{"id":93241,"date":"2021-03-26T15:00:55","date_gmt":"2021-03-26T22:00:55","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=93241"},"modified":"2023-05-26T15:11:57","modified_gmt":"2023-05-26T22:11:57","slug":"securing-our-approach-to-domain-fronting-within-azure","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/03\/26\/securing-our-approach-to-domain-fronting-within-azure\/","title":{"rendered":"Securing our approach to domain fronting within Azure"},"content":{"rendered":"

Every single day our teams analyze the trillions of signals we see to understand attack vectors, and then take those learnings and apply them to our products and solutions. Having that understanding of the threat landscape is key to ensuring our customers are kept safe every day. However, being a security provider in a complex world sometimes requires deeper thinking and reflection on how to address emerging issues, especially when the answer is not always immediately clear. Our approach to domain fronting within Azure is a great example of how the ever-changing dynamics of our world have prompted us to re-examine an important and complicated issue\u2014and ultimately make a change.<\/p>\n

Let\u2019s start with some background. Domain fronting is a networking technique that lets a backend domain hide behind the identity of a fronting domain, that is, behind the fronting domain\u2019s TLS certificate and the name that is visible on the wire. For example, if you have two domains served by the same content delivery network (CDN), domain #1 may have certain restrictions placed on it (regional access limitations, etc.) that domain #2 does not. By placing the permitted domain #2 in the TLS Server Name Indication (SNI) field of the ClientHello, which travels in cleartext, and then naming domain #1 in the HTTP Host header, which travels inside the encrypted connection, it\u2019s possible to circumvent those restrictions: the network sees a connection to domain #2, while the CDN edge, after terminating TLS, routes the request to domain #1 based on the Host header. To an outside observer, all of the traffic appears to be headed to the fronting domain, with no ability to discern the intended destination of individual requests within it. The fronting domain and the backend domain need not belong to the same owner; the only requirement is that both are served from the same shared edge infrastructure.<\/p>\n
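The following Python example is added here by the editor to make the two-layer mechanism concrete; it is not code from the Microsoft post and does not describe how Azure enforces its policy. It produces a genuine TLS ClientHello offline (through Python\u2019s ssl memory BIOs, no network needed), pulls the SNI back out the way a passive on-path observer would, builds the HTTP request that rides inside the tunnel with a different Host header, and then runs the mismatch check that only a TLS-terminating edge is in a position to perform. All hostnames are placeholders, and the normalization rules (case, port, trailing dot) are the editor\u2019s assumptions about what a real edge would treat as equivalent.

```python
"""Domain fronting: one hostname on the wire, a different one inside the tunnel.

The TLS SNI sits in the cleartext ClientHello, so any on-path observer sees it.
The HTTP Host header sits inside the encrypted connection, so only the party
that terminates TLS (the CDN edge) sees it. Fronting is when the two differ.
Editor's example; hostnames are placeholders, not real fronting endpoints.
"""
import ssl
from typing import Optional


def build_client_hello(sni: str) -> bytes:
    """Produce a real ClientHello for `sni` without opening a socket.

    Driving the handshake through memory BIOs makes the first do_handshake()
    write the ClientHello into `outgoing` and raise SSLWantReadError, because
    no ServerHello has arrived yet. That record is exactly what the network sees.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # there is no server; we only want the ClientHello
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Recover server_name from a TLS ClientHello record (RFC 6066 section 3).

    This is the passive observer's view: firewall, IDS, ISP. Returns None when
    the record is not a ClientHello or carries no SNI extension.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                 # not a handshake record, or not a ClientHello
    p = 5 + 4 + 2 + 32              # record hdr, handshake hdr, client_version, random
    p += 1 + record[p]              # session_id
    p += 2 + int.from_bytes(record[p:p + 2], "big")   # cipher_suites
    p += 1 + record[p]              # compression_methods
    ext_end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    while p + 4 <= ext_end:
        ext_type = int.from_bytes(record[p:p + 2], "big")
        ext_len = int.from_bytes(record[p + 2:p + 4], "big")
        body = record[p + 4:p + 4 + ext_len]
        # server_name extension: list_len(2) name_type(1)=0 name_len(2) name
        if ext_type == 0 and len(body) >= 5 and body[2] == 0:
            name_len = int.from_bytes(body[3:5], "big")
            return body[5:5 + name_len].decode("ascii")
        p += 4 + ext_len
    return None


def fronted_request(backend_host: str, path: str = "/") -> bytes:
    """The HTTP/1.1 request carried inside the tunnel; only the edge reads it."""
    return (f"GET {path} HTTP/1.1\r\nHost: {backend_host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def host_from_request(request: bytes) -> Optional[str]:
    """The edge's view: the Host header it will route on after TLS termination."""
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii")
    return None


def normalize(name: Optional[str]) -> Optional[str]:
    """Canonical form so benign differences (case, :port, trailing dot) do not alert.

    Assumed equivalences; a production edge would apply its own rules.
    """
    if not name:
        return None
    name = name.strip().lower().split(":", 1)[0]
    return name.rstrip(".") or None


def is_fronted(sni: Optional[str], host: Optional[str]) -> bool:
    """True when the name shown to the network differs from the name routed on.

    Only the TLS terminator can evaluate this; a passive observer has SNI alone.
    A missing SNI is not a mismatch (plain TLS without SNI, or ECH), though an
    edge may still want to log it separately.
    """
    s, h = normalize(sni), normalize(host)
    return s is not None and h is not None and s != h


def demo(front: str, backend: str) -> dict:
    """Tie the layers together: what the network sees vs. what the edge routes on."""
    observed = extract_sni(build_client_hello(front))
    routed = host_from_request(fronted_request(backend))
    return {"network_sees": observed, "edge_routes_on": routed,
            "fronted": is_fronted(observed, routed)}


if __name__ == "__main__":
    print(demo("allowed-front.example.com", "restricted-backend.example.org"))
```

Two caveats a practitioner should keep in mind. First, the check is only meaningful where TLS is terminated: a network observer can parse the SNI as above but never sees the Host header, which is the whole point of the technique. Second, an SNI/Host mismatch is a signal, not proof of abuse; the same owner may legitimately serve several hostnames from one edge, so an edge that blocks on mismatch needs an allowlist or an ownership check rather than a blanket rule.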

As a company that is committed to delivering technology for good, we consider support for use cases that enable free and open communication an important factor when weighing the potential impacts of a technique like domain fronting. However, we know that domain fronting is also abused by threat actors engaging in illegal activities, and we\u2019ve become aware that in some cases bad actors configure their Azure services to enable it.<\/p>\n

When it comes to situations like this, Microsoft\u2014as a security company\u2014leads from a place of providing greater simplicity for our customers when they face increased complexity. Our mission is to give our customers peace of mind and help them adapt quickly to a rapidly shifting threat landscape. Therefore, we\u2019re making a change to our policy to ensure that domain fronting will be stopped and prevented within Azure.<\/p>\n

Changes like this one are not made lightly, and we understand that there will be impacts across a number of areas:<\/p>\n