The Lost Feed

Domain Fronting Blocked on Azure: What You Need to Know

Azure is blocking domain fronting. Learn what this means for your applications and how to prepare before the November 8, 2023 deadline.

Jun 27, 2026
Tell HN: Domain fronting to be blocked on Azure

Have you heard about a big change happening with how some internet services work? It turns out that a common trick used to hide the true destination of web traffic is about to be shut down on a major platform. This could affect many websites and online tools you might use.

This isn't a story about a funny meme or a weird internet challenge. It's about a technical change that could have real consequences for how some parts of the internet operate. Let's break down what's happening and why it matters.

What is Domain Fronting?

Imagine you want to send a letter, but you don't want the post office to know who it's really from or where it's going. So, you put a fake return address and a fake destination address on the outside, but inside the envelope, you include the real instructions for delivery.

Domain fronting is a bit like that for internet traffic. It's a technique that allows someone to make it look like their web request is going to one website (like a big, trusted one) when it's actually going somewhere else entirely. This was often used to get around internet blocks or to hide the source of certain types of communication.

Think of it as using a well-known highway entrance to get onto a hidden back road. The traffic appears to be heading to a popular landmark, but it's secretly diverting to a different, less obvious location.

Why is This Technique Being Stopped?

While domain fronting might sound clever, it has been used for less than ideal reasons. Security experts and platform providers have increasingly seen it as a way to mask malicious activities. This includes things like spreading misinformation or even carrying out cyberattacks.

Because the technique makes it hard to see where traffic is truly going, it's a gift to those who want to operate secretly. Major online services want to ensure their platforms aren't used to hide harmful actions. Therefore, they are taking steps to stop this practice.

Microsoft's Announcement and Deadlines

Microsoft, which runs the Azure cloud computing service, recently sent out important notifications to its users. They announced that they are blocking domain fronting on their Azure Front Door and Azure CDN (Content Delivery Network) services.

This isn't a sudden decision. Microsoft had already changed how new services worked starting in April. But now, they are setting firm deadlines for existing services.

"Beginning 8 November 2023, all existing Azure Front Door, Azure Front Door (classic) and Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior."

This means that if you are using these specific Azure services and your application has been using domain fronting, it will stop working as expected after November 8, 2023. This is a hard deadline that requires attention.

What Does This Mean for Users?

For most everyday internet users, this change might not be noticeable at all. You'll continue to browse the web as usual. The main impact will be on developers and companies who use Azure's services and have built applications that rely on domain fronting.

If your company or the services you use have been employing this technique, they need to make changes. Otherwise, their applications could break. This means websites could become unavailable, or certain online tools might stop functioning.

Actions to Take Before the Deadline

Microsoft has given clear instructions for those affected. The most important step is to check if your application is using domain fronting. If it is, you need to adjust your application's behavior.

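The key issue often lies in how the application handles security information during communication. Specifically, it relates to something called the TLS SNI (Server Name Indication) extension. This is a field the client sends during the TLS handshake so the server knows which website the client is trying to connect to. Domain fronting puts one hostname in the SNI and a different one in the HTTP Host header, which is sent afterwards inside the encrypted connection.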

If your application uses a different TLS SNI value than the actual website address (the Host header), you need to fix this. The recommendation is to make sure these two match.

How to Fix Your Application

Here are the general steps involved:

  • Identify Usage: The first step is to figure out if your application is actually using domain fronting. This might require checking your network logs or consulting with your development team.
  • Check TLS SNI: Look at how your application negotiates secure connections (TLS). Pay close attention to the Server Name Indication (SNI) value sent during this process.
  • Align Host Header: Ensure that the SNI value matches the Host header in the HTTP request. If they are different, your application is likely using domain fronting.
  • Modify Application: You will need to change your application's code or configuration so that the SNI value correctly reflects the intended destination.
  • Test Thoroughly: After making changes, test your application extensively to make sure it works as expected and that the domain fronting technique is no longer being used.
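As an added example (not Microsoft's tooling and not part of the original post), the SNI-versus-Host check from the steps above can be run over logs that record both values. The JSON field names "sni" and "host", the sample records, and the rule of exact match after normalization are assumptions made for this sketch.

```python
import json

# Constructed sample records (not real traffic). The field names "sni" and
# "host" are assumptions; map them to whatever your proxy or TLS logs emit.
SAMPLE_LOG = """\
{"id": 1, "sni": "app.example.com", "host": "app.example.com"}
{"id": 2, "sni": "APP.example.com.", "host": "app.example.com:443"}
{"id": 3, "sni": "cdn.example.net", "host": "api.example.org"}
{"id": 4, "sni": null, "host": "app.example.com"}
{"id": 5, "sni": "app.example.com", "host": "[2001:db8::1]:8443"}
"""

def normalize_name(value):
    """Lower-case a hostname and drop a trailing dot; None if empty."""
    if not value:
        return None
    return value.strip().lower().rstrip(".") or None

def host_header_name(value):
    """Return the hostname part of a Host header, without any port."""
    if not value:
        return None
    value = value.strip()
    if value.startswith("["):            # IPv6 literal: [addr]:port
        return normalize_name(value[1:value.find("]")])
    name, _, port = value.rpartition(":")
    if name and port.isdigit():          # host:port
        return normalize_name(name)
    return normalize_name(value)

def classify(record):
    """Label one record 'match', 'mismatch', or 'no-sni' (review by hand)."""
    sni = normalize_name(record.get("sni"))
    host = host_header_name(record.get("host"))
    if sni is None:
        return "no-sni"
    return "match" if sni == host else "mismatch"

def audit(log_text):
    """Return {record id: label} for every JSON line in log_text."""
    results = {}
    for line in log_text.splitlines():
        if line.strip():
            record = json.loads(line)
            results[record["id"]] = classify(record)
    return results

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Records labelled "mismatch" are the ones to trace back to the client code or configuration that sets the SNI and the Host header separately.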

If you are unsure how to do this, Microsoft suggests opening a support request with them. Providing details about your Azure subscription and the specific services you are using will help them guide you.

The Bigger Picture: Internet Security and Transparency

This move by Microsoft is part of a larger trend. Many tech companies are working to make the internet more transparent and secure. Techniques that obscure the true nature of online traffic are increasingly being seen as a risk.

By blocking domain fronting, services like Azure are aiming to:

  • Enhance Security: Make it harder for malicious actors to hide their activities.
  • Improve Network Visibility: Allow for better monitoring and understanding of internet traffic.
  • Prevent Abuse: Stop the platform from being used for harmful purposes.

While some might see this as a restriction, it's generally viewed as a positive step for overall internet safety. It helps ensure that the tools we rely on are not being secretly misused.

What Happens After November 8, 2023?

After the deadline passes, any Azure Front Door or Azure CDN resource that is still attempting to use domain fronting will simply fail to connect. The requests will be blocked by Microsoft's systems.

This could lead to:

  • Application errors.
  • Unresponsive websites or services.
  • Disruptions for users of those services.

Companies that haven't updated their applications will likely face unexpected downtime. This is why the proactive steps recommended by Microsoft are so important.

Conclusion: Adapting to a More Secure Internet

The internet is constantly changing, and with those changes come new security measures. The blocking of domain fronting on Azure is a significant development that highlights the ongoing effort to create a safer online environment.

For businesses and developers using Azure, the message is clear: assess your applications, understand your network traffic, and make the necessary adjustments before the November 8, 2023 deadline. This is about adapting to a more transparent and secure internet, ensuring that the tools we use serve their intended purpose without hidden agendas.

It's a reminder that even behind the scenes, technical decisions are being made to protect us all. Staying informed and prepared is key to navigating these changes smoothly.
