[pyre]

The part you're missing is:

  ... to third parties.

They aren't spoofing the domain, they are just making sure that outside parties to an SSL connection will have a difficult time determining where that SSL connection is going. The two parties creating the SSL connection are not lying to each other, though.

[Someone1234]

But the result may be Amazon getting blocked in those countries, which could cause Amazon financial and logistical harm.

I'm all for Signal helping people bypass state censorship, but they're attempting to bring third parties into the fold and use them as fodder for the cause.

[socket0]

That's the whole point of this, by blocking Amazon, these countries would be taking down a large part of the Internet inside their borders. We're not talking Amazon your one stop shop for dildos and bobble heads, but AWS, which powers a lot of other websites. The countries listed, like Egypt, know that you can get away with torture, but don't touch the people's memes.

[lambda]

Except it wasn't Amazon's domain they were using; it was souq.com, an online shopping site in the Middle East that is owned by Amazon.

[dsl]

But they are. With SNI you are literally lying to the Amazon load balancer, which is one of the two parties of your encrypted communications.

[ballenf]

How is Amazon "one of the two parties" to my Signal message to a friend? An infrastructure provider, a carrier maybe, but a party to?

I'm not against Amazon's decision, but I disagree with anyone framing this as Signal trying to deceive its users. What they're doing isn't too far removed from me using a VPN to deceive Comcast regarding my use of "their" services. That is, if we're going to get loose with our metaphors.

[dsl]

I think you are misunderstanding what is going on here.

The Signal client on your phone is connecting to a load balancer that Amazon owns. In the initial handshake it lies about what website it is trying to contact, claiming to be looking for an Amazon shopping site. Once the connection is fully established it says "just kidding I am actually trying to reach the Signal server hosted in AWS."

They are abusing a bug in Amazon's front end load balancers, having them route traffic in a way that wasn't intended. This is a warning to knock it off, while Amazon works on fixing that bug.

[apendleton]

Are you? It looks like the Amazon load balancers don't actually care what your SNI domain is when routing traffic. They terminate your TLS connection, and then use the domain in your actual HTTP request to route it, which is not Amazon's domain. Amazon's ability to allow these two domains to differ, and to mostly ignore the former, is the crux of this whole trick.

[textmode]

Does this mean that Cloudfront does not actually require (correct) SNI?

Example: Sending HTTP request for signal.org over TLS to Cloudfront IP address with SNI as "allergan.com" returns signal.org web page, not allergan.com web page.

[computerfriend]

Yes, this is the premise of domain fronting.

[bitCromwell]

still lying though and it seems like that’s a foundational problem. it’s reasonable for a machine to refuse connections from a machine that has lied.

[drusepth]

Would you mind explaining why this makes the spoofing any more acceptable?

[tony101]

Because this spoofing only prevents the ISP / government censors from seeing the correct destination. I would argue that the ISP and the government censors have no legitimate right to that information in the first place, especially if they use it for oppression.

[s73v3r_]

But in order to do that, they're dragging an unrelated third (fourth?) party into it, without their consent.