China now blocks all HTTPS traffic that uses TLS 1.3 and ESNI

Article edited by Jhon N


The block was implemented at the end of July and is enforced through the Internet surveillance technology of China's Great Firewall.

The Chinese government is currently blocking a specific type of encrypted HTTPS connection using its Great Firewall censorship tool.

According to a joint report by three organisations, iYouPort, the University of Maryland and the Great Firewall Report, the block has been in place for over a week and remains in operation.

ZDNet also confirmed the report's findings, using instructions given in a mailing list, with two additional sources: members of a US telecoms provider and an Internet Exchange Point.

Neither source wished to be identified or to have their employers named, citing the well-known Chinese habit of retaliating against entities that expose its Internet censorship practices.

The Chinese Great Firewall (GFW) now blocks HTTPS connections that are set up via the new TLS 1.3 encryption protocol and that use ESNI (Encrypted Server Name Indication).

Third-party observers cannot detect which website a user is trying to access over HTTPS connections negotiated through TLS 1.3 and ESNI. This effectively blinds the Chinese government's Great Firewall monitoring tool to what users are doing online.

There is a common misconception that HTTPS connections cannot be observed at all by network observers (e.g. service providers). Technically, this is wrong.

While HTTPS encrypts the connection's contents and stops network observers from reading them, the name of the server the user is connecting to is still sent in plaintext a short time before the encrypted HTTPS session is established.

This is how observers identify the destination: they read the SNI (Server Name Indication) field of the HTTPS handshake.

The SNI field is visible in plaintext in HTTPS connections negotiated through older versions of the TLS protocol (such as TLS 1.1 and TLS 1.2).

In TLS 1.3, a protocol version launched in 2018, the SNI field can be hidden by encrypting it with ESNI.

As TLS 1.3 adoption grows, so does the use of ESNI, and more HTTPS connections are becoming difficult for online censorship tools like the GFW to track.

According to iYouPort, the University of Maryland and the Great Firewall Report, the Chinese government currently drops all HTTPS connections where TLS 1.3 and ESNI are used and temporarily blocks the IP addresses involved in the connection for between two and three minutes, depending on which Great Firewall location detects the "unwanted" connection.

Fortunately, the three organisations found six circumvention methods that app makers and site operators catering to Chinese audiences can apply client-side (in apps and software), and four that can be applied server-side (on servers and app back-ends) to bypass the Great Firewall's present block.

"The Great Firewall will unfortunately not become a long-term solution: as the cat and mouse game advances, the Great Firewall will likely continue to enhance its censorship," the three organisations said in their joint report.