A new standard for cryptography is on the horizon, called Transport Level Security 1.3 (TLS 1.3).
TLS 1.3 is a major update to cryptography, and fundamentally changes how websites and services will handle negotiating and executing encrypted services.
Among the big improvements are faster handshakes with websites (meaning faster page load times), new ciphers (new and stronger types of encryption) and new hash functions (types of verification to check if data is genuine). It also features privacy improvements such as reducing the amount of metadata that is exposed to eavesdroppers, as all metadata that isn’t needed for the routing around the web itself is now hidden behind encryption.
But hidden among these broad strokes is an update that can cause big shakeups in countries that are conducting mass censorship of the internet. An update to how Server Name Indication works will allow services to easily impersonate one another.
Server Name Indication (SNI) is used for Domain Fronting, that is, making a web service look like it is coming from one service, when it is actually another service entirely. This is used to help Content Delivery Networks ensure fast network access around the world and helps eliminate downtime.
SNI is also used for another purpose. It allows censored services to “look like” uncensored ones to automated censorship systems. These systems mistake a banned website as a permitted one and allow it to load, rather than blocking the user or redirecting them to a more friendly government approved content.
Currently, SNI in TLS 1.2 has a flaw that allows censors to differentiate between a “real” service and a “fake” service if they are savvy enough to figure it out. Interestingly, SNI in TLS 1.3 fixes this problem by hiding all of the information about the service behind encryption.
This means that services like VPNs and Tor can bypass censorship systems entirely by impersonating servers at Google, Amazon, or Microsoft. These three names are actually very important to the censorship issues of 2018 and beyond, because they are, in essence, a majority of the Internet we know. If Google Cloud, Amazon Web Services, and Microsoft Azure allow domain fronting with TLS 1.3, censorship countries like China are faced with a binary choice. They can either block gigantic swaths of the Internet (and face enormous backlash) or allow SNI to work, which means a serious setback for censorship around the world.
The problem is that Amazon Web Services and Google Cloud currently do not allow domain fronting. Only Microsoft Azure does. This is problematic because it emboldens the censorship states by allowing them to simply block one cloud service instead of a majority of the Internet. It gives them an opportunity to punish an outlier rather than forcing them to choose between allowing free information or facing incredible internal pressure. Maximizing the collateral damage done by blocking anti-censorship services is the best way to dissuade censorship countries from continuing to suppress information.
Amazon and Google need to rethink their positions on this issue. Staying united behind the free web is an important issue to everyone and is in the interest of Internet companies and Internet citizens alike.
Derek is a cryptographer, security expert and privacy activist. He has twelve years of security experience and six years of experience designing and implementing privacy systems. He founded the Open Source Technology Improvement Fund (OSTIF) which focuses on creating and improving open-source security solutions through auditing, bug bounties, and resource gathering and management.