Last week, Amazon Web Services (AWS) said it intends to change the way its S3 storage service can be referenced in API and web requests. But by doing so, the cloud giant would have eliminated a means of censorship avoidance.
On Wednesday, AWS chief evangelist Jeff Barr announced a revised plan, acknowledging that too few details were provided in the initial notice but avoiding the touchy subject of censorship. Nonetheless, the revised plan preserves the ability to use S3 to host content in a way that resists site blocking by censors, though only for existing S3 buckets.
AWS S3 supports two ways to reference stored objects: path-style and virtual-hosted style. Accessed using a browser, the path-style form puts the bucket name in the URL path, after the hostname of the S3 endpoint. The virtual-hosted style form puts the bucket name in the hostname itself, as a subdomain of the S3 endpoint.
The original plan was to eliminate path-style references on September 30, 2020, breaking any S3 path-style links in the process and hindering the use of the system as a refuge from censorship.
Blocking virtual-hosted style subdomains is easy to do because the bucket name is the hostname: it appears in DNS lookups and in the TLS Server Name Indication, so a censor can block it and only that bucket (and so only that account) is affected. Evolving web standards like encrypted SNI, TLS 1.3, DNSSEC and DoT/DoH, which hide or protect the hostname on the wire, may help eventually.
Blocking S3-hosted resources using path-style addressing is more difficult because the hostname is the shared S3 endpoint, so censors have to block all AWS S3 content – or all regional S3 content if regional addressing is used. That would cause collateral damage to businesses, a price that’s often (though not always) too high in countries like China. Hence the technique fits under the umbrella term “collateral freedom.”
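To make the difference concrete, here is an added example (not code from the article, from AWS, or from Jeff Barr's post) that parses an S3 object URL, reports which addressing style it uses, converts between the two styles, and shows what a censor matching on hostname (DNS filtering or TLS SNI inspection) would take down along with it. The bucket names, object keys and regions in the sample are constructed for illustration; the endpoint hostname forms are the documented S3 REST endpoints.

```python
"""Classify S3 object URLs by addressing style and show what a hostname-based
censor (DNS filtering or TLS SNI matching) would have to block for each.

Added example for this article; it is not code from AWS or The Register.
Bucket names, keys and regions below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set
from urllib.parse import urlsplit

# Documented S3 REST endpoint hostnames:
#   path-style:           s3.amazonaws.com, s3.<region>.amazonaws.com, s3-<region>.amazonaws.com
#   virtual-hosted style: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com
# The optional bucket group is greedy, so a bucket name that itself contains
# "s3." is still split off correctly.
_ENDPOINT = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+\.)?s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$"
)


@dataclass(frozen=True)
class S3Ref:
    style: str              # "path" or "virtual-hosted"
    bucket: str
    key: str
    region: Optional[str]   # None for the global s3.amazonaws.com endpoint
    host: str               # the hostname a censor sees in DNS and in the TLS SNI


def parse_s3_url(url: str) -> S3Ref:
    """Split an S3 object URL into bucket, key and addressing style."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    m = _ENDPOINT.match(host)
    if not m:
        raise ValueError(f"not an S3 REST endpoint hostname: {host!r}")
    region = m.group("region")
    path = parts.path.lstrip("/")
    if m.group("bucket"):
        # Virtual-hosted: the bucket is the leading label(s) of the hostname.
        return S3Ref("virtual-hosted", m.group("bucket").rstrip("."), path, region, host)
    # Path-style: the bucket is the first path segment after the endpoint.
    bucket, _, key = path.partition("/")
    if not bucket:
        raise ValueError("path-style URL must carry the bucket name in the path")
    return S3Ref("path", bucket, key, region, host)


def _endpoint(region: Optional[str]) -> str:
    return f"s3.{region}.amazonaws.com" if region else "s3.amazonaws.com"


def to_path_style(ref: S3Ref) -> str:
    return f"https://{_endpoint(ref.region)}/{ref.bucket}/{ref.key}"


def to_virtual_hosted(ref: S3Ref) -> str:
    # Caveat: over HTTPS this only validates for bucket names without dots,
    # because the AWS certificate is a single-label wildcard (*.s3.amazonaws.com).
    return f"https://{ref.bucket}.{_endpoint(ref.region)}/{ref.key}"


def blocking_scope(ref: S3Ref) -> str:
    """What a hostname-matching censor takes down along with this one object."""
    if ref.style == "virtual-hosted":
        return f"only bucket {ref.bucket!r}"
    where = f"region {ref.region}" if ref.region else "the global endpoint"
    return f"every bucket served through {ref.host} ({where})"


def hosts_to_block(urls: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each hostname a censor would block to the buckets that share it.

    A hostname shared by several buckets is the collateral-freedom case: the
    censor cannot remove one without removing the rest.
    """
    shared: Dict[str, Set[str]] = {}
    for url in urls:
        ref = parse_s3_url(url)
        shared.setdefault(ref.host, set()).add(ref.bucket)
    return shared


# Constructed sample: one "sensitive" mirror and one unrelated business bucket,
# each referenced both ways.
SAMPLE_URLS = [
    "https://s3.amazonaws.com/freedom-press-mirror/index.html",
    "https://s3.amazonaws.com/acme-corp-invoices/2019/q1.pdf",
    "https://freedom-press-mirror.s3.amazonaws.com/index.html",
    "https://acme-corp-invoices.s3.eu-west-1.amazonaws.com/2019/q1.pdf",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        ref = parse_s3_url(url)
        print(f"{ref.style:14} {url}\n    blocking {ref.host} affects {blocking_scope(ref)}")
    for host, buckets in hosts_to_block(SAMPLE_URLS).items():
        print(f"block {host}: takes down {sorted(buckets)}")
```

Run as a script, the two path-style URLs collapse onto the single hostname s3.amazonaws.com, so the censor's only option is to block the mirror and the unrelated business together; each virtual-hosted URL gets its own hostname and can be blocked on its own. The conversion helpers also surface the practical catch with virtual-hosted addressing: a bucket name containing dots cannot be served over HTTPS under the wildcard certificate, which is one reason such buckets tend to be referenced path-style.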
AWS S3 is not the only service used because it’s too big to block. GitHub, which became part of Microsoft last year, has long played a similar role.
Once word spread about Amazon’s plan, denunciation followed. “This will help Russia, China and other countries censoring the internet,” said Samat Galimov, the Riga, Latvia-based CTO of video game database RAWG, via Twitter.
“Path-style access is used to circumvent censorship. I can put my entire website under [the S3 subdomain] and the only way to block it in Russia or China will be to block the entirety of Amazon. This technique is called collateral freedom and is actively used right now. Please keep it working!”
Via instant message, Galimov said, “I am quite sure they are aware of anti-censorship usage of S3. Signal used AWS infrastructure to circumvent censorship and Amazon explicitly prohibited that.”
Galimov is referring to a practice known as domain fronting, which both Amazon and Google have done away with, ostensibly because it violated policies and took advantage of unintended technical loopholes.
The Register asked Amazon whether it’s aware of the anti-censorship uses of path-style access and whether it would like to comment. We’ve not received a reply.
Barr, in his blog post, makes no mention of S3’s censorship-defeating capabilities, but does say support for the path-style model will continue for buckets created on or before September 30, 2020. S3 buckets created after that, however, will be required to use the virtual-hosted style, which is more susceptible to being blocked.
“I am quite sure there are zero people who have experienced government internet censorship themselves who are making these decisions,” said Galimov.
“Not even in the inner circle of people who make decisions, not even people who advise their inner circle. These decision makers are as isolated from their ‘constituency’ as medieval kings were. At the same time I get that their real constituents are shareholders and we are just ‘users.’ It’s just so sad.” ®