The Chinese government has updated the “Golden Shield”, better known as the “Great Firewall of China”. The firewall now blocks Internet traffic that uses TLS 1.3 together with the ESNI (Encrypted Server Name Indication) extension. Until now this combination was considered the most reliable way to get past DPI (deep packet inspection) systems.
The blocking of ESNI connections was reported by researchers from the University of Maryland together with two organizations that monitor censorship in China, iyouport and Great Firewall Report. The likely reasons for the block are the global growth of TLS 1.3+ESNI traffic and the effectiveness of this combination against filtering.
What is ESNI?
TLS hides the content of a user’s communication, but it does not always hide who the user is communicating with. During the handshake the client (for example, a browser) uses the SNI (Server Name Indication) extension to tell the server the name of the host it wants to reach, in other words the domain the user is requesting. The main problem with SNI is that the hostname sent in this field is not encrypted: it is visible to the ISP or to any man in the middle, for example a DPI system.
The main blocking method used by regulators in countries that censor the Internet is to read the SNI field and cut off connections to certain sites. The Chinese firewall works on the same principle.
In 2018 the Encrypted SNI (ESNI) extension was designed for TLS 1.3. With ESNI the requested hostname is encrypted with a public key that the site publishes in DNS (in the drafts, as a TXT record under _esni.<domain>). An ISP or DPI system then sees only the destination IP address, and since hundreds of domains can be hosted behind a single IP address, ESNI does not reveal which domain the user visited. For this to help, the DNS lookup itself must be protected as well (for example with DNS over HTTPS), otherwise the name simply leaks in the DNS query instead.
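To make the difference concrete, here is an added example (not code from the article or from the researchers) that builds a minimal TLS 1.3 ClientHello twice, once with a plaintext SNI and once with an ESNI extension (type 0xffce), and then parses each the way a passive DPI box would. The ESNI payload is random bytes standing in for the real ciphertext, and the key share and other mandatory TLS 1.3 extensions are omitted; the point is what is and is not readable on the wire.

```python
"""Build TLS 1.3 ClientHello records with plaintext SNI or with ESNI, then
parse them as a passive observer (ISP, DPI box) would."""
import os
import struct

SNI_EXT = 0x0000                 # server_name
SUPPORTED_VERSIONS_EXT = 0x002B  # supported_versions
ESNI_EXT = 0xFFCE                # encrypted_server_name, the ESNI draft code point


def _ext(ext_type: int, body: bytes) -> bytes:
    """Wrap an extension body in the 2-byte type / 2-byte length framing."""
    return struct.pack("!HH", ext_type, len(body)) + body


def supported_versions_tls13() -> bytes:
    # length-prefixed list with the single entry 0x0304 (TLS 1.3)
    return _ext(SUPPORTED_VERSIONS_EXT, b"\x02\x03\x04")


def sni_extension(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    # ServerNameList with one entry of name_type 0 (host_name)
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return _ext(SNI_EXT, struct.pack("!H", len(entry)) + entry)


def esni_extension(encrypted_blob: bytes) -> bytes:
    # A real ClientEncryptedSNI carries a cipher suite, key share, record
    # digest and the encrypted name; none of it yields the hostname to an
    # observer, so the body is treated as opaque here.
    return _ext(ESNI_EXT, encrypted_blob)


def build_client_hello(extensions: bytes) -> bytes:
    body = struct.pack("!H", 0x0303) + os.urandom(32)     # legacy_version + random
    body += b"\x00"                                        # empty legacy_session_id
    body += struct.pack("!HH", 2, 0x1301)                  # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                    # legacy_compression_methods: null
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # TLSPlaintext record


def parse_client_hello(record: bytes) -> dict:
    """Extract what is visible on the wire: the plaintext SNI, if present,
    and the list of extension types."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                        # legacy_session_id
    (cs_len,) = struct.unpack("!H", record[pos:pos + 2])
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + record[pos]                        # compression methods
    (ext_len,) = struct.unpack("!H", record[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    seen = {"sni": None, "esni": False, "extensions": []}
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        seen["extensions"].append(etype)
        if etype == SNI_EXT:
            (name_len,) = struct.unpack("!H", data[3:5])  # skip list length and name_type
            seen["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == ESNI_EXT:
            seen["esni"] = True                   # present, but the name is not readable
    return seen


def what_dpi_sees(hostname: str, use_esni: bool) -> dict:
    """Build a ClientHello for hostname with plaintext SNI or ESNI and report
    what a passive observer can read from it."""
    if use_esni:
        # random bytes stand in for the ciphertext; real ESNI encrypts the
        # hostname under the key published in DNS
        exts = supported_versions_tls13() + esni_extension(os.urandom(48))
    else:
        exts = supported_versions_tls13() + sni_extension(hostname)
    return parse_client_hello(build_client_hello(exts))


if __name__ == "__main__":
    print(what_dpi_sees("example.com", use_esni=False))
    print(what_dpi_sees("example.com", use_esni=True))
```

With plaintext SNI the parser returns the hostname; with ESNI it returns only the fact that extension 0xffce is present. That presence is exactly what the firewall matches on, which is why blocking ESNI wholesale is cheap even though the name inside cannot be recovered.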
At the time of its release ESNI was considered so effective that some supporters of a free Internet enthusiastically spoke of the “end of the DPI era”.
The first browser to support ESNI was Mozilla Firefox (in 2018). In September 2019 the operators of the Rutracker torrent tracker announced that they had enabled ESNI.
Why has China stepped up?
HTTPS traffic with TLS 1.3 and ESNI support is now growing worldwide.
It is becoming increasingly difficult for the Chinese authorities to monitor and filter HTTPS traffic, that is, to control which content Chinese users can reach. Since the Great Firewall cannot yet see which domain a user connects to when ESNI is used, such HTTPS traffic is simply blocked outright.
Traffic that uses earlier TLS versions, or TLS 1.3 without ESNI, is not touched by this filter, since such connections can already be inspected.
How is the block organized?
Packets carrying ESNI are blocked on the “border” routers, which operate in both directions: from China to the outside Internet and back.
The firewall drops the ClientHello packet containing the ESNI extension on its way from client to server. The packet is simply discarded; no RST packets are injected, unlike what happens with blocking based on a plaintext Server Name Indication.
After the ESNI packet has been dropped, any further packets matching the same source IP, destination IP and destination port are also blocked for the next two to three minutes. This residual blocking applies to any destination port from 1 to 65535.
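The behaviour described in this section can be captured in a small model. The following is an added example written for this article, not the researchers’ code or the firewall’s: it drops the ESNI ClientHello in the client-to-server direction, then drops everything on the same (source IP, destination IP, destination port) for a residual window without looking at TCP flags, and never injects RSTs for ESNI. Plaintext-SNI blocking is modelled alongside for contrast, since there the firewall answers with injected RSTs. Assumptions: a 180-second window (the article says two to three minutes), an “inside” set of IPs standing in for the Chinese side of the border router, and a made-up SNI blocklist.

```python
"""Toy model of the Great Firewall's ESNI blocking and residual censorship.
Packets are simplified records; the ESNI flag stands in for a ClientHello
parse. Numbers and addresses are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional

RESIDUAL_SECONDS = 180          # article says 2-3 minutes; 180 s assumed here


@dataclass
class Packet:
    src: str                    # sender IP
    dst: str                    # receiver IP
    dport: int                  # destination port
    flags: str = "PA"           # TCP flags as letters: S, A, R, F, P
    sni: Optional[str] = None   # plaintext SNI, if this is a ClientHello
    esni: bool = False          # ClientHello carries extension 0xffce


@dataclass
class EsniCensor:
    sni_blocklist: set = field(default_factory=set)
    inside: set = field(default_factory=set)         # IPs on the censored side
    residual: dict = field(default_factory=dict)     # 3-tuple -> expiry time

    def handle(self, pkt: Packet, now: float) -> str:
        """Return 'forward', 'drop' or 'rst' (RST injected towards both ends)."""
        if pkt.src not in self.inside:
            # server->client direction is not touched for ESNI censorship
            return "forward"
        key = (pkt.src, pkt.dst, pkt.dport)
        expiry = self.residual.get(key)
        if expiry is not None and now < expiry:
            return "drop"                              # TCP flags are not consulted
        if expiry is not None:
            del self.residual[key]                     # window has elapsed
        if pkt.esni:
            self.residual[key] = now + RESIDUAL_SECONDS
            return "drop"                              # silent drop, no RST
        if pkt.sni is not None and pkt.sni in self.sni_blocklist:
            return "rst"                               # classic SNI blocking
        return "forward"


def demo_trace() -> list:
    """Replay a constructed packet sequence through the model and return verdicts."""
    gfw = EsniCensor(sni_blocklist={"blocked.example"}, inside={"10.0.0.2"})
    client, server = "10.0.0.2", "203.0.113.5"
    trace = [
        (0.0, Packet(client, server, 443, flags="S")),                # SYN
        (0.1, Packet(client, server, 443, esni=True)),                # ESNI ClientHello
        (1.0, Packet(client, server, 443, flags="R")),                # client RST: still dropped
        (2.0, Packet(server, client, 40000, flags="A")),              # server->client: untouched
        (3.0, Packet(client, server, 80, flags="S")),                 # other port: other 3-tuple
        (179.0, Packet(client, server, 443, flags="S")),              # retry inside the window
        (181.0, Packet(client, server, 443, flags="S")),              # retry after the window
        (182.0, Packet(client, server, 443, sni="blocked.example")),  # plaintext SNI on blocklist
        (183.0, Packet(client, server, 443, sni="allowed.example")),  # plaintext SNI, allowed
    ]
    return [gfw.handle(pkt, t) for t, pkt in trace]


if __name__ == "__main__":
    for verdict in demo_trace():
        print(verdict)
```

Two details of the model matter operationally: the residual entry is keyed on the destination port, so a retry on another port to the same server goes through, and the RST from the client in the trace is dropped like any other packet, which is the flag-insensitivity the researchers contrast with Iran later in the article.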
How do we know this?
To study the blocking mechanism in detail, the Geneva researchers wrote a Python utility that completes the TCP handshake with a server and then sends a ClientHello message carrying the ESNI extension. The ClientHello was crafted so that its fingerprint matches that of Firefox 79.0 with TLS 1.3 enabled.
The utility exchanged messages between client and server for a week so that traffic could be analysed in both directions. The servers that received the ClientHello completed the TCP handshake but sent nothing back and did not close the connection themselves.
Besides establishing that the firewall does not inject RSTs to censor ESNI traffic, the researchers found that when blocking Tor and Shadowsocks servers it drops traffic in the server-to-client direction as well, whereas for ESNI it discards only client-to-server packets.
The Geneva researchers also noted that the Golden Shield does not look at TCP flags when dropping packets. This distinguishes the Chinese firewall from some censorship systems in Iran, which do not block packets carrying the RST or FIN flags.
The researchers propose several ways of bypassing the block on the client and on the server side. For example, an alternative extension code point, 0xff02, is not yet blocked by the Chinese censors; currently only packets carrying extension type 0xffce, the code point of the ESNI draft, are dropped.
Another approach is to exploit the firewall’s atypical connection tracking: the block does not trigger when an RST packet with an incorrect checksum is inserted into the stream, or when a SYN packet with a wrong sequence number is sent. The real endpoint discards such packets (a TCP stack rejects a bad checksum and an out-of-window sequence number), so they only confuse the censor’s view of the connection. These evasion strategies are already supported by the Geneva tool, which is published on GitHub.
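To show what those inserted packets actually look like, here is an added example (not Geneva’s code, and it does not reproduce the researchers’ test against the firewall) that builds the two probes as raw TCP headers: an RST whose checksum is deliberately wrong, and a SYN whose sequence number does not belong to the connection. The checksum is computed over the IPv4 pseudo-header exactly as a receiving TCP stack does, so the same function can show why a real endpoint ignores the bad RST. Addresses, ports and sequence numbers are made up; sending these on the wire would require raw sockets and is not done here.

```python
"""Craft the probe segments the Geneva strategies insert before the real
ClientHello: an RST with a corrupted checksum and a SYN with a bogus
sequence number. Raw IPv4/TCP bytes, no options, no payload."""
import socket
import struct

TCP_SYN = 0x02
TCP_RST = 0x04


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # src, dst, zero, protocol 6 (TCP), TCP length
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, corrupt_checksum=False) -> bytes:
    """20-byte TCP header; checksum field filled in (or deliberately broken)."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    if corrupt_checksum:
        csum = (csum + 1) & 0xFFFF           # any conforming TCP stack discards this segment
    return header[:16] + struct.pack("!H", csum) + header[18:]


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What the receiving host checks: pseudo-header + segment must sum to zero."""
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment: bytes) -> int:
    return segment[13]


def tcp_seq(segment: bytes) -> int:
    return struct.unpack("!I", segment[4:8])[0]


def geneva_style_probes(src_ip, dst_ip, sport, dport, real_seq):
    """Return (bad_checksum_rst, wrong_seq_syn) for a connection whose genuine
    next sequence number is real_seq. The offset for the bogus SYN is arbitrary."""
    bad_rst = build_tcp_segment(src_ip, dst_ip, sport, dport, real_seq, 0, TCP_RST,
                                corrupt_checksum=True)
    wrong_syn = build_tcp_segment(src_ip, dst_ip, sport, dport,
                                  (real_seq + 0x01000000) & 0xFFFFFFFF, 0, TCP_SYN)
    return bad_rst, wrong_syn


if __name__ == "__main__":
    rst, syn = geneva_style_probes("10.0.0.2", "203.0.113.5", 40000, 443, 1000)
    print("RST checksum valid:", tcp_checksum_ok("10.0.0.2", "203.0.113.5", rst))
    print("SYN seq:", tcp_seq(syn), "(real connection is at 1000)")
```

The RST fails `tcp_checksum_ok`, so the server never sees a reset; the SYN passes the checksum but carries a sequence number unrelated to the live connection, so the server ignores it. Whether a given censor’s connection tracker is fooled by either is an empirical question, and the article reports that for this version of the firewall both worked.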
Researchers from the University of Maryland point out that all of the proposed circumvention measures will probably lose their value soon:
“These methods [of bypassing the block] are a temporary solution. Sooner or later the censorship capabilities of the Great Firewall are likely to expand.”
Independent makers of DPI systems will presumably not sit idle either. Demand for packet-filtering software that can handle TLS 1.3 and ESNI will grow along with the volume of encrypted HTTPS traffic, especially in countries where the Internet is heavily regulated.