China’s “Great Firewall” Gets Upgrade for TLS 1.3 and ESNI Traffic Blocking

Last updated September 27, 2021
Written by:
Bill Toulas
Infosec Writer

The Chinese state has upgraded the “Great Firewall” so that it can block HTTPS connections that use TLS 1.3 together with ESNI. TLS 1.3 is the latest version of Transport Security Layer’s successor protocol, Transport Layer Security, the encryption layer beneath HTTPS; ESNI (Encrypted Server Name Indication) is an extension to TLS 1.3 that encrypts the Server Name Indication field of the ClientHello, the one part of the handshake that still told a network observer which hostname the client was asking for.

Plain HTTP and TLS handshakes with an unencrypted SNI reveal which website the user is trying to reach, so users in China who want to get past blocking have largely stopped relying on them.

The state already uses deep packet inspection (DPI) to analyze traffic and detect when people use VPN tools to get around the imposed access restrictions. ESNI had remained a reliable way to bypass SNI-based blocking, and censorship in general, so the Great Firewall has now been given features that close this gap.

As those who follow the Chinese internet closely report, every method that users in the country have for getting through the restrictions is short-lived, and as the cat-and-mouse game progresses, the situation gets harder for ordinary citizens.

Concretely, the firewall now drops any connection whose TLS handshake carries the ESNI extension, on whichever port it appears (1 through 65535). It then blocks all further TCP traffic between the client and server IP addresses that attempted the ESNI handshake for 180 seconds. Getting around this, or tricking the Great Firewall in certain cases, is still possible, but the state’s internet engineers keep patching the blocking system to close new gaps, so there are no permanent solutions.
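To make the described behaviour concrete, here is an added example (not code from the article or from any of the research projects it mentions) of what a DPI box has to do to enforce this rule: parse the TLS ClientHello far enough to list its extensions, flag the ESNI extension (draft code point 0xffce) as opposed to a plaintext server_name extension (0x0000), and keep a per-(client IP, server IP) timer that drops everything for 180 seconds after an ESNI handshake is seen. The ClientHello bytes are constructed inline for testing, not captured traffic, and the 180-second window and the “all ports” behaviour are taken from the article’s description rather than from any published firewall specification.

```python
import struct

EXT_SERVER_NAME = 0x0000            # plaintext SNI, readable by any observer
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE  # ESNI extension code point used by the drafts
EXT_SUPPORTED_VERSIONS = 0x002B
TLS13 = 0x0304


def build_client_hello(server_name=None, esni_blob=None):
    """Build a minimal TLS 1.3 ClientHello record (constructed sample, not captured traffic)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode()
        sni_list = struct.pack("!BH", 0, len(name)) + name      # name_type=0 (host_name), length, name
        data = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data
    if esni_blob is not None:                                  # opaque encrypted_sni structure
        exts += struct.pack("!HH", EXT_ENCRYPTED_SERVER_NAME, len(esni_blob)) + esni_blob
    sv = struct.pack("!BH", 2, TLS13)                          # supported_versions: only TLS 1.3
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body = (struct.pack("!H", 0x0303) + b"\x00" * 32           # legacy_version, random
            + b"\x00"                                          # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                      # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return extension types, the plaintext SNI (if any) and whether ESNI is present; None if not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        return None
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # session id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # compression methods
    result = {"extensions": [], "sni": None, "esni": False}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        result["extensions"].append(etype)
        if etype == EXT_SERVER_NAME and len(edata) >= 5:
            name_len = struct.unpack("!H", edata[3:5])[0]
            result["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_ENCRYPTED_SERVER_NAME:
            result["esni"] = True                  # the hostname is encrypted; DPI only sees its presence
    return result


class ResidualBlocker:
    """Models the rule described above: drop the ESNI ClientHello on any port, then drop all TCP
    traffic between the same client IP and server IP for BLOCK_SECONDS (assumed 180 per the article)."""
    BLOCK_SECONDS = 180

    def __init__(self):
        self.blocked_until = {}                    # (client_ip, server_ip) -> expiry timestamp

    def observe(self, client_ip, server_ip, dst_port, payload, now):
        key = (client_ip, server_ip)
        until = self.blocked_until.get(key)
        if until is not None and now < until:
            return "dropped: residual block"       # port is irrelevant during the block window
        info = parse_client_hello(payload)
        if info is not None and info["esni"]:
            self.blocked_until[key] = now + self.BLOCK_SECONDS
            return "dropped: ESNI ClientHello"
        return "forwarded"


if __name__ == "__main__":
    censor = ResidualBlocker()
    esni_hello = build_client_hello(esni_blob=b"\x00" * 16)
    plain_hello = build_client_hello(server_name="example.com")
    print(censor.observe("10.0.0.2", "203.0.113.5", 443, esni_hello, 1000.0))
    print(censor.observe("10.0.0.2", "203.0.113.5", 80, plain_hello, 1100.0))
    print(censor.observe("10.0.0.2", "203.0.113.5", 443, plain_hello, 1200.0))
```

The residual block is what makes the policy measurable from outside: a client that sends one ESNI ClientHello and then cannot reach the same server on an unrelated port for roughly three minutes has fingerprinted the firewall’s behaviour, which is also why a single accidental ESNI-capable connection can cut a user off from a site that was otherwise reachable.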

For example, the “Geneva” (Genetic Evasion) project from the University of Maryland has found six distinct circumvention strategies that still work against the current system. The team develops targeted DPI evasion techniques that get past the Great Firewall without exposing the user’s identity. How long these evasion strategies will keep working is doubtful, but researchers will keep putting their minds to the problem.


Chinese blocking methods have now become so advanced that other repressive regimes around the world are adopting them more or less unchanged. This also makes research into circumvention increasingly important.

Finally, we should not forget the latest developments in Hong Kong, where we expect the reach of the Great Firewall to soon extend over the territory that used to be under “special administration.”
