ESNI – the next step in privacy protection

I’ve probably mentioned in other threads how DNS over HTTPS (“DoH”) is important in our battle against governmental porn filters (it’s available if you use Firefox and will probably get more traction in the near future). I’m guessing it was the introduction of DoH that made the UK realize that the strategy they were pursuing to regulate porn would quickly fail because they were planning on blocking porn sites on the DNS level. DoH takes away DNS as a blocking tool for governments.

BUT, there still remains a way governments can rather easily block porn…

If you remember back you’ll recall that not all that long ago you could only have one SSL certificate per IP address. So if you had multiple encrypted sites you had to have a dedicated IP address for each of them. IPv4 was running out of addresses, so encrypting your site was pretty cumbersome back then.

The solution to the problem was Server Name Identification (“SNI”). With SNI the first time the device connected to the web server it sent the name of the site it was trying to connect to in clear text. That let the server know which of the various encryption certs it had for that IP it should use.

SNI is still in use today. So all governments have to do is monitor for those initial connections, read the requested site, and block the request if the site is on their block list.

People have tried to work around this, but they could never come up with a solution they thought would work. Then one of the leading guys at CloudFlare tackled the problem and they’ve come up with “ESNI” (Encrypted SNI) and it looks like it might actually work.

Their approach is to put an encryption key in the DNS records for the site. This only makes sense if you’re running encrypted DNS (DoH or DoT). When the DNS request is made the DNS server will also return the encryption key along with the IP address for the site. That means that the site name can be encrypted with the initial request to the web server. Which means there’s nothing for governments to see and use to block requests.

All that sounds great, but there’s a bit of a problem… First, if only certain (“problem”) sites were using ESNI, the government could simply block all requests that use ESNI. And second, the government can still figure out the IP address and block the IP address.

That’s where having a big cloud company like CloudFlare comes in… If enough major cloud computing platforms adopt ESNI and deploy it to all their customers then that solves the first “do not stand out” problem. And if the cloud platform also runs a mishmash of sites all on the same IP, then any government that blocks IPs will block “legit” mainstream sites as well. They also have the capacity to frequently change site IPs, which would create a complicated game of cat and mouse which governments could never keep up with.

Now, even if ESNI gets deployed broadly (it’s still being tested, but the tests look promising), if you run your sites on static IP addresses eavesdroppers could still tell that people are going to a porn site (even if they don’t know which one they’re going to) because they would know that everything on that IP is a porn site. So there’s still that problem. But the hope is that if ESNI is deployed widely by the major cloud platforms, it will lower the success rate of any government porn block to a point that they wouldn’t bother to actually deploy the porn block.

And it’s worth mentioning that it’s not just porn that will benefit. (I doubt CloudFlare would do something this big just for porn). These developments will be a huge help for people like political dissidents, and generally increase the privacy level for everyone.
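The post describes SNI as the one piece of the TLS handshake that still reveals the site name in clear text, and ESNI as the fix that moves that name into an encrypted extension. The following is an added illustration (not code from the original post or from Cloudflare) that builds a minimal TLS ClientHello and shows what a passive on-path observer can read from it in each case: with a plain `server_name` extension (RFC 6066, type 0x0000) the hostname is recoverable; with the name carried in an `encrypted_server_name` extension instead, the observer only sees that ESNI is in use. Assumptions: the extension number 0xffce is the one used by the ESNI drafts; the ESNI payload is constructed opaque bytes standing in for ciphertext (the key lookup in DNS and the actual encryption are not implemented here); `build_client_hello` and `inspect_client_hello` are names chosen for this example.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000      # RFC 6066 server_name extension (plaintext SNI)
EXT_ENCRYPTED_SNI = 0xFFCE    # encrypted_server_name from the ESNI drafts (assumed value)


def _sni_extension(host: str) -> bytes:
    """Encode a server_name extension carrying one host_name entry."""
    name = host.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type=host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def _esni_extension(ciphertext: bytes) -> bytes:
    """Encode an ESNI extension; the body is opaque to anyone without the key."""
    return struct.pack("!HH", EXT_ENCRYPTED_SNI, len(ciphertext)) + ciphertext


def build_client_hello(host=None, esni_ciphertext=None) -> bytes:
    """Build a minimal TLS record holding a ClientHello (constructed sample values)."""
    exts = b""
    if host is not None:
        exts += _sni_extension(host)
    if esni_ciphertext is not None:
        exts += _esni_extension(esni_ciphertext)
    body = (
        b"\x03\x03"                    # legacy_version: TLS 1.2
        + bytes(32)                    # random (zeros here; constructed)
        + b"\x00"                      # legacy_session_id: empty
        + b"\x00\x02" + b"\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                  # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record: bytes) -> dict:
    """Return what a passive observer can learn from the ClientHello's extensions."""
    result = {"sni": None, "esni_present": False}
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return result
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return result
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # skip cipher suites
    pos += 1 + body[pos]                           # skip compression methods
    if pos + 2 > len(body):
        return result
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:                     # host_name: readable in the clear
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("idna")
                    break
                p += 3 + nlen
        elif etype == EXT_ENCRYPTED_SNI:
            result["esni_present"] = True          # name present but not readable
    return result


if __name__ == "__main__":
    print(inspect_client_hello(build_client_hello(host="example.com")))
    print(inspect_client_hello(build_client_hello(esni_ciphertext=b"\xaa" * 48)))
```

The first call returns the hostname, which is exactly what a DNS-level block can fall back on once DoH hides the lookup; the second returns no name at all, which is the “do not stand out” problem the post describes: a filter can still see that ESNI is present, so ESNI only helps once enough ordinary traffic carries it too.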

Thanks for the summary!

It’s cat and mouse really… It’s a shame that governments don’t realise blocking isn’t the way to go with porn or any other content for that matter.