# Validated CloudFront SSL Domains

You may have heard of Domain Fronting, and some of the work that I’ve previously done. <https://vincentyiu.co.uk/domain-fronting-via-cloudfront-alternate-domains/>

Then <https://www.peew.pw/blog/2018/2/22/how-i-identified-93k-domain-frontable-cloudfront-domains> came along and showed us how to find 93k frontable CloudFront domains. I mentioned to him that not all are validated as they can have invalid certificates.

The benefit of using Domain Fronting is that as far as the victim’s side proxy is concerned, you are making the SSL exchange with the legitimate server you are using as a front. Fantastic.

I’ve kept this private for a long time now, and since someone else has already shown us how to find these domains, I’ve decided to release my list that has been false positive checked with all of the invalid SSL certificate domains removed.

The following script was used to check for SSL issues and that the domain front was infact working:

```
    import ssl, socket, requests, urllib2, sys
    hostname = sys.argv[1]

    bValid = False
    bFrontSSL = False

    try:
     ctx = ssl.create_default_context()
     s = ctx.wrap_socket(socket.socket(), server_hostname=hostname)
     s.connect((hostname, 443))
     cert = s.getpeercert()

    subject = dict(x[0] for x in cert['subject'])
     issued_to = subject['commonName']
     issuer = dict(x[0] for x in cert['issuer'])
     issued_by = issuer['commonName']
     
     bValid = True
    except:
     bValid = False

    #print bValid

    try:
     txheaders = {"User-Agent":"Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0", "Host": "yourinstance.cloudfront.net"}

    url = "https://%s/rare.txt" % sys.argv[1]
     request = urllib2.Request(url, headers=txheaders)
     response = urllib2.urlopen(request).read()
     if "ABC123" in response:
      bFrontSSL = True
     else:
      bFrontSSL = False
    except:
     bFrontSSL = False

    if bFrontSSL:
     print "[!] SSL Front: %s" % sys.argv[1]
```

After hosting rare.txt on my CloudFront instance, using the above script, all I had to do was perform the following parallel command to ensure swift checking:

```
cat fronts.txt | parallel -j 32 "python sslfront.py {} | tee -a output.txt"
```

Soon, output.txt would be filled with legitimate fronts that would have valid certificates that would be used to encrypt our traffic.

[**vysecurity/DomainFrontingLists**](https://github.com/vysecurity/DomainFrontingLists) - A list of Domain Frontable Domains by CDN

There wasn’t much point in keeping this private any longer as the same domains were already out there.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.vincentyiu.com/red-team/domain-fronting/validated-cloudfront-ssl-domains.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.