We received the following email from Fastly today. They have also included a customer report in .csv format that shows accesses to snowflake-broker.torproject.net.global.prod.fastly.net and moat.torproject.org.global.prod.fastly.net with a variety of front domains including those we currently recommend.
---
Hello The Tor Project,
Fastly is committed to improving the security of our platform for all our users. One area we are working on is in enforcing the association between a TLS certificate’s SAN entries and the hostname in the HTTP request’s host header.
We will be forbidding domain fronting from happening by restricting it on a shared offset you might depend upon. This change will be applied during February 27th, 2024.
Here are a few things to highlight based on our previous conversations with customers:
*Why block Domain Fronting now?* We want to block external malicious actors from utilizing domain fronting for our customers.
*Does Domain Fronting cause immediate impact?* Existing domain fronting requests will be allowed. Any new domain fronting requests would be blocked. The exception for the existing domain fronting requests would be in place until the cert used for the request(s) expires or is replaced.
*What does this mean?* The earliest cert expiration is shown in the “fastlycertificatedetail” column in the domain fronting report. This means that even if we block domain fronting today, you will have until the cert expires before impacts to domains will be seen. However, new domain fronting requests would be blocked.
*What does the report show?* The purpose of the report is to provide visibility to you regarding external requests that are currently defined as domain fronting. These requests may be external requests that have explicit purpose to perform domain fronting and some requests may be requests that you currently use for the operations of your application.
Excluded from this report are services that are service chained or use shielding which will continue to work.
*What is Fastly's ask?* Review the report and take action accordingly.
Actions may include but are not limited to:
- *Do nothing* and allow new requests to be blocked after the certificate expires.
- *Change Code* to provide the necessary SNI and hostname in TLS requests. This needs to be completed before the certificate expires.
- *Update Fastly TLS settings* to ensure that your service domains have a corresponding Fastly TLS domain.
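To make the check Fastly describes concrete, here is an added example (not Fastly's or the Tor Project's code) that models it: a request passes only when the hostname in the HTTP Host header is covered by a DNS SAN of the certificate selected by the TLS SNI. The Request type, the sample traffic and all hostnames in it are constructed placeholders.

```python
from dataclasses import dataclass

def san_matches(san: str, host: str) -> bool:
    """True when a DNS SAN entry covers host. A wildcard is honoured only as
    the whole leftmost label and matches exactly one label (RFC 6125 style):
    '*.front-example.com' covers 'cdn.front-example.com' but not
    'front-example.com' or 'a.b.front-example.com'."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    return (len(san_labels) == len(host_labels)
            and san_labels[1:] == host_labels[1:])

def host_header_name(header: str) -> str:
    """Strip an optional :port (and IPv6 brackets) from a Host header value."""
    value = header.strip()
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.split(":", 1)[0]

@dataclass
class Request:            # constructed model of one front-end request
    sni: str              # server_name sent in the TLS ClientHello
    host: str             # raw HTTP Host header value
    cert_sans: list       # DNS SANs of the certificate served for sni

def is_fronted(req: Request) -> bool:
    """Domain fronted: the Host header names something the certificate
    chosen for the SNI does not cover, which the new check rejects."""
    name = host_header_name(req.host)
    return not any(san_matches(san, name) for san in req.cert_sans)

# Constructed sample traffic; hostnames are illustrative placeholders.
SAMPLE = [
    Request("cdn.front-example.com", "cdn.front-example.com", ["*.front-example.com"]),
    Request("cdn.front-example.com", "broker.example.org", ["*.front-example.com"]),
    Request("www.example.org", "WWW.EXAMPLE.ORG:443", ["www.example.org", "example.org"]),
    Request("cdn.front-example.com", "a.b.front-example.com", ["*.front-example.com"]),
]

def report(requests=SAMPLE):
    """Host names that would be blocked once the SAN/Host check applies."""
    return [host_header_name(r.host) for r in requests if is_fronted(r)]

if __name__ == "__main__":
    for name in report():
        print("would be blocked:", name)
```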