Interesting. Reading their developer guide [1] pg 293 - CloudFront servers have all the private keys anyway, so it hardly matters—from a security perspective—which key is used to establish the TLS connection to the CloudFront endpoint. The connection between CloudFront and Signal’s own servers would be encrypted with Signal’s key.
I also found this paper on domain fronting to be a very good read - Blocking-resistant communication through domain fronting [2]
Exactly. This works because the point of TLS in this instance is for the Signal client to be sure it's talking to Amazon CloudFront. The certificate for an Amazon service also hosted on CloudFront is certainly good enough to prove this, provided the client knows to expect it, which it does.
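The mechanism the comment above describes, as an added worked example (not code from the thread, from Signal, or from AWS): the TLS layer (SNI and certificate check) sees only the front domain, while the hidden origin is carried solely in the HTTP Host header inside the encrypted session. The front and origin names, the certificate dictionary in the test, and the explicit pinned-front check are all constructed assumptions for illustration; whether a given CDN still routes on a Host header that differs from the SNI name is also an assumption this client makes, not something the thread establishes.

```python
"""Minimal domain-fronting HTTP client.

The censor observes the TCP destination and the TLS SNI (the front); it cannot
see the Host header, which names the real origin. Networking is isolated in
fronted_fetch() so the pure helpers can be exercised offline.
"""
import socket
import ssl

# Constructed example names (assumptions, not taken from the thread or Signal).
FRONT = "front.example.net"    # name sent in SNI and expected on the CDN's cert
ORIGIN = "hidden.example.org"  # name the CDN routes on; appears only in Host:


def build_fronted_request(front: str, origin: str, path: str = "/") -> bytes:
    """Plaintext HTTP/1.1 request sent inside the TLS session.

    `front` is deliberately unused here: the front is only ever visible to the
    TLS layer, while the origin lives in the Host header alone.
    """
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {origin}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def _dns_id_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS-ID against a hostname.

    Exact match, or a single leftmost wildcard label (the usual CDN shape,
    e.g. "*.example.net" covers "front.example.net" but not "a.b.example.net").
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False


def front_cert_is_expected(peercert: dict, front: str) -> bool:
    """The "client knows which certificate to expect" check from the thread.

    `peercert` has the shape returned by ssl.SSLSocket.getpeercert(); the
    certificate must carry the front's name in a DNS subjectAltName. Note that
    it is the *front* that is verified, never the hidden origin.
    """
    sans = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_id_matches(san, front) for san in sans)


def fronted_fetch(front: str, origin: str, path: str = "/",
                  port: int = 443, timeout: float = 10.0) -> bytes:
    """Open TLS to `front`, then request `path` from `origin` via the Host header.

    Requires network access and a CDN that routes on a Host header differing
    from the SNI name (an assumption); the offline test does not call this.
    """
    # The default context already verifies the chain and that the certificate
    # matches server_hostname (the front). The explicit check below is a
    # belt-and-braces restatement of the same expectation, kept for clarity.
    ctx = ssl.create_default_context()
    with socket.create_connection((front, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front) as tls:
            if not front_cert_is_expected(tls.getpeercert(), front):
                raise ssl.SSLCertVerificationError("certificate does not name the front")
            tls.sendall(build_fronted_request(front, origin, path))
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Shows the on-the-wire request without touching the network.
    print(build_fronted_request(FRONT, ORIGIN, "/v1/status").decode("ascii"))
```

The split between the two layers is the whole trick: `wrap_socket(..., server_hostname=FRONT)` puts the front into SNI and checks the certificate against it, and nothing about `ORIGIN` leaves the client unencrypted. If the CDN stops routing on a Host header that does not match the SNI certificate, this client still connects but receives the front's content or an error rather than the origin's, which is the failure mode to watch for.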
[1] - https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...
[2] - https://www.bamsoftware.com/papers/fronting/