
Ask HN: Is TLS 1.2 broken (enough)? - brownianemotion
While reading about the Great Chinese Firewall blocking all TLS 1.3 traffic I was wondering why they allow TLS 1.2 traffic? My first guess would be that the web would be unusable without it ... but on the other hand, I can't imagine they are allowing vast amounts of traffic that can't be snooped on. Is TLS 1.2 broken enough, so that they are able to gather all (meta)data they need?
======
yorwba
According to [https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) only the combination of TLS 1.3 with
ESNI (encrypted server name identification) is blocked completely. If you use
TLS 1.3 with unencrypted server names, the Great Firewall can decide whether
to allow a connection or not based on the website you want to visit, but with
ESNI, fine-grained blocking becomes impossible.

So yes, TLS 1.2 and TLS 1.3 without ESNI are revealing metadata about the
sites you visit, even though the connection itself is encrypted.

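To make the metadata point concrete: the hostname travels in the plaintext server_name (SNI) extension of the ClientHello, which is sent before any key exchange, so a passive observer on the path can read it in both TLS 1.2 and TLS 1.3 unless ESNI/ECH hides it. The script below is an added illustration, not code from the thread or from any cited article: it constructs a minimal ClientHello (the hostname, zeroed random and single cipher suite are sample values) and parses it the way a monitoring middlebox would, reporting the advertised protocol version and the cleartext SNI, or None when no plaintext server_name is present.

```python
import struct

SERVER_NAME_EXT = 0x0000         # RFC 6066 server_name extension
SUPPORTED_VERSIONS_EXT = 0x002B  # TLS 1.3 is advertised here, not in the legacy version field


def build_client_hello(hostname=None, tls13=False):
    """Construct a minimal TLS ClientHello record (sample input, not captured traffic)."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SERVER_NAME_EXT, len(sni_list)) + sni_list
    if tls13:
        versions = b"\x03\x04\x03\x03"                               # offer TLS 1.3, then 1.2
        sv_body = bytes([len(versions)]) + versions
        extensions += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv_body)) + sv_body
    body = (
        b"\x03\x03"                                  # legacy_version: always 1.2 on the wire
        + bytes(32)                                  # random (zeroed in this constructed sample)
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return what a passive observer learns: {'version': '1.2'|'1.3', 'sni': str|None}.

    Raises ValueError on anything that is not a well-formed ClientHello.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")

        pos = 2 + 32                                     # skip legacy_version + random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                             # compression_methods

        result = {"version": "1.2", "sni": None}
        if pos >= len(body):
            return result                                # no extensions at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions overrun body")

        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if len(data) != elen:
                raise ValueError("truncated extension")
            if etype == SERVER_NAME_EXT:
                # server_name_list length(2), name_type(1), name length(2), name bytes
                if len(data) >= 5 and data[2] == 0:
                    nlen = struct.unpack("!H", data[3:5])[0]
                    result["sni"] = data[5:5 + nlen].decode("ascii", errors="replace")
            elif etype == SUPPORTED_VERSIONS_EXT:
                n = data[0]
                offered = [data[i:i + 2] for i in range(1, 1 + n, 2)]
                if b"\x03\x04" in offered:
                    result["version"] = "1.3"
        return result
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


if __name__ == "__main__":
    for label, hello in [
        ("TLS 1.2 with plaintext SNI", build_client_hello("example.com")),
        ("TLS 1.3 with plaintext SNI", build_client_hello("example.com", tls13=True)),
        ("TLS 1.3 without plaintext SNI", build_client_hello(None, tls13=True)),
    ]:
        print(f"{label}: {parse_client_hello(hello)}")
```

The third case is the one the firewall cannot classify by hostname: the connection is still visibly TLS 1.3, but the server_name field is simply absent from the cleartext, which is why blocking by name degrades into blocking the whole category of traffic.
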
~~~
brownianemotion
It was not clear to me that it was specifically the combination with ESNI that
was being blocked.

