ADVERTISEMENT

Telegram Block Gets Help from Google and Amazon

Telegram Block Gets Help from Google and Amazon

(Bloomberg) -- Google and Amazon have failed the test of whether they’d sacrifice their commercial interests in Russia (and other authoritarian regimes) to some higher principle. As the messenger Telegram tried to use the companies’ cloud services to dodge a Russian ban, the two U.S.-based giants ended so-called domain fronting, the practice on which Telegram was relying.

Telegram, which had 15 million users in Russia (out of about 200 million overall), was banned by a Moscow court last month after Russia’s domestic intelligence, the FSB, demanded its encryption keys, ostensibly so it could get access to suspected terrorists’ messages. Pavel Durov, who founded Telegram with his brother Nikolai, a wizard developer, was adamant that the FSB wouldn’t get its wish. As Roskomnadzor, the Russian internet censorship body, told providers to block access to internet addresses normally used by the messenger, it began jumping between IP addresses owned by Amazon’s and Google’s cloud businesses. As Roskomnadzor moved to block entire subnetworks (blocks of IP addresses) to stop this, hundreds of businesses — including, at one point, Google Search — became temporarily unavailable to Russian internet users. Runet, as the country’s internet segment is known, was suddenly broken — but Telegram kept working without a proxy.

On April 17, Durov used his Telegram channel to thank “Apple, Google, Amazon, Microsoft — for not taking part in political censorship.” Apple and Microsoft got the thanks largely because their operating systems allowed the Telegram apps to transmit ever-changing IP addresses to users. Google and Amazon received theirs for the possibility of domain fronting.

That practice has never been officially approved by the cloud giants. It involves showing an innocuous hostname — like google.com —  to anyone observing the traffic and actually sending that traffic to a different host with the help of what’s known as a “man-in-the middle proxy.” The method is widely known thanks to Signal, Edward Snowden’s favorite messenger, which announced in 2016 that it would implement the technique to bypass censorship in Egypt and the United Arab Emirates. “The idea is that to block the target traffic, the censor would also have to block those entire services,” Matthew Rosenfield, a.k.a Moxie Marlinspike, a Signal co-founder, wrote in the announcement. “With enough large scale services acting as domain fronts, disabling Signal starts to look like disabling the internet.” 

That, however, can only work if Google, Amazon and other cloud providers don’t mind their clients’ sites being disabled as censors go after Telegram (or any other target). They do mind. And killing domain fronting doesn’t even have to look as through the U.S.-based giants are bending to pressure from an authoritarian government hostile to the U.S. The technique is a double-edged sword. The cybersecurity firm FireEye wrote last year, for example, that Advanced Persistent Threat 29, a hacker group often linked to Russian intelligence, has used domain fronting and the encrypted TOR network “to create a hidden, encrypted network tunnel that appeared to connect to Google services” but actually allowed it to mask traffic to and from hacked systems.

I predicted last month that Telegram’s cat and mouse game wouldn’t last forever, not while Google and Amazon have businesses to run. Now Durov is probably not feeling very thankful to them.

The changes came without fanfare. Roughly around the time Roskomnadzor embarked on its Telegram hunt, Google began rolling out technical changes that would disable domain fronting. It called it a “planned software update.” Last week, Amazon Web Services warned Signal that it would cancel its cloud account if it continued using Amazon’s sites to beat censorship — and said it would soon implement “enhanced protections” against domain fronting. 

Signal’s Marlinspike wrote:

With Google Cloud and AWS out of the picture, it seems that domain fronting as a censorship circumvention technique is now largely non-viable in the countries where Signal had enabled this feature. The idea behind domain fronting was that to block a single site, you’d have to block the rest of the internet as well. In the end, the rest of the internet didn’t like that plan.

The timing suggests Telegram may have had more to do with this than Signal, which described its use of domain fronting two years ago, or APT 29, whose exploitation of the technique was discovered a year ago. And indeed, Roskomnadzor’s wholesale attack must have been disconcerting to cloud providers. The censor is still blocking more than 14.6 million IP addresses, and it has signaled a disregard for the side effects of its actions, confining itself to opening a hotline for the owners of accidentally blocked sites. The hotline hasn’t always worked: Roskomnadzor claims it has been under powerful distributed denial of service attacks since it began blocking Telegram. Despite persistent rumors to the contrary, the censor is still determined to continue blocking subnetworks that contain addresses used by Telegram.

The messenger’s fight isn’t over yet. On April 30, some 12,000 people gathered in Moscow to protest against the Telegram ban. And Telegram still works for most Russian users, even those who don’t bypass the blocks with the help of proxies and virtual private networks. Some cloud providers still allow domain fronting, and it’ll be some time before the cat gets the mouse.

Then, VPNs and proxies (which allow users to pretend they’re connecting from a different country) will be the next targets. And even if they’re beaten into submission, Telegram will survive outside its founders’ home country. It has just raised $1.7 billion in the biggest initial coin offering ever — so much that it has canceled a plan to raise more money from the public. The Durovs will be all right in any case.

Engineers looking to beat censorship, however, must find different loopholes now. But they ultimately can’t get around the dominance of a few big companies which can only allow a bit of privateering until it starts affecting their relationships with clients. It’s not personal or political; it’s just business. 

To contact the author of this story: Leonid Bershidsky at lbershidsky@bloomberg.net.

To contact the editor responsible for this story: Therese Raphael at traphael4@bloomberg.net.

©2018 Bloomberg L.P.