Trouble on the way for internet censorship?


Cloudflare, the website performance and security company, has unveiled the latest iteration of the TLS (aka https) security standard, called ECH (Encrypted Client Hello). Cloudflare worked together with Fastly, another CDN and website acceleration platform, and the popular software maker Mozilla to create the new ECH standard.

ECH offers a number of performance and security enhancements over its ESNI predecessor, including a faster handshake that lets website content load sooner, and full encryption of the domain name by encrypting the SNI part of the handshake too. The latter is our focal point, because for years the unencrypted nature of SNI has allowed governments and ISPs to censor access to websites and servers by domain name rather than just by IP address. Countries like China, the UAE, and countries within the EU frequently practise internet censorship, whether to block piracy and copyright theft or to “protect” nations from potentially harmful content. However, with ECH coming to fruition, internet censorship may soon be impossible.

Back in ‘the old days’ of the internet, every https website required its own dedicated IP address to function, because the SSL protocol that secured it had no way of telling domain names apart. Then in 2003, along came SNI (Server Name Indication), which allowed the web browser to indicate which https domain name it was trying to access, so that multiple https sites could share the same IP address. As the years progressed, SNI became universally supported, and nowadays it underpins modern CDN platforms like Cloudflare, whose IP addresses are shared by tens of millions of websites at the same time. It is therefore impossible – or incredibly silly and dangerous – for an ISP or government to order a website block based on its IP address, since doing so might cut off a massive proportion of internet access.

ISPs currently use specialised router software to ‘snoop’ on their users’ traffic, specifically looking for SNI handshakes, and then checking each domain name against a blocklist to see whether access should be approved or denied. But with ECH removing the ISP’s ability to see this information, what will happen to internet censorship? Do you think that ISPs will be forced to block the old-school way by IP address, or do you think that ISPs and governments will come to accept that censorship is approaching the end of an era and give up?
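To make concrete what the SNI inspection described above can and cannot see, here is an added example that is not part of the article: it constructs a minimal TLS ClientHello carrying the server_name extension, optionally alongside an ECH extension (with a constructed placeholder in place of the real HPKE ciphertext), and then parses out exactly what a passive on-path observer such as an ISP middlebox can read. The hostname `public-name.example` and the builder/parser helpers are constructed for this example; with real ECH the plaintext SNI carries only the client-facing server's public name, while the true hostname sits inside the encrypted inner ClientHello.

```python
import os
import struct

EXT_SERVER_NAME = 0x0000   # server_name extension (RFC 6066)
EXT_ECH = 0xFE0D           # encrypted_client_hello extension codepoint used by the ECH drafts


def build_client_hello(outer_sni: str, with_ech: bool) -> bytes:
    """Construct a minimal TLS-framed ClientHello with an SNI extension.
    The ECH body here is a constructed stand-in: real ECH carries an HPKE
    ciphertext of the inner ClientHello, but an observer cannot read it either way."""
    name = outer_sni.encode()
    sni_list = struct.pack("!BH", 0, len(name)) + name          # name_type=host_name(0), length, name
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    exts = sni_ext
    if with_ech:
        blob = b"\x00" * 16                                      # placeholder for the ECH payload
        exts += struct.pack("!HH", EXT_ECH, len(blob)) + blob
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"               # version, random, empty session id
            + b"\x00\x02\x13\x01"                                 # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type ClientHello(1)
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def observe_client_hello(record: bytes) -> dict:
    """Return what a passive observer can read: the plaintext SNI and whether ECH is present."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 9 + 2 + 32                                               # record hdr(5) + hs hdr(4) + version + random
    p += 1 + record[p]                                           # skip session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]             # skip cipher suites
    p += 1 + record[p]                                           # skip compression methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    seen = {"sni": None, "ech": False}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        data = record[p:p + elen]
        p += elen
        if etype == EXT_SERVER_NAME:
            # server_name_list: 2-byte list length, then name_type(1), name_len(2), name
            nlen = struct.unpack("!H", data[3:5])[0]
            seen["sni"] = data[5:5 + nlen].decode()
        elif etype == EXT_ECH:
            seen["ech"] = True                                   # the real hostname is inside, encrypted
    return seen
```

Without ECH the parser recovers the exact hostname the browser asked for; with ECH it sees only the public name plus the fact that ECH is in use, which is why blocklist matching on the SNI stops working.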

2 comments


  1. Imi vanhu musadaro

    Censorship will always be there. Unfortunately, the article treats censorship as an oppressive action, yet it is used quite often in a protective context for kids, corporate bandwidth, even firewalls.

    The nature of the content one wants to censor/allow will govern the best action to apply.

    1. Olly

      Actually the type of censorship you’re referring to, such as in homes, schools and businesses, is safe for now. These typically operate at the DNS level, and on school/business networks, DNS is force-proxied through filtered DNS resolvers that prevent access to the bad content.

      Once you get outside of this realm and onto the ISP level, ECH makes network-level filtering with DPI impossible. ISPs could try to enforce DNS filtering and proxying, but a lot of applications would break, and using DNS-over-HTTPS or DNS-over-TLS protocols overrides DNS censorship.

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed
