I live in a country with censorship and was wondering if it's possible to bypass DPI by just enabling ESNI, DNS over HTTPS and Always HTTPS? If not, what else should I enable to bypass a DPI firewall without having to go the VPN route?
1 Answer
A DPI solution cannot do targeted blocking when ESNI is used just by looking at the TLS ClientHello. But it can simply block any use of ESNI - see China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI.
Apart from that, ESNI is not a thing an end user could actually enable globally. ESNI needs support both by the HTTPS server itself (or the reverse proxy in front of it, as in the case of a CDN) and must also be set up in the DNS for the domain. And even with ESNI enabled and not blocked, one can still monitor which IP addresses get visited, which can often be mapped to one or a few domains served on this IP.
... what else should I enable to bypass DPI firewall without having to go the VPN route?
The proposed solutions don't provide adequate protection as described. There is no additional thing to enable to bypass the DPI. Instead, use a VPN, an HTTP proxy over HTTPS, a SOCKS proxy over TLS, or something similar that transfers all traffic encrypted to a trusted endpoint, bypassing the DPI.
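As an added illustration (not part of the question or the answer above), here is a small Python parser that shows what a DPI device sees in the clear in a TLS ClientHello: the plaintext SNI hostname when ordinary SNI is used, and the mere presence of an ESNI/ECH extension, which is itself a signature the censor can match on. The ClientHello bytes are constructed inline and the ESNI body is a zero placeholder, not a real encrypted name.

```python
import struct

EXT_SNI = 0x0000                 # server_name (plaintext SNI)
EXT_ESNI = 0xffce                # encrypted_server_name (ESNI draft, as deployed by Cloudflare/Firefox)
EXT_ECH = 0xfe0d                 # encrypted_client_hello (ECH, ESNI's successor)

def build_client_hello(extensions: bytes) -> bytes:
    """Constructed sample: wrap the given extensions in a minimal TLS 1.3-style ClientHello record."""
    body = (b"\x03\x03" + bytes(32)              # legacy_version, random (zeros: constructed)
            + b"\x00"                              # session_id: empty
            + b"\x00\x02\x13\x01"                  # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # compression_methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def sni_extension(hostname: str) -> bytes:
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 = host_name
    lst = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SNI, len(lst)) + lst

def esni_extension(opaque: bytes = b"\x00" * 8) -> bytes:
    # Placeholder body: a real ESNI extension carries the encrypted SNI blob, not zeros.
    return struct.pack("!HH", EXT_ESNI, len(opaque)) + opaque

def inspect_client_hello(record: bytes) -> dict:
    """What a DPI box sees in the clear: the SNI hostname, if any, and whether ESNI/ECH is present."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0] # cipher_suites
    p += 1 + record[p]                               # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    result = {"sni": None, "esni": False}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == EXT_SNI:
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode()
        elif etype in (EXT_ESNI, EXT_ECH):
            result["esni"] = True                    # the extension's presence is itself a signature
    return result
```

Run `inspect_client_hello(build_client_hello(sni_extension("example.com")))` to see the hostname leak, and swap in `esni_extension()` to see that the name is gone but the ESNI marker remains, which is exactly what a blanket ESNI block keys on.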
- Actually there are tricks linked by that article to bypass it: https://geneva.cs.umd.edu/posts/china-censors-esni/esni/ so thorough research will always yield bypassing methods. – MCCCS Jan 08 '21 at 19:44
- @MCCCS: *"... so thorough research will __always__ yield bypassing methods. ..."* - While this is fascinating research, I think you come to the wrong conclusion by claiming that bypass methods will __always__ be found. Apart from this, one needs to look at the bigger picture and not only the technical details. These bypass methods have clear signatures which could be used to trigger extended observation of the traffic (and the person behind it), because obviously the person is not accidentally visiting the site but deliberately trying to bypass the system. – Steffen Ullrich Jan 08 '21 at 20:07
- Agreed, while I still claim that vulnerabilities will always exist if you have an infinite pentest budget, you're right - this is careless and it's a good way for evil ISPs/govts to detect hackers to blacklist. – MCCCS Jan 08 '21 at 20:13
- Once the whole Internet supports ESNI other than dictatorships, I imagine browsers and servers will enable it for the entire Internet including dictatorships, so they'll have to allow it or break the Internet again. – user253751 Jan 08 '21 at 20:15
- @user253751: Sounds good in theory, but I have my doubts that theory will match practice. Dictatorships can have tight control and allow only law-abiding citizens to use outside parts of the internet. Law-abiding might involve disabling ESNI at the client so that normal SNI gets used, or even using a government-run TLS intercepting proxy. – Steffen Ullrich Jan 08 '21 at 20:43
- @SteffenUllrich why do they allow TLS at all? – user253751 Jan 08 '21 at 21:45
- @user253751: There is no total freedom on one side and total control on the other, but it's a gradient. TLS can be fine, as long as it is limited to the accepted sites. And note that these problems of how much control is wanted and how it is enforced are not limited to dictatorships. There are similar problems in schools which want to prevent visits to sites unsuitable for children. Similar problems in companies which also restrict access for security reasons and often also do TLS interception. And in all of these cases there are users who try to bypass control and others who enforce it. – Steffen Ullrich Jan 08 '21 at 22:01