- The new proposed law also would have penalties for violators.
- This is just another step to eliminate privacy.
- The decision on the proposed law will be made this year.
A public discussion has begun in Russia on the draft legal act on amendments to the federal law “on information, information technologies and information protection,” developed by the Russian Ministry of Digital Development, Communications, and Mass Communications.
The bill proposes a ban on the use of “encryption protocols that make it possible to hide the name (identifier) of an Internet page or site on the territory of the Russian Federation, except for cases established by the legislation of the Russian Federation.”
This is just another step to eliminate privacy. Last year, a new law came into effect requiring every online user in Russia to register with their own phone number and submit government ID, which the provider must verify before the user can use social media.
The new proposed law also would have penalties for violators. For violating the ban on encryption protocols that hide the site name, it proposes suspending the operation of the Internet resource no later than one business day after the authorized federal executive body detects the violation.
The main target of the ban is the TLS extension ECH (Encrypted Client Hello, formerly known as ESNI), which is used together with TLS 1.3 and is already blocked in China.
Since the wording of the bill is vague and names no specifics beyond ECH/ESNI, almost any protocol that fully encrypts the communication channel, as well as DNS over HTTPS (DoH) and DNS over TLS (DoT), could formally be blocked.
China has one of the most ruthless internet monitoring and censorship regimes in the world. The Kremlin, meanwhile, has been reshaping Russian internet use by slowly implementing more and more restrictions.
To let several HTTPS sites share the same IP address, the SNI extension was introduced; it transmits the host name in plain text in the ClientHello message, which is sent before the encrypted communication channel is established.
This makes it possible for the Internet provider to selectively filter HTTPS traffic and see which sites the user opens, so HTTPS alone does not give complete privacy. ECH/ESNI completely eliminates this leakage of information about the requested site when HTTPS connections are analyzed.
In combination with access via a content delivery network, ECH/ESNI also makes it possible to hide the IP address of the requested resource from the provider: traffic inspection systems only see connections to the CDN and cannot apply blocking without spoofing the TLS session, in which case the user’s browser displays a warning about the spoofed certificate.
If an ECH/ESNI ban is introduced to counter this, only a complete restriction of access to the content delivery networks (CDNs) that support ECH/ESNI would help. Otherwise the blocking will be ineffective and easily circumvented via CDNs.
With ECH/ESNI, the host name is still transmitted in the ClientHello message, as with SNI, but the content of this field is encrypted. The encryption uses a secret derived from the server’s and the client’s keys.
To decrypt an intercepted or received value of the ECH/ESNI field, one must know the private key of the client or the server (plus the public key of the other side). The server’s public key is published in DNS, and the client’s public key is sent in the ClientHello message.
Decryption is also possible using the shared secret known only to the client and server, which is agreed upon while the TLS connection is being established.
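To make the SNI-versus-ECH difference concrete, here is an added example in Python (not code from the original article or from any TLS library): a minimal ClientHello builder and a parser that reports only what an on-path inspector can read without any key material. The host names, the ECH `enc` bytes and the `payload` bytes are constructed placeholders, not real HPKE output.

```python
import struct
SNI_EXT, ECH_EXT = 0x0000, 0xFE0D  # ECH code point from draft-ietf-tls-esni

def _sni_ext(host: str) -> bytes:
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    body = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT, len(body)) + body

def _ech_ext(config_id: int, enc: bytes, payload: bytes) -> bytes:
    # ECHClientHello outer: type=0, HPKE kdf/aead ids, config_id, enc, payload
    body = (b"\x00" + struct.pack("!HH", 0x0001, 0x0001) + bytes([config_id])
            + struct.pack("!H", len(enc)) + enc
            + struct.pack("!H", len(payload)) + payload)
    return struct.pack("!HH", ECH_EXT, len(body)) + body

def build_client_hello(exts: bytes) -> bytes:
    hello = (b"\x03\x03" + b"\x11" * 32            # legacy_version, random
             + b"\x00"                             # empty legacy_session_id
             + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
             + b"\x01\x00"                         # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS record header

def observe(record: bytes) -> dict:
    """What an on-path inspector can read from a ClientHello without any keys."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 9 + 2 + 32                                    # headers, version, random
    p += 1 + record[p]                                # legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    seen = {"sni": None, "ech": None}
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data, p = record[p + 4:p + 4 + elen], p + 4 + elen
        if etype == SNI_EXT:                          # plaintext host name leaks
            nlen = struct.unpack("!H", data[3:5])[0]
            seen["sni"] = data[5:5 + nlen].decode()
        elif etype == ECH_EXT:                        # only opaque ciphertext is visible
            enc_len = struct.unpack("!H", data[6:8])[0]
            pl_len = struct.unpack("!H", data[8 + enc_len:10 + enc_len])[0]
            seen["ech"] = {"config_id": data[5], "encrypted_bytes": pl_len}
    return seen

# Constructed samples: plain SNI exposes the real host; with ECH the outer SNI
# carries only the CDN's public cover name and the real name sits inside the blob.
PLAIN = build_client_hello(_sni_ext("secret.example"))
WITH_ECH = build_client_hello(_sni_ext("public-cdn.example") + _ech_ext(7, b"\xaa" * 32, b"\xbb" * 64))
```

Running `observe` on both samples shows the difference a provider-side filter faces: the plain ClientHello yields the real host name, while the ECH one yields only the cover name and the size of an opaque blob.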
Overall, it is another step to eliminate privacy in Russia. More such proposals are expected, especially since Russian President Vladimir Putin’s proposed constitutional amendments passed in July.