[anti-censorship-team] Fastly to block domain fronting in February 2024

Cecylia Bocovich cohosh at torproject.org
Wed Oct 25 02:48:39 UTC 2023

We received the following email from Fastly today. They have also 
included a customer report in .csv format that shows accesses to 
snowflake-broker.torproject.net.global.prod.fastly.net and 
moat.torproject.org.global.prod.fastly.net with a variety of front 
domains including those we currently recommend.


Hello The Tor Project,
Fastly is committed to improving the security of our platform for all 
our users. One area we are working on is in enforcing the association 
between a TLS certificate’s SAN entries and the hostname in the HTTP 
request’s host header.

We will be forbidding domain fronting from happening by restricting it 
on a shared offset you might depend upon. This change will be applied 
during February 27th, 2024 .

Here are a few things to highlight based on our previous conversations 
with customers:

*Why block Domain Fronting now?*
We want to block external malicious actors from utilizing domain 
fronting for our customers.

*Does Domain Fronting cause immediate impact?*
Existing domain fronting requests will be allowed. Any new domain 
fronting requests would be blocked. The exception for the existing 
domain fronting requests would be in place until the cert used for the 
request(s) expires or is replaced.

*What does this mean?*
The earliest cert expiration is shown in the “fastlycertificatedetail” 
column in the domain fronting report.. This means that even if we block 
domain fronting today, you will have until the cert expires before 
impacts to domains will be seen. However, new domain fronting requests 
would be blocked.

*What does the report show?*
The purpose of the report is to provide visibility to you regarding 
external requests that are currently defined as domain fronting. These 
requests may be external requests that have explicit purpose to perform 
domain fronting and some requests may be requests that you currently use 
for the operations of your application.

Excluded from this report are services that are service chained or use 
shielding which will continue to work.

*What is Fastly's ask?*
Review the report and take action accordingly.

Actions may include but not limited to:
- *Do nothing* and allow new requests to be blocked after the 
certificate expires.
- *Change Code* to provide the necessary SNI and hostname in TLS 
requests. This needs to be completed before the certificate expires.
- *Update Fastly TLS settings* to ensure that your service domains have 
a corresponding Fastly TLS domains.

More information about the anti-censorship-team mailing list