Expert On China Is Now Blocking All Encrypted HTTPS Traffic That Uses TLS 1.3 And ESNI

It was reported today that China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI. The block was put in place at the end of July and is enforced via China’s Great Firewall.

Expert Comments

August 11, 2020
John ‘Turbo’ Conwell
Principal Data Scientist
DomainTools
When someone enters a domain name in their browser, their system first looks up the domain's IP address using the DNS protocol. The internet's DNS infrastructure finds and returns the domain's IP address, and then that person can browse the domain's website. Before DoH (DNS over HTTPS) this all happened unencrypted, so anyone sitting in the middle of the DNS lookup, like an ISP or China's Great Firewall, could inspect the DNS request and see the domain being looked up. This is one of the techniques China uses to block access to restricted domains. With the recent introduction of DoH (DNS over HTTPS) and ESNI (Encrypted SNI), DNS lookups are now fully encrypted. This means that anyone monitoring DNS traffic wouldn't be able to see what domains are being resolved. This posed a problem for China, prompting them to make a change this week to their Great Firewall to block all TLS 1.3 and ESNI traffic, effectively stopping people in China from using DoH to hide their DNS lookups. Funnily enough, a new tool was released this week at DEF CON 2020 called Noctilucent, which gets around this blocking tactic by adding both unencrypted and encrypted SNI to the DNS request. It would expose some benign domain as plaintext in the SNI extension of the TLS handshake, but the actual domain being requested would be encrypted in the ESNI extension. This way, anyone looking at DNS traffic would think they could see the actual domain being requested and let the request through the firewall. Unfortunately, this win for privacy was very short-lived. On August 10th, 2020 CloudFlare made an update to their system to block all HTTPS requests that contain both SNI and ESNI extensions in DNS requests, effectively killing Noctilucent.
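The comment above describes two places a hostname can sit in a TLS handshake: the plaintext server_name extension and the encrypted ESNI extension. The Python below is an added illustration written for this page; it is not code from the expert, from Noctilucent, from Cloudflare, or from any product mentioned here. It builds minimal TLS ClientHello records (filler values for random, session id and cipher suites), parses the extensions back out, and runs two hypothetical filter policies over them: one that decides from the plaintext SNI alone, and one that refuses any TLS 1.3 hello carrying an ESNI extension. The extension code 0xffce is the value the ESNI drafts assigned to encrypted_server_name; the ESNI payload, the domain names and the blocklist are all constructed for the example, and the decision rules are assumptions, not a description of the Great Firewall's actual logic.

```python
import struct

# Extension types from RFC 8446 and the ESNI drafts (encrypted_server_name = 0xffce)
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002b
EXT_ENCRYPTED_SERVER_NAME = 0xffce
TLS12 = 0x0303
TLS13 = 0x0304

BLOCKLIST = {"blocked.example"}  # constructed blocklist for the example


def sni_ext(hostname):
    """server_name extension carrying one host_name entry (name_type 0)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    return (EXT_SERVER_NAME, struct.pack(">H", len(entry)) + entry)


def supported_versions_ext(versions):
    """supported_versions extension: 1-byte list length, then 2-byte versions."""
    vs = b"".join(struct.pack(">H", v) for v in versions)
    return (EXT_SUPPORTED_VERSIONS, bytes([len(vs)]) + vs)


# Placeholder ESNI payload: a real one is ciphertext, the filter only needs the type code
ESNI_FILLER = (EXT_ENCRYPTED_SERVER_NAME, b"\x00" * 16)


def build_client_hello(extensions):
    """Wrap a minimal ClientHello (filler random/session id/cipher suites) in a TLS record."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"        # legacy_version, random, empty session id
    body += struct.pack(">H", 2) + b"\x13\x01"           # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                  # compression_methods: null
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the offered versions, the plaintext SNI (or None) and the extension types seen."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                # skip handshake type + 3-byte length
    legacy_version = struct.unpack(">H", hs[p:p + 2])[0]; p += 2
    p += 32                                              # random
    p += 1 + hs[p]                                       # session id
    p += 2 + struct.unpack(">H", hs[p:p + 2])[0]         # cipher suites
    p += 1 + hs[p]                                       # compression methods
    info = {"versions": {legacy_version}, "sni": None, "ext_types": set()}
    if p >= len(hs):
        return info                                      # no extensions block at all
    end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]; p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4]); p += 4
        data = hs[p:p + elen]; p += elen
        info["ext_types"].add(etype)
        if etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            info["versions"] = {struct.unpack(">H", data[1 + i:3 + i])[0] for i in range(0, n, 2)}
        elif etype == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            nlen = struct.unpack(">H", data[3:5])[0]
            info["sni"] = data[5:5 + nlen].decode("ascii", "replace")
    return info


def sni_only_policy(record):
    """Hypothetical pre-ESNI filter: decide from the plaintext SNI and nothing else."""
    info = parse_client_hello(record)
    return "block" if info["sni"] in BLOCKLIST else "allow"


def esni_aware_policy(record):
    """Hypothetical filter that refuses what it cannot read: any TLS 1.3 hello carrying ESNI."""
    info = parse_client_hello(record)
    if EXT_ENCRYPTED_SERVER_NAME in info["ext_types"] and TLS13 in info["versions"]:
        return "block"
    return sni_only_policy(record)


# Constructed sample handshakes
PLAIN_TLS12 = build_client_hello([sni_ext("blocked.example")])
PLAIN_TLS13 = build_client_hello([sni_ext("blocked.example"), supported_versions_ext([TLS13])])
ESNI_TLS13 = build_client_hello([supported_versions_ext([TLS13]), ESNI_FILLER])
HYBRID_TLS13 = build_client_hello([sni_ext("benign.example"), supported_versions_ext([TLS13]), ESNI_FILLER])

if __name__ == "__main__":
    for label, rec in [("plain TLS1.2", PLAIN_TLS12), ("plain TLS1.3", PLAIN_TLS13),
                       ("ESNI only", ESNI_TLS13), ("SNI+ESNI", HYBRID_TLS13)]:
        print(f"{label:13} sni-only={sni_only_policy(rec):5} esni-aware={esni_aware_policy(rec)}")
```

The hybrid record is the interesting one: a filter that keys only on the plaintext server_name sees a decoy hostname and lets the connection through, while a filter that keys on the presence of the ESNI extension type blocks it regardless of what the decoy says, which is the general shape of the escalation the comment describes.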
August 11, 2020
Richard Bejtlich
Principal Security Strategist
Corelight
Those who developed TLS 1.3 and ESNI believed that they could enable privacy by encrypting almost every aspect of a connection. The Chinese Communist Party decided that level of encryption was beyond the capabilities of their Great Firewall to inspect, so they are now blocking *all* TLS 1.3 and ESNI connectivity. This is a setback for those in China trying to access the free Internet, and probably not what the designers of TLS 1.3 and ESNI expected. I personally believe that liberal democracies worldwide should be working to undermine the Great Firewall. However, I also believe that cyber freedom fighters should think a step or two beyond their immediate purview when imagining how their protocols will be perceived by the very authoritarian regimes they also seek to undermine.
