These are the visual aids I used to deliver a talk on domain fronting on June 30, 2015 at PETS 2015.

For the full paper see:

I extracted the video of my presentation from the full-length conference videos: Day 1, Day 2, Day 3.

Blocking-resistant communication through domain fronting

David Fifield
Chang Lan
Rod Hynes
Percy Wegmann
Vern Paxson

Domain fronting is the use of different domain names at different layers of communication.

The censor sees one domain name (an unblocked front domain), while an intermediate network device sees and obeys another.

$ wget -q -O- | grep -o '<title>.*</title>'

$ wget -q -O- --header 'Host:' | grep -o '<title>.*</title>'
<title>Google Maps</title>

$ wget -q -O- --header 'Host:'
I’m just a happy little web server.

Transports based on this idea are now deployed in the Tor, Lantern, and Psiphon circumvention systems.

What does the censor get to see?


What does the censor get to see?


When you make an HTTPS request, the domain ends up in three places:

DNS query (censor can see)
TLS SNI (censor can see)
HTTP Host header (censor cannot see)

We put an unblocked front domain in the DNS query and the TLS SNI. In the Host header, we put the real destination domain, hidden from the censor by HTTPS encryption.

$ wget -q -O- --header 'Host:' | grep -o '<title>.*</title>'
<title>Google Maps</title>

How to circumvent:

  1. Run a proxy on a domain you control.
  2. Use fronting to reach that domain.

The rest is plumbing. You pay a 2–4× performance penalty depending on how you implement the transport layer.

Where does this work?

Content delivery networks, mostly.

Comparison with decoy routing and CloudTransport

All these systems use TLS and some sort of tag that is undetectable by the censor but detectable by some network intermediary.

domain fronting decoy routing CloudTransport
front domain decoy web site cloud storage
Host header e.g. TLS tag URL path
CDN edge server ISP router shared files

Why is this a compelling idea?

Think of the challenges of censorship circumvention like this:

Costs (of meek with Tor)

month GB cost
early 2014 185 $21
Oct 2014 1,064 $202
Nov 2014 3,143 $641
Dec 2014 4,222 $808
Jan 2015 6,030 $1,201
Feb 2015 7,097 $1,321
Mar 2015 9,437 $1,584
Apr 2015 11,517 $1,881
May 2015 11,666 $2,043

Includes fees for Google App Engine, Amazon CloudFront, and (estimated) Microsoft Azure.

Users (Tor)

Bandwidth (Lantern)

Users (Psiphon)

Ready-to-run executables:

General information and source code: