Amazon has announced new rules for protecting Amazon CloudFront service domains: using Amazon's network for domain fronting, a technique that routes traffic to one's own servers behind a masking domain, is now prohibited. Fronting is also used to bypass blocking.
Amazon explained the new rules as a measure against fraudsters. "Malicious programs can use unrelated domains to bypass blocks that are set at the TLS/SSL level (protocols providing secure data transmission)," the company said in a statement.
A client can connect to a server that supports TLS/SSL under one name and then make an HTTPS request under a completely different name. "For example, a TLS connection can be made to www.example.com, and then a request issued for www.example.org," Amazon explained.
"No client would want to find out that someone else is masquerading behind their domain," the company added. Amazon will now allow fronting only for users who own addresses covered by a single security certificate.
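The mechanism described above (TLS name versus HTTPS request name) and Amazon's stated rule that the second name must be covered by the same certificate, as an added example that is not Amazon's code or part of the article: a small Python check that classifies a request and scans constructed CDN-style log lines for unrelated-domain fronting. The log format, the field names and the certificate's SAN list are assumptions.

```python
from typing import List, Tuple

# Constructed subject alternative names of the certificate that CloudFront
# would present for the TLS name (assumption, not a real certificate).
CERT_SANS = ["www.example.com", "*.example.com"]

# Constructed log lines: the TLS server name (sni=) and the HTTP Host header.
SAMPLE_LOG = [
    "2018-04-27T10:00:01Z sni=www.example.com host=www.example.com",
    "2018-04-27T10:00:02Z sni=www.example.com host=api.example.com",
    "2018-04-27T10:00:03Z sni=www.example.com host=www.example.org",
    "2018-04-27T10:00:04Z sni=cdn.example.com host=www.example.com:443",
]


def cert_covers(host: str, san_names: List[str]) -> bool:
    """True if `host` is covered by one of the certificate's SAN entries.
    A wildcard matches exactly one leftmost label (RFC 6125 style)."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == name:
            return True
    return False


def check_request(sni: str, host_header: str, san_names: List[str]) -> str:
    """Classify one TLS-terminated HTTP request.
    "ok"        - Host equals the TLS name.
    "same-cert" - Host differs but both names are on the same certificate
                  (the only mismatch the new policy still permits).
    "fronting"  - Host is an unrelated domain (now rejected)."""
    host = host_header.split(":")[0].lower()
    if host == sni.lower():
        return "ok"
    if cert_covers(sni, san_names) and cert_covers(host, san_names):
        return "same-cert"
    return "fronting"


def scan_log(lines: List[str], san_names: List[str]) -> List[Tuple[str, str]]:
    """Return (sni, host) pairs from the log that would be blocked."""
    findings = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if check_request(fields["sni"], fields["host"], san_names) == "fronting":
            findings.append((fields["sni"], fields["host"].split(":")[0]))
    return findings
```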
On April 19, Google banned domain fronting on its networks, saying this option had never been part of the supported functionality. "Until recently, they [fronted domains] worked because of a quirk of our software. We are constantly developing our network, and as part of a planned software upgrade, domain fronting no longer works," the company said.
The Verge writes that this technique was used to bypass government blocking. Telegram did not use fronted domains to bypass blocking in Russia, experts interviewed by RBC said earlier.
Telegram has been blocked in Russia since April 16. To get around the block, Telegram constantly changes IP addresses within Amazon Web Services and Google Cloud, which forces Roskomnadzor to block them in whole pools. As a result, millions of IP addresses have been blocked, disrupting sites unrelated to Telegram.
Mikhail Tokovinin, founder of the amoCRM web application, believes the change in Amazon's policy will not affect the messenger's operation. "It all depends on how they [Amazon] follow through on enforcing the new policy. If they enforce it strictly, Telegram will use other providers and keep working," the expert said.
"Amazon has many different cloud services. In this case we are talking about updating the policy of one of them. CloudFront is a service for delivering large volumes of heavy content, such as video or software updates, to a large number of users (a CDN)," Alexander Isavnin, an expert with the Internet Protection Society, told RBC. Telegram and private individuals use other Amazon services to set up proxies, he said.
"[Before Amazon's policy was changed] it was possible for a secure connection to one site behind CloudFront to be used to connect to a completely different site without the client being notified. This mechanism could be used to hide the true source of content in certain states where that content is unwanted, but most likely it was actively used by intruders," Isavnin explained. The fact that Amazon has started monitoring this behavior shows that the company is paying "substantial attention to security issues," he concluded.