back to article China now blocking ESNI-enabled TLS 1.3 connections, say Great-Firewall-watchers

China is now blocking encrypted HTTPS traffic that uses TLS 1.3 with ESNI enabled, according to observers at the Great Firewall Report (GFR). TLS is the foundation of secure online communication and hides content users wish to access or have generated so it can pass over the internet without being observed by unrelated parties …

  1. Anonymous Coward
    Anonymous Coward

    Satellite broadband?

    Just curious what China plan to do as Satellite broadband becomes more readily available?

    1. TinTinTeroo

      Re: Satellite broadband?

      Build a space cannon

    2. RAMChYLD

      Re: Satellite broadband?

      What other countries with an asshole government already do- outright ban dishes that do not bear the logo of authorized satellite providers in their country and ban dishes beyond a certain size (for example, dishes can be no bigger than two feet diameter). The Malaysian government is doing this.

      1. Symon Silver badge
        Big Brother

        Re: Satellite broadband?

        They already do that.

        https://observers.france24.com/en/20090819-chinese-hide-satellite-dishes-banned-foreign-channels

    3. stiine Silver badge
      Devil

      Re: Satellite broadband?

      A very large aluminium umbrella?

    4. Charlie Clark Silver badge

      Re: Satellite broadband?

      Take out the satellites? Or at least their transmitters…

      Anyway, anyone offering the services will presumably want to bill for the service and blocking payments will be pretty easy.

      1. Anonymous Coward
        Anonymous Coward

        Re: Satellite broadband?

        Well, satellite operators are still commercial enterprises, not a charities.

        I have yet to find an organisation clocking serious cash that didn't love money a lot more than "freedom" (IMHO, the "freedom" banner is usually only waved around to get around pesky laws or politics that stand in the way of ever more profit), so I suspect a bit of sponsorship may go a long way to adjust the broadcast envelope. No doubt they will try to get a bidding war going.

        Your choice if you deem that cynical or realistic.

      2. JCitizen Bronze badge
        Go

        Re: Satellite broadband?

        Some satellites transmit and receive in regular RF, and can be easily used by free loaders, because they are not encrypted. I don't know if you could upload encrypted data to them or not. I forgot the details, but it was in either an article here on the Reg or ZDNet, and I was surprised to hear any unencrypted traffic was on satellite any more. The article didn't say if it was C band or Ku band, and that used to make a big difference in the past.

        If your antenna was directional enough, detecting the upload signal might just be difficult enough to avoid CCP police; and the Great Firewall of China cannot control all Pacific Rim traffic like that. Coverage over most of the coastal Chinese state should be pretty evident. The article wasn't clear how much of this "hacking" is totally free - of course all of the download side is. The equipment was amazingly cheap and easy to find amongst junk electronic enthusiasts. It wouldn't surprise me that jammers are setup by the PRC government though; just like the Russians used to attempt when Radio Free Europe was in operation.

    5. Jon 37

      Re: Satellite broadband?

      There are lots of things that China can do:

      * Make it illegal to own an unlicensed satellite transmitter, with serious punishments.

      * Direction-finding equipment to track down unlicensed satellite transmitters.

      * Require satellite operators that provide broadband in China to use a Chinese downlink so China can monitor, filter, and identify who sent what traffic.

      * Threats to satellite operators that provide broadband in China without co-operating with the Chinese government.

      * If the satellite operator has other businesses (e.g. Facebook), block those other businesses if the satellite operator does not comply with Chinese law.

      * Jamming satellite communications frequencies used by the satellite broadband providers that are not co-operating with the Chinese government.

      * Anti-satellite missiles.

      Note: Not saying I approve, but I'm a pragmatist and think mainstream satellite broadband is something China will be able to mostly control. Won't be perfect, but will be good enough for them. They are worried about mass protests growing into revolution, they're not worried about a few campaigners who can be thrown in prison. Sadly there is no technical fix for the Chinese censorship, it needs political change... which the current leaders are trying to block with censorship and other tools.

      1. Anonymous Coward
        Anonymous Coward

        Re: Satellite broadband?

        "[...] which the current leaders are trying to block with censorship and other tools."

        which the autocratic-tendency leaders of several supposedly democratic countries are trying to block with censorship and other tools.

