China now blocks all encrypted HTTPS traffic using TLS 1.3 and ESNI

The Chinese government has deployed an update to its national censorship tool, known as the Great Firewall (GFW), to block encrypted HTTPS connections set up with modern, interception-proof protocols and technologies.

The ban has been in place for at least a week since the end of July, according to a joint report published this week by three organizations that follow Chinese censorship – iYouPort, the University of Maryland, and the Great Firewall Report.

China is now blocking HTTPS + TLS1.3 + ESNI

With the new GFW update, Chinese censors are only targeting HTTPS traffic that is set up with newer technologies, namely TLS 1.3 combined with ESNI (Encrypted Server Name Indication).

Other HTTPS traffic is still allowed through the Great Firewall, because it either uses older versions of TLS, such as TLS 1.1 or 1.2, or sends the server name in a plaintext SNI (Server Name Indication) extension.

For HTTPS connections set up this way, Chinese censors can infer which domain a user is trying to reach by reading the plaintext SNI field in the ClientHello, the first message of the TLS handshake, before any encryption is in place.

In HTTPS connections set up via the newer TLS 1.3, the SNI field can be hidden via ESNI, the encrypted version of the old SNI. As TLS 1.3 usage continues to grow on the web, HTTPS traffic using TLS 1.3 and ESNI gives Chinese censors headaches, as it becomes harder for them to filter HTTPS traffic by destination and to control what content the Chinese population can reach.
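To make the SNI/ESNI distinction concrete, here is a small ClientHello parser of the kind a deep-packet-inspection box would run. It is an added example, not code from the report, from ZDNet or from the GFW. It builds two constructed ClientHello records (one with a plaintext `server_name` extension, one carrying the draft ESNI extension, codepoint 0xffce, instead), extracts the server name and the offered TLS versions, and then applies a toy `censor_verdict` that mirrors the behaviour described in the report: any ESNI ClientHello is blocked outright, and plaintext SNI is matched against a blocklist. The `build_client_hello` helper, the fixed random bytes and the blocklist are assumptions made for the example; the real GFW logic is not public.

```python
"""Parse a TLS ClientHello the way a DPI middlebox would: pull out the plaintext
SNI (if any), check whether TLS 1.3 is offered, and flag the draft ESNI extension.
Added example; not code from the report, ZDNet or the GFW."""
import struct

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE  # draft-ietf-tls-esni codepoint
TLS13 = 0x0304


def build_client_hello(sni=None, esni_blob=None, versions=(0x0303,)):
    """Construct a minimal ClientHello record (constructed sample input, assumption)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type 0
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body
    if esni_blob is not None:                                    # opaque ESNI payload
        exts += struct.pack("!HH", EXT_ENCRYPTED_SERVER_NAME, len(esni_blob)) + esni_blob
    vers = b"".join(struct.pack("!H", v) for v in versions)
    body = bytes([len(vers)]) + vers
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body

    hello = struct.pack("!H", 0x0303)            # legacy_version
    hello += b"\x11" * 32                        # random (fixed for determinism)
    hello += b"\x00"                             # empty session_id
    hello += struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
    hello += b"\x01\x00"                         # compression methods: null only
    hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 0x16 = handshake


def parse_client_hello(record):
    """Return {sni, tls13_offered, esni_present}, or None if not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    off = 2 + 32                                   # skip legacy_version and random
    off += 1 + p[off]                              # session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2 + cs_len                              # cipher_suites
    off += 1 + p[off]                              # compression_methods
    info = {"sni": None, "tls13_offered": False, "esni_present": False}
    if off + 2 > len(p):
        return info                                # no extensions block at all
    ext_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4])
        data = p[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            n = struct.unpack("!H", data[3:5])[0]  # list_len(2) type(1) name_len(2) name
            info["sni"] = data[5:5 + n].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_VERSIONS and data:
            vs = data[1:1 + data[0]]
            info["tls13_offered"] = any(
                struct.unpack("!H", vs[i:i + 2])[0] == TLS13 for i in range(0, len(vs) - 1, 2))
        elif etype == EXT_ENCRYPTED_SERVER_NAME:
            info["esni_present"] = True            # censor only needs presence, not content
    return info


def censor_verdict(record, blocklist):
    """Toy model of the filtering decision described in the report (assumption, not the GFW's code)."""
    info = parse_client_hello(record)
    if info is None:
        return "pass"
    if info["esni_present"]:
        return "block: ESNI"                       # report: every ESNI ClientHello is blocked
    if info["sni"] in blocklist:
        return "block: SNI " + info["sni"]         # classic SNI-based filtering
    return "pass"


if __name__ == "__main__":
    blocked = {"example.com"}
    plain = build_client_hello(sni="example.com", versions=(TLS13, 0x0303))
    hidden = build_client_hello(esni_blob=b"\x00" * 16, versions=(TLS13,))
    print(parse_client_hello(plain), censor_verdict(plain, blocked))
    print(parse_client_hello(hidden), censor_verdict(hidden, blocked))
```

The point the example makes is the one the report makes: with plaintext SNI the censor can block selectively by domain, whereas with ESNI the server name is unreadable, so the only remaining option for a censor is to key on the presence of the 0xffce extension itself and block every such connection.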

[Image: TLS 1.3 usage statistics. Source: Qualys SSL Labs (via SixGen)]

According to the findings of the joint report, the Chinese government is currently banning all HTTPS traffic using TLS 1.3 and ESNI, and temporarily bans the IP addresses involved in the connection, for short intervals that can vary between two and three minutes.

Some circumvention methods exist … for now

For now, iYouPort, the University of Maryland, and the Great Firewall Report said they were able to find six circumvention techniques that can be applied on the client side (within apps and software) and four that can be applied on the server side (on servers and app backends) to bypass the GFW's current block.

“Unfortunately, these specific strategies may not be a long-term solution: as the cat and mouse game progresses, the Great Firewall will likely continue to improve its censorship capabilities,” the three organizations added.

ZDNet also confirmed the findings of the report with two additional sources – namely members of a US telecommunications provider and an Internet exchange (IXP) – using instructions provided in this mailing list.

Article updated to clarify some technical terms.