
China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI

blackout19

The Chinese government has deployed an update to its national censorship tool, known as the Great Firewall (GFW), to block encrypted HTTPS connections that are being set up using modern, interception-proof protocols and technologies.

 

The ban has been in place for at least a week, since the end of July.

 

Sources

 https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/


So in summary, since they can't verify which domain someone is trying to access, they block the entire connection.

Since non-ESNI connections contain some plaintext info about which domain the connection is made to, they can verify that the domain is on their approved list and the connection (might) be allowed.

 

I wonder how they will handle it if sites start dropping support for the older, less encrypted, standards. Will they just require websites allowed from inside China to stick with the old protocols? Will they MITM all encrypted connections? That would be a massive security risk.

With a bit of luck, the Great Firewall of China might be starting to fail. But my guess is that the Chinese government will resort to very radical changes and legislation to keep the wall from falling.

 

You can't just give people access to uncensored and unfiltered knowledge, right!? That would be a disaster!

(sarcasm)

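The plaintext the post refers to is the server_name (SNI) extension in the TLS ClientHello, which TLS 1.3 still sends in the clear unless ESNI is used; a middlebox that only sees that one field has exactly the choice the article describes. The following is an added example, not code from the article or from anyone in this thread: it hand-builds two minimal ClientHello records, one carrying a plaintext SNI and one carrying an opaque ESNI extension, pulls the SNI out the way a filter would, and applies a hypothetical policy modelled on the blocking behaviour the article reports. The ESNI extension code point 0xffce (from the ESNI drafts), the hostnames, the blocklist and the `censor_decision` policy are assumptions for illustration, and the ESNI payload is constructed filler rather than a real encrypted name.

```python
"""Added example: what a middlebox can read from a TLS 1.3 ClientHello with a
plaintext SNI versus one that carries ESNI.  Hand-built messages, no network I/O."""
from __future__ import annotations

import struct
from typing import Dict, List, Optional, Set, Tuple

EXT_SERVER_NAME = 0x0000  # server_name extension (RFC 6066)
EXT_ESNI = 0xFFCE         # encrypted_server_name code point used by the ESNI drafts (assumption)


def sni_extension(hostname: str) -> Tuple[int, bytes]:
    """server_name extension body: a ServerNameList with one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    return EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry


def esni_extension(ciphertext: bytes) -> Tuple[int, bytes]:
    """Stand-in for an ESNI extension.  Only the fact that the name is opaque
    matters here; the real structure (suite, key share, record digest) is omitted."""
    return EXT_ESNI, struct.pack("!H", len(ciphertext)) + ciphertext


def build_client_hello(extensions: List[Tuple[int, bytes]]) -> bytes:
    """One TLS record holding a ClientHello that carries the given extensions."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                 # legacy_version
        + bytes(32)                 # random (constructed, all zero)
        + b"\x00"                   # empty legacy_session_id
        + b"\x00\x02\x13\x01"       # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # compression methods: null only
        + struct.pack("!H", len(ext_blob)) + ext_blob
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_extensions(record: bytes) -> Dict[int, bytes]:
    """Walk record -> handshake -> ClientHello and return {extension_type: data}."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                      # skip legacy_version and random
    pos += 1 + body[pos]              # legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                 # cipher_suites
    pos += 1 + body[pos]              # compression methods
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    exts: Dict[int, bytes] = {}
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts


def extract_sni(record: bytes) -> Optional[str]:
    """The plaintext host_name from the server_name extension, or None."""
    data = parse_extensions(record).get(EXT_SERVER_NAME)
    if data is None:
        return None
    (list_len,) = struct.unpack("!H", data[:2])
    pos = 2
    while pos < 2 + list_len:
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        pos += 3
        if name_type == 0:
            return data[pos:pos + name_len].decode("ascii")
        pos += name_len
    return None


def censor_decision(record: bytes, blocked_domains: Set[str]) -> str:
    """Hypothetical filter modelled on the behaviour the article describes:
    decide on the plaintext SNI when there is one, drop the flow outright when
    the name is hidden by ESNI, and leave SNI-less hellos (e.g. to a bare IP) alone."""
    host = extract_sni(record)
    if host is not None:
        return "block:domain" if host in blocked_domains else "allow"
    if EXT_ESNI in parse_extensions(record):
        return "block:esni"
    return "allow"


if __name__ == "__main__":
    blocked = {"blocked.example"}  # constructed blocklist
    plain = build_client_hello([sni_extension("blocked.example")])
    hidden = build_client_hello([esni_extension(bytes(range(48)))])  # constructed opaque bytes
    print(extract_sni(plain), censor_decision(plain, blocked))
    print(extract_sni(hidden), censor_decision(hidden, blocked))
```

The point the parser makes concrete is that the filter never needs to break the encryption: with plaintext SNI it gets the hostname from the first packet of the handshake, and with ESNI the only name-like field is opaque, so the cheapest policy is to refuse the whole connection rather than let an unknown destination through.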

2 minutes ago, LAwLz said:

So in summary, since they can't verify which domain someone is trying to access, they block the entire connection.

Since non-ESNI connections contain some plaintext info about which domain the connection is made to, they can verify that the domain is on their approved list and the connection (might) be allowed.

 

I wonder how they will handle it if sites start dropping support for the older, less encrypted, standards. Will they just require websites allowed from inside China to stick with the old protocols? Will they MITM all encrypted connections? That would be a massive security risk.

With a bit of luck, the Great Firewall of China might be starting to fail. But my guess is that the Chinese government will resort to very radical changes and legislation to keep the wall from falling.

 

You can't just give people access to uncensored and unfiltered knowledge, right!? That would be a disaster!

(sarcasm)

I find myself wondering how they will deal with a global wifi network. That's going to happen sooner or later.

 

That's honestly something I think our governments should absolutely be funding.


3 minutes ago, Trik'Stari said:

I find myself wondering how they will deal with a global wifi network. That's going to happen sooner or later.

 

That's honestly something I think our governments should absolutely be funding.

You mean satellite powered connections?

I think the most heavy-handed but effective method would be to make it illegal to sell or possess devices that can connect to those networks.


11 minutes ago, LAwLz said:

I wonder how they will handle it if sites start dropping support for the older, less encrypted

Doubt that will happen any time soon, since enterprise firewalls currently use DNS/domain and URL filtering, so if all that information is non-readable during the connection attempt, all that stops. HTTPS inspection isn't that favorable because of the performance overhead and potential issues and compatibility problems.

 

Will need a way to enable session hints by policy or something so these things can stay working for those that want it; otherwise it's off by default. Not sure, it'll be solved, that I'm certain of, just not sure how/when.


8 minutes ago, Trik'Stari said:

I find myself wondering how they will deal with a global wifi network.

"Hi Elon, nice satellites you got there, would be a damn shame if someone shot them down"

*Presses red button*


Just now, leadeater said:

Doubt that will happen any time soon since enterprise firewalls currently use DNS/Domain and URL filtering so if all that information is non readable during connection attempt all that stops. HTTPS inspection isn't that favorable because of the performance overhead and potential issues and compatibility problems.

 

Will need a way to enable session hints by policy or something so these things can stay working for those that want it; otherwise it's off by default. Not sure, it'll be solved, that I'm certain of, just not sure how/when.

I don't think URL filtering will last in the long run. You can achieve the same results by having managed devices (which enterprise should use) talk to the DNS, which in turn talks to the firewall. Or just do blocking on the DNS level.


31 minutes ago, LAwLz said:

I don't think URL filtering will last in the long run. You can achieve the same results by having managed devices (which enterprise should use) talk to the DNS, which in turn talks to the firewall. Or just do blocking on the DNS level.

Well, no, you can't actually; you can get close but not the same.

 

DNS blocking is flawed and has too many problems and isn't flexible enough. If you think about how websites and web servers are configured you'll start to realize the pitfalls there. DNS blocking doesn't work when multiple domains resolve to the same IP as the blocking is based on IP returned.

 

DNS filtering works in the general sense but cannot handle blocking example.org/donations but then not block example.org/information or any other URL for example.org.

 

And then you have the issue of DNS over HTTPS etc, bypassing client/system configured DNS setting is trivial and some applications don't even use those at all.

 

Edit:

If all session information becomes encrypted and unreadable you will push enterprises down the HTTPS inspection path and that is worse for security. We've been on the fence for a long time about whether to do it or not and the reason we don't is because we are not feature or function limited without it.


23 minutes ago, leadeater said:

Well no you can't actually, you can get close but not the same.

 

DNS blocking is flawed and has too many problems and isn't flexible enough. If you think about how websites and web servers are configured you'll start to realize the pitfalls there. DNS filtering doesn't work when multiple domains resolve to the same IP as the blocking is based on IP returned.

 

DNS filtering works in the general sense but cannot handle blocking example.org/donations but then not block example.org/information or any other URL for example.org.

 

And then you have the issue of DNS over HTTPS etc, bypassing client/system configured DNS setting is trivial and some applications don't even use those at all.

I am not sure why you are trying to lecture me on this. As you have probably heard me say before, I am a networking consultant. I know how DNS works. Here is a post from last year where I talked about the same stuff you are talking about now (DNS only looks at the domain for example and not the path).

 

 

Reread what I said in my post and I think it will make sense to you. I said the firewall and DNS communicate with each other, and the device has to be managed so that settings can be enforced.

 

 

 

23 minutes ago, leadeater said:

If all session information becomes encrypted and unreadable you will push enterprises down the HTTPS inspection path and that is worse for security. We've been on the fence for a long time about whether to do it or not and the reason we don't is because we are not feature or function limited without it.

Well you better get used to it, because we are quickly moving towards everything being encrypted. No point in trying to fight it. Talk to some security vendor like Cisco and they will tell you that the future of enterprise security is not to fight encryption, or do bulk decryption. It will be through techniques like those employed by Stealthwatch (encrypted traffic analytics), Umbrella (DNS-layer security as well as some other stuff) and on-device policy enforcement.

 

If you have an enterprise network and don't do some kind of device management, and instead try and rely on some URL filter in the firewall then you're doing it all wrong.

 

 

Talk to some vendor like Cisco and they will all tell you the same thing. More and more things will become encrypted, and rather than fight the inevitable like a Luddite, you have to work around and come up with solutions to new problems.

At least if you're talking about enterprise networks, which seems to be your POV in this thread.


Just now, LAwLz said:

I am not sure why you are trying to lecture me on this. As you have probably heard me say before, I am a networking consultant. I know how DNS works. Here is a post from last year where I talked about the same stuff you are talking about now (DNS only looks at the domain for example and not the path).

 

 

Reread what I said in my post and I think it will make sense to you. I said the firewall and DNS communicate with each other, and the device has to be managed so that settings can be enforced.

Yes, but you said the same. Like I said, you can get close but not the same. If you want the same you need URL filtering, not DNS. No DNS filtering of any kind currently can do URL filtering.


13 minutes ago, LAwLz said:

If you have an enterprise network and don't do some kind of device management, and instead try and rely on some URL filter in the firewall then you're doing it all wrong.

So then literally everyone is doing it wrong and you are right? There aren't working solutions to these problems yet. Obviously we have managed devices, who doesn't, but you don't get what you think you get doing that. Not without pushing out firewall agent software or heavy-handed control software that is typically used in schools on computer labs so you can give teachers control of computers in the labs.

 

Client agent based internet filtering is a giant pain, with nobody offering anything currently that is stable and reliable enough to replace current firewalls; any problems with that agent on the device and you'll have either no internet at all or no network at all, which would be a heavy increase of service desk calls and desktop support.

 

You should know I have an extensive background in desktop management and also server management. How and what exact enterprise do you think exists that doesn't have device management? It's just not what you think it is.

 

Edit:


Even Umbrella does it the same way I talked about and will have the same problem.


23 minutes ago, leadeater said:

-snip-

I think we need to clear some things up. Let's start with the basics.

What exactly do you want to achieve by doing URL filtering in your firewall and in what way does encryption prevent you from doing so?


38 minutes ago, LAwLz said:

I am a networking consultant.

Could you share how you became a networking consultant (I'm interested in information security, system administration, systems engineering, network administration....)?


14 minutes ago, LAwLz said:

I think we need to clear some things up. Let's start with the basics.

What exactly do you want to achieve by doing URL filtering in your firewall and in what way does encryption prevent you from doing so?

I already told you what: URL filtering, which is used and is needed by a lot of people, and DNS filtering of any kind is not equivalent. Even your reference Umbrella Secure Web Gateway acts and functions like every other firewall and security device on the market, because why wouldn't it, and their DNS layer security is not a replacement of that feature.

 

Umbrella Secure Web Gateway will have the same problem with TLS1.3+ESNI and DNS over TLS/HTTPS as everyone else will, and will, if it doesn't currently, resort to interception and inspection of HTTPS.

 

The basics are simple: if you aren't filtering at the device end, which almost nobody does, and are doing it over the network, then no vendor can do anything different or extra to anyone else if you cannot read connection information like the URL, if you need URL filtering. If you don't need URL filtering then you don't have a problem.

 

That's why I commented on the question you posed in your original comment. No I don't think that will happen soon because people do utilize URL filtering and DNS anything currently is not a replacement for it.

 

Edit:


URL filtering is a big sticking point for a lot of people.

 


8 minutes ago, MyName13 said:

Could you share how you became a networking consultant (I'm interested in information security, system administration, systems engineering, network administration....)?

Went to uni and studied computer communication. Got a degree. Saw that a consulting firm was looking for people with networking knowledge. Applied for the job. Went to the interview and got the job.

 

 

7 minutes ago, leadeater said:

I already told you what, URL filtering which is used and is needed by a lot of people and DNS filtering of any kind is not equivalent. Even your reference Umbrella Secure Web Gateway acts and functions like every other firewall and security device on the market, because why wouldn't it, and their DNS layer security is not a replacement of that feature.

Gonna need to be a bit more precise when you describe what you want and need.

When you say URL do you mean the path as well, or just the domain?

What kind of filtering and for what purpose? Do you want to prevent malware or do you just want to prevent people from, for example, visiting porn sites?


15 minutes ago, LAwLz said:

Gonna need to be a bit more precise when you describe what you want and need.

When you say URL do you mean the path as well, or just the domain?

Was the example.org/donation vs example.org/information or any other URL for example.org I gave not clear enough? You should probably read that edit I just added on the last post. Umbrella's got a lot of specific URL filtering and logging features so isn't some kind of future replacement like you said it is and caters to the people that need and want those features.

 

I know I didn't mention it before, but if you can't do URL filtering then you can't do URL logging, and that's actually rather important for auditing and security purposes. Example of that would be the person who was accessing and posting on neo-nazi websites (think it's now ok to mention that, that's all I'll talk about that one).

 

A more practical example to the question was in the past when I had to allow access to Facebook but block Facebook chat, URL filtering was required for that. At the time Facebook hadn't moved that over to the messenger.com domain.

 

If I say I need URL filtering then I need URL filtering, not DNS.

 

You should be more careful about buying in to vendor marketing, because what they say and what it is may not quite live up to that marketing, or actually be any different to competing vendors who are all vying for the same customers and due to necessity offer the same features as each other, even if one gets it first.


1 hour ago, leadeater said:

Was the example.org/donation vs example.org/information or any other URL for example.org I gave not clear enough? You should probably read that edit I just added on the last post. Umbrella's got a lot of specific URL filtering and logging features so isn't some kind of future replacement like you said it is and caters to the people that need and want those features.

So if I understand you correctly, you want to block certain websites based on stuff like "it has the word donation" in the URL. Correct?

So you want example.com/donation blocked but not example.com/contact-us? Yeah, that will be an issue with HTTPS. But instead of trying to fight the inevitable you should focus on working around it and finding solutions.

 

I don't even think FTD supports URL filtering in that way because it is rare and kind of unnecessary to do.


Other vendors support it though, like Fortigate. Not sure which vendor you use at your job, but be prepared to rework your security methodology in the near future, because the way you do it now will be outdated and broken.

 

I don't think any of my clients do filtering that way. The ones that do filtering do it through DNS, web proxy and/or an agent running on machines. Not through some hand-written list of domains or words that should be blocked in the firewall.

 

 

1 hour ago, leadeater said:

Umbrella's got a lot of specific URL filtering and logging features so isn't some kind of future replacement like you said it is and caters to the people that need and want those features.

Not sure what you mean with this. I never said Umbrella was a be-all and end-all solution to all your problems. I mentioned it because Umbrella is a pretty good security solution which includes things like DNS based protection. Worth noting that some of the Umbrella features specified there rely on Cisco AMP, which is a client-based

Also, in case you are getting a bit confused, Cisco Umbrella is not a firewall (although the "Secure Internet Gateway" is part of Umbrella). So when it says in the marketing material "URL filtering" it's not "with this firewall you can do URL filtering!". It means "at least one of our products can do this".

 

For example you can do URL filtering without the Secure Internet Gateway, if you get the Umbrella proxy and AMP. That way you can get URL filtering with the path included, without the traffic even needing to touch a firewall, and it can work even if the traffic is encrypted! Amazing, right?

 

 

 

1 hour ago, leadeater said:

If I say I need URL filtering then I need URL filtering, not DNS.

The reason why I asked you several times what you meant was because "URL filtering" is not a well defined thing. URL filtering might be "I want to block domains", or it might be "I want to block certain paths". I wanted you to elaborate on what you meant because as I mentioned earlier, Cisco's FTD url filter for example can handle domains, sub domains, TLD and I believe it can do certs as well (filtering based on what cert the domain presents), but it can not do paths. So I wanted you to clarify if you needed filtering based on paths or domains.

 

 

1 hour ago, leadeater said:

You should be more careful about buying in to vendor marketing because what they say and what it is can not quite be or live up to that marketing, or actually be any different to competing vendors who are all vying for the same customers and due to necessity offer the same features as each other, even if one gets it first.

Of course. But my point is that when pretty much all security vendors all say the same thing, that encrypted traffic is already the majority and it will just keep being bigger and we need to change the way we approach network security, then I think it is foolish to just go "baww this new technology breaks how I have traditionally done things so I dislike it!", which is the impression I get from you in this thread.

Sorry but the Internet is going dark. You either adapt and learn how to live and deal with encrypted web traffic, or you need to get a new job. Because it won't stop just because you want traffic to be in clear text.

 

Want to block all URLs with a specific word in them, even if it's in the path? Then get a proxy, or something end-point based. Or some other way of getting around the fact that you will not be able to see the content of the IP packets in-transit. You don't really have a choice.


8 minutes ago, LAwLz said:

Other vendors support it though, like Fortigate. Not sure which vendor you use at your job, but be prepared to rework your security methodology in the near future, because the way you do it now will be outdated and broken.

Fortigate.

 

Well, it won't be broken either; it'll just force people to start breaking HTTPS altogether, which is worse. I do think you agree with that, that it is worse?

 

Honestly I have no intention of really debating this at all or starting said argument; my first post explains why I don't think it'll happen soon, and for the reasons I gave. Those requirements are not going away just because there are efforts to increase security and encryption, which is not a bad thing, but there can be unintended outcomes from that that need solutions that don't yet exist, which I said will exist at some point, but they don't right now.

 

8 minutes ago, LAwLz said:

Also, in case you are getting a bit confused, Cisco Umbrella is not a firewall (although the "Secure Internet Gateway" is part of Umbrella). So when it says in the marketing material "URL filtering" it's not "with this firewall you can do URL filtering!". It means "at least one of our products can do this".

No, I wasn't confused. You proposed it as a solution or alternative new way of being able to do or replace URL filtering, and it's not. It has the exact same DNS filtering and blocking capabilities as Fortigate does, and a worse old-style proxy based URL filtering method rather than modern flow based transparent URL filtering, which won't work with TLS1.3+ESNI. So you're correct that this is a dead end currently, but that does not mean the need goes away, and that is the problem.


17 minutes ago, LAwLz said:

Because it won't stop just because you want traffic to be in clear text.

We don't want or need traffic to be clear text, we need some of the meta data only. That is all that is required to get URL filtering working as it is right now. We do not break HTTPS, we cannot see any content on HTTPS pages but we can URL filter HTTPS websites.

 

Edit:

The adaptation you talk about is the fundamental breaking of the entire thing by way of HTTPS inspection; that's how enterprises will adapt to the change without an alternative solution on offer. It's not a matter of sticking my head in the sand, that's the reality, and it would be a good idea to not do the same.


2 minutes ago, leadeater said:

Well it won't be broken either it'll just force people to start breaking HTTPS altogether which is worse, I do think you agree with that, that it is worse?

I agree that breaking HTTPS is a very bad idea. I don't agree that you need to break HTTPS to do URL filtering, nor do I agree that you need to break HTTPS to have security (IF that is something you have implied).

 

 

4 minutes ago, leadeater said:

No I wasn't confused, you proposed it as a solution or alternative new way of being able to do or replace URL filtering and it's not.

That was not my intention. My intention was to mention a few new security products that tackle things in other ways without having to break encryption. I mentioned Umbrella and Stealthwatch not because I thought "these products will do whatever you want or need!" but because those are examples of such products that increase security while leaving encryption alone. They are designed around the idea that the web is going dark so we can't assume we know what traffic is on the network.


2 minutes ago, LAwLz said:

I agree that breaking HTTPS is a very bad idea. I don't agree that you need to break HTTPS to do URL filtering, nor do I agree that you need to break HTTPS to have security (IF that is something you have implied).

Then how do you do URL filtering on TLS1.3+ESNI? Umbrella Proxy and AMP will not be able to do it like you say it can. With TLS1.3+ESNI all the proxy is going to see is a TLS data stream with only a source and destination IP for the connection attempt, so where is it getting the URL information from?


There's all sorts of routing issues while inside the mainland. Rumor has it that China is moving to a paradigm of white-listing IPs / CIDR rather than reactive censoring; as an international business, you will (at some point) petition to be on the approval list.

 

 


7 minutes ago, StDragon said:

There's all sorts of routing issues while inside the mainland. Rumor has it, that China is moving to a paradigm of white-listing IPs / CIDR. Rather then reactive censoring, as an international business, you will (at some point) petition to be on the approval list.

Yep, can confirm we've had many problems with Chinese students in China getting reliable access to our services in NZ. I'll grab what I posted on Linus's profile when he was talking about it on the WAN Show. China's internet is just not as "centrally managed" as people think, at least not from what we've encountered.

 

Quote

I feel your pain though, we've got Chinese students that study remotely from China as well as ones that come over to NZ. One of the biggest problems is ensuring good service quality and providing support along with investigating issues. What we used to do was get staff members or partner organizations who were over in China to do tests for us, but one problem we hit is that the Chinese firewall and the internet within China isn't actually the same across the regions, so you'll get slow performance for students living in one area but it'll be fine for others, or blocked one day then not blocked another. There never seemed to be any real central management or reasoning to anything.

 

What we ended up doing was applying for a special VPN service that has an entry point located in China with a dedicated Site-to-Site VPN link to a Hong Kong datacenter and then a Site-to-Site VPN back to our datacenters in NZ. That actually solved all our problems and now students studying in China get the same experience as any other student from other countries. Have to tell you though the application process is long and complex with very strict rules around what you are allowed to let through that connection.

 

Basically there is no quick easy way for general people to be able to test services from within China, and that is exactly how they want it. It can be quicker and easier to just fly there.

 


3 hours ago, LAwLz said:

You mean satellite powered connections?

I think the most heavy-handed but effective method would be to make it illegal to sell or possess devices that can connect to those networks.

Considering China and Taiwan would be producing at least half of those devices I'm not sure that's a great business move for China. I have friends from China and almost all the young people in the urban areas know about the extent of the censorship and how to circumvent it. Especially if China never updates their shit and it's just a bunch of old farts trying to prevent their population from seeing a patch of blood or a black person in a movie I can't see their great firewall lasting more than a decade.
