China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI

The Chinese government has deployed an update to its national censorship tool, known as the Great Firewall (GFW), to block encrypted HTTPS connections that can be installed using modern, interception-proof protocols and technologies Used to be.

Three organizations tracking Chinese censorship – iYouPort, University of Maryland and the Great Firewall Report – have been banned for at least a week since the end of July, according to a joint report published this week.

China is now blocking HTTPS + TLS1.3 + ESNI

Through the new GFW update, Chinese authorities are only targeting HTTPS traffic, which is being installed with new technologies such as TLS 1.3 and ESNI (Encrypted Server Name Indication).

Other HTTPS traffic is still allowed through the Great Firewall if it uses earlier versions of the same protocol – such as TLS 1.1 or 1.2, or SNI (Server Name Indication).

For HTTPS connections established via these older protocols, the Chinese sensor can predict which domain the user is trying to connect to. This is done by looking at the (Plaintext) SNI field in the early stages of an HTTPS connection.

In HTTPS connections established via the new TLS 1.3, SNI fields can be hidden through ESNI, an encrypted version of the old SNI. As TLS 1.3 continues to be used in web, HTTPS traffic, where TLS 1.3 and ESNI are used, Chinese sensors are now giving headaches, as they now have to filter HTTPS traffic and control the content reaching the Chinese population. It is getting harder to do.


Image: Qualis SSL Labs (via SixGen)

According to the findings of the joint report, the Chinese government is currently dropping all HTTPS traffic where TLS 1.3 and ESNI are used, and temporarily imposing restrictions on IP addresses involved in connections, for shorter intervals of time May vary between two and three minutes.

Some perimeter methods exist … for now

For now, iYouPort, University of Maryland, and the Great Firewall Report stated that they were able to find six perimeter techniques that could be implemented client-side (inside applications and software) and four that could be implemented server-side (on the server) App backs) to bypass the current block of GFW.

“Unfortunately, these specific strategies may not be a long-term solution: As the cat and mouse game moves forward, Great Firewall will be likely to continue to improve its censorship capabilities,” the three organizations also said.

ZDNet confirmed the report’s findings with two additional sources – namely an American telecommunications provider and an Internet Exchange Point (IXP) member – using the instructions on this mailing list.

Paragraph updated to clarify some technical terms.