{"id":36516,"date":"2020-08-08T07:00:08","date_gmt":"2020-08-08T07:00:08","guid":{"rendered":"http:\/\/39b431e3-1f2d-4da4-95bf-b4b7f4b66f42"},"modified":"2020-08-08T07:00:08","modified_gmt":"2020-08-08T07:00:08","slug":"def-con-new-tool-brings-back-domain-fronting-as-domain-hiding","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/def-con-new-tool-brings-back-domain-fronting-as-domain-hiding\/","title":{"rendered":"DEF CON: New tool brings back ‘domain fronting’ as ‘domain hiding’"},"content":{"rendered":"
\"noctilucent.jpg\"<\/span>
<\/span> Image: Erik Hunstad <\/span><\/figcaption><\/figure>\n

At the DEF CON 28 security conference this week, a security researcher has released a new tool that can help the makers of sensitive applications evade censorship and bypass firewalls to keep services up inside problematic areas of the globe.<\/p>\n

The new tool, named Noctilucent, was developed by Erik Hunstad, Chief Technical Officer at cyber-security firm SixGen.<\/p>\n

According to Hunstad, Noctilucent comes to fill a role left void by cloud providers like Amazon and Google blocking “domain fronting”<\/a> on their infrastructure.<\/p>\n

Hunstad said he used the new TLS 1.3 protocol to revive domain fronting (sort of) as an anti-censorship technique, but in a new format, the researcher calls “domain hiding.”<\/p>\n

What is domain fronting<\/h3>\n

Domain fronting<\/a> is a technique that has been made popular by mobile app developers in the 2010s and has been used to allow apps to bypass censorship attempts in oppressive countries.<\/p>\n

The domain fronting technique allows clients (apps) to connect to a “front” domain, which then forwards the connection to the aapp maker’s real infrastructure.<\/p>\n

Countries who want to block an app protected by domain fronting only see the front domain, due to a technicality in how HTTPS connections would be negotiated. See the Wikipedia explanation below:<\/p>\n

<\/section>\n

“In a domain-fronted HTTPS request, one domain appears on the “outside” of an HTTPS request in plain text-in the DNS request and SNI extention-which will be what the client wants to pretend they are targeting in the connection establishment and is the one that is visible to censors, while a different domain appears on the “inside”-in the HTTP Host header, invisible to the censor under HTTPS encryption-which would be the actual target of the connection.”<\/em><\/p>\n

If a country blocks the front domain, an app’s operators only have to rotate to a new front domain, while keeping their actual and larger infrastructure in the same place — without having to migrate thousands of servers.<\/p>\n

\"noctilucent-df.png\"<\/span>