        FTFY

  2. RM Myers Silver badge
    Unhappy

    1984

    Orwell may have gotten the date wrong, but the rest of the novel seems to be a fairly accurate description of where China is going (or maybe already there?). This is definitely scary when you consider China has 18% of the world population and the second largest economy by GDP.

    1. Kabukiwookie Silver badge

      Re: 1984

      What China seems to be doing here is pretty bad, but if you think that they're the only ones who think that 1984 was an instruction manual, you're sadly mistaken.

      We're already having the push for Newspeak here in 'the west' along with perpetual war (if you're living in the US).

      1. Wade Burchette Silver badge

        Re: 1984

        In China, they had a campaign against Four Olds: Old customs, old idea, old habits, old culture. This seems very similar to what antifa has been doing, tearing down statues and other monuments. You also have some politicians actively calling for an end of history classes.

        1. Anonymous Coward
          Anonymous Coward

          Re: 1984

          Antifa?

          LOL.

        2. Anonymous Coward
          Anonymous Coward

          Re: 1984

          Wait wait wait. I thought your kind of people thought history can only be learned by looking at statues. Now you also care about actual classes? How odd.

      2. Anonymous Coward
        Anonymous Coward

        Re: 1984

        There's thing that people who keep banging the "1984" drum always forget: in the book, there is no good side. All sides use the exact same techniques, and whatever they call their ideology is explicitly irrelevant. They're only different labels affixed to the same oppression tools.

        1. Louis Schreurs Bronze badge

          Re: 1984

          In the real world there also isn't 'a good side ' .

          It's called humanity.

          1. Psmo Silver badge

            Re: 1984

            Wait. We're the good guys now? Since when?

      3. RM Myers Silver badge
        FAIL

        Re: 1984

        Yes, I've noticed the great firewall around the UK which blocks access to subversive websites, like El Reg. Plus the number of cartoonists getting put into jail for doing caricatures of Johnson/Trump/Merkel/other western leader is truly terrifying. Winnie the Pooh would definitely approve.

        1. Anonymous Coward
          Anonymous Coward

          Re: 1984

          Not so long ago people would have been jailed for treason or murdered by the state for drawing unflattering caricatures or criticising a monarch.

          https://www.bbc.co.uk/news/uk-politics-20462098

          1. Mike 16 Silver badge

            Re: 1984

            I'm sure those killed in the little dust-up between Cromwell and the Crown were thinking "Well, at least we are not targeted for political cartoons". Note how the BBC article carefully starts counting at the 18th century.

        2. TheMeerkat Bronze badge

          Re: 1984

          You remember those French cartoonists killed?

          And everyone else too afraid to republish them?

          And no El Reg is not a subversive site - it toes the official propaganda line, like good old Pravda.

        3. Anonymous Coward
          Anonymous Coward

          Re: 1984

          "Yes, I've noticed the great firewall around the UK which blocks access to subversive websites [...]"

          The current Westminster government is intent on removing the established checks and balances that limit their grab for authoritarian powers. When this government fails to deliver the milk and honey promised to their supporters - then the same voters will offer a unapologetic tyrant unfettered power.

          Any open-ended provisions for use by the government need to be evaluated not against the scruples of the current politicians - but how those powers could be abused in the future.

    2. Anonymous Coward
      Anonymous Coward

      Re: 1984

      China

      Australia

      America

      UK

      ..

      They all want to monitor communications and limit Internet activity.

      1. Anonymous Coward
        Anonymous Coward

        Re: 1984

        You forgot Russia on that headline list. Yes, there may be other countries wanting to do this but Russia definitely deserves a call-out on this post.

        1. Anonymous Coward
          Anonymous Coward

          Re: 1984

          In china its used for population management

          in Auzy land its to look like they have control

          in the US it's used for insider trading

          in the UK its used to look like they are trying.

    3. iron Silver badge

      Re: 1984

      Orwell may have gotten the date wrong, but the rest of the novel seems to be a fairly accurate description of where UK + USA are going (or maybe already there?).

      FTFY

  3. tip pc Silver badge

    I’m surprised China don’t just use a massive transparent proxy and just mim everything, permitting tls1.3 and everyone with nothing to hide being non the wiser.

    It’s probably the easiest closest comparison to what currently happens in the west.

    At least China are open about their snooping. Most people in the west don’t know they are being snooped on.

    1. Phil NZ

      How do you know what cert CN/subject alternate name to forge when SNI is encrypted? How do you get your client to not break the connection if they don’t trust your root cert?

