These are the visual aids I used to deliver a talk on domain fronting on June 30, 2015 at PETS 2015.

For the full paper see: https://www.bamsoftware.com/papers/fronting/.

I extracted the video of my presentation from the full-length conference videos: Day 1, Day 2, Day 3.

Blocking-resistant communication through domain fronting

David Fifield
Chang Lan
Rod Hynes
Percy Wegmann
Vern Paxson

Domain fronting is the use of different domain names at different layers of communication.

The censor sees one domain name (an unblocked front domain), while an intermediate network device sees and obeys another.

$ wget -q -O- https://www.google.com/ | grep -o '<title>.*</title>'
<title>Google</title>

$ wget -q -O- https://www.google.com/ --header 'Host: maps.google.com' | grep -o '<title>.*</title>'
<title>Google Maps</title>

$ wget -q -O- https://www.google.com/ --header 'Host: meek-reflect.appspot.com'
I’m just a happy little web server.

Transports based on this idea are now deployed in the Tor, Lantern, and Psiphon circumvention systems.

What does the censor get to see?

https://example.com/foobar
  scheme: https://
  domain: example.com
  path:   /foobar

When you make an HTTPS request, the domain ends up in three places:

DNS query (censor can see)
TLS SNI (censor can see)
HTTP Host header (censor cannot see)

We put an unblocked front domain in the DNS query and the TLS SNI. In the Host header, we put the real destination domain, hidden from the censor by HTTPS encryption.

$ wget -q -O- https://www.google.com/ --header 'Host: maps.google.com' | grep -o '<title>.*</title>'
<title>Google Maps</title>
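The three layers made concrete, as an added example that is not code from the paper or from meek: it builds a constructed minimal TLS ClientHello so the passive observer's view (the plaintext SNI) can be compared with the Host header that only the CDN edge reads after decryption. The domain names are the ones from the slides; the ClientHello carries one cipher suite and a zero client random for brevity.

```python
import struct
def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with a server_name extension."""
    host = sni.encode("ascii")
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host  # list len, type host_name, name len, name
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list          # extension type 0 = server_name
    body = (
        b"\x03\x03" + b"\x00" * 32                 # client_version 1.2, client random (zeros, constructed)
        + b"\x00"                                  # session id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
        + b"\x01\x00"                              # compression methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body           # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record: handshake

def sni_from_client_hello(record: bytes):
    """The censor's view: read the SNI host name from a plaintext ClientHello, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:              # TLS handshake record, ClientHello
            return None
        hs = record[5:]
        pos = 4 + 2 + 32                                        # handshake header, version, random
        pos += 1 + hs[pos]                                      # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher suites
        pos += 1 + hs[pos]                                      # compression methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                                      # server_name: skip list len(2), name type(1)
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error):
        return None                                             # truncated or malformed record
    return None                                                 # no server_name extension

def fronted_request(front: str, real: str, path: str = "/") -> dict:
    """The three layers: DNS query and SNI name the front; the Host header names the real destination."""
    http = f"GET {path} HTTP/1.1\r\nHost: {real}\r\n\r\n".encode()
    return {"dns_query": front, "client_hello": build_client_hello(front), "http_request": http}

def host_header(http_request: bytes):
    """The CDN edge's view after TLS decryption: the Host header it routes on."""
    for line in http_request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii")
    return None
```

Everything the parser in `sni_from_client_hello` can recover is what a network observer recovers; the real destination only appears in the bytes that `host_header` reads.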

How to circumvent:

  1. Run a proxy on a domain you control.
  2. Use fronting to reach that domain.

The rest is plumbing. You pay a 2–4× performance penalty depending on how you implement the transport layer.

Where does this work?

Content delivery networks, mostly.

Comparison with decoy routing and CloudTransport

All these systems use TLS and some sort of tag that is undetectable by the censor but detectable by some network intermediary.

                  domain fronting    decoy routing     CloudTransport
seen by censor    front domain       decoy web site    cloud storage
tag               Host header        e.g. TLS tag      URL path
intermediary      CDN edge server    ISP router        shared files

Why is this a compelling idea?

Think of the challenges of censorship circumvention like this:

Costs (of meek with Tor)

month        GB       cost
early 2014   185      $21
Oct 2014     1,064    $202
Nov 2014     3,143    $641
Dec 2014     4,222    $808
Jan 2015     6,030    $1,201
Feb 2015     7,097    $1,321
Mar 2015     9,437    $1,584
Apr 2015     11,517   $1,881
May 2015     11,666   $2,043

Includes fees for Google App Engine, Amazon CloudFront, and (estimated) Microsoft Azure.

Users (Tor)

Bandwidth (Lantern)

Users (Psiphon)

Ready-to-run executables:

General information and source code:

fifield@eecs.berkeley.edu