China has given its internet traffic blocking capabilities a major update and is now using more modern interception technology. This further strengthens what is known as the Great Firewall of China as it continues to censor and block content, websites and apps from being accessed by users within China. The update to the censoring tools is believed to be more potent at restricting HTTPS traffic that uses newer technologies such as TLS 1.3 and ESNI (Encrypted Server Name Indication). The finding comes from a new joint report published this week by iYouPort, the University of Maryland, and the Great Firewall Report, three organizations that have been tracking Chinese internet censorship.
“We confirm that the Great Firewall (GFW) of China has recently begun blocking ESNI—one of the foundational features of TLS 1.3 and HTTPS. We empirically demonstrate what triggers this censorship and how long residual censorship lasts,” say the authors of the report. The Transport Layer Security (TLS) standard is the basis of HTTPS (Hypertext Transfer Protocol Secure), which lets users verify who they are communicating with while preventing any intermediary from reading the information being transmitted. The handshake that sets up this communication also carries the Server Name Indication (SNI) in plaintext, which Chinese censors use to detect and block content, websites and apps.
“TLS 1.3 introduced Encrypted SNI (ESNI) that, put simply, encrypts the SNI so that intermediaries cannot view it. ESNI has the potential to complicate nation-states’ abilities to censor HTTPS content; rather than be able to block only connections to specific websites, ESNI would require censors to block all TLS connections to specific servers. We do confirm that this is now happening in China!” reveals the report.
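To make concrete what an on-path observer such as the GFW can and cannot read, the following added example (not code from the report or its authors) builds a minimal constructed TLS 1.3 ClientHello and classifies it by whether it carries a plaintext SNI, an ESNI extension, or neither. It assumes the draft ESNI extension codepoint 0xffce and uses the standard server_name extension (type 0) from RFC 6066.

```python
import struct

SNI_EXT = 0x0000   # server_name extension (RFC 6066), hostname in plaintext
ESNI_EXT = 0xffce  # encrypted_server_name, draft ESNI codepoint (assumption for this example)

def build_client_hello(extensions):
    """Constructed minimal TLS 1.3 ClientHello handshake message for demonstration."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + b"\x00" * 32          # legacy_version + 32-byte random (zeros here)
            + b"\x00"                            # empty legacy_session_id
            + b"\x00\x02\x13\x01"                # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # one compression method: null
            + struct.pack("!H", len(ext_body)) + ext_body)
    return b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 + 3-byte length

def sni_extension(hostname):
    """Plaintext server_name extension: list length, name type 0, name length, hostname."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (SNI_EXT, struct.pack("!H", len(entry)) + entry)

def classify_client_hello(data):
    """What a middlebox learns: ('sni', hostname), ('esni', None) or ('none', None)."""
    if data[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                   # skip header, version, random
    sid_len = data[pos]; pos += 1 + sid_len            # session id
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
    comp_len = data[pos]; pos += 1 + comp_len          # compression methods
    ext_total = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    result = ("none", None)
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
        ext_data = data[pos:pos + ext_len]; pos += ext_len
        if ext_type == SNI_EXT:
            name_len = struct.unpack("!H", ext_data[3:5])[0]
            return ("sni", ext_data[5:5 + name_len].decode())   # hostname fully visible
        if ext_type == ESNI_EXT:
            result = ("esni", None)   # only the presence of ESNI is visible, not the name
    return result

if __name__ == "__main__":
    print(classify_client_hello(build_client_hello([sni_extension("example.com")])))
    print(classify_client_hello(build_client_hello([(ESNI_EXT, b"\x00" * 16)])))
```

The second case is exactly the signal the report describes: with ESNI the hostname is unreadable, so a censor that wants to act on it can only key on the extension's presence and block the whole TLS connection.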
Researchers say the blocking is triggered bidirectionally: a connection from outside China can be blocked by the firewall just as a connection from a user in China to a destination outside the firewall can. There is, however, a way to circumvent the firewall's new-found capability, the researchers say, and it can be deployed by either the client or the server. “Geneva (Genetic Evasion) is a genetic algorithm developed by those of us at the University of Maryland that automatically discovers new censorship evasion strategies. Geneva manipulates packet streams—injecting, altering, fragmenting, and dropping packets—in a manner that bypasses censorship without impacting the original underlying connection,” say the researchers. They do warn, however, that the tool is a research prototype: it does not provide any encryption, protection or data privacy, and it is not optimized for speed.