      I hope TLS 1.3 is very widely adopted very quickly

      1. tip pc Silver badge

        "How do you know what cert CN/subject alternate name to forge when SNI is encrypted? How do you get your client to not break the connection if they don’t trust your root cert?"

        Not Disagreeing with you but ZScaler claim to have that sussed, i suspect their solution requires a trusted root installed on all hosts, but china could do that.

        https://www.zscaler.com/blogs/corporate/tls-13-busting-myths-and-debunking-fear-uncertainty-doubt

        "The Zscaler advantage

        Zscaler is a true inline SSL proxy. It terminates the SSL connection established by the client and establishes a new SSL connection to the server; from a client’s perspective, Zscaler becomes the server and from the original SSL server’s perspective, Zscaler becomes the client. Considering that Zscaler is not just inspecting the SSL traffic on the wire, but terminating the connections, Zscaler has full visibility to the CN (Common Name), and other certificate parameters typically not visible to a passive SSL inspection devices."

        1. Brian Morrison
          Boffin

          ZScaler mention that they will be releasing another blog about the effect of ESNI on their system.

          It will be interesting to see what they say.

      2. Jon 37

        The SNI is encrypted ... with a key that the client got from DNS. So all you have to do is MITM the DNS traffic to replace that key with one you know.

        Browsers do DNS-over-HTTPS to try to stop that, but they can't use ESNI for the connection to the DNS server (there's a chicken-and-egg problem), so you can intercept and forge that initial connection to the DNS server. (Assuming you have subverted a CA or have installed your own CA root certificate on all devices - but that's necessary for all TLS interception).

    2. Anonymous Coward
      Anonymous Coward

      Sorry? In the "west" our TLS traffic is already being intercepted on an industrial scale?

      Can you:

      a) explain just how that works

      b) explain why, if that's the case, our so-called Governments are still demanding protocol backdoors, in their ongoing denial of mathematics?

      1. Anonymous Coward
        Anonymous Coward

        a - traffic is routed via the US. Of course, that's always "accidental", but it happens. Especially the big ones use one and the same cert for TLS/SSL, so getting the private key to that communication is not hard.

        b - governments have been known to keep pretending they need something to hide the fact that they have access to technological advances. If you want any evidence of that, read what the UK let happen during WW II to prevent the Germans discovering that their Enigma encryption had been cracked. There's no reason to assume that has changed.

        1. Kabukiwookie Silver badge

          You're probably right.

          The only reason the US wouldn't do the same as China is if they can already capture your traffic at the end points.

          Remember that according to the Snowden revelations, Microsoft was one of the first ones to cooperate with US agencies. That started back in 2007 if I remember correctly.

          1. Anonymous Coward
            Anonymous Coward

            There's a reason they were instrumental in getting the Cloud Act established - I suspect that ensured legal cover for what they were doing all along.

      2. tip pc Silver badge

        “Sorry? In the "west" our TLS traffic is already being intercepted on an industrial scale?”

        That’s not what I wrote.........

        I wrote.....

        “ I’m surprised China don’t just use a massive transparent proxy and just mim everything, permitting tls1.3 and everyone with nothing to hide being non the wiser.”

        Anyway, some research links for you

        https://www.gov.uk/government/news/uk-to-introduce-world-first-online-safety-laws

        https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/504192/Operational_Case_for_the_Retention_of_Internet_Connection_Records_-_IP_Bill_introduction.pdf

        https://www.theverge.com/2016/11/23/13718768/uk-surveillance-laws-explained-investigatory-powers-bill

        Spot any similarities in my suggestion and my links?

        ...............

    3. rg287

      TLS1.3 isn't just about mathematically more secure ciphers or ESNI.

      TLS1.3 also mandates cipher suites with Forward Secrecy. This breaks MITM boxes because you can't just siphon off a data stream and decrypt it at will using your private/internal Certificate (as plenty of banks & corps do using a private Certificate Authority). Cipher Suites with Forward Secrecy generate a new - ephemeral - secret key for every session.

      Also, as noted - ESNI complicates the process of knowing what domain the user is requesting and presenting the user with an appropriate spoofed certificate.

      This is all by design, has created many headaches in corps with regulatory requirements to monitor everything going across their networks. It is telling that China have just thrown in the towel and banned it outright.

