Expert On: China Is Now Blocking All Encrypted HTTPS Traffic That Uses TLS 1.3 And ESNI

It was reported today that China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI. The block was put in place at the end of July and is enforced via China’s Great Firewall.

John ‘Turbo’ Conwell, Principal Data Scientist, InfoSec Expert
August 11, 2020 11:25 am

When someone enters a domain name in their browser, their system first looks up the domain’s IP address using the DNS protocol. The internet’s DNS infrastructure finds and returns the domain’s IP address, and then that person can browse the domain’s web site.

Before DoH (DNS over HTTPS) this all happened unencrypted, so anyone sitting in the middle of a DNS lookup, like an ISP or China’s Great Firewall, could inspect the DNS request and see the domain being looked up. This is one of the techniques China uses to block access to restricted domains.

With the recent introduction of DoH (DNS over HTTPS) and ESNI (Encrypted SNI), DNS lookups are now fully encrypted. This means that anyone monitoring DNS traffic wouldn’t be able to see what domains are being resolved. This posed a problem for China, prompting them to make a change this week to their Great Firewall to block all TLS 1.3 and ESNI traffic, effectively stopping people in China from using DoH to hide their DNS lookups.

Funnily enough, a new tool was released this week at DEF CON 2020 called Noctilucent, which gets around this blocking tactic by adding both unencrypted and encrypted SNI to the DNS request. It would expose some benign domain as plaintext in the SNI extension of the TLS handshake, but the actual domain being requested would be encrypted in the ESNI extension.

This way, anyone looking at DNS traffic would think they could see the actual domain being requested and let the request through the firewall. Unfortunately, this win for privacy was very short-lived. On August 10th, 2020 Cloudflare made an update to their system to block all HTTPS requests that contain both SNI and ESNI extensions in DNS requests, effectively killing Noctilucent.

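The comment above turns on what an on-path observer can and cannot read from a TLS handshake. As an added example (not code from either commenter or from Noctilucent), the Python below parses a TLS ClientHello and reports the three facts a passive filter can key on: the plaintext server_name extension, the presence (but not the content) of the draft ESNI extension, and whether TLS 1.3 is offered in supported_versions. The ClientHello bytes are synthetic, built by a helper in the block; the 0xffce code point is the one used by the ESNI drafts.

```python
import struct

# Extension type codes: server_name and supported_versions are IANA-registered;
# 0xffce is the code point the draft-ietf-tls-esni series used for encrypted SNI.
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS, EXT_ENCRYPTED_SNI = 0x0000, 0x002b, 0xffce
TLS13 = 0x0304

def parse_client_hello(record: bytes) -> dict:
    """What a passive observer can read from a ClientHello: plaintext SNI (if any),
    whether an ESNI extension is present, and whether TLS 1.3 is offered."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    result = {"sni": None, "esni": False, "tls13": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:                      # list_len(2) type(1) name_len(2) name
            name_len = int.from_bytes(data[3:5], "big")
            result["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == EXT_ENCRYPTED_SNI:                  # payload is ciphertext; only presence leaks
            result["esni"] = True
        elif etype == EXT_SUPPORTED_VERSIONS:             # len(1) then 2-byte versions
            vers = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
            result["tls13"] = TLS13 in vers
    return result

def build_client_hello(sni, esni: bool, tls13: bool) -> bytes:
    """Construct a minimal ClientHello for testing (synthetic sample, not a real capture)."""
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode()
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst
    if tls13:
        vers = b"\x02" + struct.pack("!H", TLS13)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers)) + vers
    if esni:
        exts += struct.pack("!HH", EXT_ENCRYPTED_SNI, 16) + b"\x00" * 16  # stand-in ciphertext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Running the parser over a hello that carries both extensions shows exactly the combination the comment says a filter can single out: a readable cover name in SNI alongside an opaque ESNI blob.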
Richard Bejtlich, Principal Security Strategist, InfoSec Expert
August 11, 2020 11:17 am

Those who developed TLS 1.3 and ESNI believed that they could enable privacy by encrypting almost every aspect of a connection. The Chinese Communist Party decided that level of encryption was beyond the capabilities of their Great Firewall to inspect, so they are now blocking *all* TLS 1.3 and ESNI connectivity. This is a setback for those in China trying to access the free Internet, and probably not what the designers of TLS 1.3 and ESNI expected. I personally believe that liberal democracies worldwide should be working to undermine the Great Firewall. However, I also believe that cyber freedom fighters should think a step or two beyond their immediate purview when imagining how their protocols will be perceived by the very authoritarian regimes they also seek to undermine.
