China is currently blocking all encrypted HTTPS traffic using TLS 1.3 and ESNI

The Chinese government has rolled out an update to its national censorship tool, the Great Firewall (GFW), to block HTTPS connections from being established with modern, interception-resistant protocols and technologies.

The ban has been in effect for at least a week, since the end of July, according to a joint report released this week by three organizations that track Chinese censorship: iYouPort, the University of Maryland, and the Great Firewall Report.

China is currently blocking HTTPS + TLS1.3 + ESNI

Through the new GFW update, Chinese officials are targeting only HTTPS traffic being established with newer technologies such as TLS 1.3 and ESNI (Encrypted Server Name Indication).

Other HTTPS traffic is still allowed through the Great Firewall if it uses older versions of the same protocol, such as TLS 1.1 or 1.2, with plaintext SNI (Server Name Indication).

For HTTPS connections established over these older protocols, the Chinese censors can deduce the domain the user is trying to connect to by looking at the plaintext SNI field sent in the early stages of an HTTPS connection (the TLS ClientHello).

In HTTPS connections established over the newer TLS 1.3, the SNI field can be hidden via ESNI, the encrypted version of the old SNI. As the use of TLS 1.3 continues to grow across websites, HTTPS traffic that combines TLS 1.3 and ESNI is giving Chinese censors a headache, since it makes it harder to filter HTTPS traffic and control what Chinese citizens can access.
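The following added example (not code from the report or from ZDNet) shows what a passive on-path observer can read from a TLS ClientHello: it constructs a minimal sample ClientHello, extracts the plaintext SNI when present, and can only note that ESNI is in use when the hostname is carried in the encrypted_server_name extension. The ESNI code point 0xffce is the one used by the IETF ESNI drafts; the ESNI body is a placeholder, not a real encrypted name.

```python
import struct

SNI_EXT = 0x0000   # server_name (RFC 6066), sent in plaintext
ESNI_EXT = 0xFFCE  # encrypted_server_name, code point used by the draft-ietf-tls-esni drafts

def build_client_hello(extensions):
    """Construct a minimal TLS ClientHello record (constructed sample, not captured traffic).
    extensions: list of (type, body) pairs."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (
        b"\x03\x03" + b"\x00" * 32            # legacy_version + random (zeroed in this sample)
        + b"\x00"                             # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # compression_methods: null only
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(hostname):
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0) + length + name
    return (SNI_EXT, struct.pack("!H", len(entry)) + entry)

def inspect_client_hello(record):
    """Return what an on-path observer learns about the requested host from a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello")
    p = 9 + 2 + 32                                    # record hdr(5) + hs hdr(4) + version + random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    end = p + ext_len
    result = {"sni": None, "esni": False}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
        data = record[p:p + elen]; p += elen
        if etype == SNI_EXT:
            # server_name_list: list length(2), then name_type(1), name length(2), name
            nlen = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + nlen].decode()
        elif etype == ESNI_EXT:
            result["esni"] = True   # hostname is present but encrypted; only the extension's use is visible
    return result
```

The second case is exactly what the report describes the GFW reacting to: it cannot read the hostname, so it blocks on the mere presence of the ESNI extension.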


Image: Qualys SSL Labs (via SixGen)

According to the joint report, the Chinese government is currently dropping all HTTPS traffic in which TLS 1.3 and ESNI are used, and is also temporarily blocking the IP addresses involved in the connection, for periods ranging from two to three minutes.

Several circumvention methods exist, for now

Currently, iYouPort, the University of Maryland and the Great Firewall Report say they were able to find six possible circumvention techniques that can be applied on the client side (inside applications and software) and four that can be applied on the server side (on the server and backend) to bypass the GFW's current block.

"Unfortunately, these specific strategies may not be the long-term solution: as the cat-and-mouse game progresses, the Great Firewall will likely continue to improve its censorship," the three organizations also add.

ZDNet also validated the report's findings with two additional sources, members of a US telecom provider and of an internet exchange point (IXP), using the instructions provided in the report.

The article is updated to clarify some technical terms.
