by vmarquet 2982 days ago
Note that domain fronting is not only useful to circumvent Internet censorship, it's also used by malware.

With domain fronting, you can exfiltrate data from a company by making the connection appear to go to a legitimate Google service (ex: drive.google.com), whereas it actually is going to a server hosted on Google cloud services and controlled by an attacker.

3 comments

Gotta take the bad with the good. Some governments act like companies and treat tools like Signal as malware. Another discussion can be had for citizen freedom vs employee freedom, but public network restrictions benefit all kinds of censorship. It's also another discussion worth having on whether one's need to monitor all data in/out of their company is worth giving that power to others who use it for wrong (mitm devices and TLS termination w/ custom device certs notwithstanding).

Google or another more privacy-supporting company could block domain fronting for everyone _except_ Signal, Tor, and similar projects, with some sort of application process. Blocking everyone seems heavy-handed but fronting itself is ultimately a sneaky way around censorship rather than an intended feature.

So the decision on what apps can be domain fronted because they need to get around censorship lies with Google or another big company, what could go wrong here?

I mean the entire trick to domain fronting is that some large company, whose site no country would dare censor, offers up their infrastructure as a front.

Who else do you think should decide who gets to host content through Google's servers?

> whose site no country would dare censor

Google is not accessible to about 1.4 billion people because the single government of China "dares" to censor Google. That's close to 20% of the world's population.

I don't think companies or governments should get to decide this at all. Information wants to/should be free.

I’m pretty sure you can achieve pretty much the same thing by just uploading encrypted exfil’ed data to actual legit Google Drive using OAuth to programmatically access a throwaway account (to avoid possible CAPTCHA requirements for non-programmatic access).