Russia wants to ban the use of secure protocols such as TLS 1.3, DoH, DoT, ESNI:
The Russian government is working on updating its technology laws so it can ban the use of modern internet protocols that can hinder its surveillance and censorship capabilities.
According to a copy of the proposed law amendments and an explanatory note, the ban targets internet protocols and technologies such as TLS 1.3, DoH, DoT, and ESNI.
Moscow officials aren't looking to ban HTTPS and encrypted communications as a whole, as these are essential to modern-day financial transactions, communications, military, and critical infrastructure.
Instead, the government wants to ban the use of internet protocols that hide "the name (identifier) of a web page" inside HTTPS traffic.
While HTTPS encrypts the content of an internet connection, there are various techniques that third parties such as telcos can apply to determine which site a user is connecting to.
Third-parties may not be able to break the encryption and sniff on the traffic, but they can track or block users based on these leaks, and this is how some ISP-level parental control and copyright infringement blocklists work.
The primary two techniques used by telcos include (1) watching DNS traffic or (2) analyzing the SNI (Server Name Identification) field in HTTPS traffic.
The first technique works because browsers and apps make DNS queries in plaintext, revealing the user's intended site destination even before a future HTTPS connection is established.
The second technique works because the SNI field in HTTPS connections is left unencrypted and similarly allows third-parties to determine to what site an HTTPS connection is going.
But over the past decade, new internet protocols have been created and released to address these two issues.
DoH (DNS over HTTPS) and DoT (DNS over TLS) can encrypt DNS queries.
And when combined, TLS 1.3 and ESNI (Server Name Identification(sic)) can also prevent SNI leaks.
These protocols are slowly gaining adoption, both in browsers and with cloud providers and websites across the globe, and there is no better sign that these new protocols work as advertised than the fact that China updated its Great Firewall censorship tool to block HTTPS traffic that relied on TLS 1.3 and ESNI.
(Score: 0) by Anonymous Coward on Tuesday September 29, @05:43PM (4 children)
Sure why not. Go for it Russia!
(Score: 0) by Anonymous Coward on Tuesday September 29, @05:45PM (3 children)
The Internet will route around the damage!
(Score: 0) by Anonymous Coward on Tuesday September 29, @05:47PM (1 child)
We will get our titty pics.
(Score: 2) by Gaaark on Tuesday September 29, @05:56PM
Titty pics or it didn't happen..... 8)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 1) by fustakrakich on Tuesday September 29, @05:57PM
Yeah, but your ISP won't. They control everything that passes over their wire
Trump v. Biden! Don't look at me! REDЯUM
(Score: 2) by JoeMerchant on Tuesday September 29, @05:48PM (2 children)
If they permit ANY encryption, then ANY content will be deliverable inside the encrypted stream.
We have a (lame) vendor who supplies just such a product to use for devices inside private networks like hospitals or corporate settings with restrictions on port numbers and traffic. The device makes encrypted outbound requests to port 443 on their server which then replies with whatever you want, including inbound requests, opening VNC sessions, you name it.
For more information, deposit 0.25BTC to 29e051c90531025e6edca9c8e9376005
(Score: 0) by Anonymous Coward on Tuesday September 29, @06:34PM (1 child)
I assume the reasoning for this is to help make their metadata/deep packet inspection filters easier to deal with on the huge western cloud services, where knowing what node the user is accessing, even if you don't have the actual encrypted content available, makes it easier to narrow down which size matching algorithm you need to see if their data follows a pattern that warrants further surveillance. Like for example if someone appears to be connecting to a website on azure cloud, but is actually using the Tor browser, for instance.
This ties in with the Tor 0day commentary from that guy working for internet archive a few weeks back: if you can profile match the packet stream and timing characteristics of TCP connections, you can oftentimes very accurately decipher what application is initiating the connection and perhaps even the content of the stream even without having the actual unencrypted data available. For Russian intelligence this is probably all they need. If they KNOW someone's data profile is suspect they can begin targeting a server/client exploit, or if the subjects are particularly hardened, fall back on physical intelligence gathering techniques (whether clandestine, or rubber hose varieties.)
I assume the same holds true for Western governments, although for now at least they only use the former techniques and not the latter, along with some 'commercial compromise' by just paying off the companies to 'legitimately spy'.
(Score: 2) by JoeMerchant on Tuesday September 29, @06:47PM
IMO it's just going to lead to whack-a-mole for their intelligence services. New website pops up (foreign or domestic) that looks like somebody's Etsy shop or whatever, secure connections to that site carry traffic to/from TOR nodes, and there you go. It will slow down the undetermined, but wrapper apps aren't hard to write at all, and can probably be distributed as Javascript on the contact sites.
For more information, deposit 0.25BTC to 29e051c90531025e6edca9c8e9376005
(Score: 1, Touché) by Anonymous Coward on Tuesday September 29, @05:50PM (3 children)
It's too bad the Russian government is so heavy handed, as otherwise Russia might be a nice cheap place to live. The whole world is turning into one big prison colony. Time to tear some shit down.
(Score: 3, Funny) by Gaaark on Tuesday September 29, @05:59PM (2 children)
Surprised Putin hasn't said "Mr. Trump, tear down that wall" just for gits and shiggles.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by JoeMerchant on Tuesday September 29, @06:06PM
If Trump wins in 2020, be ready for a shill named Boris Vasilyev to run (with a good chance of winning) in 2024.
For more information, deposit 0.25BTC to 29e051c90531025e6edca9c8e9376005
(Score: 0) by Anonymous Coward on Tuesday September 29, @06:11PM
That might finally show some people just what a place we have found ourselves in.
(Score: 2) by tangomargarine on Tuesday September 29, @06:16PM (1 child)
Powerful people over on this side of the Atlantic are trying to force backdoors into the encryption tools we use too, at the risk of whataboutism
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 1) by fustakrakich on Tuesday September 29, @06:23PM
But on this side we can vote out the dictators and crooks.
Or, maybe we can't. We never tried. The coalition party always receives ~95% of the vote
Trump v. Biden! Don't look at me! REDЯUM
(Score: 2) by Azuma Hazuki on Tuesday September 29, @06:36PM
I, too, want Russia to ban the use of secure protocols and cypher-suites. As does every other spy agency on the planet aside the GRU!
I am "that girl" your mother warned you about...