China’s Great Firewall“is now blocking HTTPS connections set up via the new TLS 1.3 encryption protocol and which use ESNI (Encrypted Server Name Indication),” reports ZDNet:

The block has been in place for more than a week, according to a joint report authored by three organizations tracking Chinese censorship — iYouPort, the University of Maryland, and the Great Firewall Report.

ZDNet also confirmed the report’s findings with two additional sources — namely members of a U.S. telecommunications provider and an internet exchange point (IXP) — using instructions provided in a mailing list

The reason for the ban is obvious for experts. HTTPS connections negotiated via TLS 1.3 and ESNI prevent third-party observers from detecting what website a user is attempting to access. This effectively blinds the Chinese government’s Great Firewall surveillance tool from seeing what users are doing online.

Through the new GFW update, Chinese officials are only targeting HTTPS traffic that is being set up with new technologies like TLS 1.3 and ESNI (Encrypted Server Name Indication).

Other HTTPS traffic is still allowed through the Great Firewall, if it uses older versions of the same protocols — such as TLS 1.1 or 1.2, or SNI (Server Name Indication).

In HTTPS connections negotiated via older versions of the TLS protocol (such as TLS 1.1 and TLS 1.2), the SNI field is visible in plaintext.