
China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI

blackout19

@blackout19

This thread has been moved to General Discussion as it does not meet the requirements of Tech News subforum. Please edit the topic and report this reply when you are done. Requirements can be found here:

 

You are missing the quote and personal input. To be brutally honest, you just copy-pasted the first paragraph and the first sentence of the 2nd. F- if you were in my school.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv


12 minutes ago, Joseph K said:

Considering China and Taiwan would be producing at least half of those devices I'm not sure that's a great business move for China.

If Beijing has to make a choice between state cohesion (in other words: nothing short of the continued existence of the CCP) and integrating with the rest of the world... they will choose the former every single time. The general population is, in their political calculus, expendable (a reminder that China has an excess male population they will need to "solve" sooner or later).

Quote

I have friends from China and almost all the young people in the urban areas know about the extent of the censorship and how to circumvent it. Especially if China never updates their shit and it's just a bunch of old farts trying to prevent their population from seeing a patch of blood or a black person in a movie I can't see their great firewall lasting more than a decade.

There are a limited number of physical connections (e.g. undersea cables) connecting each major geographic region with the rest of the larger network. They can be cut (or as currently, sat on and extensively monitored). The only question remaining is whether countries such as China or Russia will act to cut them first on their end.


Just now, thorhammerz said:

If Beijing has to make a choice between state cohesion (in other words: nothing short of the continued existence of the CCP) and integrating with the rest of the world... they will choose the former every single time. The general population is, in their political calculus, expendable (a reminder that China has an excess male population they will need to "solve" sooner or later).

There are a limited number of physical connections (e.g. undersea cables) connecting major countries with the rest of what we call the World Wide Web. They can be cut. The only question remaining is whether countries such as China or Russia will act to cut them first on their end.

China will never cut their connection to other countries. China is the biggest exporter on the planet. If they were to bar themselves from international trade, it would be Mao all over again. Mass starvation without any of the benefits of growing an industry. Plus, you can imagine since the floodgates have been opened and most young people have been brought up on the internet, it wouldn't be like North Korea, people would be upset enough to do something.


23 minutes ago, leadeater said:

Then how do you do URL filtering on TLS1.3+ESNI? Umbrella Proxy and AMP will not be able to do it like you say it can. With TLS1.3+ESNI all the proxy is going to see is a TLS data stream with only a source and destination IP for the connection attempt, so where is it getting the URL information from?

Again, by URL do you mean the path as well? Because if you need to filter based on path then that will be far more challenging, but that's already a challenge for you even without ESNI and TLS 1.3. So how do you do it today?

TLS 1.3 and ESNI do not prevent your goal any more than plaintext SNI and weaker TLS encryption do.

 

As for filtering based on domains and such (which in my experience is waaaaay more common than filtering on certain paths), that will continue to work because you can extract things like domain names from the certificates and IPs.

 

Also, things like encrypted DNS or ESNI are not a problem if you yourself control the DNS, which you should do in an enterprise network. So for things like logging purposes (of domains) that will continue to work as well, even with ESNI.
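The "if you control the DNS" point above has a concrete mechanism behind it: an ESNI-capable client only encrypts the host name if it first obtained the server's ESNI key from DNS, and an enterprise resolver can simply refuse to hand that key over, so the client falls back to plaintext SNI and the existing domain logging keeps working. The following is an added example written for this page, not code from anyone in the thread or from any resolver product. It assumes the draft-ESNI convention of publishing keys as a TXT record at `_esni.<host>` and the later ECH convention of an `ech` SvcParam (key 5) inside an HTTPS record (type 65); the helper names (`filter_response`, `parse_answers`, `SAMPLE`) are mine, the sample response is constructed inline, and only the answer section is rewritten.

```python
"""Strip ESNI/ECH key material out of DNS answers at a resolver you control.

Added example, not from the thread. Assumes draft-ESNI keys live in a TXT record
at _esni.<host> and ECH keys in the "ech" SvcParam (key 5) of an HTTPS record.
"""
import struct

TYPE_A, TYPE_TXT, TYPE_HTTPS = 1, 16, 65
SVCPARAM_ECH = 5
ESNI_PREFIX = "_esni."

def _encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _read_name(msg, pos):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, after = [], None
    while True:
        ln = msg[pos]
        if ln & 0xC0 == 0xC0:                          # compression pointer
            after = pos + 2 if after is None else after
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if ln == 0:
            break
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels), (after if after is not None else pos)

def parse_answers(msg):
    """Return (answers_start, answers_end, [(name, rtype, rclass, ttl, rdata), ...])."""
    qd, an = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qd):
        _, pos = _read_name(msg, pos)
        pos += 4                                       # qtype + qclass
    start, rrs = pos, []
    for _ in range(an):
        name, pos = _read_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rrs.append((name, rtype, rclass, ttl, msg[pos:pos + rdlen]))
        pos += rdlen
    return start, pos, rrs

def _strip_ech_param(rdata):
    """Remove the ech SvcParam from HTTPS rdata; return (new_rdata, was_present)."""
    _, pos = _read_name(rdata, 2)                      # skip priority, then target name
    out, present = rdata[:pos], False
    while pos + 4 <= len(rdata):
        key, ln = struct.unpack("!HH", rdata[pos:pos + 4])
        chunk, pos = rdata[pos:pos + 4 + ln], pos + 4 + ln
        if key == SVCPARAM_ECH:
            present = True
        else:
            out += chunk
    return out, present

def filter_response(msg):
    """Return (rewritten_message, [(owner, what_was_removed), ...]).

    Question, authority and additional sections are copied verbatim, which is
    only safe when nothing there points into a dropped answer RR.
    """
    start, end, rrs = parse_answers(msg)
    kept, removed = [], []
    for name, rtype, rclass, ttl, rdata in rrs:
        if rtype == TYPE_TXT and name.startswith(ESNI_PREFIX):
            removed.append((name, "TXT"))              # whole draft-ESNI key record goes
            continue
        if rtype == TYPE_HTTPS:
            rdata, present = _strip_ech_param(rdata)
            if present:
                removed.append((name, "HTTPS ech"))   # record stays, only the key goes
        kept.append(_encode_name(name)
                    + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata)
    header = msg[:6] + struct.pack("!H", len(kept)) + msg[8:12]
    return header + msg[12:start] + b"".join(kept) + msg[end:], removed

# --- constructed sample response (no name compression), both key styles in one message ---
def build_response(qname, qtype, answers):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in answers:
        body += _encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body

def https_rdata(priority, target, params):
    out = struct.pack("!H", priority) + _encode_name(target)
    return out + b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)

SAMPLE = build_response("example.com", TYPE_HTTPS, [
    ("_esni.example.com", TYPE_TXT, b"\x1aconstructed-esnikeys-blob!"),
    ("example.com", TYPE_HTTPS, https_rdata(1, ".", [(1, b"\x02h2"), (SVCPARAM_ECH, b"\xaa" * 16)])),
    ("example.com", TYPE_A, bytes([192, 0, 2, 10])),
])

if __name__ == "__main__":
    cleaned, removed = filter_response(SAMPLE)
    print("removed:", removed)
    print("left:", [(n, t) for n, t, *_ in parse_answers(cleaned)[2]])
```

Run against `SAMPLE` this drops the `_esni.example.com` TXT record outright and returns the HTTPS record with its `ech` parameter cut out while the `alpn` parameter and the A record survive, so the client still connects but has nothing to encrypt the SNI with. The same hook is where you log the queried name, which is the logging the post says keeps working. A real deployment has to do this on the resolver the clients are actually forced to use (block outbound 53/853 and known DoH endpoints, or the client just fetches the key elsewhere), and it has to re-encode compressed names in every section rather than copy them verbatim as this example does.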


4 hours ago, PCGuy_5960 said:

"Hi Elon, nice satellites you got there, would be a damn shame if someone shot them down"

*Presses red button*

Knowing Elon, it'll be a drone swarm of the damn things and a few will just replace the shot down ones on their own. Which would be hilarious. 

 

4 hours ago, LAwLz said:

You mean satellite powered connections?

I think the most heavy-handed but effective method would be to make it illegal to sell or possess devices that can connect to those networks.

To my understanding, it's supposed to literally be a global wifi network. So that would mean outlawing all wifi devices.

 

Good luck with that. 

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


10 minutes ago, CarlBar said:

But i think your both taking stances based on business realities when politics are likely to be far more likely to be the final say factor.

Well, I mentioned it because URL filtering and logging is part of our security policy as it is, because it's not considered enough to simply know the domains people go to for auditing purposes. Those kinds of obsessive auditing requirements aren't that uncommon, and large organizations, who tend to have them, have a lot of say and sway on how things go. It's for similar reasons these places also keep getting data breaches so 🤷‍♂️. Old shit sticks around for a long time because the business demands it, so they get it.


Don't firewalls already have the ability to block DoH? Does that traffic still have a fixed (limited) number of destinations to fulfill the name resolution?

 

I get the concept of DNS over HTTPS (DoH), but I'm not well informed as to how the entire session terminates and paths out. But I would think there's a fixed amount of IPs and their ranges performing the DoH service back to the requesting client. Would seem trivial to have firewall rules to block the route back. Dropped packets trump all.


5 hours ago, wkdpaul said:

* thread cleaned *

 

Please stay on-topic and avoid political discussion.

What was wrong with my post? It was not political.

Grammar and spelling are not indicative of intelligence/knowledge. Not having the same opinion does not always mean lack of understanding.


6 hours ago, Trik'Stari said:

Knowing Elon, it'll be a drone swarm of the damn things and a few will just replace the shot down ones on their own. Which would be hilarious. 

 

To my understanding, it's supposed to literally be a global wifi network. So that would mean outlawing all wifi devices.

 

Good luck with that. 

Re: red button

Elon has already publicly brought up this possibility, and has said he is willing to comply and cooperate with whatever government structures are required. How this will be gone about I don't know. I suspect he's wanting to sell stuff in China, so it would be something on the order of a separate cordoned-off system that would have specific and specifically different hardware requirements to use.
 

 

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


15 minutes ago, Bombastinator said:

Re: red button

Elon has already publicly brought up this possibility, and has said he is willing to comply and cooperate with whatever government structures are required. How this will be gone about I don't know. I suspect he's wanting to sell stuff in China, so it would be something on the order of a separate cordoned-off system that would have specific and specifically different hardware requirements to use.
 

 

I have now lost respect for Elon Musk.

 

The better solution would be to deny the Chinese government access to this network, but allow its citizens to use it for non-governmental purposes.

 

Force them to adapt, rather than being forced to adapt to their..... backwardsness.


16 minutes ago, Trik'Stari said:

I have now lost respect for Elon Musk.

 

The better solution would be to deny the Chinese government access to this network, but allow its citizens to use it for non-governmental purposes.

 

Force them to adapt, rather than being forced to adapt to their..... backwardsness.

Hence the red button comment. He said it came up, but if that happened China would just shoot down his satellites, so all it would do is destroy the world network. Easier to just not put it up in the first place. Apparently due to their low orbit they're not just easy to shoot down, they're extremely easy to shoot down. With 1980s tech even.


23 minutes ago, Bombastinator said:

Hence the red button comment. He said it came up, but if that happened China would just shoot down his satellites, so all it would do is destroy the world network. Easier to just not put it up in the first place. Apparently due to their low orbit they're not just easy to shoot down, they're extremely easy to shoot down. With 1980s tech even.

Xi Jinping might want to 'read the room' on that one, since there are other countries over there that would probably like access to that network, and he doesn't make that decision for them. Also, China's been pushing enough figurative buttons as of late, they should chill out on the literal ones. 

My Current Setup:

AMD Ryzen 5900X

Kingston HyperX Fury 3200mhz 2x16GB

MSI B450 Gaming Plus

Cooler Master Hyper 212 Evo

EVGA RTX 3060 Ti XC

Samsung 970 EVO Plus 2TB

WD 5400RPM 2TB

EVGA G3 750W

Corsair Carbide 300R

Arctic Fans 140mm x4 120mm x 1

 


54 minutes ago, atxcyclist said:

Xi Jinping might want to 'read the room' on that one, since there are other countries over there that would probably like access to that network, and he doesn't make that decision for them. Also, China's been pushing enough figurative buttons as of late, they should chill out on the literal ones. 

The satellites are too low orbit to be geosynchronous.   Area doesn’t matter.


4 minutes ago, BlueScope819 said:

Yeah, but I don't think the Chinese would have the stones to destroy a global internet network. It's the same with GPS: they can, but they don't.

Go tell Elon that then. Lack of stones is not something China has shown lately. Look at the South China Sea island thing. Or the behavior regarding the trade war, or the treatment of its Muslim population. China has not shown a shortage of "stones" lately. Kinda the reverse, actually.


13 hours ago, LAwLz said:

So in summary, since they can't verify which domain someone is trying to access, they block the entire connection.

Since non-ESNI connections contain some plaintext info about which domain the connection is made to, they can verify that the domain is on their approved list and the connection (might) be allowed.

 

I wonder how they will handle it if sites start dropping support for the older, less encrypted, standards. Will they just require websites allowed from inside China to stick with the old protocols? Will they MITM all encrypted connections? That would be a massive security risk.

With a bit of luck, the great firewall of China might be starting to fail. But my guess is that the Chinese government will take to very radical changes and legislation to keep the wall from falling.

 

You can't just give people access to uncensored and unfiltered knowledge, right!? That would be a disaster!

(sarcasm)

This affects only Cloudflare right now... and anyone using Cloudflare. Eggs. Basket. Like this forum.
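Two posts in this thread describe the same mechanism from opposite ends: LAwLz's point that a filter can only act on the plaintext it actually sees (the SNI and the destination IP), and the summary quoted just above that an ESNI ClientHello gives the firewall no host name to check, so it drops the whole connection. Both come down to parsing the first TLS record of a flow. What follows is an added example written for this page, not code from any poster or from any firewall vendor. It assumes the draft-ESNI extension codepoint 0xffce and the later ECH codepoint 0xfe0d (the draft values, not finalized IANA assignments), the function names (`parse_client_hello`, `decide`, `build_client_hello`) are mine, and the ClientHellos it inspects are constructed inline rather than captured.

```python
"""Inline ClientHello inspection: what a filtering device still sees with TLS 1.3.

Added example, not from the thread. Parses the first TLS record of a connection,
extracts the plaintext SNI if present, and applies the policy described in the
thread: a ClientHello carrying the draft ESNI (0xffce) or ECH (0xfe0d) extension
cannot be matched against a host list, so the flow is dropped.
"""
import struct

EXT_SNI, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002b
EXT_ESNI, EXT_ECH = 0xffce, 0xfe0d     # draft-ietf-tls-esni codepoints (assumed)
TLS13 = 0x0304

def parse_client_hello(record):
    """Return {'sni', 'versions', 'extensions'} from a TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # legacy_version + random
    pos += 1 + body[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # legacy_compression_methods
    info = {"sni": None, "versions": [], "extensions": []}
    if pos + 2 > len(body):
        return info                                         # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        info["extensions"].append(etype)
        if etype == EXT_SNI and len(edata) >= 5:
            # ServerNameList: u16 list_len, u8 name_type (0 = host_name), u16 name_len, name
            nlen = struct.unpack("!H", edata[3:5])[0]
            info["sni"] = edata[5:5 + nlen].decode("ascii", "replace")
        elif etype == EXT_SUPPORTED_VERSIONS and elen >= 3:
            n = edata[0]                                    # u8 length of the version list
            info["versions"] = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return info

def decide(record, allowed_hosts):
    """'allow' or 'block' for one ClientHello, using only the plaintext a middlebox has."""
    info = parse_client_hello(record)
    if EXT_ESNI in info["extensions"] or EXT_ECH in info["extensions"]:
        return "block"      # real host is encrypted: unverifiable, so the whole flow goes
    if info["sni"] is None:
        return "block"      # no SNI at all: equally unverifiable
    return "allow" if info["sni"] in allowed_hosts else "block"

# --- constructed sample ClientHellos (only the fields the parser needs) ------------
def build_client_hello(sni=None, esni=False, tls13=True):
    exts = b""
    if sni:
        name = sni.encode("ascii")
        sn = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", EXT_SNI, len(sn)) + sn
    if esni:
        blob = b"\xaa" * 16                                 # stands in for the encrypted payload
        exts += struct.pack("!HH", EXT_ESNI, len(blob)) + blob
    vers = b"\x03\x04\x03\x03" if tls13 else b"\x03\x03"
    sv = bytes([len(vers)]) + vers
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"              # TLS_AES_128_GCM_SHA256, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    allow = {"example.com"}
    for label, rec in [("plain SNI", build_client_hello(sni="example.com")),
                       ("ESNI + cover SNI", build_client_hello(sni="cover.example", esni=True)),
                       ("no SNI", build_client_hello())]:
        print(label, parse_client_hello(rec)["sni"], decide(rec, allow))
```

Two practitioner caveats follow from the code. First, the order of checks matters: ECH, and the later ESNI drafts, put a public or cover name in the plaintext SNI, so a filter that trusts the SNI before looking for the encrypted-name extension will happily "verify" a decoy. Second, the fallback LAwLz mentions of reading the domain out of the certificate only works for TLS 1.2 and earlier; TLS 1.3 encrypts the Certificate message, so on a 1.3 connection the ClientHello SNI (or its absence), the destination IP and DNS are all the in-band host information a middlebox gets. That is exactly why blocking by the presence of the extension is the only option the firewall has left, and why the thread's title describes a blanket drop rather than a selective one.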


My bet is the CCP will invent then mandate the use of some internal protocol to replace what they have broken.  This protocol will make it easy for them to decrypt whatever is encrypted and track who sent what to whom.  It will also break compatibility with the outside internet...unless outside servers and browsers use their protocol with the built in back door.  

 

They already do something like this with map data. 

 

Go to Google Maps and look at a map inside China, then look at the satellite view. Notice how the streets and images don't line up, even right at the border. China has its own standard for geospatial data which shifts places in a random direction and cannot be corrected for, basically scrambling the information, unless you use an app that is inside China like Baidu Maps.

So it really isn't all the shocking they'd want to basically make their "internet" more of a nationwide intranet. (Remember when intranet was a buzz word?  You know back before every house with a wifi router, smart devices,  and a printer that all had webservers built into them basically gave every home an intranet.  China is like the whole country has a firewall and Norton on every PC.)  


13 minutes ago, BlueScope819 said:

Yeah, but I don't think the Chinese would have the stones to destroy a global internet network. It's the same with GPS: they can, but they don't.

I'm pretty sure they would blow GPS/GLONASS and any other satellite if PRC residents could access it in a two-way fashion without going through them.

 

http://www.lamit.ro/satellite-coverage-maps.htm

 

Take note of NSS-6 North East Asia Ku-band Spot Beam

Covers all of East Asia, but only the coastal region of PRC.

 

China needs satellite access for the rural regions, but that doesn't mean they would allow birds to broadcast pro-Taiwan-independence content into the PRC on something that can actually be received. I imagine an analog C-band receiver is unheard of in the PRC.


Since the OP isn't likely to come back to fix this thread to be moved back into the TN section (his last post prior to this was 2016), and since this keeps derailing into political arguments ...

 

* thread locked *

If you need help with your forum account, please use the Forum Support form !
