Blockade by censorship authority: Russia censors Cloudflare websites

Due to an option activated at Cloudflare in October, network censors now have an even harder time looking into encrypted web traffic.

[Image: stamp with the inscription "censored" (Olivier Le Moal/Shutterstock.com)]

Russian website operators and users should refrain from using services from the US provider Cloudflare, recommends the censorship and supervisory authority Roskomnadzor. The reason for this is the introduction of a TLS extension called Encrypted Client Hello (ECH) by Cloudflare. The Russian supervisory authority sees this as a threat to security in the country, as it can no longer block certain websites. It is therefore blocking all websites with ECH delivered by Cloudflare outright.

Its use is illegal and violates "technical measures to combat threats" ("техническими средствами противодействия угрозам"), Roskomnadzor said in a statement. The ECH extension encrypts the domain name when a website is accessed via HTTPS in such a way that eavesdropping firewalls or censorship authorities can no longer read it; they can only see a generic public name (in the case of Cloudflare, "cloudflare-ech.com"). It replaces the plaintext SNI (Server Name Indication), which until now carried this domain name unencrypted between client and server.

Russian providers now block connections whose SNI carries the Cloudflare ECH domain, but only if a second criterion also applies: the ECH extension is present in the ClientHello. If either of the two criteria is not met, the Russian censorship mechanisms let the packet pass. This means that all websites delivered via Cloudflare's CDN (Content Delivery Network), inside and outside Russia, are potentially affected.
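The two-criterion rule described above can be checked against a captured ClientHello so that a site operator can see which of their traffic would be affected. The following Python is an added example, not code from the article, Cloudflare or Roskomnadzor: it extracts the cleartext SNI, looks for the ECH extension (assumed here to be the draft code point 0xfe0d used by current browsers and Cloudflare), reports whether both criteria hold, and builds a constructed minimal ClientHello for testing.

```python
import struct

SNI_EXT_TYPE = 0x0000
ECH_EXT_TYPE = 0xFE0D           # encrypted_client_hello draft code point (assumption, see lead-in)
CLOUDFLARE_ECH_PUBLIC_NAME = "cloudflare-ech.com"

def parse_client_hello(record: bytes) -> dict:
    """Extract the cleartext SNI and ECH presence from a TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                      # handshake header, legacy_version, random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    sni, ech = None, False
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == SNI_EXT_TYPE and len(data) >= 5 and data[2] == 0:   # host_name entry
            sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii")
        elif etype == ECH_EXT_TYPE:
            ech = True
        pos += 4 + elen
    return {"sni": sni, "ech": ech}

def matches_described_filter(record: bytes) -> bool:
    """True only when BOTH criteria hold: SNI is Cloudflare's ECH public name AND ECH is present."""
    info = parse_client_hello(record)
    return info["sni"] == CLOUDFLARE_ECH_PUBLIC_NAME and info["ech"]

def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data

def build_client_hello(sni: str, with_ech: bool) -> bytes:
    """Constructed minimal TLS 1.3-style ClientHello for testing (not a real capture)."""
    name = sni.encode("ascii")
    exts = _ext(SNI_EXT_TYPE, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    if with_ech:
        exts += _ext(ECH_EXT_TYPE, bytes(8))              # dummy ECH payload; only presence matters here
    hello = (b"\x03\x03" + bytes(32) + b"\x00"            # legacy_version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                                # compression_methods: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A ClientHello with the Cloudflare public name but no ECH extension, or with ECH but a different SNI, does not match, which is exactly why disabling ECH on the zone makes the traffic pass again.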

The extent of the impact of this blockade is unclear: Cloudflare has not yet responded to an inquiry from the heise editorial team. We will update this report as soon as we receive a statement from San Francisco.

Not all browsers currently support ECH. The protocol extension is activated by default in Firefox from version 119 and in Google's Chrome browser from version 117. Microsoft's Chromium-based Edge browser also works with ECH, but Safari apparently does not at present.

Roskomnadzor's unsurprising suggestion is that anyone who needs a CDN should look for a domestic provider. In order to protect themselves against DDoS attacks, they can fall back on the "National System for Defense against DDoS Attacks", the authority promises.

Cloudflare customers in Russia now have the choice of switching to a domestic CDN as "suggested" by RKN or deactivating the TLS extension for ECH. However, this is not possible for users of free Cloudflare accounts, as the provider apparently hides the corresponding option behind a paid add-on module called "Advanced Certificate Manager". In our self-experiment, we only found a switch to deactivate TLS 1.3 in the heise Security test account. Although this also deactivates ECH, it brings further security disadvantages and requires careful consideration.


Russian companies and experts expressed differing opinions to the business newspaper RBK. Evgeny Martynov from RU-Center IT estimated that Cloudflare has a 44 percent market share of CDNs in Russia, but said there are good Russian alternatives. The managing director of a Russian CDN provider even stated that most Russian website operators had already withdrawn from Cloudflare by the beginning of 2022. He is alluding to Russia's war of aggression against Ukraine, in violation of international law, which began in February 2022 and resulted in broad Western sanctions.

According to other sources, Cloudflare's free offer is still very popular in Russia. A manager at the Russian provider Selectel also believes that completely replacing the American CDN provider's wide range of functions would be time-consuming and expensive for some users.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.