According to the latest data, Roskomnadzor (RKN) has probably started blocking sites that use Cloudflare with ECH (Encrypted Client Hello). This technology is critical for delivering offers to buy and sell crops to countries such as China and its neighbors, and it has become an important part of how many online resources work, including Forcagro.
Among other things, popular sites such as OpenStreetMap were blocked. Forcagro, for example, uses data from these maps to display offers to buy and sell crops, as well as to plot routes and collect geographic addresses. This may become a problem, since services such as Yandex also actively use this technology for their needs, but ask for “money”.
How does blocking work and why is it important?
Experts believe that Roskomnadzor has started restricting access to resources that use TLS ECH, including those served through Cloudflare. This follows Cloudflare's recent enabling of a feature that encrypts the SNI (Server Name Indication) header. With the SNI encrypted, it is impossible to determine which site a user is trying to connect to via HTTPS, which helps bypass blocking.
Without ECH, all intermediate nodes see the domain names of the sites that users are accessing, but with ECH, this data is hidden. As a result, many blocked sites have become accessible again in Russia if they use Cloudflare with ECH support.
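An added example, not part of the original article: a Python sketch of what an intermediate node can read from a TLS ClientHello with and without the ECH extension. The host names and the ECH payload are constructed placeholders, and the ClientHello is built inline rather than captured.

```python
import struct

SNI, ECH = 0x0000, 0xFE0D  # extension types: server_name, encrypted_client_hello

def build_client_hello(sni, ech_payload=None):
    """Constructed sample: a minimal TLS ClientHello record (not a real capture)."""
    def ext(etype, body):
        return struct.pack("!HH", etype, len(body)) + body
    host = sni.encode()
    name = b"\x00" + struct.pack("!H", len(host)) + host   # name_type=host_name
    exts = ext(SNI, struct.pack("!H", len(name)) + name)
    if ech_payload is not None:
        exts += ext(ECH, ech_payload)                      # opaque placeholder bytes
    body = (b"\x03\x03" + bytes(32)        # legacy_version, random
            + b"\x00"                      # empty session id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # compression: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def observe(record):
    """Return what an on-path node can read: (cleartext SNI, ECH extension present)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9 + 2 + 32                                   # headers, version, random
    p += 1 + record[p]                               # session id
    p += 2 + int.from_bytes(record[p:p + 2], "big")  # cipher suites
    p += 1 + record[p]                               # compression methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    sni, ech = None, False
    while p + 4 <= end <= len(record):
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        body = record[p + 4:p + 4 + elen]
        if etype == SNI and len(body) >= 5:
            sni = body[5:5 + int.from_bytes(body[3:5], "big")].decode("ascii", "replace")
        elif etype == ECH:
            ech = True
        p += 4 + elen
    return sni, ech

if __name__ == "__main__":
    # Without ECH the real host name is readable in the clear.
    print(observe(build_client_hello("blocked-site.example")))
    # With ECH only a shared outer name is readable; the real name is inside the payload.
    print(observe(build_client_hello("shared-frontend.example", bytes(16))))
```

In the ECH case the only signals left to an observer are the shared outer name and the presence of the extension itself, which is consistent with the blocking described here hitting every site behind the same ECH-enabled front end rather than individual domains.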
However, since midnight, as reported on habr.com, the blocking has affected such sites as OpenStreetMap, Diary.ru, KopilkaUrokov.ru, Uchitelya.com and OpenSubtitles.org.
Impact on users
When trying to access sites that use Cloudflare with TLS 1.3, the Chrome browser stops working. However, as soon as TLS 1.3 is disabled on the Cloudflare side, access is restored within a few minutes. It is noteworthy that these sites remain accessible without restrictions over a VPN. Sites using TLS 1.2 and older protocol versions continue to work without changes.
Which sites are at risk?
Of the ten thousand most popular sites, about 2,500 use Cloudflare, and about 700 of them support ECH. This means that hundreds of thousands of sites that rely on this technology to ensure user privacy and security could potentially be blocked.
P.S. YouTube, Telegram, OpenStreetMap, ECH, Cloudflare, SMS, Push, and so on... what's next for Roskomnadzor?