Russia Censors the Encrypted Client Hello (ECH)
Last week, Russia started blocking the Encrypted Client Hello (ECH). This prevents Russian internet users from utilizing ECH for censorship circumvention. It also blocks otherwise uncensored websites such as SteamDB. Below, I summarize ECH, detail Russia’s ECH censorship, and discuss possible remedies for affected users and ECH in general.
When, Who, and What
On November 7th, Russian authorities announced the beginning of ECH censorship [1]. This development is a reaction to Cloudflare enabling ECH roughly two months earlier [2]. Russia now blocks all ECH connections from Russian Internet users to Cloudflare with dedicated censorship devices (TSPU) [3]. As a result, Russian Internet users are unable to connect to some websites hosted behind Cloudflare.
What is ECH?
The Encrypted Client Hello (ECH) is an extension to TLS, the protocol that encrypts most Internet connections. Due to their prevalence, TLS connections are widely analyzed by Internet censors such as the one in Russia. Key to censors' analysis of TLS connections is the Server Name Indication (SNI) extension, which carries the hostname of the accessed website in plaintext. The ECH extension encrypts the SNI alongside other information that could identify the server. This prevents censors from determining the server's identity, making ECH a viable censorship circumvention technique. To further harden ECH against censorship, a bogus ECH extension (the specification calls this GREASE ECH) can be included in TLS connections to servers without ECH support. This way, censors cannot block all ECH connections, because genuine ECH connections are indistinguishable from non-ECH connections carrying the bogus extension.
How Russia Censors ECH
Despite its best efforts, ECH is still censorable. While ECH encrypts the original SNI extension, it introduces another, again unencrypted, SNI extension. The so-called public hostname in the unencrypted SNI is defined by the server and usually shared by multiple domains. For instance, Cloudflare specifies cloudflare-ech.com as the public hostname for all ECH connections. This makes ECH traffic to Cloudflare detectable and, thus, censorable. Taking advantage of the situation, Russia now blocks all TLS connections to Cloudflare with an ECH extension and an SNI extension containing cloudflare-ech.com.
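To make concrete what an on-path device can see, here is an added example (not code from the original post, and not a description of the TSPU implementation) that builds TLS 1.3 ClientHellos and parses back the only two fields relevant to this post: the plaintext outer SNI and whether an encrypted_client_hello extension (type 0xfe0d) is present. The ClientHellos are constructed in the script; the ECH ciphertext is random filler, since the point is the plaintext metadata, not the HPKE payload. The hostnames example.com and the cipher-suite choices are assumptions for the sample.

```python
"""Build TLS 1.3 ClientHellos and report what a middlebox reads in plaintext.
All sample messages are constructed here; nothing is captured traffic."""
import os
import struct

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello (draft-ietf-tls-esni)


def _vec(data: bytes, len_bytes: int) -> bytes:
    """Length-prefixed vector, the encoding TLS uses for variable fields."""
    return len(data).to_bytes(len_bytes, "big") + data


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!H", ext_type) + _vec(body, 2)


def sni_extension(hostname: str) -> bytes:
    # ServerNameList with one host_name (type 0) entry
    name = hostname.encode("ascii")
    return _ext(EXT_SERVER_NAME, _vec(b"\x00" + _vec(name, 2), 2))


def ech_extension(payload_len: int = 48) -> bytes:
    """ECHClientHello of type outer. enc and payload are random filler here;
    a real client sends an HPKE encapsulated key and encrypted inner hello."""
    body = (b"\x00"                                  # ECHClientHelloType outer
            + struct.pack("!HH", 0x0001, 0x0001)     # HKDF-SHA256, AES-128-GCM
            + b"\x00"                                # config_id (constructed)
            + _vec(os.urandom(32), 2)                # enc
            + _vec(os.urandom(payload_len), 2))      # payload
    return _ext(EXT_ECH, body)


def build_client_hello(hostname: str, with_ech: bool) -> bytes:
    """A minimal ClientHello record carrying an SNI and optionally ECH."""
    exts = sni_extension(hostname) + (ech_extension() if with_ech else b"")
    body = (b"\x03\x03" + os.urandom(32)             # legacy_version, random
            + _vec(b"", 1)                           # legacy_session_id
            + _vec(b"\x13\x01\x13\x02", 2)           # TLS_AES_128/256_GCM_SHA*
            + _vec(b"\x00", 1)                       # compression: null only
            + _vec(exts, 2))
    handshake = b"\x01" + _vec(body, 3)              # HandshakeType client_hello
    return b"\x16\x03\x03" + _vec(handshake, 2)      # TLS record header


def visible_fields(record: bytes) -> dict:
    """Return what an observer learns from the record without any key material."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                             # record, handshake, version, random
    pos += 1 + record[pos]                           # legacy_session_id
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + n                                     # cipher_suites
    pos += 1 + record[pos]                           # compression_methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "ech": False}
    while pos < end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + length]
        pos += length
        if ext_type == EXT_SERVER_NAME:
            # list length (2), name_type (1), name length (2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii")
        elif ext_type == EXT_ECH:
            result["ech"] = True
    return result


def is_cloudflare_ech_fingerprint(record: bytes) -> bool:
    """The plaintext combination the post describes: an ECH extension
    together with the static public name cloudflare-ech.com in the outer SNI."""
    f = visible_fields(record)
    return f["ech"] and f["sni"] == "cloudflare-ech.com"


if __name__ == "__main__":
    samples = [("plain", build_client_hello("example.com", False)),
               ("ech-to-cloudflare", build_client_hello("cloudflare-ech.com", True)),
               ("grease-ech", build_client_hello("example.com", True))]
    for label, ch in samples:
        print(label, visible_fields(ch), is_cloudflare_ech_fingerprint(ch))
```

The third sample shows the GREASE case from the previous section: a bogus ECH extension next to an ordinary SNI looks exactly like a real ECH connection whose public name happens to be that hostname, so a rule keyed on the extension alone would have to block both. Only the static public name makes the Cloudflare case separable.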
Consequences for Russian Internet Users
Russia's blocking of ECH has two main consequences for Russian Internet users. First, censored websites that ECH had made accessible are now inaccessible again. To reach them, users have to resort to other circumvention methods. Second, uncensored websites behind Cloudflare's ECH mechanism, such as SteamDB [4], are also inaccessible. Users can make them accessible again by disabling ECH in Firefox and Chrome.
Tackling the General Problem
To prevent censors from blocking all ECH connections, ECH connections must be truly indistinguishable from non-ECH connections. This cannot be achieved as long as a static and easily detectable public hostname such as cloudflare-ech.com is transmitted in plaintext alongside every ECH connection. Randomizing this hostname or replacing it with an uncensored hostname would solve the problem from a censorship point of view. While the standard allows such behavior, it advises against it [5], and Cloudflare rejects all ECH connections with hostnames other than cloudflare-ech.com. To make ECH more resilient against censorship, I would like to encourage a discussion about the problems of ECH's public hostname.
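The public hostname is not chosen by the browser; it is the public_name field of the ECHConfig the server publishes in its DNS HTTPS record, and the client copies it verbatim into the outer SNI. The following added example (my own code, not Cloudflare's or the post's) encodes and decodes an ECHConfigList in the 0xfe0d format of draft-ietf-tls-esni, then shows that every config in a constructed list carries the same static public name. The key bytes and config IDs are constructed placeholders, not real Cloudflare keys.

```python
"""Encode and decode an ECHConfigList (draft-ietf-tls-esni, version 0xfe0d).
The structure a server publishes in DNS; public_name becomes the outer SNI."""
import struct

ECH_VERSION = 0xFE0D
KEM_X25519_HKDF_SHA256 = 0x0020          # HPKE KEM identifier (RFC 9180)
KDF_HKDF_SHA256, AEAD_AES_128_GCM = 0x0001, 0x0001


def _vec(data: bytes, len_bytes: int) -> bytes:
    return len(data).to_bytes(len_bytes, "big") + data


def encode_ech_config(config_id: int, public_key: bytes, public_name: str,
                      maximum_name_length: int = 0) -> bytes:
    """One ECHConfig: version, length, then ECHConfigContents."""
    contents = (bytes([config_id])
                + struct.pack("!H", KEM_X25519_HKDF_SHA256)
                + _vec(public_key, 2)                       # HpkePublicKey
                + _vec(struct.pack("!HH", KDF_HKDF_SHA256, AEAD_AES_128_GCM), 2)
                + bytes([maximum_name_length])
                + _vec(public_name.encode("ascii"), 1)      # opaque public_name<1..255>
                + _vec(b"", 2))                             # no extensions
    return struct.pack("!H", ECH_VERSION) + _vec(contents, 2)


def encode_ech_config_list(configs: list[bytes]) -> bytes:
    return _vec(b"".join(configs), 2)


def decode_ech_config_list(blob: bytes) -> list[dict]:
    """Parse every config of a known version; unknown versions are skipped,
    which is what clients do when a server rolls out a newer format."""
    total = struct.unpack("!H", blob[:2])[0]
    pos, end, out = 2, 2 + total, []
    while pos < end:
        version, length = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        body = blob[pos:pos + length]
        pos += length
        if version != ECH_VERSION:
            continue
        p = 0
        config_id = body[p]
        p += 1
        kem_id = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        n = struct.unpack("!H", body[p:p + 2])[0]
        public_key = body[p + 2:p + 2 + n]
        p += 2 + n
        n = struct.unpack("!H", body[p:p + 2])[0]
        suites = [struct.unpack("!HH", body[i:i + 4]) for i in range(p + 2, p + 2 + n, 4)]
        p += 2 + n
        maximum_name_length = body[p]
        p += 1
        n = body[p]
        public_name = body[p + 1:p + 1 + n].decode("ascii")
        out.append({"config_id": config_id, "kem_id": kem_id,
                    "public_key": public_key, "cipher_suites": suites,
                    "maximum_name_length": maximum_name_length,
                    "public_name": public_name})
    return out


def outer_sni_names(blob: bytes) -> set[str]:
    """Every hostname a client could place in the plaintext SNI for this list."""
    return {cfg["public_name"] for cfg in decode_ech_config_list(blob)}


# Constructed sample: two key rotations, one static public name (the one the post names).
SAMPLE_LIST = encode_ech_config_list([
    encode_ech_config(0x2A, b"\x11" * 32, "cloudflare-ech.com"),
    encode_ech_config(0x2B, b"\x22" * 32, "cloudflare-ech.com"),
])

if __name__ == "__main__":
    for cfg in decode_ech_config_list(SAMPLE_LIST):
        print(cfg["config_id"], cfg["public_name"], cfg["public_key"].hex()[:16])
    print("outer SNI candidates:", outer_sni_names(SAMPLE_LIST))
```

Key rotation changes config_id and public_key, but the plaintext SNI candidate set stays a single hostname, which is exactly the static marker the post argues should be randomized or replaced. Whatever the outcome of that discussion, the decoder above is also a convenient way to check what public_name a given HTTPS record actually advertises before relying on ECH for privacy.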
[1] https://cmu.gov.ru/ru/news/2024/11/07/%D1%80%D0%B5%D0%BA%D0%BE%D0%BC%D0%B5%D0%BD%D0%B4%D1%83%D0%B5%D0%BC-%D0%BE%D1%82%D0%BA%D0%B0%D0%B7%D0%B0%D1%82%D1%8C%D1%81%D1%8F-%D0%BE%D1%82-cdn-%D1%81%D0%B5%D1%80%D0%B2%D0%B8%D1%81%D0%B0-cloudflare/
[5] https://www.ietf.org/archive/id/draft-ietf-tls-esni-22.html#name-offering-ech