China is now blocking all encrypted HTTPS traffic using TLS 1.3 and ESNI (zdnet.com)
Posted 5 years ago by vayne. 7 comments.

1MachineElf, 5 years ago:
Up until now, I thought "The Great Firewall" was limited to layer 2, layer 3, and just layer-7 DNS controls.
The capability described in this article sounds more like a full layer-7 MITM.
That's terrifying. Is any HTTPS secure within mainland China's networks?
Or am I misunderstanding, and it's just the government websites that are blocking incoming TLS 1.3 connections?

dylz, 5 years ago:
GFW has been all layer for a long time, including actively re-probing and connecting back to a server from random (really, virtually any CN IP space).
HTTPS is somewhat secure, but subject to MITM. Most Chinese forks of browsers ignore certificate errors and allow everything through.

unicodepepper, 5 years ago:
Would I be safe from this type of MITM attack if my browser respects SSL warnings? (and I don't bypass them)

Legogris, 5 years ago:
Some further explanation here: https://geneva.cs.umd.edu/posts/china-censors-esni/esni/
Looks like it's L4?

msmith, 5 years ago:
That link was fascinating to me. For as long as I remember, there have been tools to evade network intrusion detection systems and stateful firewalls, but I never thought about how the same techniques can be used to evade censorship.

aaomidi, 5 years ago:
This is our fault for taking so long with ESNI.
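The thread goes back and forth on whether the blocking is a layer-7 MITM or something lower. The script below is an added example, not code from the thread or from the linked Geneva post: it constructs two sample TLS 1.3 ClientHellos and parses them the way a passive middlebox can without touching the TLS session. With plain SNI the hostname is readable in cleartext; with the draft ESNI extension only the extension's presence is visible, which is exactly the kind of signal a filter can key on. The ESNI code point 0xffce is assumed from the draft, and the records are constructed, not captured.

```python
"""Show what a passive middlebox can read from a TLS 1.3 ClientHello: the
plaintext SNI hostname, or merely the presence of a draft ESNI extension."""
import struct

EXT_SERVER_NAME = 0x0000
EXT_ESNI = 0xFFCE  # draft-ietf-tls-esni "encrypted_server_name" code point (assumed)

def sni_extension(hostname: str) -> bytes:
    """Build a server_name extension body with one host_name entry."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name  # name_type 0 = host_name
    return struct.pack("!H", len(entry)) + entry

def build_client_hello(extensions: list) -> bytes:
    """Constructed sample ClientHello record: fixed random, no session id,
    one cipher suite, plus the given (type, body) extensions."""
    ext_block = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (
        b"\x03\x03" + b"\x11" * 32           # legacy_version, client random
        + b"\x00"                             # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"  # TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # null compression
        + struct.pack("!H", len(ext_block)) + ext_block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify_client_hello(record: bytes) -> dict:
    """Walk the extension list and report what is visible on the wire."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                        # headers, version, random
    pos += 1 + record[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    result = {"sni": None, "esni": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        if etype == EXT_SERVER_NAME:                        # hostname in cleartext
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == EXT_ESNI:                             # only presence is visible
            result["esni"] = True
        pos += 4 + elen
    return result
```

Feed a real ClientHello captured at your own perimeter to classify_client_hello to see which of your clients still leak the hostname in cleartext.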