Abstract:
Transport Layer Security (TLS) is a cryptographic protocol that aims to protect users’ traffic on the internet. The main goals of TLS are the protection of the traffic’s authenticity and the confidentiality of its contents. Contrary, TLS does not necessarily conceal the destination of a user’s traffic. Specifically, TLS leaks the hostname of the server a user connects to. This allows a Malicious-in-the-Middle (MitM) to read and interpret the hostname of the server. Moreover, state actor censors can utilize the hostname of the server to decide whether or not to censor the traffic.
To mitigate this shortcoming, the Internet Engineering Task Force (IETF) introduced the Encrypted Server Name Indication (ESNI) extension in 2019 [Res+18]. In its first versions, the ESNI extension was designed to encrypt the hostname of the server. Since then, the ESNI extension turned into the EncryptedClientHello (ECH) extension[Res+20]. In its current form [Res+22], the ECH extension encrypts the complete first message of a TLS handshake to protect all information about the connection’s destination. Facing the ESNI/ECH extension, a censor cannot intercept a connection based on the server’s hostname anymore. Rather, a censor has to intercept all connections that use the ESNI/ECH extension. However, this approach is only feasible as long as only a small amount of connections use the ESNI/ECH extension.
In this thesis, we analyze the current support of TLS servers for the ESNI/ECH extension. We find that the ESNI/ECH extension was only completely supported by Cloudflare which has removed its global support over the course of this thesis. Other servers indicate ESNI or ECH support but lack the keys necessary for complete support. Besides global ESNI/ECH support, we evaluate countries’ censors based on their censoring and circumventability of the ESNI/ECH extension. We carry out our evaluations with an automatic tool we introduce in this thesis. Confirming previous research by Bock et al. [Boc+20], we detect ESNI censoring in China. Furthermore, we introduce a new form of TLS censorship circumvention in this thesis by fragmenting TLS messages over multiple TLS records. Additionally, we discover the censorship of DNS over HTTPS (DoH) and DNS over TLS (DoT) to happen in both China and Iran. We consider this relevant as both DoH and DoT censorship complement the censorship of the ESNI and ECH extension. As our last contribution, we present our so-called ESNI-Proxy in this thesis. It allows querying websites using ESNI that do not support ESNI themselves. As proof-of-work, we use the ESNI-Proxy to query a censored Wikipedia page from China using ESNI and the circumvention we introduce in this thesis.