Russia intends to ban protocols that allow hiding the name of a site

Public discussion has begun of a draft legal act amending the Federal Law "On Information, Information Technologies and Information Protection", prepared by the Ministry of Digital Development, Communications and Mass Media. It proposes adding to the law a ban on the use, within the territory of the Russian Federation, of "encryption protocols that allow hiding the name (identifier) of an Internet page or site on the Internet, except in cases established by the legislation of the Russian Federation."

For violating this prohibition, it is proposed that the authorized federal executive body suspend the operation of the Internet resource no later than one business day after the violation is detected. The main target of the block is the TLS extension ECH (formerly known as ESNI), which can be used together with TLS 1.3 and is already blocked in China. Since the wording of the bill is vague and contains no specifics beyond ECH/ESNI, virtually any protocol that fully encrypts the communication channel could fall under it, as could DNS over HTTPS (DoH) and DNS over TLS (DoT).

Recall that, to serve several HTTPS sites from the same IP address, the SNI extension was developed, which transmits the host name in clear text in the ClientHello message, sent before the encrypted channel is established. This lets an ISP selectively filter HTTPS traffic and observe which sites a user opens, so HTTPS on its own does not provide complete confidentiality.

ECH/ESNI completely eliminates the leak of the requested site name when HTTPS connections are inspected. Combined with access through a content delivery network, ECH/ESNI also hides the IP address of the requested resource from the provider: traffic inspection systems see only connections to the CDN and cannot block selectively without spoofing the TLS session, in which case the user's browser displays a certificate warning. If ECH/ESNI is banned, the only way to counter this is to completely restrict access to CDNs that support ECH/ESNI; otherwise the blocking is ineffective and easily bypassed through a CDN.

With ECH/ESNI the host name is still carried in the ClientHello, as with SNI, but the content of that field is encrypted. The encryption key is a secret derived from a server key and a client key. To decrypt an intercepted ECH/ESNI value, one needs the private key of either the client or the server (together with the other side's public key); equivalently, the shared secret derived from those keys, known only to the client and server, decrypts it. The server's public key is published in DNS, and the client's public key is sent in the ClientHello message itself. Note that the name is protected only if the DNS lookup that fetches the server's key is itself encrypted (DoH/DoT): a plaintext DNS query reveals the site name regardless of ECH, which is one reason DoH and DoT appear alongside ECH in the bill.
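To make the filtering point above concrete, the following added example (written for this page, not code from opennet.ru or from any ECH implementation) builds a minimal, constructed ClientHello with a plaintext SNI, parses it the way an ISP inspection box would, and shows what changes when an ECH extension is present: the outer SNI then carries only the CDN's public name and the filter can no longer decide based on the real host name. The ECH payload here is an opaque constructed blob, not a real HPKE-encrypted inner ClientHello; the extension code point 0xfe0d is the one used by the ECH drafts, and the cipher suite and record layout are just enough for the parser to work.

```python
import os
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # code point used by the ECH drafts (assumption for this example)


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one TLS extension: type(2) || length(2) || body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Constructed ClientHello TLS record with a plaintext SNI and an optional ECH extension.
    Not a complete handshake: just enough structure for a DPI parser to work on."""
    name = server_name.encode("idna")
    # server_name_list: list length(2) || name_type(1)=host_name || name length(2) || name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = _ext(EXT_SERVER_NAME, sni_body)
    if ech_payload is not None:
        extensions += _ext(EXT_ECH, ech_payload)
    body = (
        b"\x03\x03"                              # legacy_version (TLS 1.2 on the wire)
        + os.urandom(32)                         # random
        + b"\x00"                                # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract the plaintext SNI and whether an ECH extension is present, as a DPI box would."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # legacy_version + random
    pos += 1 + body[pos]                                     # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "has_ech": False}
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == EXT_SERVER_NAME:
            entry = 2                                        # skip server_name_list length
            while entry + 3 <= len(data):
                name_type = data[entry]
                name_len = struct.unpack("!H", data[entry + 1:entry + 3])[0]
                if name_type == 0:                           # host_name
                    result["sni"] = data[entry + 3:entry + 3 + name_len].decode("idna")
                    break
                entry += 3 + name_len
        elif ext_type == EXT_ECH:
            result["has_ech"] = True
    return result


def dpi_verdict(record: bytes, blocklist: set) -> Tuple[str, Optional[str]]:
    """What an ISP filter can decide from the ClientHello alone: ('block'|'allow'|'opaque', outer SNI)."""
    info = parse_client_hello(record)
    if info["has_ech"]:
        # Outer SNI is only the ECH public name (typically the CDN); the real name is encrypted.
        return ("opaque", info["sni"])
    if info["sni"] in blocklist:
        return ("block", info["sni"])
    return ("allow", info["sni"])


if __name__ == "__main__":
    blocklist = {"blocked.example"}                          # constructed sample blocklist
    print(dpi_verdict(build_client_hello("blocked.example"), blocklist))
    # With ECH the outer SNI names the CDN; the true host name sits in the (here constructed) payload.
    print(dpi_verdict(build_client_hello("cdn-public.example", ech_payload=b"\x00" * 48), blocklist))
```

The "opaque" branch is the whole argument of the bill: once the filter cannot read the host name, the only remaining handles are the CDN's IP addresses and the ECH extension's mere presence, which is exactly what a ban on the protocol would key on.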

Source: opennet.ru
