e-Why, What & How · 2021-05-31

“Domain Fronting” hides true domain of a Site


Domain fronting is a technique for cloaking traffic to a Site so that it appears to be going to a different domain. To make the connection work, the user relies on a hosting provider or CDN whose certificate covers multiple target domains: the front domain is what appears in the plaintext parts of the connection, while the target domain’s real HTTP address (the Host header) travels only inside the encrypted layer of HTTPS. A network observer therefore sees the front domain rather than the true destination of the browser’s traffic.

What Is Domain Fronting Used For?

Legitimate use case for users: A user can employ Domain Fronting in much the same way as they’d use a VPN to keep their Web traffic private. The traffic’s destination is far harder to detect with Domain Fronting than with a VPN, because with a VPN the initial connection reveals to the network the name & type of VPN the user is running.

This type of connection is also useful for Internet users in “restrictive” countries who want to visit Websites their governments forbid. They can reach the Site using Domain Fronting because the address they enter, shrouded under HTTPS, looks to the blocking mechanism like a “legitimate” site – such as an innocuous government-supported or allowed news Website.

Apps & services: Apps such as Telegram & Signal have both used Domain Fronting to protect their users’ privacy & allow connections from countries that limit their services.

On the other hand, Domain Fronting is a favourite tool of hackers. It has been used by nefarious elements to hide their true domain when targeting victims. Criminals were using both Google’s & Amazon’s services to engage in illegal activities until both stopped allowing the technique in 2018. Microsoft’s Azure allowed Domain Fronting until March 26, 2021, when it banned the technique as well.

In 2017 the Russian nation-state attackers APT29 used the meek pluggable transport for Tor (The Onion Router) to wrap a network tunnel so that it looked as if it connected to Google services over TLS (Transport Layer Security), the updated, more secure successor to SSL, thereby gaining access to a host’s system & the privileged command shell on Windows without authenticating.

Domain Fronting uses well-known addresses to cover for restricted services, gain access to data & hijack systems or users. Despite the technique being banned by all major services such as Google, hackers still find ways to circumvent security & exploit it. The latest technique, very similar to Domain Fronting, is now called Domain Hiding. It keeps Internet censors & firewalls blind to the true destination of a network connection in more sophisticated ways, using TLS itself to obfuscate the domain. A tool developed by Erik Hunstad called Noctilucent makes it possible to show one set of values in the HTTPS connection’s plaintext fields while the connection’s encrypted fields carry different information, so that a network observer sees something other than what the server sees.
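A defender-side check for the mechanism described in the opening paragraph and above, added here as an example and not taken from the article: a TLS-inspecting proxy that logs both the plaintext SNI and the decrypted HTTP Host header can flag requests where the two name different registrable domains. The key=value log format, the field names and every hostname below are constructed for this example.

```python
"""Flag TLS SNI / HTTP Host header mismatches in constructed proxy logs.

Domain fronting leaves a visible trace wherever both fields can be seen:
the plaintext SNI names the "front" domain, while the Host header inside
the encrypted session names the real destination.
"""
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not from any real deployment). '-' marks an
# absent SNI, as a client using encrypted SNI (Domain Hiding) would produce.
SAMPLE_LOG = """\
ts=2021-05-31T10:00:01Z src=10.0.0.5 sni=www.example-cdn.net host=www.example-cdn.net status=200
ts=2021-05-31T10:00:02Z src=10.0.0.5 sni=www.example-cdn.net host=hidden.example.org status=200
ts=2021-05-31T10:00:03Z src=10.0.0.7 sni=static.example.com host=cdn.example.com:443 status=200
ts=2021-05-31T10:00:04Z src=10.0.0.9 sni=- host=other.example.net status=200
ts=2021-05-31T10:00:05Z src=10.0.0.9 sni=news.example.co.uk host=blocked.example.org status=200
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def normalize(name: str) -> Optional[str]:
    """Lower-case a host name and drop any :port; '-' or empty means absent."""
    if not name or name == "-":
        return None
    return name.lower().split(":", 1)[0]


def registrable(name: str) -> str:
    """Crude registrable-domain heuristic: the last two labels. A real
    deployment should consult the Public Suffix List instead (assumption)."""
    return ".".join(name.split(".")[-2:])


def find_fronting_candidates(log_text: str) -> List[Dict[str, str]]:
    """Return records whose SNI and Host header point at different
    registrable domains. Records without an SNI are skipped here; an
    SNI-less (encrypted SNI) client needs its own detection rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        sni, host = normalize(rec.get("sni", "")), normalize(rec.get("host", ""))
        if sni is None or host is None:
            continue
        if registrable(sni) != registrable(host):
            rec["reason"] = f"sni={sni} host={host}"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_fronting_candidates(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["reason"])
```

The subdomain pair on the third line is deliberately not flagged, since a CDN legitimately serves many hostnames under one registrable domain; the rule only fires when the two fields belong to different domains.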
