The Russian Ministry of Digital Development, Communications and Mass Media (Minkomsvyaz) wants to prohibit the use of newer encryption protocols, namely DNS over TLS, DNS over HTTPS and Encrypted SNI, which can be used to bypass the blocking of access to banned sites. Experts warn that implementing such a ban would require blocking the servers of Google, Cloudflare and Cisco.
A bill to ban encryption protocols that hide site visits
The Russian government has proposed amendments to articles 2 and 10 of the Federal Law "On Information, Information Technologies and Information Protection" in order to prohibit the use in Russia of encryption protocols that allow the name of the Internet page or site you visit to be hidden. The corresponding document was published on the regulation.gov.ru portal. A copy can also be found here.
The document defines the target of the ban as follows: "an encryption protocol that allows you to hide the name of an Internet page or site on the Internet is an abstract or specific protocol that includes a set of rules governing the use of cryptographic transformations and algorithms in information processes".
The use of such protocols on the territory of the Russian Federation would be prohibited, except in cases established by law. Violation of the prohibition would result in suspension of the functioning of the Internet resource within one working day from the date the authorized executive authority detects the violation. It should be noted that this penalty, suspension of an Internet resource, has not previously been applied in Russia.
Encrypted DNS queries also caused issues last year in the United Kingdom after Mozilla enabled DNS over HTTPS by default. UK ministers immediately frowned upon the move. It went so far that the Internet Service Providers' Association in the United Kingdom crossed all limits by calling Mozilla a leading Internet villain of 2019. It was a foolish move to call Mozilla that, in my opinion. When you introduce secure things by default that actually bring privacy to all users alike, governments tend not to like it. They have the same small, old, lame excuses for not allowing it. In the end, Mozilla had to drop its plans to enable DoH (DNS over HTTPS) by default for its UK users.
Similarly, these protocols are an issue in Russia because they make Roskomnadzor's job of blocking websites technically more difficult.
Why should new encryption protocols be banned as per the RU government?
According to the explanatory note to the bill, there is an increasing number of cases of masking protocols being used to hide the actual network addresses of devices from external systems, alongside encryption protocols. "Protocols using cryptographic algorithms and encryption methods TLS 1.3, ESNI, DoH (DNS over HTTPS), DoT (DNS over TLS) are becoming more and more widespread", the authors of the document claim. On that point the note is not wrong: after Snowden's revelations, many people who were seriously concerned about their privacy turned to encryption protocols, and their use grew.
“The use of these algorithms and encryption methods can reduce the efficiency of existing filtering systems, which, in turn, will significantly hinder the identification of resources on the Internet, containing information whose distribution in Russia is limited or prohibited,” says the explanatory note.
The bill's authors from the Digital Development Ministry also added that the Unified Register of Russian Computer Programs and Databases contains information about protocols using cryptographic algorithms and encryption methods that can be used in accordance with Russian legislation. What this essentially means is that there are alternative encryption technologies available in Russia that will not interfere with Internet blocking.
What are the protocols that are proposed to be banned?
TLS is the basic encryption protocol of the Internet. DNS is the service that determines the IP address of a host from its domain name; it is consulted every time a user requests a domain name. HTTPS is the version of HTTP, the protocol that carries web pages, that runs inside TLS. The server authenticates itself to the user with a certificate, and the two sides negotiate session keys that encrypt everything that follows.
DoH and DoT are encrypted transports for DNS that run over HTTPS (RFC 8484) and TLS (RFC 7858) respectively. When such protocols are used, the Internet provider does not see which domain the user is resolving, which makes it harder to block access to forbidden resources. SNI (Server Name Indication) is the TLS extension that carries the name of the domain requested by the user at the start of an HTTPS connection.
As explained by Russian cybersecurity expert Dmitry Artimovich, before SNI all headers in HTTPS were encrypted. As a result, it was difficult to host several encrypted resources on the same server: it was not clear which domain the user wanted, and therefore not clear which certificate to use.
SNI solves this problem by transmitting the domain name in unencrypted form, where anyone on the path can read it. ESNI, on the other hand, allows the domain name to be passed encrypted. The mention of the TLS 1.3 protocol in the explanatory note to the bill was most likely an error, according to Philippe Coulin, CEO of the hosting provider Dark Forest and author of the Escher II Telegram channel. Apparently the authors of the document meant ESNI, which was supposed to be released together with the TLS 1.3 protocol but was not.
The authorities recognized the danger these protocols pose to blocking quite a long time ago. According to the plan approved by the Ministry of Communications in early 2020 for conducting "sovereign Internet" exercises that year, the possibility of blocking traffic protected by DoT and DoH was to be worked out.
Expert opinions
According to encryption systems developer Dmitry Belyavsky, when the Roskomnadzor blocking system first started operating in Russia, all addresses of sites and pages on the Internet were transmitted in plain text, not encrypted, and it was assumed that the filter would work by URL, that is, by the addresses of individual pages on Internet sites. However, a year after its implementation, largely under the influence of Edward Snowden's revelations, the whole world began rapidly switching to HTTPS, a protocol that provides encryption between the site and the user's device, which made it impossible to block individual pages of HTTPS sites by URL.
Owing to these changes, according to Belyavsky, blocking moved to the "hostname", the name of the server where the site is located and which needs to be "turned off", since the hostname is still transmitted in plain text to establish a connection. However, a publicly readable hostname also exposes users in some respects and gives away the site in more ways than one. But people in the West are used to thinking that companies don't care about their confidentiality. Therefore, advanced technologies are now being developed and deployed, like DNS over TLS, DNS over HTTPS and Encrypted Client Hello, which encrypt the hostname from an external observer, thereby making it more difficult to find out which sites the user is visiting and complicating the procedure for blocking any Internet site.
It is theoretically possible to prohibit the DNS over TLS protocol: to do this you need to block connections to port 853. But in the case of DNS over HTTPS, the protocol's traffic is difficult to distinguish from other traffic. The only way to solve the problem is to block popular or publicly available DoH servers operated by Google, Cisco and Cloudflare.
Dmitry Artimovich believes that a DoT or DoH ban can only be implemented by an intelligent firewall that can distinguish between an ordinary DNS query and an encrypted one. The story is similar with an ESNI ban. But if a strict ESNI lockdown is set up, it will make many sites inaccessible, rendering a huge chunk of the Internet not very useful.
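As an added example (again my own code, not the article's or the experts'), the following builds a DoH request for a constructed query exactly as RFC 8484 specifies and then classifies a few constructed flows the way a filter would have to. It shows why the two cases differ: DoT is identifiable by its dedicated port 853, while a DoH GET is an ordinary HTTPS request whose DNS payload is just a base64url-encoded query parameter, so the only handle left is a list of known resolver addresses. The resolver URL, the TEST-NET IP addresses and the resolver list are assumptions.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit


def build_dns_query(name, qtype=1, txid=0):
    """Encode a DNS query in RFC 1035 wire format.

    RFC 8484 recommends txid 0 for DoH so identical questions give identical,
    cacheable bytes; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)        # class IN


def parse_dns_question(msg):
    """Decode the first question of a wire-format DNS message -> (name, qtype)."""
    pos = 12
    labels = []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), qtype


def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: base64url, padding stripped, in the 'dns' parameter."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={enc}"


def parse_doh_get(url):
    """Recover the wire-format query from a DoH GET URL (re-adding padding)."""
    enc = parse_qs(urlsplit(url).query)["dns"][0]
    enc += "=" * (-len(enc) % 4)
    return base64.urlsafe_b64decode(enc)


def classify_flow(dst_port, dst_ip, known_doh_resolvers):
    """What a port/IP-level filter can say about a flow.

    Plain DNS and DoT are recognizable from the port alone. DoH on 443 is
    indistinguishable from other HTTPS unless the destination is on a
    resolver list the operator maintains (assumption)."""
    if dst_port == 53:
        return "plain-dns"
    if dst_port == 853:
        return "dot"
    if dst_port == 443:
        return "doh-known-resolver" if dst_ip in known_doh_resolvers else "https-unknown"
    return "other"


if __name__ == "__main__":
    # Constructed resolver URL and constructed TEST-NET-1 addresses (RFC 5737).
    resolver = "https://dnsserver.example.net/dns-query"
    url = doh_get_url(resolver, build_dns_query("www.example.com"))
    print(url)
    print(parse_dns_question(parse_doh_get(url)))
    known = {"192.0.2.53"}
    for port, ip in ((53, "192.0.2.10"), (853, "192.0.2.10"), (443, "192.0.2.53"), (443, "192.0.2.99")):
        print(port, ip, "->", classify_flow(port, ip, known))
```

The encoded query for www.example.com matches the worked example in RFC 8484 section 4.1.1, which is a useful sanity check when implementing either side. Note that the last flow, HTTPS to an address not on the resolver list, could be a DoH query or a normal page load; the filter cannot tell, which is the whole point the experts above are making.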
Who’s behind the idea to ban new encryption protocols
Mikhail Klimarev, executive director of the Internet Protection Society, a Russian NGO, and author of the Telegram channel "ZaTelecom", notes that the bill provides punishment for site owners for the use of these protocols. But whether the protocols are used depends primarily on users. As a result, officials would be able to punish any site on the Internet, the expert believes.
Klimarev believes that responsibility for the development of this bill lies with Deputy Minister of Digital Development Oleg Ivanov, whose surname and initials appear in the field "name of the head (deputy head) who decided not to post a notice" on the bill's card on the regulation.gov.ru site.
In 2018, Oleg Ivanov was deputy head of Roskomnadzor and led the blocking of the Telegram messenger, which caused disruptions to a large number of Internet resources and was completely cancelled this year. Ivanov now supervises the telecommunications industry at the Digital Development Ministry. Recently he also became the curator of the "Information Security" federal project of the "Digital Economy" national program.
“Either Ivanov is incompetent in proposing such a bill, or someone framed him,” concludes Mikhail Klimarev.
Remember, how Russia wanted to ban the UDP protocol?
This is not the first time the idea of blocking individual Internet protocols has been considered in Russia. In 2015, the Institute of Internet Development (IRI), on the instructions of Russian President Vladimir Putin, prepared the Internet Development Program and the corresponding road maps. One of the points of the "Internet + Media" road map was the idea of banning the UDP protocol in order to target the basic functionality of torrent trackers. The authors of the document intended to solve the Internet piracy problem this way.
UDP and TCP are the two basic transport-layer protocols of the TCP/IP stack; ordinary DNS itself runs over UDP. Blocking UDP would have had disastrous consequences for the Internet, and IRI dropped the idea.
In addition, the "Voskhod" Research Institute (which is subordinate to the Digital Development Ministry) is creating a certification authority in Russia that intends to issue TLS certificates for encrypting connections to sites using the Russian GOST cryptographic algorithms "Magma" and "Kuznechik".
According to Filipp Kulin, a Russian Internet expert and former co-owner of the hosting provider "Diphost", the Russian authorities have long wanted to replace foreign encryption protocols on the RuNet with domestic ones, but there is an obstacle: the majority of operating systems and browsers do not work with Russian cryptographic algorithms.
In my opinion, the Russian government is being obnoxious time and again. It would not be wrong to say that it looks at China and wants the power the Chinese government has. Albeit, Russia is not alone. Attacking open protocols that actually protect the privacy and security of user data has been in vogue lately.