China expands Great Firewall to block HTTPS traffic that uses TLS 1.3 and ESNI

Posted on Aug 10, 2020 by Caleb Chen

The Great Firewall of China is getting longer. Chinese censors upgraded the GFW to be able to block HTTPS traffic that uses TLS 1.3 and ESNI. We know about this news thanks to a joint report by three long-time observers of the Chinese censorship machine: iYouPort, the Great Firewall Report, and the University of Maryland. The report does indicate that there are several working circumvention techniques that can still send this type of HTTPS traffic through the GFW.

TLS 1.3 (Transport Layer Security) and ESNI (Encrypted Server Name Indication) are new technologies that augment HTTPS – the secure way in which website users “talk” with the websites they visit over the internet. When using TLS 1.2 or TLS 1.1 and regular Server Name Indication (SNI), internet providers are able to infer what websites internet traffic is bound for because the SNI contains identifiable information that is not encrypted even though the specific contents of the traffic are. These types of HTTPS traffic are still permitted through the GFW.

The Great Firewall of China continues to grow

The GFW has long been well known for its use of deep packet inspection (DPI), which involves internet traffic analysis at a level that can differentiate between different types of encrypted data. Using DPI, China identifies internet traffic such as open VPN connections, and now TLS 1.3 traffic, and blocks it entirely. This upgrade to the firewall represents an escalation in the differentiation between the splinternet that China uses and the internet that the rest of the world uses. The Chinese government seems to now officially consider TLS 1.3 and ESNI a circumvention tool against the country’s strict censorship that must be blocked.

While there are ways to circumvent the GFW’s TLS 1.3 and ESNI block, we shouldn’t expect them to stay around for very long. The report’s authors specifically mentioned:

“Unfortunately, these specific strategies may not be a long-term solution: as the cat and mouse game progresses, the Great Firewall will likely continue to improve its censorship capabilities.”

The behavior has been observed since at least late July and signifies the most recent escalation in the blocking arsenal used by the Great Firewall of China. China’s internet censorship techniques are now being adopted by other oppressive regimes around the world. Additionally, we might soon see the Great Firewall encircle Hong Kong. Even though censorship continues to grow in China, and existing circumventions might be patched, there will always be new ways to find the truth and access the real internet. This is the ingenuity that fuels human progress, and it will forever stand in defiance of China’s Great Firewall and the censorship firewalls set up by any other country or entity.