Not allowing TLS 1.3 means nothing (no modern web sites) works. Modern browsers and servers both speak TLS 1.3 and if they can't they give up. Some things don't work in China, but China wouldn't have a thriving economy if nothing was working. So no, they did not block TLS 1.3 although it's interesting how this rumour seems to have self-popularised. China blocks certain popular sites, but it does not block whole protocols or protocol versions.
This is actually a small triumph for the people responsible for RFC 8446. With previous iterations of TLS it was always discovered shortly after release that idiots broke stuff and so a "fallback" was necessary to allow you to speak the previous version. Such fallback is dangerous because an adversary can thus forcibly downgrade you to an older protocol, and thus attack old protocols even if the new protocol is safe.
How is it done? That is, how does TLS 1.3 avoid downgrade attacks?
When a TLS 1.3 server finds itself talking to somebody over TLS 1.2 (for example maybe a rather archaic web browser is connecting) it scribbles over some of the bytes labelled "random" in its Hello message. It scribbles 44 4F 57 4E 47 52 44 01, which in ASCII spells "DOWNGRD".
Those bytes don't mean anything special in TLS 1.2, they're just a strange coincidence. But if you're a TLS 1.3 client, seeing those bytes means a Downgrade attack was attempted. So you immediately give up, you are being attacked.
So you might think, well, a bad guy could just change those bytes blind, right? Nope. The "random" field is used by both parties to choose parameters they're going to verify in a moment to check everything is safe. If you can change the bytes the values will be different and the connection fails anyway.
tialaramex|3 years ago
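The client-side check described in the comment above, as an added example that is not from the thread: a TLS 1.3-capable client parses the prefix of the ServerHello and inspects the last 8 bytes of `random` (RFC 8446 section 4.1.3). It goes slightly beyond the comment by also recognising the second sentinel the RFC defines for TLS 1.1 and below; the negotiated version is passed in by the caller rather than parsed from the supported_versions extension, and the sample messages are constructed here.

```python
import struct

# Sentinels from RFC 8446 section 4.1.3; the comment above quotes the first.
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")  # b"DOWNGRD\x01"
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")  # b"DOWNGRD\x00"
TLS12, TLS13 = 0x0303, 0x0304

def parse_server_hello_prefix(handshake_msg: bytes):
    """Return (legacy_version, random) from a ServerHello handshake message.
    Layout: type(1) | length(3) | legacy_version(2) | random(32) | ...
    Extensions (where a TLS 1.3 ServerHello carries the real negotiated
    version) are not parsed; the caller supplies that version."""
    if len(handshake_msg) < 38 or handshake_msg[0] != 2:  # 2 = server_hello
        raise ValueError("not a (complete) ServerHello")
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    if len(body) < 34:
        raise ValueError("ServerHello body too short")
    return struct.unpack("!H", body[:2])[0], body[2:34]

def downgrade_sentinel(random: bytes):
    """Name the sentinel in the last 8 bytes of random, or None."""
    tail = random[-8:]
    if tail == DOWNGRADE_TLS12:
        return "tls12"
    if tail == DOWNGRADE_TLS11:
        return "tls11-or-below"
    return None

def client_must_abort(handshake_msg: bytes, negotiated_version: int) -> bool:
    """RFC 8446 4.1.3 client rule: server settled on TLS 1.2 or below and its
    random ends with a sentinel -> abort with illegal_parameter. A TLS 1.2-only
    server never writes the marker; a chance match has probability 2**-64."""
    _, random = parse_server_hello_prefix(handshake_msg)
    if negotiated_version >= TLS13:
        return False
    return downgrade_sentinel(random) is not None

def build_server_hello(legacy_version: int, random: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ServerHello: empty session id, cipher suite
    0xC02F (ECDHE-RSA-AES128-GCM-SHA256), null compression, no extensions."""
    body = struct.pack("!H", legacy_version) + random + b"\x00\xc0\x2f\x00"
    return b"\x02" + len(body).to_bytes(3, "big") + body

# Constructed samples: a TLS 1.3-capable server forced down to 1.2 overwrites
# the tail of its random with the marker; a plain TLS 1.2 server does not.
HELLO_DOWNGRADED = build_server_hello(TLS12, bytes(range(24)) + DOWNGRADE_TLS12)
HELLO_HONEST = build_server_hello(TLS12, bytes(range(32)))
```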
psyfi|3 years ago
Any company who does not want to lose a market of ~18% of global population will make sure it complies (example: Apple).
We need to think about real life here and not just technical implementation.
badrabbit|3 years ago