Loss of domain fronting, loss of much Tor capacity

Qubes and Whonix were originally wholly separate. Both achieved the separation of the user’s work environment from the traffic handling environment, which is obviously The Right Way. Whonix chose Tor only, while Qubes chose to further divide the network and firewall functions, without making any default provisions for an anonymizing network.

I find it easy to get Tor running and I have no problem whipping up an OpenVPN connection in a qube. Overall getting VPNs running seems to be a constant headache, if the steady flow of posts about it here are any measure.

Last week I noticed a serious issue brewing for Tor. The domain fronting function has been removed from Amazon, Cloudflare, Google, and Microsoft. Now it seems Fastly will be the next CDN to end this access.

What is “domain fronting”? Tor and other anonymity software will send a DNS request for something innocuous, like mail.google.com, and then it will attempt to start a TLS aka SSL connection to the site. The actual encrypted connection request, which is hidden from a user’s government, instead contains a different destination, like a Tor relay.

Tor hasn’t worked for most of what I do for a very long time, so it’s kinda meh for me, but this is a disaster for those in repressive countries who depend on domain fronting to safely access the internet.

I am posting this because I searched and could find no mention of “fronting” in the forums. Are Qubes users aware of this change? Is there any possible remediation?

You could tunnel Tor through a VPN, but that has many drawbacks, including “what if your government also bans (certain kinds of) VPNs?”…other than that: Starlink? Probably also regulated, though, and there’s a question about where the base stations are.

This is off-topic outside of the All around qubes category. Because @nealr doesn’t (yet) have access to that category, moving the topic is not an option, so I’m closing it.