The technique involves sending requests to a “front domain” and using the HTTP Host header to trigger a redirect to a different domain. If done over HTTPS, such redirection would be invisible to someone monitoring the traffic, because the HTTP Host header is sent after the HTTPS connection is negotiated and is therefore part of the encrypted traffic.

“In an HTTPS request, the destination domain name appears in three relevant places: in the DNS query, in the TLS Server Name Indication (SNI) extension and in the HTTP Host header,” the researchers said in their paper. “Ordinarily, the same domain name appears in all three places. In a domain-fronted request, however, the DNS query and SNI carry one name (the “front domain”), while the HTTP Host header, hidden from the censor by HTTPS encryption, carries another (the covert, forbidden destination).”

Their research revealed that many cloud service providers and content delivery networks allow HTTP host header redirection, including Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly and Akamai. However, most of them only allow it for domains that belong to their customers, so one must become a customer in order to use this technique. Google, for example, allows redirection through the HTTP host header from to. This domain is used by Google App Engine, a service that allows users to create and host web applications on Google’s cloud platform.

What user information does Psiphon collect?

From time to time Psiphon may have to record additional information in order to resolve a problem with our service. When this occurs, we will add an entry to the Privacy Bulletin describing what was recorded, how long it was kept, and why.