain-fronting no longer works," a company representative said.
Edward Snowden is not happy
And, Digital rights activists urge Google to reconsider
"Allowing domain fronting has meant that potentially millions of people have been able to experience a freer internet and enjoy their human rights. We urge Google to remember its commitment to human rights and internet freedom and allow domain fronting to continue."
