Russia wants to ban the use of secure protocols such as TLS 1.3, DoH, DoT, ESNI

Amendment to IT law would make it illegal to use encryption protocols that fully hide the traffic's destination.
Written by Catalin Cimpanu, Contributor

The Russian government is working on updating its technology laws so it can ban the use of modern internet protocols that can hinder its surveillance and censorship capabilities.

According to a copy of the proposed law amendments and an explanatory note, the ban targets internet protocols and technologies such as TLS 1.3, DoH, DoT, and ESNI.

Moscow officials aren't looking to ban HTTPS and encrypted communications as a whole, as these are essential to modern-day financial transactions, communications, military, and critical infrastructure.

Instead, the government wants to ban the use of internet protocols that hide "the name (identifier) of a web page" inside HTTPS traffic.

HTTPS traffic has leaks

While HTTPS encrypts the content of an internet connection, there are various techniques that third parties such as telcos can apply to determine which site a user is connecting to.

Third parties may not be able to break the encryption and sniff the traffic, but they can track or block users based on these leaks, and this is how some ISP-level parental control and copyright infringement blocklists work.

The two primary techniques used by telcos are (1) watching DNS traffic and (2) analyzing the SNI (Server Name Indication) field in HTTPS traffic.

The first technique works because browsers and apps make DNS queries in plaintext, revealing the user's intended site destination even before a future HTTPS connection is established.

The second technique works because the SNI field in HTTPS connections is left unencrypted and similarly allows third parties to determine which site an HTTPS connection is going to.

New protocols are hindering surveillance and censorship

But over the past decade, new internet protocols have been created and released to address these two issues.

DoH (DNS over HTTPS) and DoT (DNS over TLS) can encrypt DNS queries.

And when combined, TLS 1.3 and ESNI (Encrypted Server Name Indication) can also prevent SNI leaks.

These protocols are slowly gaining adoption, both in browsers and with cloud providers and websites across the globe. There is no better sign that they work as advertised than the fact that China updated its Great Firewall censorship tool to block HTTPS traffic that relied on TLS 1.3 and ESNI.

Russia doesn't use a national firewall system, but the Moscow regime relies on a system called SORM that allows law enforcement to intercept internet traffic right at the source, in telco data centers.

Furthermore, Russia's telecommunications ministry, the Roskomnadzor, has been running a de-facto national firewall through its regulatory power over the local ISPs. For the past decade, Roskomnadzor has been banning websites it deemed dangerous and asking ISPs to filter their traffic and block access to the respective sites.

With TLS 1.3, DoH, DoT, and ESNI gaining adoption, all of Russia's current surveillance and censorship tools will become useless, as they rely on having access to the website identifiers that leak from encrypted web traffic.

And just like China, Russia is cracking down on these new technologies. According to the proposed law amendment, any company or website that uses technology to hide its website identifier in encrypted traffic will be banned inside Russia after a one-day warning.

The proposed law is currently in open debate and awaiting public feedback until next month, on October 5.

Taking into account the strategic, political, and intelligence benefits that come with this law amendment, it's almost certain that the amendment will pass.
