Jump to content
Kev

China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESN

By Kev, in Stiri securitate

Recommended Posts

Kev Experienced

Kev

Posted
Posted

The block was put in place at the end of July and is enforced via China's Great Firewall.

chinese-hackers.png

 

The Chinese government has deployed an update to its national censorship tool, known as the Great Firewall (GFW), to block encrypted HTTPS connections that are being set up using modern, interception-proof protocols and technologies.

 

The ban has been in place for at least a week, since the end of July, according to a joint report published this week by three organizations tracking Chinese censorship -- iYouPort, the University of Maryland, and the Great Firewall Report.

 

CHINA NOW BLOCKING HTTPS+TLS1.3+ESNI

Through the new GFW update, Chinese officials are only targeting HTTPS traffic that is being set up with new technologies like TLS 1.3 and ESNI (Encrypted Server Name Indication).

 

Other HTTPS traffic is still allowed through the Great Firewall, if it uses older versions of the same protocols -- such as TLS 1.1 or 1.2, or SNI (Server Name Indication).

 

For HTTPS connections set up via these older protocols, Chinese censors can infer to what domain a user is trying to connect. This is done by looking at the (plaintext) SNI field in the early stages of an HTTPS connections.

 

In HTTPS connections set up via the newer TLS 1.3, the SNI field can be hidden via ESNI, the encrypted version of the old SNI. As TLS 1.3 usage continues to grow around the web, HTTPS traffic where TLS 1.3 and ESNI is used is now giving Chinese sensors headaches, as they're now finding it harder to filter HTTPS traffic and control what content the Chinese population can access.

 

tls13-stats.png

Image: Qualys SSL Labs (via SixGen)

 

 

Per the findings of the joint report, the Chinese government is currently dropping all HTTPS traffic where TLS 1.3 and ESNI are used, and temporarily banning the IP addresses involved in the connection, for small intervals of time that can vary between two and three minutes.

 

SOME CIRCUMVENTION METHODS EXIST... FOR NOW

For now, iYouPort, the University of Maryland, and the Great Firewall Report said they were able to find six circumvention techniques that can be applied client-side (inside apps and software) and four that can be applied server-side (on servers and app backends) to bypass the GFW's current block.

 

Quote

"Unfortunately, these specific strategies may not be a long-term solution: as the cat and mouse game progresses, the Great Firewall will likely to continue to improve its censorship capabilities," the three organizations also added.

 

ZDNet also confirmed the report's findings with two additional sources -- namely members of a US telecommunications provider and an internet exchange point (IXP) -- using instructions provided in this mailing list

 

Via zdnet.com.

 

 

  • Upvote 3
andr82 Contributor

andr82

Posted
Posted
1 hour ago, Nytro said:

Clasic China. Monitorizare peste tot. Cel putin asa pare din-afara. Stie cineva vreun chinez sa ne zica parerea? 

Eu nu "pricep" de ce fac acest lucru. Ce rost are sa permiti doar traficul mai vulnerabil in tara ta? Nu este sigur TLS 1.3? Eu cred ca tocmai este invers 1.3 acopera o gama larga de slabiciuni pe care le prezenta 1.2. Sa zicem ca putea decripta sau monitoriza pe 1.2 si acum nu mai poate pe 1.3 de ce sa il blochezi? Le este frica sa nu comunice spionii ascunsi cu occidentul prin TLS 1.3? :) :) Nu voi intelege aceasta natie niciodata... :)  

Nytro Mentor

Nytro

Posted
Posted

Aici nu  vorba de trafic slab ci de faptul ca ceea ce blocheaza acum nu poate fi monitorizat.

In pachetele TLS in general se poate vedea serverul destinatie (e.g. rstforums.com). Ei bine, cu acest nou feature, nu se mai vede si ei nu au cum sa stie pe ce site-uri intra oamenii...

  • Upvote 1
ardu2222 Contributor

ardu2222

Posted
Posted (edited)
50 minutes ago, Nytro said:

Aici nu  vorba de trafic slab ci de faptul ca ceea ce blocheaza acum nu poate fi monitorizat.

In pachetele TLS in general se poate vedea serverul destinatie (e.g. rstforums.com). Ei bine, cu acest nou feature, nu se mai vede si ei nu au cum sa stie pe ce site-uri intra oamenii...

Adica daca imi activez acum in Firefox TLS 1.3 cei de la Digi nu mai pot vedea in Gateway pe ce site intru?

Edited by ardu2222

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...