Amazon backtracks on planned S3 changes that would hamper free speech activists

Existing censorship-resistant S3 paths get a stay of execution

Last week, Amazon Web Services (AWS) said it intends to change the way its S3 storage service can be referenced in API and web requests. But by doing so, the cloud giant would have eliminated a means of censorship avoidance.

On Wednesday, AWS chief evangelist Jeff Barr announced a revised plan, acknowledging that too few details were provided in the initial notice but avoiding the touchy subject of censorship. Nonetheless, the change preserves the ability to use S3 to host content in a way that resists site blocking by censors, though only for existing S3 buckets.

AWS S3 supports two ways to reference stored objects: path-style and virtual-hosted style.

Accessed using a browser, the path-style looks like this:<bucket_name>/<object_key_name>

And the virtual-hosted style looks like this:


The plan was to eliminate path-style references on September 30, 2020, breaking any S3 path-style links in the process and hindering the use of the system as a refuge from censorship.

Blocking virtual-hosted style subdomains is easy to do because it only affects that account. Evolving web standards like encrypted SNI, TLS 1.3, DNSSEC and DoT/DoH may help eventually.

Blocking S3-hosted resources utilizing path-style addressing is more difficult because censors have to block all AWS S3 content - or all regional S3 content if regional addressing is used. That would cause collateral damage to businesses, a price that's often (though not always) too much in countries like China. Hence the technique fits under the umbrella term "collateral freedom."

AWS S3 is not the only service used because it's too big to block. GitHub, which became part of Microsoft last year, has long played a similar role.


Once word spread about Amazon's plan, denunciation followed. "This will help Russia, China and other countries censoring the internet," said Samat Galimov, the Riga, Latvia-based CTO of video game database RAWG, via Twitter.

"Path-style access is used to circumvent censorship. I can put my entire website under [the S3 subdomain] and the only way to block it in Russia or China will be to block the entirety of Amazon. This technique is called collateral freedom and is actively used right now. Please keep it working!"

Via instant message, Galimov said, "I am quite sure they are aware of anti-censorship usage of S3. Signal used AWS infrastructure to circumvent censorship and Amazon explicitly prohibited that."

Werner Vogels, CTO of Amazon

Take a deep breath: AWS has just rolled out cheaper instances, glacier-slow storage, and AI container tools


Galimov is referring to a practice known as domain fronting, which both Amazon and Google have done away with, ostensibly because it violated policies and took advantage of unintended technical loopholes.

The Register asked Amazon whether it's aware of the anti-censorship uses of path-style access and whether it would like to comment. We've not received a reply.

Barr in his blog makes no mention of S3's censorship-defeating capabilities, but did say support for the path-style model will continue for buckets created on or before September 30, 2020. S3 buckets created after that, however, will be required to use the virtual-hosted style, which is more susceptible to being blocked.

"I am quite sure there are zero people who have experienced government internet censorship themselves who are making these decisions," said Galimov.

"Not even in the inner circle of people who make decisions, not even people who advise their inner circle. These decision makers are as isolated from their 'constituency' as medieval kings were. At the same time I get that their real constituents are shareholders and we are just 'users.' It’s just so sad." ®

Keep Reading

Tech Resources

How backup modernization changes the ransomware game

If the thrill of backing up your data and wondering if you will ever see it again has worn off, start the new year by getting rid of the lingering pain of legacy backup. Bipul Sinha, CEO of the Cloud Data Management Company, Rubrik, and Miguel Zatarain, Director of Global Infrastructure Technology at PACCAR, Fortune 500 manufacturer of trucks and Rubrik customer, are talking to the Reg’s Tim Phillips about how to eliminate the costly, slow and spotty performance of legacy backup, and how to modernize your implementation in 2021 to make your business more resilient.

The State of Application Security 2020

Forrester analyzed the state of application security in 2020 and found over 75% of external attacks are attributed to web application and software exploits.

Webcast Slide Deck | Three reasons you need a hybrid multicloud

Businesses need their IT teams to operate applications and data in a hybrid environment spanning on-premises private and public clouds. But this poses many challenges, such as managing complex networking, re-architecting applications for the cloud, and managing multiple infrastructure silos. There is a pressing need for a single platform that addresses these challenges - a hybrid multicloud built for the digital innovation era. Just this Regcast to find out: Why hybrid multicloud is the ideal path to accelerate cloud migration.

Top 20 Private Cloud Questions Answered

Download this asset for straight answers to your top private cloud questions.

Biting the hand that feeds IT © 1998–2021