5

I live in a country with censorship and was wondering if it's possible to bypass DPI by just enabling ESNI, DNS over HTTPS and Always HTTPS? If not, what else should I enable to bypass DPI firewall without having to go the VPN route?

1 Answer

9

A DPI solution cannot do targeted blocking when ESNI is used just by looking at the TLS ClientHello. But it can simply block any use of ESNI - see China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI.

Apart from that, ESNI is not a thing an end user could actually enable globally. ESNI needs support both by the HTTPS server itself (or the reverse proxy in front of it, like in the case of a CDN) and must also be set up in the DNS for the domain. And even with ESNI enabled and not blocked, one can still monitor which IP addresses get visited, which can often be mapped to one or a few domains served on this IP.

... what else should I enable to bypass DPI firewall without having to go the VPN route?

The proposed solutions don't provide adequate protection as described. There is no additional thing to enable to bypass the DPI. Instead use a VPN, HTTP proxy over HTTPS, SOCKS proxy over TLS or similar which transfers all traffic encrypted to a trusted endpoint, bypassing the DPI.
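To make the answer's two points concrete, here is an added example (not part of the original answer) that parses a constructed TLS 1.3 ClientHello the way a passive DPI box would: with plain SNI the hostname is readable; with ESNI the hostname is gone, but the presence of the ESNI extension itself is still visible and can be used as a blocking signature. The extension code point 0xffce is the one used by the early draft-ietf-tls-esni drafts and is assumed here; the ClientHello bytes are constructed and minimal.

```python
import struct

EXT_SERVER_NAME = 0x0000   # server_name, RFC 6066
EXT_ESNI_DRAFT = 0xFFCE    # encrypted_server_name code point from the ESNI drafts (assumed)


def build_client_hello(extensions: bytes) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello handshake message (no record layer)."""
    body = b"\x03\x03" + b"\x00" * 32                 # legacy_version, random (zeroed for the example)
    body += b"\x00"                                   # legacy_session_id: empty
    body += b"\x00\x02\x13\x01"                       # cipher_suites: TLS_AES_128_GCM_SHA256 only
    body += b"\x01\x00"                               # compression_methods: null
    body += struct.pack("!H", len(extensions)) + extensions
    return b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=client_hello, 24-bit length


def sni_extension(hostname: str) -> bytes:
    """Plaintext server_name extension: hostname visible on the wire."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type=host_name
    lst = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst


def esni_extension(opaque: bytes) -> bytes:
    """Draft ESNI extension: hostname is inside the opaque ciphertext, only the type leaks."""
    return struct.pack("!HH", EXT_ESNI_DRAFT, len(opaque)) + opaque


def inspect_client_hello(msg: bytes) -> dict:
    """What a passive inspector learns from the handshake bytes alone."""
    assert msg[0] == 0x01, "not a ClientHello"
    pos = 1 + 3 + 2 + 32                              # skip type, length, version, random
    pos += 1 + msg[pos]                               # legacy_session_id
    cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2 + cs_len                                 # cipher_suites
    pos += 1 + msg[pos]                               # compression_methods
    ext_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "esni": False}
    while pos < end:
        etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        data = msg[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode()
        elif etype == EXT_ESNI_DRAFT:
            result["esni"] = True                     # hostname hidden, but ESNI use is a signature
    return result
```

Run `inspect_client_hello` on `build_client_hello(sni_extension("example.com"))` and on `build_client_hello(esni_extension(b"\x11" * 16))` to see the two cases side by side; in both, the destination IP of the packet is of course still visible, which is the answer's second point.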

7
  • Actually there are tricks linked by that article to bypass it: geneva.cs.umd.edu/posts/china-censors-esni/esni so thorough research will always yield bypassing methods.
    – MCCCS
    Commented Jan 8, 2021 at 19:44
  • 3
    @MCCCS: "... so thorough research will always yield bypassing methods. ..." - While this is fascinating research I think you come to the wrong conclusion by claiming that bypass methods will always be found. Apart from this, one needs to look at the bigger picture and not only the technical details. These bypass methods have clear signatures which could be used to trigger extended observation of the traffic (and the person behind it), because obviously the person is not accidentally visiting the site but deliberately trying to bypass the system. Commented Jan 8, 2021 at 20:07
  • Agreed, while I still claim that vulnerabilities will always exist if you have infinite pentest budget, you're right - this is careless and it's a good way for evil isps/govts to detect hackers to blacklist.
    – MCCCS
    Commented Jan 8, 2021 at 20:13
  • Once the whole Internet supports ESNI other than dictatorships, I imagine browsers and servers will enable it for the entire Internet including dictatorships, so they'll have to allow it or break the Internet again. Commented Jan 8, 2021 at 20:15
  • 1
    @user253751: There is no total freedom on one side and total control on the other, but it's a gradient. TLS can be fine, as long as it is limited to the accepted sites. And note that these problems of how much control is wanted and how it is enforced are not limited to dictatorships. There are similar problems in schools which want to prevent the visit of sites unsuitable for the children. Similar problems in companies which also restrict access for security reasons and often also do TLS interception. And in all of these cases there are users which try to bypass control and others which enforce it. Commented Jan 8, 2021 at 22:01
