
They just couldn't win and gave up. They accidentally crippled Github, large portions of google cloud and even their own government services while trying to blacklist Telegram and figured it was not worth the risk and getting laughed at.

The Skripal affair and other fuckups highlighted that Russia can't get away with threatening even a retiree's life, let alone millionaires with some security.




Why couldn't they do DPI and block the protocol?


Because SSL is SSL. They sure tried to block a lot of it. I guess they could collect public keys and block them, but blocking itself is still done by ISP on Roskomnadzor's orders, and they didn't include this capability. That would be another cat and mouse game anyway, you can cut new keypairs faster than you can block them.


India does DNS and SNI (which exposes the hostname) based TLS blocking, I wonder why Russia couldn’t do the same.


Domain fronting used to be quite effective at getting past SNI blocking. Extracting github.com out of a TLS packet is trivial but actually verifying the certificate requires compute power.

Major cloud providers have stopped making domain fronting an option (mostly because it was never supposed to happen anyway) but ISPs are never going to try to validate every single TLS certificate to see what traffic to block and what traffic to let through. The overhead would be enormous and people using custom certificate authorities (businesses and private persons) would get their communication blocked for no good reason.

It's also possible to get around SNI by using session resumption instead of doing a full handshake. 0-RTT TLS needs special attention because of replay attack risks, but it can speed up the network while at the same time avoiding SNI blocking once a session has been set up. QUIC offers a similar solution.

As far as I can tell, the tools normally used for traffic interception don't grow as fast as the tools for new communication. Support for certain protocols can take days to implement on the client side but weeks on the middlebox side, and that assumes your middleboxes get regular updates.

Worst case scenario, people just turn on a VPN to a place that doesn't block their apps and you lose all visibility of their network traffic. Implementing this stuff at scale isn't easy.


I'm pretty sure Telegram runs their own DNS with dynamic addresses and you can create a bunch of certificates for weird host names to dupe SNI. Russia dedicated quite some resources to it and couldn't win. I don't think it had any chance unless they're willing to DPI 100% of traffic China style, but even then it's fundamentally impossible to tell random google cloud/aws website api traffic from telegram.


State-controlled DPI couldn't process 0.1% of traffic at the time.



