
Blocking of Cloudflare ECH in Russia, 2024-11-05 #417

@wkrp

[Discussion moved from #393 (comment). NTC threads are https://ntc.party/t/12837 (technical information) and https://ntc.party/t/12732 (discussion).]

Cloudflare's deployment of Encrypted Client Hello (ECH) has been blocked in multiple networks in Russia since 2024-11-05. The blocking trigger is the presence of both of the following elements in the Client Hello:

  1. An SNI extension with the value cloudflare-ech.com.
  2. An ECH extension.

Neither of these elements on its own is sufficient. That is, an SNI of cloudflare-ech.com without an ECH extension is not blocked, and ECH extensions that use an SNI other than cloudflare-ech.com are not blocked. In particular, you can still make ECH connections to servers that use a different public_name, such as defo.ie and tls-ech.dev; and GREASE ECH with SNI different from cloudflare-ech.com is not blocked.
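As an added example (not part of this issue, and not code from Cloudflare, OONI or any other project mentioned here), the following Python parses a TLS ClientHello record, extracts the SNI host name and checks whether the ECH extension (code point 0xfe0d) is present, so that a ClientHello captured from a failing connection can be checked against the two-part signature described above. The `build_client_hello` helper produces a constructed, minimal ClientHello for testing only; its ECH extension body is a placeholder and does not model the real ECHClientHello structure.

```python
import struct

SNI_EXT = 0x0000   # server_name
ECH_EXT = 0xfe0d   # encrypted_client_hello (draft-ietf-tls-esni code point)
TRIGGER_SNI = b"cloudflare-ech.com"


def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record):
    """Return {extension_type: body} for the ClientHello in one TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                    # legacy_version + random
    off += 1 + body[off]            # legacy_session_id
    off += 2 + _u16(body, off)      # cipher_suites
    off += 1 + body[off]            # legacy_compression_methods
    exts = {}
    if off + 2 <= len(body):
        end = off + 2 + _u16(body, off)
        off += 2
        while off + 4 <= end:
            etype, elen = _u16(body, off), _u16(body, off + 2)
            off += 4
            exts[etype] = body[off:off + elen]
            off += elen
    return exts


def sni_host(ext_body):
    """First host_name entry of a server_name extension body, or None."""
    off = 2                         # skip server_name_list length
    while off + 3 <= len(ext_body):
        name_type, name_len = ext_body[off], _u16(ext_body, off + 1)
        off += 3
        name = ext_body[off:off + name_len]
        off += name_len
        if name_type == 0:
            return name
    return None


def classify(record):
    """Report the two signature elements and whether both are present."""
    exts = parse_client_hello(record)
    sni = sni_host(exts[SNI_EXT]) if SNI_EXT in exts else None
    has_ech = ECH_EXT in exts
    return {"sni": sni, "ech": has_ech, "matches": sni == TRIGGER_SNI and has_ech}


def build_client_hello(sni, include_ech):
    """Constructed minimal ClientHello for testing; not a real browser handshake."""
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni
        ext_body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(ext_body)) + ext_body
    if include_ech:
        ech_body = b"\x00" * 16     # placeholder; real ECHClientHello not modelled
        exts += struct.pack("!HH", ECH_EXT, len(ech_body)) + ech_body
    body = (b"\x03\x03" + b"\x11" * 32   # legacy_version, random (constructed)
            + b"\x00"                     # empty legacy_session_id
            + b"\x00\x02\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                 # compression: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for sni, ech in [(TRIGGER_SNI, True), (TRIGGER_SNI, False), (b"defo.ie", True)]:
        print(sni, ech, classify(build_client_hello(sni, ech)))
```

Running the three constructed cases reproduces the observation above: only the ClientHello that carries both the `cloudflare-ech.com` SNI and an ECH extension is reported as matching; the same SNI without ECH, or ECH with another public_name, does not. A real capture (for example the first TLS record of a connection dumped with a packet capture tool) can be passed to `classify` in the same way.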

Both TCP-based HTTP/2 and UDP-based HTTP/3 (QUIC) are affected. The blocking mechanism is packet dropping on the connection after the signature is detected (i.e., not a TCP RST or other overt teardown).

It seems that Firefox, at least, will retry the connection without ECH after a long delay (about a minute). Such a fallback to plaintext SNI apparently violates the ECH specification: "the client MUST NOT fall back to using unencrypted ClientHellos, as this allows a network attacker to disclose the contents of this ClientHello, including the SNI."

The blocking of ECH was officially acknowledged in a notice from the Public Communications Network Monitoring and Control Center (ЦМУ ССОП):

https://cmu.gov.ru/ru/news/2024/11/07/рекомендуем-отказаться-от-cdn-сервиса-cloudflare/ (archive)

We recommend abandoning CloudFlare's CDN service

The American company CloudFlare, a provider of CDN services, in October enabled the default use of the TLS ECH (Encrypted Client Hello) extension on its servers. This technology is a means of circumventing restrictions on access to information banned in Russia. Its use violates Russian law and is restricted by the technical means of countering threats (TSPU).

We recommend that owners of information resources disable the TLS ECH extension or, more correctly, use domestic CDN services that ensure reliable and secure functioning of resources and protection from computer attacks.

In particular, protection from DDoS attacks can be provided by the National System for Countering DDoS Attacks (NSPA). During its operation (since March 2024), more than 10.5 thousand DDoS attacks on various organizations of the country have been repelled.

Note that CloudFlare was one of the BigTech companies that the U.S. State Department gathered in September to discuss a comprehensive and organized response to countries actively defending their information sovereignty (source).

OONI (and similarly GlobalCheck) tests web connectivity to the SNI cloudflare-ech.com, but the measurements do not show blocking. That is because these tests lack the other necessary part of the signature, the ECH extension. OONI is working on a dedicated ECH test.

#393 (comment)

Can you share some more details and possibly data supporting the claim that "All Cloudflare ECH-enabled services are blocked"? The cloudflare-ech.com domain has been added to OONI testing, however we do not see it blocked in the 23 networks it's been tested in so far: https://explorer.ooni.org/chart/mat?probe_cc=RU&since=2024-10-08&until=2024-11-08&time_grain=day&axis_x=measurement_start_day&test_name=web_connectivity&domain=cloudflare-ech.com.

We have an upcoming test in OONI Probe that should be able to test this, so it would be useful to collect some information on that once we have it out: ooni/probe#1453.
