Russia wants to outlaw TLS 1.3, ESNI, DNS over HTTPS, and DNS over TLS

Posted on Sep 22, 2020 by Caleb Chen

The Russian Ministry of Digital Development, Communications, and Mass Media has released a draft law which outlines plans to outlaw TLS 1.3, ESNI, DNS over HTTPS, and DNS over TLS. The draft law (text in Russian) “bans the use of encryption protocols allowing for hiding the name (identifier) of a web page or Internet site on the territory of the Russian Federation.” This is supposed to help the Roskomnadzor in its job as Russia’s censor. If a site is found to be using these encryption tools, it can be blocked by the Roskomnadzor within a day. Meduza, reporting on the news, noted:

“Experts point out that a number of large Internet companies, including the Russian Internet giant Yandex, currently rely on these technologies — and underscore that this new initiative could lead to another mass block of IP addresses belonging to major providers like Amazon Web Services and Cloudflare, the hosts behind many sites.”

The Russian government had previously blocked a large portion of the internet in its since-halted attempts to block access to Telegram. Russia has banned a lot of things – like certain types of VPN use – in its day, and some of the bans have been more efficacious than others.

Russia’s response to privacy technologies is to ban them


The Roskomnadzor’s job used to be easy. Dmitry Belyavsky, an encrypted systems developer, explained to Meduza:

“Once upon a time, all of the addresses of sites and pages on the Internet were transmitted in plain text, not encrypted, so when the Roskomnadzor blocking system [first] began working in Russia, it was assumed that the filter would work according to URL, that is, the addresses of individual pages on Internet sites. However, one year after [its] implementation, largely under the influence of Edward Snowden’s revelations, the whole world began rapidly switching to using HTTPS — a protocol that provides encryption between the site and the user’s device. For this reason, it’s impossible to block the individual pages of sites that are using HTTPS according to URL.”

Since then, the Roskomnadzor has turned to blocking based on hostnames, and that’s where these new technologies, which are finally being implemented across the web, stand in the way. The draft law explained the rationale behind the ban:

“The use of the algorithms and encryption methods listed has the capacity to reduce the effectiveness of using existing filtration systems [for Internet traffic], which, in turn, significantly complicates the identification of resources available on the Internet, which contain information that is restricted or prohibited for distribution in the Russian Federation.”

Those are well-known features of TLS 1.3, ESNI, DNS over HTTPS, and DNS over TLS, and for a whole government to seek to outlaw these technologies by name is a vote in favor of their efficacy. The official Russian solution is for websites to use the state-approved Russian cryptographic algorithms “Magma” and “Kuznechik” and a state-issued SSL certificate. Whether this draft law passes remains to be seen, but what is clear is that Russia is still barrelling headlong towards the establishment of a Russian internet (coined RuNet) that may eventually put the infamous Great Firewall of China to the south to shame.