China has begun blocking HTTPS connections established with TLS 1.3 and ESNI

China has begun blocking all HTTPS connections that use the TLS 1.3 protocol together with the ESNI (Encrypted Server Name Indication) TLS extension, which encrypts the data about the requested host. The blocking is performed on transit routers, both for connections established from China to the outside world and for connections from the outside world into China.

The blocking is carried out by dropping packets sent from the client to the server, instead of the RST packet injection previously used for SNI-based selective blocking. Once blocking has been triggered by a packet containing ESNI, all network packets matching the combination of source IP, destination IP and port number are also blocked for 120 to 180 seconds. HTTPS connections based on older TLS versions, and on TLS 1.3 without ESNI, are passed through as usual.

Recall that the SNI extension was designed to allow several HTTPS sites to be served on a single IP address: it transmits the host name in plaintext in the ClientHello message, which is sent before the encrypted communication channel is established. This makes it possible for an Internet provider to selectively filter HTTPS traffic and analyze which sites a user opens, which means that full confidentiality cannot be achieved when using HTTPS.

The new ECH TLS extension (formerly ESNI), which can be used together with TLS 1.3, removes this shortcoming and completely eliminates the leak of information about the requested site when HTTPS connections are analyzed. Combined with access through a content delivery network, the use of ECH/ESNI also makes it possible to hide the IP address of the requested resource from the provider. Traffic inspection systems will only see requests to the CDN and will not be able to apply blocking without tampering with the TLS session, in which case a corresponding certificate-spoofing warning will be shown in the user's browser. DNS remains a potential leakage channel, but the client can use DNS-over-HTTPS or DNS-over-TLS to hide DNS lookups.

Researchers have already identified several ways to bypass the Chinese blocking on the client and server side, but these may stop working and should be regarded only as a temporary measure. For example, currently only packets carrying the ESNI extension ID 0xffce (encrypted_server_name), which was used in the fifth version of the draft standard, are blocked, while packets with the current identifier 0xff02 (encrypted_client_hello), proposed in the seventh draft of the ECH specification, are still passed through.
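To make the distinction concrete, the following is an added example (not code from the article or from the researchers it cites) that parses a TLS ClientHello the way an on-path inspection box would, reporting whether the host name is exposed in a plaintext SNI extension, whether the draft ESNI extension (0xffce) that the filter matches on is present, whether the newer ECH identifier (0xff02) is used, and whether TLS 1.3 is offered. The ClientHello records it inspects are constructed inline for the example, not captured from real traffic.

```python
import struct

# TLS extension types referenced in the article (SNI, supported_versions, draft ESNI, ECH)
SNI, SUPPORTED_VERSIONS, ESNI_DRAFT, ECH = 0x0000, 0x002B, 0xFFCE, 0xFF02

def build_client_hello(extensions):
    """Build a minimal TLS ClientHello record from (ext_type, ext_data) pairs.
    Constructed sample input for this example, not a capture from a real connection."""
    body = b"\x03\x03" + bytes(32)               # legacy_version + 32-byte random (zeros)
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                          # compression_methods: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(hostname):
    """Plaintext server_name extension: the field an on-path observer can read."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return (SNI, struct.pack("!H", len(entry)) + entry)

def inspect_client_hello(record):
    """Report what a passive on-path observer learns from one ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                       # skip session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + record[pos]                       # skip compression_methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    result = {"sni": None, "esni_draft": False, "ech": False, "tls13": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        if etype == SNI:        # list_len(2) name_type(1) name_len(2) name
            result["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif etype == SUPPORTED_VERSIONS:   # len(1) then 2-byte versions; 0x0304 = TLS 1.3
            result["tls13"] = any(data[i:i + 2] == b"\x03\x04" for i in range(1, 1 + data[0], 2))
        elif etype == ESNI_DRAFT:           # 0xffce: the ID the article says is being blocked
            result["esni_draft"] = True
        elif etype == ECH:                  # 0xff02: draft-07 ECH ID, still passed through
            result["ech"] = True
        pos += 4 + elen
    return result
```

A filter keyed on the 0xffce type, as described above, matches the second case but not the third, which is why the identifier change alone currently slips past it.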

Another workaround comes down to using a non-standard connection handshake. For example, the blocking does not trigger if an additional SYN packet with an incorrect sequence number is sent beforehand, if the packet fragmentation flags are manipulated, if a packet with both the FIN and SYN flags set is sent, if an RST packet with an invalid checksum is injected, or if a packet with the SYN and ACK flags is sent before the connection handshake begins. The described methods have already been implemented as an extension for the Geneva toolkit, which is developed to circumvent censorship methods.

Source: opennet.ru