Posted

We have plenty of tech brains on the forum. 

Ken, no need to help. 

What would be the workaround for our China-based members :thinking:

:teacher:

_________________________________________________________

China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI

The block was put in place at the end of July and is enforced via China's Great Firewall.

By Catalin Cimpanu for Zero Day | Topic: Security

https://www.zdnet.com/google-amp/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/

The Chinese government has deployed an update to its national censorship tool, known as the Great Firewall (GFW), to block encrypted HTTPS connections that are being set up using modern, interception-proof protocols and technologies.

The ban has been in place for at least a week, since the end of July, according to a joint report published this week by three organizations tracking Chinese censorship -- iYouPort, the University of Maryland, and the Great Firewall Report.

China now blocking HTTPS+TLS1.3+ESNI

Through the new GFW update, Chinese officials are only targeting HTTPS traffic that is being set up with new technologies like TLS 1.3 and ESNI (Encrypted Server Name Indication).

 

Other HTTPS traffic is still allowed through the Great Firewall, if it uses older versions of the same protocols -- such as TLS 1.1 or 1.2, or SNI (Server Name Indication).

For HTTPS connections set up via these older protocols, Chinese censors can infer to what domain a user is trying to connect. This is done by looking at the (plaintext) SNI field in the early stages of an HTTPS connection.

In HTTPS connections set up via the newer TLS 1.3, the SNI field can be hidden via ESNI, the encrypted version of the old SNI. As TLS 1.3 usage continues to grow around the web, HTTPS traffic where TLS 1.3 and ESNI are used is now giving Chinese censors headaches, as they're now finding it harder to filter HTTPS traffic and control what content the Chinese population can access.

 

  • Sad 1
Posted

That sucks for them.  They'd have to use a Jump Box outside of China or similar remote desktop method to utilize increased security protocols.

Posted

Servers can be configured to host multiple versions of SSL and TLS (and usually are set to do so by default). The practical purpose of this is that when someone running IE7 on Windows XP comes along and their browser doesn't support the latest version of TLS, their traffic from the server will be sent using their older version. Most "best practice" guides to server config will tell you to forget about those users and disable all the older TLS versions, but plenty of sites still leave them on.

Not sure how browsers would handle it if the network was blocking a specific version of TLS, but I would think it would be relatively trivial to have some kind of plugin on your browser that would downgrade all requests to an old TLS version. Some sites would stop working... but many wouldn't. The main security issue that enabling old versions opens up is that someone (i.e., the Chinese government) might be able to intercept and decrypt traffic between the server and a user. If anyone is running their Falun Gong club through the FoH DMs they should probably stop, but I wouldn't think most users would be too troubled if their FoH data got intercepted.

If it's not possible for Chinese users to downgrade the requests on their end or you don't want to enable old TLS versions on the FoH end... well... I have no idea, but this basically constitutes a blocking of the entire internet, so I'd say that the ingenuity of 1.2 billion people will come up with a workaround before too long.

The main place you encounter issues like this as a software dev is when you're doing something for a bank or the army or similar and they have an extremely rigid IT upgrade policy and hence are using very outdated browser software, while also demanding high levels of server security.

  • Like 3
  • Thanks 1
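The plaintext-SNI point in the quoted article and the version negotiation ATGroom describes, as an added example (not code from the thread or from ZDNet): a Python script that builds a minimal TLS ClientHello and parses it the way any passive on-path observer would. A pre-1.3 handshake exposes the host name; a TLS 1.3 + ESNI handshake exposes only that a supported_versions offer and an opaque ESNI extension are present, which is exactly the signal the block keys on. The sample records are constructed here, and the ESNI code point 0xffce is the draft value, assumed for illustration.

```python
import struct

# Extension code points: server_name (RFC 6066), supported_versions (RFC 8446), ESNI draft
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002b
EXT_ESNI = 0xffce

def build_client_hello(host=None, esni_blob=None, tls13=False):
    """Build a minimal ClientHello record (constructed sample, not a real capture)."""
    exts = b""
    if host:
        name = host.encode()
        entry = struct.pack("!BH", 0, len(name)) + name           # host_name type, length, name
        body = struct.pack("!H", len(entry)) + entry              # server_name_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body
    if tls13:
        body = b"\x02\x03\x04"                                    # 1-byte list length, TLS 1.3
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    if esni_blob is not None:
        exts += struct.pack("!HH", EXT_ESNI, len(esni_blob)) + esni_blob
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                    # legacy_version, random, no session id
             + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"   # one cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(rec):
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2 + 32                                   # skip record/handshake headers, version, random
    p += 1 + rec[p]                                  # session id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]    # cipher suites
    p += 1 + rec[p]                                  # compression methods
    info = {"sni": None, "esni": False, "tls13": False}   # what a passive on-path observer learns
    ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    while p < ext_end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        data = rec[p + 4:p + 4 + elen]
        if etype == EXT_SERVER_NAME:                 # plaintext: the field the GFW filters on
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif etype == EXT_SUPPORTED_VERSIONS:        # TLS 1.3 is offered here, legacy_version stays 0x0303
            info["tls13"] = b"\x03\x04" in [data[i:i + 2] for i in range(1, 1 + data[0], 2)]
        elif etype == EXT_ESNI:                      # opaque blob: presence is visible, the name is not
            info["esni"] = True
        p += 4 + elen
    return info
```

Running `parse_client_hello(build_client_hello(host="friendsofhabanos.com"))` returns the host name in the clear, while the TLS 1.3 + ESNI variant returns only the two boolean flags.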
Posted
3 minutes ago, ayepatz said:

I understood precisely none of the above. Where do I put the coal again?

I thought exactly the same thing. If post nuclear blast survival depends on a certain degree of technical savvy... then I'm absolute toast!

I can however hit things with hammers... very... very hard! That's the superpower I've got my hopes invested in.

  • Like 1
  • Haha 2
Posted
3 hours ago, ayepatz said:

I understood precisely none of the above. Where do I put the coal again?

Haha, I actually got about halfway through writing that answer and thought "nobody is going to understand this mumbo jumbo unless they already know a bunch about this problem and how to solve it, why am I posting this?"

I guess the short answer is "it's solvable. Ask your tech person."

  • Like 1
  • Haha 1
Posted

Wait until Lord Elon Musk's satellite internet comes out and use that. The satellites revolve around the world and won't be bound by any borders. 

Posted
42 minutes ago, ATGroom said:

Haha, I actually got about halfway through writing that answer and thought "nobody is going to understand this mumbo jumbo unless they already know a bunch about this problem and how to solve it, why am I posting this?"

I guess the short answer is "it's solvable. Ask your tech person."

Actually I got through the entire post, understanding every word. Almost grasped how you solved (elegantly worked around as long as nobody f*ks it up beforehand).

Trust I will explore the nuances so I know in case needed in the future.

I'd probably just go with VSAT broadband.

Posted
3 hours ago, 99call said:

I thought exactly the same thing. If post nuclear blast survival depends on a certain degree of technical savvy... then I'm absolute toast!

I can however hit things with hammers... very... very hard! That's the superpower I've got my hopes invested in.

Post nuclear will require basic survival skills. No electricity!

Posted
7 hours ago, benfica_77 said:

Wait until Lord Elon Musk's satellite internet comes out and use that. The satellites revolve around the world and won't be bound by any borders. 

You'd still need firewalls and switches and everything else to access internet sites though wouldn't you?

The firewall isn't a physical 'wall' that satellite internet can 'hop over'. It's just an alternative bearer like wireless, fibre or copper cable, I thought??

Posted
13 hours ago, benfica_77 said:

Wait until Lord Elon Musk's satellite internet comes out and use that. The satellites revolve around the world and won't be bound by any borders. 

Just hardwire the satellite transceivers to block all those pesky sites. Govt finds you have an unlicenced transceiver? Off to a little "re-education" in buying only Govt approved equipment.

Posted
1 hour ago, GavLew79 said:

You'd still need firewalls and switches and everything else to access internet sites though wouldn't you?

The firewall isn't a physical 'wall' that satellite internet can 'hop over'. It's just an alternative bearer like wireless, fibre or copper cable, I thought??

The wall is on the Chinese network. It would be implemented via Chinese internet providers who would have to reroute all their traffic via a government server of some kind after it comes into China via satellite, undersea cable etc.

At the moment the standard solution to getting around the firewall is a VPN. Basically, you route your connection to a provider outside of China, who then looks up sites for you and sends them back. So as far as the Chinese government is concerned, you're only dealing with that one server and they don't have oversight as to what that server is looking at on your behalf. This new restriction blocking the latest types of SSL would enable the government to snoop on that connection.

Lord Elon's network will be satellites in space providing internet access via a ground station presumably in the US. So yes, your internet provider would be a US company and wouldn't have any obligation to reroute their traffic through the firewall. I would say chances of it being legal to have a Starlink connection in China are pretty much 0.

Although, given that Tesla has a factory in China and has enjoyed a lot of Chinese government support, it doesn't seem out of the realms of possibility that they would put all their Chinese users through the great firewall anyway. Or if that was considered a bad PR move, they could easily just refuse any connections from users in China.

Posted

Chinese will be one step ahead should satellite internet or whatever comes online. China could mandate only certain hardware be sold in China that has a backdoor to do what they deem necessary. In the end, their government will maintain control and oversight of what people can see and how they will see it. Just the way it is.

The only way users will be able to freely access the internet is to view the internet over a proxy connection of some kind or a remote session to a computer outside of China. The latter being more likely.

Posted

Hmm.  The following comes to mind. 

  • Set up a reverse proxy for Chinese users. This will somewhat obfuscate the FOH site.
  • Set up access through some terminal app. Either Citrix based, MS Terminal Services or some similar PC/screen sharing program.
  • SSH VPN session to a Linux/UNIX host on the same network as FOH, then forward graphics over an X-Terminal (yeah, it's a bit much but probably the most versatile).

As I am not behind the Great Firewall of China, I cannot say if any of these will work.

  • Like 1
Posted

Are you getting reports that people aren't able to get to your site? The FOH site already supports 1.2, and I doubt that the Chinese browsers are using ESNI.

Sent from my SM-N976U using Tapatalk

  • Thanks 1
Posted

Generally SSL protocol versions are not mandatory until the big browsers (Chrome, basically) decide they won't support anything lower. But even then it'll depend on what your CNY-based users are using for browsers.

You can probably support 1.2 and 1.3 and the browser will use the relevant one. That being said, at one point you might consider making a subdomain on FOH like cnyonly.friendsofhabanos.com which only supports 1.2, and pass through everything from the main site to that for Chinese users.

There are potential SEO issues with that but it rather depends on how much you care about search rankings and the traffic that comes from them.
