There are numerous techniques out there that can be used to enhance online data privacy. Domain fronting is one of the most revered among technocrats.
But what is domain fronting? And when it comes to online security, is it better than using a virtual private network (VPN)? This article will answer both questions.
How Domain Fronting Works
Domain fronting is a technique used to evade online censorship. It works by leveraging Platform as a Service (PaaS) configurations on networks offering this type of customization, usually major cloud service providers.
It allows the obfuscation of an internet connection through HyperText Transfer Protocol (HTTP) manipulation and traffic rerouting. These make it appear as if a user is accessing an innocuous website while he is actually logged on a different, most probably forbidden one.
The transfiguration is made possible through the use of the HTTPS protocol instead of a HTTP header. This is because HTTPS protocols are encrypted. The setup usually works on content delivery networks (CDNs).
Take, for example, two domains hosted under the same CDN. One is blocked by the authorities, while the other is not. In domain fronting, the authorized HTTPS domain is placed in the SNI header. The blocked one, on the other hand, is embedded in the HTTP header.
Regimes and institutions looking to prevent this evasive technique typically have a tough time trying to counter it due to the lack of a detectable intermediate network change. Blocking most websites would do the trick, but the collateral damage would be enormous. This makes domain fronting one of the most formidable tools for people looking to circumvent web restrictions.
However, you might encounter one huge drawback. Most companies that initially offered this service, such as Google, Amazon, and Microsoft, shut it down due to blatant abuse of the feature for malicious purposes.
Where Domain Fronting Beats VPNs
Using a VPN to hide online activity is common among privacy-seekers. This is because the services are a dime a dozen and a lot less technical when compared to domain fronting which usually requires a series of complex configurations.
To work, a VPN hides traffic using an encrypted Internet Protocol (IP) proxy connection. This prevents the user’s browsing habits from being viewed by third parties, including his Internet Service Provider (ISP). This is because the internet connection links to a different ISP (the one used by the VPN company).
A user’s ISP can, however, see the handshake between the network and the VPN node. But it can’t deduce much beyond this. Unlike domain fronting, there are more risks associated with VPN use. This is especially true if it’s illegal in the user’s jurisdiction. In some countries, such as China, the user could get a significant fine.
Using a VPN could also lead to more scrutiny. State-level intelligence agencies usually keep tabs on ISPs used by VPN companies. They try to scan for sinister traffic on those networks because they are notoriously used for seditious purposes.
Due to the advancement of analytics technologies, browsing patterns on the user’s end can be correlated to specific users on the VPN ISP side.
VPN networks can also be viewed and decrypted by a malicious VPN company, if the sites visited are using HTTP instead of HTTPS. This includes sensitive information such as passwords and credit card information. So, you should refrain from using free and relatively unknown VPN services.
Domain Fronting Has Changed
With major CDNs disabling their domain fronting features, data privacy groups have sought to find alternative means to bypass firewalls and censorship systems.
The latest solution to come close to classic domain fronting is “domain hiding”. Developed by cybersecurity expert Erik Hunstad, it relies on software dubbed Noctilucent to bypass firewalls. It does this by overlaying misleading HTTPS data over a connection’s plaintext unencrypted fields.
The encrypted section of the connection contains unassociated information that’s authoritative by network servers, and is therefore accepted.