I haven’t posted in a while, but today I have something interesting to share. Recently, multiple service providers that I use have started blocking some websites using deep packet inspection firewalls. Earlier, these firewalls would only block traffic by examining the hostname in GET requests (which is easy to bypass by just using the https version of the target website), but now they employ some more techniques. Specifically, they block based on the SNI field of the TLS client hello, and sometimes also block on the basis of DNS queries. I was looking for ways to bypass these using custom extensions on my browser, but found out that it’ll be a very non-trivial problem. Then I looked around and found that:
The latest Firefox Nightly builds (and maybe even mainline Firefox) have support for DNS over HTTPS (so no DNS-based blocking)
Firefox has implemented the ESNI feature discussed in the TLS 1.3 drafts (again, only available in Nightly builds so far)
Cloudflare has enabled ESNI.
I won’t retell the whole tale; here are quick links:
The first link also has detailed steps on how to enable these features (plus an explanation of what’s actually happening). I’ll summarize them quickly:
0. Get Firefox Nightly.
1. Type about:config in the URL bar.
2. Search for network.trr and change network.trr.mode to 2.
3. Search for network.security.esni.enabled and set it to true.
In all likelihood, your ISP, institution, etc. will now not be able to block any website on Cloudflare (a LOT of websites use Cloudflare), as long as you use Firefox Nightly. With increased adoption of ESNI, more websites will be able to evade blocking. (These steps won’t work if you are in a workplace where the employer has installed its own certificate on the machines and uses an SSL proxy in conjunction with the firewall.)
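To show what the SNI-based firewall described above actually matches on, here is an added Python example (not code from the original post): it pulls the cleartext server_name extension out of a TLS ClientHello the way a DPI device does. The ClientHello bytes are constructed inline; the second case omits that extension, which is all the inspector is left with once ESNI moves the name into an encrypted extension it cannot read.

```python
import struct


def build_client_hello(server_name=None):
    """Constructed (not captured) TLS ClientHello record, for demonstration only.

    With server_name=None the cleartext server_name extension is omitted, which is
    what a DPI firewall sees once ESNI carries the name in an encrypted extension.
    """
    exts = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions: TLS 1.3
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # server_name ext
    body = (b"\x03\x03" + bytes(32)  # legacy version + zeroed client random
            + b"\x00"  # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"  # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"  # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the cleartext SNI host name a DPI box would match on, else None."""
    try:
        return _sni_from_hello(record)
    except (IndexError, struct.error):
        return None  # truncated or malformed record


def _sni_from_hello(record):
    if record[0] != 0x16 or record[5] != 0x01:
        return None  # not a handshake record carrying a ClientHello
    pos = 9 + 2 + 32  # record + handshake headers, legacy version, random
    pos += 1 + record[pos]  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]  # compression methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0x0000:  # server_name: list len(2), name_type(1), name len(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen  # skip any other extension
    return None


if __name__ == "__main__":
    for name in ("blocked.example", None):
        print(name, "->", extract_sni(build_client_hello(name)))
```

With ESNI enabled the firewall has no host name to compare against its blocklist, which is exactly why the steps above stop the SNI-based blocking (DNS-based blocking is the separate problem that DoH addresses).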