As of the end of July 2020, China is blocking encrypted HTTPS traffic that uses TLS 1.3 and ESNI. These changes by the Chinese government came in after an update to its national censorship tool, known as the Great Firewall (GFW), kicked in.
Chinese officials are targeting connections that are being set up using modern, interception-proof protocols and technologies such as TLS 1.3 and ESNI (Encrypted Server Name Indication).
Other HTTPS traffic that uses older versions of the same protocols, such as TLS 1.1 or 1.2, or unencrypted SNI (Server Name Indication), is still allowed through the Great Firewall.
TLS is the protocol used for secure communication on the web (HTTPS). It provides authenticated encryption so that users know they are communicating with the right service. It also ensures that an intermediary cannot read or tamper with your information through man-in-the-middle attacks.
In HTTPS connections set up via the newer TLS 1.3, the SNI field can be hidden via ESNI, the encrypted version of the old SNI. HTTPS traffic using TLS 1.3 and ESNI makes it harder for Chinese officials to filter HTTPS traffic and control what content the Chinese population can access.
But even though TLS hides the content of a user’s communication, it does not always conceal with whom the user is communicating. The TLS handshake, a process that kicks off a communication session, optionally contains a Server Name Indication (SNI) field that allows the user’s client to inform the server which website it wishes to communicate with.
China blocking encrypted HTTPS traffic is not exactly new. Nation-based censors can use, and have used, the SNI field to block users from communicating with certain destinations, and China has long been censoring HTTPS in this manner.
Because ESNI encrypts this information, the Great Firewall of China blocks ESNI connections by dropping packets from client to server, without knowing whom the user is trying to communicate with.
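To make the difference concrete, the following is an added example (not from the original article) that builds two constructed ClientHello messages, one carrying a plaintext SNI and one carrying an ESNI extension instead, and shows what an on-path observer such as a network monitor or a censor can read from each without any keys. The ESNI extension payload and the zeroed random are placeholders; the extension type codes are the registered SNI and supported_versions values and the ESNI draft's 0xffce.

```python
import struct

SNI, SUPPORTED_VERSIONS, ESNI = 0x0000, 0x002B, 0xFFCE  # extension type codes

def build_client_hello(extensions):
    """Assemble a minimal TLS record carrying a ClientHello with the given (type, data) extensions."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + b"\x00" * 32          # legacy_version + 32-byte random (zeros, constructed)
            + b"\x00"                             # empty session id
            + b"\x00\x02\x13\x01"                 # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                         # one compression method (null)
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(hostname):
    """server_name extension: list length, name type 0 (host_name), name length, name."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (SNI, struct.pack("!H", len(entry)) + entry)

def inspect_client_hello(record):
    """What a passive observer learns: plaintext SNI (or None), TLS 1.3 offered, ESNI present."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    pos = 9 + 2 + 32                                        # record+handshake headers, version, random
    pos += 1 + record[pos]                                  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    result = {"sni": None, "tls13": False, "esni": False}
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI:                                    # hostname is readable in the clear
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode()
        elif etype == SUPPORTED_VERSIONS:                   # 1-byte list length, then 2-byte versions
            result["tls13"] = any(data[i:i + 2] == b"\x03\x04" for i in range(1, 1 + data[0], 2))
        elif etype == ESNI:                                 # present, but its contents are opaque
            result["esni"] = True
    return result

# Constructed samples: a TLS 1.3 hello with plaintext SNI, and one using ESNI instead of SNI.
PLAIN_SNI_HELLO = build_client_hello([sni_extension("example.com"), (SUPPORTED_VERSIONS, b"\x02\x03\x04")])
ESNI_HELLO = build_client_hello([(SUPPORTED_VERSIONS, b"\x02\x03\x04"), (ESNI, b"\xaa" * 16)])
```

Running `inspect_client_hello` on the first record yields the hostname, while on the second it can only report that TLS 1.3 and ESNI are in use, which is exactly the visibility gap the blocking described above reacts to.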