New Russian Legislation Would Outlaw Tor And Sites Using Encrypted ClientHello
The Russian Ministry of Digital Development, Communications and Mass Media has proposed amendments to a law that would ban "encryption protocols that allow Internet sites or pages to hide their name except in cases established in legislation by the Russian Federation." The proposal targets the Encrypted ClientHello TLS extension but the implications are broader than that.
China has outlawed the use of a HTTPS encryption extension called Encrypted ClientHello (ECH) which is documented in the IETF document TLS Encrypted Client Hello draft-ietf-tls-esni-07. Russia may follow suit with very broad and general legislation aimed at discouraging sites from using Encrypted ClientHello. The proposed legislation would, with the current wording, outlaw all encryption systems that allow websites and other services to hide their identity using encryption schemes. Tor hidden services comes to mind as one obvious example of a service that would become illegal in Russia as a side-effect.
Why They Care
Imagine you're an eavesdropper and you hear the following:
"Hello, dear web server. I would like to establish an encrypted connection to linuxreviews.org."
You can't tell what pages whoever said that is interested in, but you can conclude that "She's interested in Linux, get her!". This is how HTTPS works with the The Server Name Indication (SNI) TLS extension everyone uses today: The web browser sends a plain-text
ClientHello message asking for an encrypted channel to a domain name and the server and client agree on the best mutually supported means of establishing a encrypted connection.
Now, compare that to this more vague statement:
"Hello, dear web server. I would like to establish an encrypted connection."
That last statement is far less incriminating because one crucial detail is omitted from the request: What site the person wanting an encrypted connection is actually interested in. Having that detail is not always all that important to a country-level adversary who is eavesdropping on everyone's Internet connections since the IP addresses involved at the transport layer remain known. If the web server is at IPv6 IP
2001:470:6c:b7::10 and there is just one website at that IP then it's easy to know what website someone is trying to connect to. But that's not always the case.
The IEFT TLS Encrypted Client Hello draft happens to be co-authored by Nick Sullivan and Christopher A. Wood from an American outfit called Cloudflare. Cloudflare operates a gigantic reverse proxy network with millions of websites behind it. Knowing that someone is establishing an encrypted connection to some website within their network tells you very little about their interests or intentions.
This is where two proposed amendments to article 2 and 10 of the federal Russian "On information, information technologies and information protection" comes in. The proposed legislation would outlaw any and all encryption schemes that hide a websites name or "identifier" from the benevolent Russian government.
"Encryption protocol that allows to hide the name (identifier) of a web page or site in the "Internet" - is an abstract or concrete protocol that includes a set of rules governing the use of cryptographic algorithms and transformations in the information processes.""
The wording does not specifically target the HTTPS Encrypted ClientHello (ECH) extension. That is the intent behind it, but the practical implications are much broader. Tor hidden services would also be affected. It could also, potentially, be used to prohibit protocols like DNS over HTTPS.
The Penalty For Violating The New Law
The penalty for violating the proposed new legislation is simple: Your Internet connection is terminated within a day.
"Violation (..) shall entail the suspension of the functioning of the Internet resource no later than 1 (one) business day from the day the violation was discovered by the authorized federal executive body."
Encrypted ClientHello (ECH) will simply not be a thing in Russia if the proposed legislation goes into effect. Web servers can not hide that they have support for it and it would be real easy to scan for it. No business will risk being kicked off the Internet within a day for having a slightly more secure web server configuration.
If Encrypted ClientHello becomes a thing outside of Russia is yet to be seen. The TLS Encrypted Client Hello draft was written in June 2020. There is no support in the Apache 2.5 mod_ssl module. It would be nice if it becomes a standard commonplace part of HTTPS because the current method of sending insecure plain-text ClientHello messages is a security flaw most people are blissfully unaware of.