2019-chai-importance
findings extracted from this paper
- As of July 2019, approximately 10.93% of the Alexa top 1 million websites support ESNI (all via Cloudflare CDN, which enabled ESNI across all its platforms in September 2018), with 92.56% of Cloudflare-hosted sites using encrypted SNI over TLS 1.3. However, fewer than 0.01% of observed TLS ClientHello messages in the wild contained an ESNI extension, revealing a severe gap between server-side readiness and client-side adoption.
- The paper identifies 47 Cloudflare IP addresses that are already blocked by the GFW despite being shared by at least 85 websites, contradicting the prior assumption that censors avoid blocking shared CDN IPs because of collateral damage. This suggests censors will accept significant collateral damage to block CDN-hosted content when the set of co-hosted non-forbidden pages is deemed manageable.
- Of the Alexa top 1 million websites censored in China, 84.5% are blocked by IP address, meaning that even if both DNS hijacking and SNI filtering are fully circumvented, the vast majority of blocked sites remain inaccessible. Only 66 currently censored sites can be unblocked by ESNI alone (combined with an encrypted DNS channel), while 101,049 ESNI-supported sites remain blocked by IP.
- Monitoring ESNI-related censorship across 14 geographic regions (including Mainland China, Iran, UAE, South Korea, and 10 others) found no blocking of ESNI traffic or interference with ESNIKey retrieval via DNS TXT records as of mid-2019, contradicting a widely circulated report claiming South Korea had already blocked ESNI. Additionally, the GFW's residual censorship window after a triggered RST was measured at 60 seconds (down from the previously reported 90 seconds).
- In China's Great Firewall, SNI filtering is almost never the sole blocking mechanism: only 70 of the 21,446 SNI-filtered sites are exclusively censored via SNI. The GFW uses SNI filtering as a 'third gatekeeper' (applied after DNS hijacking and IP blocking) and maintains separate blacklists for SNI filtering and DNS hijacking, evidenced by 2,764 sites under DNS injection but not SNI filtering.