We describe “domain fronting,” a versatile censorship circumvention technique that hides the remote endpoint of a communication. Domain fronting works at the application layer, using HTTPS, to communicate with a forbidden host while appearing to communicate with some other host, permitted by the censor. The key idea is the use of different domain names at different layers of communication. One domain appears on the “outside” of an HTTPS request—in the DNS request and TLS Server Name Indication—while another domain appears on the “inside”—in the HTTP Host header, invisible to the censor under HTTPS encryption. A censor, unable to distinguish fronted and nonfronted traffic to a domain, must choose between allowing circumvention traffic and blocking the domain entirely, which results in expensive collateral damage. Domain fronting is easy to deploy and use and does not require special cooperation by network intermediaries. We identify a number of hard-to-block web services, such as content delivery networks, that support domain-fronted connections and are useful for censorship circumvention. Domain fronting, in various forms, is now a circumvention workhorse. We describe several months of deployment experience in the Tor, Lantern, and Psiphon circumvention systems, whose domain-fronting transports now connect thousands of users daily and transfer many terabytes per month.
 K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton. Protocol misidentification made easy with format-transforming encryption. In Proceedings of the 20th ACM conference on Computer and Communications Security (CCS), Nov. 2013. https://kpdyer.com/publications/ccs2013-fte.pdf.
 D. Fifield, N. Hardison, J. Ellithorpe, E. Stark, R. Dingledine, P. Porras, and D. Boneh. Evading censorship with browser-based proxies. In Proceedings of the 12th Privacy Enhancing Technologies Symposium (PETS). Springer, July 2012. https://crypto.stanford.edu/flashproxy/flashproxy.pdf.
 J. Geddes, M. Schuchard, and N. Hopper. Cover your ACKs: Pitfalls of covert channel censorship circumvention. In Proceedings of the 20th ACM conference on Computer and Communications Security (CCS), Nov. 2013. http://www-users.cs.umn.edu/~hopper/ccs13-cya.pdf.
 A. Houmansadr, C. Brubaker, and V. Shmatikov. The parrot is dead: Observing unobservable network communications. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, May 2013. http://www.cs.utexas.edu/~amir/papers/parrot.pdf.
 A. Houmansadr, G. T. K. Nguyen, M. Caesar, and N. Borisov. Cirripede: Circumvention infrastructure using router redirection with plausible deniability. In Proceedings of the 18th ACM conference on Computer and Communications Security (CCS), Oct. 2011. http://hatswitch.org/~nikita/papers/cirripede-ccs11.pdf.
 A. Houmansadr, T. Riedl, N. Borisov, and A. Singer. I want my voice to be heard: IP over voice-over-IP for unobservable censorship circumvention. In Proceedings of the 20th Network and Distributed System Security Symposium (NDSS). Internet Society, Feb. 2013. http://www.cs.utexas.edu/~amir/papers/FreeWave.pdf.
 A. Houmansadr, E. L. Wong, and V. Shmatikov. No direction home: The true cost of routing around decoys. In Proceedings of the 21st Network and Distributed Security Symposium (NDSS). Internet Society, Feb. 2014. http://www.cs.utexas.edu/~amir/papers/DecoyCosts.pdf.
 J. Karlin, D. Ellard, A. W. Jackson, C. E. Jones, G. Lauer, D. P. Mankins, and W. T. Strayer. Decoy routing: Toward unblockable internet communication. In Proceedings of the USENIX Workshop on Free and Open Communications on the Internet (FOCI), Aug. 2011. https://www.usenix.org/events/foci11/tech/final_files/Karlin.pdf.
 H. M. Moghaddam, B. Li, M. Derakhshani, and I. Goldberg. SkypeMorph: Protocol obfuscation for Tor bridges. In Proceedings of the 19th ACM conference on Computer and Communications Security (CCS), Oct. 2012. https://cs.uwaterloo.ca/~iang/pubs/skypemorph-ccs.pdf.
 Z. Weinberg, J. Wang, V. Yegneswaran, L. Briesemeister, S. Cheung, F. Wang, and D. Boneh. StegoTorus: A camouflage proxy for the Tor anonymity system. In Proceedings of the 19th ACM conference on Computer and Communications Security (CCS), Oct. 2012. http://www.owlfolio.org/media/2010/05/stegotorus.pdf.
 P. Winter, T. Pulls, and J. Fuss. ScrambleSuit: A polymorphic network protocol to circumvent censorship. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES). ACM, Nov. 2013. http://www.cs.kau.se/philwint/pdf/wpes2013.pdf.
 E. Wustrow, C. M. Swanson, and J. A. Halderman. Tap-Dance: End-to-middle anticensorship without flow blocking. In Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, Aug. 2014. USENIX Association. https://jhalderm.com/pub/papers/tapdance-sec14.pdf.