
China is now blocking all encrypted HTTPS traffic using TLS 1.3 and ESNI - vayne
https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/
======
1MachineElf
Up until now, I thought "The Great Firewall" was limited to layer 2, layer 3,
and just layer-7 DNS controls.

The capability described in this article sounds more like a full layer-7 MITM.

That's terrifying. Is any HTTPS secure within mainland China's networks?

Or am I misunderstanding, and it's just the government websites that are
blocking incoming TLS 1.3 connections?

~~~
dylz
GFW has been all layer for a long time, including actively re-probing and
connecting back to a server from random (really, virtually any CN IP space).

HTTPS is somewhat secure, but subject to MITM. Most Chinese forks of browsers
ignore certificate errors and allow everything through.

~~~
unicodepepper
Would I be safe from this type of MITM attack if my browser respects SSL
warnings? (and I don't bypass them)

~~~
aaomidi
Generally yes.

But remember with SNI they know exactly what website you're visiting.

------
aaomidi
This is our fault for taking so long with ESNI.

