China blocks all encrypted sites

China is considered one of the countries with the strictest Internet restrictions in the world. In fact, anyone who has been there on a trip will have noticed how difficult it is to connect to certain services and platforms. Everything related to Google or Facebook is inaccessible without a VPN. Today we echo a news item reporting that they are now implementing a block against all HTTPS-encrypted sites that use TLS 1.3 and ESNI. China is blocking all such encrypted sites from the rest of the world.

China blocks sites with better encryption

We can say that China is starting to block all the sites that have better encryption, meaning those that use TLS 1.3 and ESNI. Keep in mind that the Great Firewall is nothing new, but it has been updated over the years.

This change was implemented a few weeks ago, at the end of July. Now they block any web page that is served over HTTPS and uses TLS 1.3 with ESNI, that is, those that use modern protocols to avoid leaking information.

What we have described has been confirmed by three organizations dedicated to analyzing Chinese censorship: iYouPort, the University of Maryland and the Great Firewall Report.

As we can see, with this new update the Great Firewall only targets HTTPS websites that use TLS 1.3 and ESNI. This means that sites that use older protocol versions, such as TLS 1.2 and 1.1, will not be blocked.

For HTTPS connections established with these older protocol versions, Chinese censors can already tell which domain a user is trying to connect to. They do this by reading the SNI field, which is sent in plain text in the early stages of an HTTPS connection.

HTTPS with TLS 1.3 can hide the SNI field

China has blocked encrypted sites that use TLS 1.3 with ESNI. An HTTPS website using TLS 1.3 can hide the SNI field through ESNI. This logically makes browsing more private, since outside observers cannot know which website we are connecting to. That makes it harder to control in a country where Internet censorship is present.
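To make the difference between the two paragraphs above concrete, here is an added example (not code from the original article or from the organizations it cites) that parses the first TLS record of a connection the way a passive observer on the path would: it extracts the plaintext SNI extension if present, lists the offered protocol versions, and reports whether the draft ESNI extension (assumed here to use the draft codepoint 0xffce) is present instead. The two ClientHello messages it inspects are constructed inline for the example; the builder, the zeroed random field and the single cipher suite are simplifications for illustration, not real captured traffic.

```python
import struct

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002b
EXT_ENCRYPTED_SERVER_NAME = 0xffce  # draft-ietf-tls-esni codepoint (assumption for this example)


def build_client_hello(sni=None, esni_blob=None, versions=(0x0303,)):
    """Build a minimal TLS record carrying a ClientHello (constructed sample input)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
        body = struct.pack("!H", len(entry)) + entry                # ServerNameList length
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body
    ver_list = b"".join(struct.pack("!H", v) for v in versions)
    body = bytes([len(ver_list)]) + ver_list
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    if esni_blob is not None:
        # Opaque encrypted payload; a real client would put the encrypted name here.
        exts += struct.pack("!HH", EXT_ENCRYPTED_SERVER_NAME, len(esni_blob)) + esni_blob
    hello = (
        b"\x03\x03"              # legacy_version
        + bytes(32)              # random (all zeros; constructed)
        + b"\x00"                # legacy_session_id length
        + b"\x00\x02\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record):
    """Return what an on-path observer can read from a ClientHello without any keys."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + body[pos]                           # skip compression methods

    result = {"sni": None, "esni": False, "versions": []}
    if pos + 2 > len(body):
        return result                              # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: 2-byte length, then entries of name_type(1) + length(2) + name
            lpos = 2
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + nlen]
                if ntype == 0:
                    result["sni"] = name.decode("ascii")
                lpos += 3 + nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            result["versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                  for i in range(0, n, 2)]
        elif etype == EXT_ENCRYPTED_SERVER_NAME:
            result["esni"] = True
    return result


def visible_hostname(record):
    """The destination name a middlebox can read from this record, or None if hidden."""
    return inspect_client_hello(record)["sni"]


if __name__ == "__main__":
    plain = build_client_hello(sni="example.com", versions=(0x0303,))
    hidden = build_client_hello(esni_blob=bytes(16), versions=(0x0304, 0x0303))
    print("TLS 1.2-style ClientHello:", inspect_client_hello(plain))
    print("TLS 1.3 + ESNI ClientHello:", inspect_client_hello(hidden))
```

Running it shows the asymmetry the article describes: the first ClientHello reveals `example.com` to anyone between the client and the server, while the second exposes only that TLS 1.3 is offered and that an ESNI extension is present, which is exactly the signal a filter can key on to drop the connection without learning the name. A site operator can run this kind of check on a capture of their own handshakes to confirm whether the hostname is leaking in the clear.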

In addition to blocking traffic to HTTPS websites encrypted with TLS 1.3 and ESNI, the report also indicates that the Great Firewall temporarily blocks the IP addresses involved for an interval of 2 or 3 minutes.

The three organizations behind this report indicate that, at the moment, there are six ways to get around this new block on the client side and four on the server side. However, it is to be expected that future updates of the Great Firewall will improve its techniques and make this censorship harder to avoid.

In short, according to this report that we have been echoing for a few days, it is now more difficult to browse certain websites from China. The objective, once again, is to filter Internet traffic in the country, and this time it is the turn of sites encrypted with modern techniques.
