China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI

August 08, 2020

ZDNet Recommends

The best VPN services for your home office or any remote connection

VPNs aren’t essential only for securing your unencrypted Wi-Fi connections in coffee shops and airports. Every remote worker should consider a VPN to stay safe online. Here are your top choices and how to get set up.

The Chinese government is currently using the Great Firewall censorship tool to block certain types of encrypted HTTPS connections.

The block has been in place for more than a week, according to a joint report authored by three organizations tracking Chinese censorship — iYouPort, the University of Maryland, and the Great Firewall Report.

ZDNet also confirmed the report’s findings with two additional sources — namely members of a US telecommunications provider and an internet exchange point (IXP) — using instructions provided in a mailing list.

Neither of the two sources wanted their identities and employers named due to China’s known habit of direct or indirect reprisals against entities highlighting its internet censorship practices.

China now blocking HTTPS+TLS1.3+ESNI

Per the report, China’s Great Firewall (GFW) is now blocking HTTPS connections set up via the new TLS 1.3 encryption protocol and which use ESNI (Encrypted Server Name Indication).

The reason for the ban is obvious for experts.

HTTPS connections negotiated via TLS 1.3 and ESNI prevent third-party observers from detecting what website a user is attempting to access. This effectively blinds the Chinese government’s Great Firewall surveillance tool from seeing what users are doing online.

There is a myth surrounding HTTPS connections that network observers (such as internet service providers) cannot see what users are doing. This is technically incorrect.

While HTTPS connections are encrypted and prevent network observers from viewing/reading the contents of an HTTPS connection, there is a short period before HTTPS connections are established when third-parties can detect to what server the user is connecting.

This is done by looking at the HTTPS connection’s SNI (Server Name Indication) field.

In HTTPS connections negotiated via older versions of the TLS protocol (such as TLS 1.1 and TLS 1.2), the SNI field is visible in plaintext.

In TLS 1.3, a protocol version launched in 2018, the SNI field can be hidden and encrypted via ESNI.

As the TLS 1.3 protocol is seeing broader adoption today, ESNI usage is increasing as well, and more HTTPS connections are now harder to track for online censorship tools like the GFW.

According to iYouPort, the University of Maryland, and the Great Firewall Report, the Chinese government is currently dropping all HTTPS connections where TLS 1.3 and ESNI are used and temporarily blocking the IP addresses involved in the connection for between two and three minutes — depending on the location of the Great Firewall where the “unwanted” connection settings are detected.

Some circumvention methods exist… for now

Luckily for app makers and website operators catering to Chinese audiences, the three organizations said they found six circumvention methods that can be applied client-side (inside apps and software) and four that can be applied server-side (on servers and app backends) to bypass the Great Firewall’s current block.

“Unfortunately, these specific strategies may not be a long-term solution: as the cat and mouse game progresses, the Great Firewall will likely to continue to improve its censorship capabilities,” the three organizations wrote in their joint report.