    4. LDS Silver badge

      China is not interested in snooping - it's interested in outright blocking anything it deems dangerous for the Party. They don't even need much snooping, they will just arrest you and "extract" all the information they need - just look at the recent arrests in Hong-Kong.

      Most people don't understand how worse the Chinese situation is.

      1. Hubert Cumberdale Silver badge
      2. Kabukiwookie Silver badge

        just look at the recent arrests in Hong-Kong

        I'd rather be treated like the protesters in Hongkong, where even the 'horrible actions' of the police there seem rather mild compared to what the police in the US does to peaceful protesters

  4. Ken Hagan Gold badge

    Own goal?

    So what happens if Windows Update decides to insist on using TLS 1.3 to grab patches? Is that every Windows box in China knocked off the updates bandeagon, with new exploits being revealed each month?

    1. Blazde

      Re: Own goal?

      That's a bit like asking what happens if Huawei insist all 5G equipment sold in the West has to be Great Firewall enabled. The own goal would be by Microsoft.

    2. Alister Silver badge

      Re: Own goal?

      I shouldn't worry about that for a while, Microsoft hasn't caught up with TLS 1.3 yet for their operating systems.

      1. keith_w Bronze badge

        Re: Own goal?

        yes it has.

        TLS/1.3 is supported in all versions of Chromium-based Edge (and will be supported on all platforms. The Chromium based Edge just went GA so this should be good to go. Chrome and Firefox and other chromium-based browsers support TLS 1.3.

        https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/

        1. Lee D Silver badge

          Re: Own goal?

          To my knowledge, Windows Update does not use a web browser to load its updates.

          It's the internal Windows crypto APIs connecting to a specific service - there's no way that they're using TLS1.3, or any installed web browser - especially ChromiEdge, which isn't on most machines - for that.

          It's not even BITS any more, it's some peer-to-peer-supporting thing.

          1. Ken Hagan Gold badge

            Re: Own goal?

            There's no technical reason to use *any* encryption, since the update files are signed, but that's not my point. MS *could* gratuitously use a transport that they know is blocked by some users with the intention of being awkward. They might even try to justify it on privacy grounds, since the updates that you query for, request and retrieve, give away information about your system.

            Why would they be awkward? Well, there is a Chinese version of pretty much every major western player in technology (search, tat bazaars, social media, ...). Sooner or later, there will be a Chinese "Windows-compatible" OS as well. (They must surely have the source code. It's just waiting for Winnie-the-Pooh to give it his sign-off.) Once that happens, there is no money for MS in China and they might as well close the door behind them.

            1. TheMeerkat Bronze badge

              Re: Own goal?

              They still use TLS.

            2. Anonymous Coward
              Anonymous Coward

              Re: Own goal?

              "Once that happens, there is no money for MS in China and they might as well close the door behind them."

              If MS buy the US arm of Tik Tok - then any business they already do in China becomes a hostage.

          2. TheMeerkat Bronze badge

            Re: Own goal?

            Windows still using TLS to encrypt its Windows update traffic.

        2. Alister Silver badge

          Re: Own goal?

          @keith_w

          Which bit of "operating systems." don't you understand?

          Yes I know the browsers support it. But the OS doesn't. Not even Server 2019.

    3. IGotOut Silver badge

      Re: Own goal?

      "Is that every Windows box in China knocked off the updates bandeagon, with new exploits being revealed each month?"

      Yes that would be brilliant, several million more bots on the net.

  5. Bronek Kozicki Silver badge
    Go

    Huh

    So, new censorship strategies circumvented by genetic algorithms - in other words, a very specific application of AI.

    That's probably first time I see AI being actually useful.

    1. Lee D Silver badge

      Re: Huh

      AI = brute force and cross your fingers for luck.

      All they did was fuzz the API until they hit some kind of success, that's all the AI can (ever) do.

    2. RM Myers Silver badge

      Re: Huh

      AI, well machine learning, has been used for many useful tasks, particularly where the underlying problem is simple pattern matching, or in this case, randomly generating potential solutions and then testing them. The problem is people trying to use it for complex tasks (e.g., autonomous driving) and the absolute blitz of BS concerning its capabilities.

  6. Anonymous Coward
    Anonymous Coward

    Anyone in China found with Geneva on their PC

    Would go straight to jail.

    Presumably in the same category as Tor software.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020