<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[BitsInsight]]></title><description><![CDATA[BitsInsight]]></description><link>https://blog.pkdiv.com</link><generator>RSS for Node</generator><lastBuildDate>Tue, 14 Apr 2026 02:18:47 GMT</lastBuildDate><atom:link href="https://blog.pkdiv.com/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[Domain fronting: a missed validation that enabled stealth]]></title><description><![CDATA[Domain Fronting is a technique used to bypass filtering and surveillance by concealing the true destination of a request. It has been used to evade censorship, bypass security controls, and connect to C2 (Command and Control) Servers.
HTTP History
T...]]></description><link>https://blog.pkdiv.com/domain-fronting-a-missed-validation-that-enabled-stealth</link><guid isPermaLink="true">https://blog.pkdiv.com/domain-fronting-a-missed-validation-that-enabled-stealth</guid><category><![CDATA[privacy]]></category><category><![CDATA[networking]]></category><category><![CDATA[http]]></category><category><![CDATA[https]]></category><category><![CDATA[TLS]]></category><category><![CDATA[CDN]]></category><dc:creator><![CDATA[Divyesh P K]]></dc:creator><pubDate>Wed, 19 Nov 2025 10:47:10 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/stock/unsplash/6NflM91LGJo/upload/5f81bfeec990f30c347bcb622ec5c1f9.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>Domain Fronting</strong> is a technique used to bypass filtering and surveillance by concealing the true destination of a request. It has been used to evade censorship, bypass security controls, and connect to C2 (Command and Control) Servers.</p>
<h2 id="heading-http-history"><strong>HTTP History</strong></h2>
<p>The HTTP 1.0 protocol, developed in the early 1990s, used one host per IP. With the explosion of the internet and the exhaustion of IPv4 addresses, HTTP 1.1 was developed. HTTP 1.1 made it possible for IPs to be shared among websites with the introduction of the <em>host</em> header. When a client makes a request to a server for a website, it forms a TCP connection with the server using the IP, and the application layer reads the host header of the HTTP request to respond with the appropriate website.</p>
<p>To make these requests secure, TLS (formerly SSL) is used to encrypt the traffic. TLS also faced issues with hosting multiple HTTPS websites, hence SNI (Server Name Indication) was introduced as an extension to TLS. SNI indicates the domain whose certificate the client wants to form the TLS connection with.</p>
<p>The rollout of these features, combined with the lack of proper validation between protocols operating at different layers of the network stack, made this technique possible.</p>
<h2 id="heading-domain-fronting"><strong>Domain Fronting</strong></h2>
<p>Domain Fronting is a technique that leverages CDNs to mask traffic. The client sends a <em>ClientHello</em> to start negotiating the TLS tunnel. In the <em>ClientHello</em> message, the client specifies the front domain (<a target="_blank" href="http://front.example.com">front.example.com</a>) in the SNI field. So the TLS tunnel is formed with the parameters of the front domain.</p>
<p>To an external entity viewing the connection, be it a company, a government or anyone else, the client would seem to be communicating with the front domain. External entities can view the SNI, and it is the only way for them to determine the destination.</p>
<p>Once the TLS tunnel is established, all HTTP requests are encrypted, including the host header with the actual destination domain. The CDNs route the requests to the destination domain using their internal routing. While routing the requests, the CDN does not validate a match between the domain in the SNI and the host fields. This allows Domain Fronting.</p>
<p><img src="https://miro.medium.com/v2/resize:fit:733/1*C8VjYKH6ZEYy19ffqSNm6Q.png" alt class="image--center mx-auto" /></p>
<h2 id="heading-is-it-still-allowed-2025"><strong>Is it still allowed (2025)</strong></h2>
<p>Domain Fronting is now blocked by major platforms. While it helped bypass firewalls, mask destinations and overcome censorship, malicious actors also abused these quirks. It was used to connect to command-and-control servers, to distribute malware or for espionage.</p>
<p>In 2018, Russia blocked the IPs of all major CDNs to stop Domain Fronting, which caused issues for other companies and services using the CDNs. Later, Google and AWS disabled Domain Fronting so as not to get completely banned. While no direct regulation banning the technique exists today, most providers voluntarily don’t allow it.</p>
]]></content:encoded></item><item><title><![CDATA[Passkeys - Password less authentication]]></title><description><![CDATA[Password-based authentication has been the most common method of authentication for most services on the internet. While implementing password-based authentication is an uncomplicated process, it presents various challenges. With the users signing up ...]]></description><link>https://blog.pkdiv.com/passkeys-password-less-authentication</link><guid isPermaLink="true">https://blog.pkdiv.com/passkeys-password-less-authentication</guid><category><![CDATA[passwords]]></category><category><![CDATA[passkeys]]></category><dc:creator><![CDATA[Divyesh P K]]></dc:creator><pubDate>Sat, 07 Jun 2025 18:30:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/stock/unsplash/-eiswENkF9c/upload/275443c791fe322882e572a519c4bc24.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Password-based authentication has been the most common method of authentication for most services on the internet. While implementing password-based authentication is an uncomplicated process, it presents various challenges. With users signing up for a significant number of online services, they tend to reuse passwords and choose weaker ones. As for the service provider, a significant amount of effort is required to secure the passwords stored in the database.</p>
<p>Passkeys use asymmetric cryptographic keys for authentication — a public and a private key. When a user registers for a service, the user's device creates a public-private key pair. The private key is stored on the user's device, while the public key is sent to and stored on the server.</p>
<p>Each time the user tries to log in to a service, the user's device digitally signs a challenge from the server. The server then verifies the signature and authenticates the user to the service. Passkeys eliminate the user's burden of remembering passwords for multiple services.</p>
<p>Passkeys offer numerous security advantages.</p>
<ul>
<li><p>Phishing is thwarted since the public-private key pair is associated with a particular service’s real domain. A change in domain, however subtle or unnoticeable, will be ineffective since the platform used to store the keys only associates them with the real domain.</p>
</li>
<li><p>A breach of public keys stored on the servers is worthless since they can neither be used to authenticate nor derive the private key within a feasible period with the existing computational capabilities and mathematical understanding.</p>
</li>
<li><p>Eliminates the developer effort required to develop and maintain complex security measures to safeguard public keys.</p>
</li>
<li><p>The authentication process does not involve the transmission of the private key to the server. The key is only used to sign a challenge response.</p>
</li>
<li><p>Passkeys can be stored on native or third-party services and synced across all devices used by the user.</p>
</li>
</ul>
<p>Given the security enhancements and the ease of use, passkey (password-less) authentication will become the primary method for users to authenticate to a service. Major companies have started implementing passkeys, and smaller organizations are soon following them.</p>
]]></content:encoded></item></channel></rss>