Russia wants to ban the use of secure protocols such as TLS 1.3, DoH, DoT, ESNI

September 22, 2020

HTTPS TLS SSL website lock — Image: Kon Karampelas

ZDNet Recommends

The best VPN services for your home office or any remote connection

VPNs aren’t essential only for securing your unencrypted Wi-Fi connections in coffee shops and airports. Every remote worker should consider a VPN to stay safe online. Here are your top choices and how to get set up.

The Russian government is working on updating its technology laws so it can ban the use of modern internet protocols that can hinder its surveillance and censorship capabilities.

According to a copy of the proposed law amendments and an explanatory note, the ban targets internet protocols and technologies such as TLS 1.3, DoH, DoT, and ESNI.

Moscow officials aren’t looking to ban HTTPS and encrypted communications as a whole, as these are essential to modern-day financial transactions, communications, military, and critical infrastructure.

Instead, the government wants to ban the use of internet protocols that hide “the name (identifier) of a web page” inside HTTPS traffic.

HTTPS traffic has leaks

Today, while HTTPS encrypts the content of an internet connection, there are various techniques that third-parties such as telcos can apply and determine to what site a user is connecting.

Third-parties may not be able to break the encryption and sniff on the traffic, but they can track or block users based on these leaks, and this is how some ISP-level parental control and copyright infringement blocklists work today.

The primary two techniques used by telcos today include (1) watching DNS traffic or (2) analyzing the SNI (Server Name Identification) field in HTTPS traffic.

The first technique works because browsers and apps make DNS queries in plaintext, revealing the user’s intended site destination even before a future HTTPS connection is established.

The second technique works because the SNI field in HTTPS connections is left unencrypted and similarly allows third-parties to determine to what site an HTTPS connection is going.

New protocols are hindering surveillance and censorship

But over the past decade, new internet protocols have been created and released to address these two issues.

DoH (DNS over HTTPS) and DoT (DNS over TLS) can encrypt DNS queries.

And when combined, TLS 1.3 and ESNI (Server Name Identification) can also prevent SNI leaks.

These protocols are slowly gaining adoption, both in browsers and with cloud providers and websites across the globe, and there is no better sign that these new protocols work as advertised as the fact that China updated its Great Firewall censorship tool to block HTTPS traffic that relied on TLS 1.3 and ESNI.

Russia doesn’t use a national firewall system, but the Moscow regime relies on a system called SORM that allows law enforcement to intercept internet traffic for law enforcement purposes right at the source, in telco data centers.

Furthermore, Russia’s telecommunications ministry, the Roskomnadzor, has been running a de-facto national firewall through its regulatory power over the local ISPs. For the past decade, Roskomnadzor has been banning websites it deemed dangerous and asking ISPs to filter their traffic and block access to the respective sites.

With TLS 1.3, DoH, DoT, and ESNI gaining adoption, all of Russia’s current surveillance and censorship tools will become useless, as they rely on having access to the website identifiers that leak from encrypted web traffic.

And just like China, Russia is cracking down on these new technologies. According to the proposed law amendment, any company or website that uses technology to hide its website identifier in encrypted traffic will be banned inside Russia after a one-day warning.

The proposed law is currently in open debate and awaiting public feedback until next month, on October 5.

Taking into account the strategic, political, and intelligence benefits that come with this law amendment, it’s almost certain that the amendment will pass.