For anyone else wondering what domain fronting is:
> Domain fronting is a technique for Internet censorship circumvention that uses different domain names in different communication layers of an HTTPS connection to discreetly connect to a different target domain than is discernable to third parties monitoring the requests and connections.
https://en.wikipedia.org/wiki/Domain_fronting
Cool, so we are bowing down further to oppressive regimes now.
It's been many years, and I am still angry and disappointed by Cloudflare's decision to block domain fronting and drop Lantern as a customer. Lantern was one of the most effective Great Firewall bypass proxies at the time, and Cloudflare was expanding in China. (I was at Cloudflare at the time, but I don't have private information on the deliberation. I strongly considered quitting over it, maybe I should have, but I was junior back then.)
The CEO even came on HN to try to frame it as an abuse mitigation, accusing Lantern of exploiting Cloudflare and arguing that they were not a customer. That was obviously false because you need to have a Cloudflare zone configured for domain fronting to work. They were a customer as much as the targeted hate websites they strenuously defend.
https://news.ycombinator.com/item?id=9234367
Companies show their color in selecting who they will stand up for.
There was also a prelude to all of this that I think made things stickier and bizarrely personal. Prince and I share a mutual friend who introduced us just a few weeks prior. Prince said he supported what we were doing, but asked that I not talk about it publicly, presumably because of the pending China deal. The problem was that literally moments after our friend had introduced us via email, and before he made that request, I had a call with the WSJ where I talked about precisely this. I did everything I could to walk back the article, but Prince didn't buy it and seemed to go ballistic over it. After the WSJ piece, we pulled back from talking more publicly in general.
Oh, I forgot! We also partly stayed silent because they didn't actually shut down what we were doing at all =). They matched the SNI to the Host header, sure, but they missed a little detail: we weren't using SNI. Hehe. Lantern worked for another six months or so, and then, through a similarly bizarre sequence of events, we essentially tipped them/you off to what was happening. We remained a customer throughout, and we're a customer to this day.
Either way, though, Cloudflare does great work, and everyone has their faults, so I'm generally sympathetic over the whole thing with the one caveat that I am truly unclear how much ultimately did relate to China, most clearly in terms of any public support for these internet freedom techniques.
Oh, and I've wanted you to work on Lantern forever btw. Oooh actually if you're not aware of it, the uTLS Go TLS fork is a hugely impactful project that's in widespread use (I would guess maybe 50 million monthly active users rely on it in censored regions via various projects) but needs updating - https://github.com/refraction-networking/utls
Oh, and if you think we were effective in China then, you should see what we're doing in Russia and especially Iran now!
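The comment above about Cloudflare matching the SNI to the Host header, and the check not covering connections that sent no SNI at all, is the kind of layer-consistency check a CDN or reverse proxy would run on its edge. The Go program below is an added example written for this page; it is not Cloudflare's or Lantern's code, and `CheckFronting`, `FrontingGuard` and the host names `front.example` / `hidden.example` are constructed for illustration. It compares the TLS-layer name (SNI) with the HTTP-layer name (Host) and shows the difference between a lax policy that skips the comparison when no SNI is present and a strict policy that treats a missing SNI as unverifiable.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Verdict is the outcome of comparing the TLS-layer name with the HTTP-layer name.
type Verdict struct {
	Allowed bool
	Reason  string
}

// normalizeHost lowercases a name and strips surrounding space, a trailing dot
// and any ":port" suffix so that "Front.Example:443" and "front.example." compare equal.
func normalizeHost(h string) string {
	h = strings.TrimSpace(h)
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// CheckFronting compares the SNI presented in the TLS handshake with the HTTP
// Host header. With requireSNI=false a connection that sent no SNI has nothing
// to compare and is allowed through, which is the gap the thread describes.
// With requireSNI=true a missing SNI is rejected, because the HTTP-layer name
// cannot be checked against the TLS-layer name.
func CheckFronting(sni, host string, requireSNI bool) Verdict {
	sni = normalizeHost(sni)
	host = normalizeHost(host)
	if host == "" {
		return Verdict{false, "missing Host header"}
	}
	if sni == "" {
		if requireSNI {
			return Verdict{false, "no SNI presented; Host cannot be verified"}
		}
		return Verdict{true, "no SNI presented; check skipped"}
	}
	if sni != host {
		return Verdict{false, fmt.Sprintf("SNI %q does not match Host %q", sni, host)}
	}
	return Verdict{true, "SNI matches Host"}
}

// FrontingGuard (hypothetical middleware) applies CheckFronting to every request
// arriving on a TLS listener. r.TLS.ServerName is the SNI the client sent; it is
// empty when the client sent none or when the request came in over plain HTTP.
func FrontingGuard(next http.Handler, requireSNI bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sni := ""
		if r.TLS != nil {
			sni = r.TLS.ServerName
		}
		v := CheckFronting(sni, r.Host, requireSNI)
		if !v.Allowed {
			// Logging v.Reason here is what makes mismatches visible to operators.
			http.Error(w, "forbidden: "+v.Reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed cases: an honest request, a classic front (SNI != Host),
	// and the no-SNI connection the thread mentions.
	cases := []struct{ sni, host string }{
		{"front.example", "front.example"},
		{"front.example", "hidden.example"},
		{"", "hidden.example"},
	}
	for _, c := range cases {
		lax := CheckFronting(c.sni, c.host, false)
		strict := CheckFronting(c.sni, c.host, true)
		fmt.Printf("sni=%-14q host=%-16q lax=%-5v strict=%-5v (%s)\n",
			c.sni, c.host, lax.Allowed, strict.Allowed, strict.Reason)
	}
}
```

The check only compares names; a production edge would additionally bind both names to the zone or certificate actually selected for the connection, and would decide the no-SNI policy explicitly, since a rule that silently skips the comparison when SNI is absent leaves exactly the path described in the comment above.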