27 Aug 2020
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Hanno Böck.
According to a joint report from iYouPort, the University of Maryland, and the Great Firewall Report, TLS connections using the preliminary encrypted SNI (ESNI) extension are being blocked in China.
Traditional SNI sends the hostname within the TLS handshake, which lets multiple TLS hosts with different certificates run on the same IP address and port. But the original SNI is unencrypted, and that plaintext hostname has sometimes been used to censor connections to certain hosts.
Encrypted SNI is an attempt to change this. The concept is to fetch an encryption key via DNS (which itself can be secured via DNS over HTTPS) and use it to encrypt the hostname in the handshake. It’s currently in draft form, but some hosting providers, such as Cloudflare, already implement it.
According to the report, TLS packets containing the ESNI extension are dropped. However, only an older extension ID is currently blocked; the newer ID used by a mechanism called encrypted client hello (ECH), which is simply the latest version of ESNI, is currently still usable.
The report discusses various ways to evade the blocking, but it’s likely that the blocking will be adapted to thwart those methods if they’re adopted. Whether ESNI will succeed may depend on whether it will be used widely enough to make complete blocking infeasible.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof TLS and PKI, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 2,000 students who have benefited from more than a decade of deep TLS and PKI expertise.