China is now blocking all encrypted HTTPS traffic using TLS 1.3 and ESNI (zdnet.com) 48 points by vayne 5y ago ↗ HN
[–] 1MachineElf 5y ago ↗ Up until now, I thought "The Great Firewall" was limited to layer 2, layer 3, and just layer-7 DNS controls.The capability described in this article sounds more like a full layer-7 MITM.That's terrifying. Is any HTTPS secure within mainlan China's networks?Or am I misunderstanding, and it's just the government websites that are blocking incoming TLS 1.3 connections? [–] Legogris 5y ago ↗ Some further explanation here: https://geneva.cs.umd.edu/posts/china-censors-esni/esni/Looks like it's L4? [–] msmith 5y ago ↗ That link was fascinating to me. For as long as I remember, there have been tools to evade network intrusion detection systems and stateful firewalls, but I never thought about how the same techniques can be used to evade censorship. [–] dylz 5y ago ↗ GFW has been all layer for a long time, including actively re-probing and connecting back to a server from random (really, virtually any CN IP space).HTTPS is somewhat secure, but subject to MITM. Most Chinese forks of browsers ignore certificate errors and allow everything through. [–] unicodepepper 5y ago ↗ Would I be safe from this type of MITM attack if my browser respects SSL warnings? (and I don't bypass them) [–] aaomidi 5y ago ↗ Generally yes.But remember with SNI they know exactly what website you're visiting.
[–] Legogris 5y ago ↗ Some further explanation here: https://geneva.cs.umd.edu/posts/china-censors-esni/esni/Looks like it's L4? [–] msmith 5y ago ↗ That link was fascinating to me. For as long as I remember, there have been tools to evade network intrusion detection systems and stateful firewalls, but I never thought about how the same techniques can be used to evade censorship.
[–] msmith 5y ago ↗ That link was fascinating to me. For as long as I remember, there have been tools to evade network intrusion detection systems and stateful firewalls, but I never thought about how the same techniques can be used to evade censorship.
[–] dylz 5y ago ↗ GFW has been all layer for a long time, including actively re-probing and connecting back to a server from random (really, virtually any CN IP space).HTTPS is somewhat secure, but subject to MITM. Most Chinese forks of browsers ignore certificate errors and allow everything through. [–] unicodepepper 5y ago ↗ Would I be safe from this type of MITM attack if my browser respects SSL warnings? (and I don't bypass them) [–] aaomidi 5y ago ↗ Generally yes.But remember with SNI they know exactly what website you're visiting.
[–] unicodepepper 5y ago ↗ Would I be safe from this type of MITM attack if my browser respects SSL warnings? (and I don't bypass them) [–] aaomidi 5y ago ↗ Generally yes.But remember with SNI they know exactly what website you're visiting.
[–] aaomidi 5y ago ↗ Generally yes.But remember with SNI they know exactly what website you're visiting.
7 comments
[ 1.6 ms ] story [ 33.6 ms ] threadThe capability described in this article sounds more like a full layer-7 MITM.
That's terrifying. Is any HTTPS secure within mainlan China's networks?
Or am I misunderstanding, and it's just the government websites that are blocking incoming TLS 1.3 connections?
Looks like it's L4?
HTTPS is somewhat secure, but subject to MITM. Most Chinese forks of browsers ignore certificate errors and allow everything through.
But remember with SNI they know exactly what website you're visiting.