China has started blocking HTTPS connections established with TLS 1.3 and ESNI

China has begun blocking all HTTPS connections that use the TLS 1.3 protocol together with the ESNI (Encrypted Server Name Indication) TLS extension, which encrypts the data about the requested host. The blocking is carried out on all transit routers handling connections from China to the outside world and from the outside world into China.

The blocking is performed by dropping packets sent from the client to the server, rather than by injecting an RST packet, the method previously used for content-selective blocking based on SNI. Once a packet carrying ESNI has triggered the block, all subsequent network packets matching the same combination of source IP, destination IP and destination port are also dropped for 120 to 180 seconds. HTTPS connections based on older TLS versions, and TLS 1.3 connections without ESNI, are passed through as usual.

Recall that the SNI extension was developed to allow several HTTPS sites to be served from a single IP address: it transmits the host name in clear text inside the ClientHello message, which is sent before the encrypted communication channel is established. This feature allows an ISP to selectively filter HTTPS traffic and to analyze which sites a user opens, so complete privacy cannot be achieved when using HTTPS.

The new TLS extension ECH (formerly ESNI), which can be used together with TLS 1.3, eliminates this shortcoming and completely removes the leak of information about the requested site when HTTPS connections are inspected. In combination with access through a content delivery network, the use of ECH/ESNI also makes it possible to hide the IP address of the requested resource from the provider. Traffic inspection systems then only see requests to the CDN and cannot apply blocking without spoofing the TLS session, in which case the user's browser displays a warning about the spoofed certificate. DNS remains a possible leak channel, but the client can use DNS-over-HTTPS or DNS-over-TLS to hide its DNS lookups.

Researchers have already identified several workarounds for bypassing the Chinese block on both the client and the server side, but these may stop working at any time and should only be regarded as temporary. For example, at present only packets carrying the ESNI extension ID 0xffce (encrypted_server_name), which was used in the fifth version of the draft standard, are blocked, whereas packets carrying the current identifier 0xff02 (encrypted_client_hello), proposed in the seventh draft of the ECH specification, are not.
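Because the filter keys on the extension codepoint inside the ClientHello, a network operator or client maintainer who wants to know whether their own traffic would trip it needs to see which SNI-related extension a handshake actually carries. The following is an added example, not code from the original article or from any project it mentions: it builds a minimal TLS 1.3-style ClientHello with a chosen set of extensions (constructed test data), parses the record back, and classifies it by whether it carries the draft-05 ESNI codepoint 0xffce named in the article, the draft-07 ECH codepoint 0xff02, or only plaintext SNI. The same `parse_client_hello_extensions` function can be run over the first record captured from a real client. The codepoint 0xfe0d is assumed here to be the one used by later ECH drafts; it is not mentioned on the page.

```python
import struct

# Extension type codepoints. 0xffce and 0xff02 are taken from the article;
# 0xfe0d is assumed to be the codepoint adopted by later ECH drafts.
SNI = 0x0000
ESNI_DRAFT5 = 0xffce   # encrypted_server_name, ESNI draft-05 (the blocked ID)
ECH_DRAFT7 = 0xff02    # encrypted_client_hello, ECH draft-07 (not blocked at the time)
ECH_LATER = 0xfe0d     # assumed: encrypted_client_hello in later ECH drafts


def sni_ext(hostname):
    """Encode a server_name extension body (RFC 6066 ServerNameList)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type=host_name
    return struct.pack("!H", len(entry)) + entry


def build_client_hello(extensions):
    """Construct a minimal ClientHello record carrying the given (type, body) extensions.
    This is constructed sample data, only detailed enough for the parser below."""
    body = b"\x03\x03" + b"\x11" * 32          # legacy_version 1.2 + 32-byte random
    body += b"\x00"                            # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01" # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                        # compression methods: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_extensions(record):
    """Walk a TLS record -> ClientHello and return {extension_type: body_bytes}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    off = 2 + 32                                   # skip legacy_version and random
    sid_len = body[off]; off += 1 + sid_len        # legacy_session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2 + cs_len
    cm_len = body[off]; off += 1 + cm_len          # compression_methods
    ext_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    end = off + ext_len
    exts = {}
    while off + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[off:off + 4]); off += 4
        exts[ext_type] = body[off:off + length]; off += length
    return exts


def sni_hostname(ext_body):
    """Extract the host_name entry from a server_name extension body, or None."""
    if len(ext_body) < 5 or ext_body[2] != 0x00:
        return None
    name_len = struct.unpack("!H", ext_body[3:5])[0]
    return ext_body[5:5 + name_len].decode("ascii")


def classify(record):
    """Label a ClientHello by the SNI mechanism it carries, most sensitive first."""
    exts = parse_client_hello_extensions(record)
    if ESNI_DRAFT5 in exts:
        return "esni-draft5"          # would be dropped by the filter described above
    if ECH_DRAFT7 in exts or ECH_LATER in exts:
        return "ech"                  # outer SNI (if any) is only the cover name
    if SNI in exts:
        return "plaintext-sni"        # host name visible to any on-path inspector
    return "no-sni"


if __name__ == "__main__":
    for label, exts in [
        ("esni", [(SNI, sni_ext("cdn.example")), (ESNI_DRAFT5, b"\x00" * 8)]),
        ("ech", [(SNI, sni_ext("cdn.example")), (ECH_DRAFT7, b"\x00" * 8)]),
        ("plain", [(SNI, sni_ext("example.com"))]),
    ]:
        rec = build_client_hello(exts)
        print(label, classify(rec), sni_hostname(parse_client_hello_extensions(rec).get(SNI, b"")))
```

The extension bodies for ESNI and ECH are left as placeholder bytes because the filter the article describes reacts to the presence of the codepoint, not to the encrypted contents; the outer plaintext SNI in those cases carries only the CDN's cover name, which is all an on-path inspector can see.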

Another workaround is to use a non-standard connection setup sequence. For example, the block is not triggered if an extra SYN packet with an incorrect sequence number is sent first, if packet fragmentation flags are manipulated, if a packet with both the FIN and SYN flags set is sent, if an RST packet with an incorrect checksum is injected, or if a packet is sent before the SYN/ACK handshake that establishes the connection begins. The described methods have already been implemented as a plugin for the Geneva tool, which was developed to evade traffic inspection techniques.

Source: opennet.ru
