Domain fronting is a technique for Internet censorship circumvention that uses different domain names in different communication layers of an HTTPS connection to discreetly connect to a different target domain than is discernible to third parties monitoring the requests and connections.
Due to quirks in security certificates, the redirect systems of the content delivery networks (CDNs) used as 'domain fronts', and the protection provided by HTTPS, censors are typically unable to differentiate circumvention ("domain-fronted") traffic from overt non-fronted traffic for any given domain name. As such they are forced to either allow all traffic to the domain front—including circumvention traffic—or block the domain front entirely, which may result in expensive collateral damage and has been likened to "blocking the rest of the Internet".[note 1]
Domain fronting does not conform to HTTP standards that require the SNI extension and HTTP Host header to contain the same domain.[2] Many large cloud service providers, including Amazon, Microsoft, and Google, actively prohibit domain fronting, which has limited it as a censorship bypass technique. Pressure from censors in Russia and China is thought to have contributed to these prohibitions,[3][4][5] but domain fronting can also be used maliciously.
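The SNI/Host comparison described above can be run over records from a TLS-terminating proxy. The following is an added example, not code from any provider or from the cited sources; the JSON field names `sni` and `host` and the sample records are constructed for illustration.

```python
import json

# Constructed sample records; the field names "sni" and "host" are assumptions.
SAMPLE_LOG = """\
{"id": 1, "sni": "cdn.example.com", "host": "cdn.example.com"}
{"id": 2, "sni": "cdn.example.com", "host": "CDN.Example.com.:443"}
{"id": 3, "sni": "cdn.example.com", "host": "hidden.example.net"}
{"id": 4, "sni": null, "host": "cdn.example.com"}
{"id": 5, "sni": "cdn.example.com", "host": "[2001:db8::1]:443"}
"""


def normalize_host(value):
    """Lower-case a host name and drop any port and trailing dot.
    Returns None for an empty value."""
    if not value:
        return None
    host = value.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        host = host[1:host.find("]")] if "]" in host else host[1:]
    elif host.count(":") == 1:               # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") or None


def classify(sni, host_header):
    """Compare the TLS SNI with the HTTP Host header of one request."""
    sni_n, host_n = normalize_host(sni), normalize_host(host_header)
    if sni_n is None:
        return "no-sni"          # client sent no SNI; nothing to compare
    if host_n is None:
        return "no-host"
    return "match" if sni_n == host_n else "mismatch"


def scan(log_text):
    """Return {record id: verdict} for JSON-lines proxy records."""
    verdicts = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            verdicts[rec["id"]] = classify(rec.get("sni"), rec.get("host"))
    return verdicts


if __name__ == "__main__":
    for rec_id, verdict in scan(SAMPLE_LOG).items():
        print(rec_id, verdict)
```

A `mismatch` verdict is a signal to review rather than proof of fronting: HTTP/2 clients may reuse one connection for several hostnames covered by the same certificate, so the comparison should be scoped to the first request on a connection or paired with a certificate check.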
A newer variant of domain fronting, domain hiding, passes an encrypted request for one resource (say, a website), concealed behind an unencrypted (plaintext) request for another resource whose DNS records are stored in the same cloud. It has much the same effect.[3] Refraction networking is an application of the broader principle.
[1] Marlinspike, Moxie (1 May 2018). "A letter from Amazon". Signal.
[2] Eastlake 3rd, Donald E. (January 2011). "IETF RFC 6066 section 3".
[3] Cimpanu, Catalin (August 8, 2020). "DEF CON: New tool brings back 'domain fronting' as 'domain hiding'". ZDNET.