On the Importance of Encrypted-SNI (ESNI) to
Censorship Circumvention
Zimo Chai, Amirhossein Ghafari, Amir Houmansadr
University of Massachusetts Amherst
What is SNI?

Server Name Indication (SNI) allows web hosts to present the correct certificate.

Diagram: a single server hosts both a.com and b.com. A client sends a ClientHello with SNI="a.com" and the server returns Website A's digital certificate; a second client sends a ClientHello with SNI='b.com' and receives Website B's digital certificate.
TLS 1.2: SNI and CA are NOT encrypted...

Diagram (TLS 1.2): the ClientHello carrying SNI="a.com" (or SNI='b.com') and the server's digital certificate are both sent unencrypted; only the later part of the handshake is encrypted. A censor on the path therefore reads SNI=a.com and CA=a.com in the clear and injects RST packets to tear the connection down.
Timeline: TLS 1.3 is finalized

● 3/21/2018: TLS 1.3 finalized
TLS 1.3: SNI is still NOT encrypted...

Diagram (TLS 1.3): the certificates for Website A and Website B now travel in the encrypted part of the handshake, but the ClientHello with SNI="a.com" or SNI='b.com' is still sent unencrypted.

Censors exploit SNI for censorship.
Circumvention: Domain Fronting

Diagram (TLS 1.2, Client / Censor / Server): the client sends a TLS ClientHello with SNI server_name: unblocked.com, and the server answers with a TLS ServerHello carrying the certificate for unblocked.com; both messages are unencrypted and visible to the censor. Inside the encrypted channel the client then sends GET / HTTP/1.1 with Host: blocked.com and receives the HTTP response, which the censor cannot see.
Timeline: CDNs cease domain fronting; ESNI is proposed for TLS 1.3; Cloudflare and Firefox support ESNI

● 3/21/2018: TLS 1.3 finalized
● Between 4/2/2018 and 4/13/2018: Amazon announced an end to Domain Fronting; DNS-over-HTTPS added to Firefox 60.0
● 4/30/2018: Google announced an end to Domain Fronting
● 7/2/2018: First ESNI Internet Draft
● 9/24/2018: Cloudflare started supporting ESNI
● 10/18/2018: ESNI added to Firefox Nightly
How ESNI works?

Diagram (TLS 1.3, Client / Censor / DNS Server / CDN Edge Server): the client first sends a DNS TXT query for the site over DNS over HTTPS/TLS and receives the ESNI key material in the DNS TXT result (shown on the slide as an opaque string, saf3241@vasdf3213ff....). Because the DNS exchange is encrypted, the censor learns nothing from it. The client then sends a TLS ClientHello with ESNI to the CDN edge server: the encrypted_server_name extension carries ciphertext (f9jkls3zq....) instead of the hostname, and the edge server, which holds the matching key, decrypts it and replies with the TLS ServerHello.
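To make the two diagrams concrete (SNI in the clear under TLS 1.2/1.3, and the opaque encrypted_server_name extension under ESNI), here is an added example that is not code from the talk or from the authors' released tools: a small parser that reads a ClientHello the way an on-path observer would and reports whether the server name is recoverable. The record builder, the sample hostnames and the ESNI ciphertext filler are constructed here; extension code point 0 is server_name (RFC 6066) and 0xffce is the code point used by the ESNI drafts.

```python
import struct

SNI_EXT = 0x0000   # server_name, RFC 6066
ESNI_EXT = 0xffce  # encrypted_server_name, code point used by the ESNI drafts

def build_client_hello(extensions):
    """Assemble a minimal TLS record carrying a ClientHello with the given
    [(type, body_bytes), ...]; version/random/cipher fields are filler."""
    ext_block = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (b"\x03\x03" + b"\x00" * 32               # legacy_version, random
            + b"\x00"                                  # empty legacy_session_id
            + b"\x00\x02\x13\x01"                      # one cipher suite
            + b"\x01\x00"                              # null compression only
            + struct.pack("!H", len(ext_block)) + ext_block)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(hostname):
    """Plaintext server_name extension naming `hostname` (host_name type 0)."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return SNI_EXT, struct.pack("!H", len(entry)) + entry

def observe_sni(record):
    """What a passive on-path observer learns from one ClientHello record: the
    host name (plaintext SNI), 'encrypted' (ESNI only), or None (no name)."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    pos = 9 + 2 + 32                                   # headers, version, random
    pos += 1 + record[pos]                             # legacy_session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                             # compression_methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    seen_esni = False
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        body = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI_EXT:                           # readable by anyone on the path
            name_len = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + name_len].decode()
        if etype == ESNI_EXT:                          # only the CDN edge can decrypt it
            seen_esni = True
    return "encrypted" if seen_esni else None

# Constructed sample records (not captured traffic): a TLS 1.2/1.3-style hello
# with plaintext SNI, and an ESNI hello whose extension body is opaque filler.
PLAIN_HELLO = build_client_hello([sni_extension("a.com")])
ESNI_HELLO = build_client_hello([(ESNI_EXT, b"\xf9\x6a\x4b\x73" * 8)])
```

Running observe_sni over the two constructed records gives "a.com" for the plaintext hello and "encrypted" for the ESNI hello, which is exactly the difference a censor's SNI filter depends on.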
Research Questions

● How many websites are supporting ESNI?
● How many currently censored websites in China can be unblocked with the help of ESNI?
● Is there any censor already censoring ESNI traffic?
How many websites are supporting ESNI?

As of August 2019, Cloudflare is the only CDN provider supporting ESNI. Cloudflare provides an informative debugging page for every site using its CDN service, and that page shows whether the site has ESNI enabled.

Setup: from a VPS located in the US, fetch the Cloudflare debugging page for each of the Alexa Top 1 Million sites and record which ones report ESNI Enabled.

Result: more than 10% of Alexa Top 1 Million sites are supporting ESNI!

Figure: SNI status and TLS version of the measured sites.
ESNI adoption with Sites Popularity

Figure: percentage of websites supporting ESNI (y-axis, 0 to 15%) plotted against Alexa ranking in millions (x-axis, 0 to 1), with websites grouped by rank into 0.1-million bins.
How are websites censored in China?

Major censorship techniques in China:

● DNS Hijacking
● IP Blocking
● SNI Filtering
Detect DNS Hijacking - Setup and Result

From a vantage point located in China, resolve the Alexa Top 1 Million sites. Result: 24,128 domains under DNS-Hijacking.

Detect SNI Filtering - Setup and Result

From a vantage point located in China, send TLS ClientHellos naming each of the Alexa Top 1 Million sites. Result: 21,446 domains under SNI-Filtering.

Detect IP Blocking - IP List

Resolve the Alexa Top 1 Million sites via DNS from Hong Kong and select the first IP in each answer: 539,456 unique IPs.

Detect IP Blocking - Setup and Result

Probe the collected IPs from a vantage point located in China. Result: 39,787 domains under IP-Blocking.
47,069 sites censored among Alexa Top 1M

● 39,787 domains under IP-Blocking (84.5%)
● 24,128 domains under DNS-Hijacking (51.2%)
● 21,446 domains under SNI-Filtering (45.6%)

Domains under different censorship (Venn diagram of Blocked by DNS Hijacking, Filtered by SNI and Blocked by IP):

● Blocked by DNS Hijacking only: 2,514
● Filtered by SNI only: 70
● Blocked by IP only: 22,859
● DNS Hijacking and SNI Filtering: 4,698
● DNS Hijacking and IP Blocking: 250
● SNI Filtering and IP Blocking: 12
● All three: 16,666

70 sites are exclusively under SNI-Filtering.

84.5% of censored websites remain blocked in China: the 39,787 IP-blocked domains stay unreachable even when DNS- and SNI-based censorship are evaded.
Effectiveness of ESNI

Venn diagram of the 101,200 domains supporting ESNI against the 24,128 domains under DNS-Hijacking, the 21,446 domains under SNI-Filtering and the 39,787 domains under IP-Blocking.

Assume DNS-based censorship evaded: 0 domains under DNS-Hijacking.

Current Effectiveness of ESNI (censored websites vs. ESNI-supporting websites; Venn diagram of Support ESNI, Filtered by SNI and Blocked by IP):

● Support ESNI only: 101,049
● Filtered by SNI only: 4,702
● Blocked by IP only: 23,024
● Support ESNI and Filtered by SNI: 66
● Support ESNI and Blocked by IP: 85
● Filtered by SNI and Blocked by IP: 16,678
● All three: 0

66 sites can be unblocked by ESNI, among them medium.com, boxun.com, chinadigitaltimes.net, bannedbook.org, rsf.org, amnesty.org.au, ....

ESNI increases the cost of blocking 101k sites.

IPs belonging to CDN edge servers are blocked.
Monitoring ESNI-based Censorship

Any area already censoring ESNI traffic?

Setup: from 14 different areas, connect with ESNI enabled to the sites supporting ESNI and check whether the connections succeed.

Result: monitoring from 14 different areas, no ESNI-based censorship detected!
Conclusions

● 10% of websites among Alexa Top 1M are supporting ESNI.
● 84.5% of currently censored websites will remain blocked in China even if DNS- and SNI-based censorship are evaded.
● Only 66 websites currently censored in China can be unblocked by ESNI.
● No ESNI-based censorship is detected in our experiment across 14 different areas.

Contacts: Zimo Chai - CS MS/PhD, [email protected]
SPIN Lab, with Amir Houmansadr: https://people.cs.umass.edu/~amir/Research.html

We have released all our probing tools and datasets at http://traces.cs.umass.edu/index.php/Network, to maintain reproducibility and to benefit future research works.
Let's Enable ESNI Now!

1. Open about:config in Firefox
2. Set network.security.esni.enabled to true
3. Set network.trr.mode to 3
4. Set network.trr.uri to https://1.1.1.1/dns-query
5. Check if it works: https://www.cloudflare.com/ssl/encrypted-sni