On Lawfare, Valentin Weber discusses the security balloon that is the Chinese Web:
Ironically, while the U.S. government pushed to get HTTPS in place after a high-profile cyberattack by China, HTTPS is rarely used within China itself. HTTPS traffic that uses both TLS1.3—the newest version of Transport Layer Security, which provides secure communication between web browsers and servers and the specific content visited on a website—and ESNI—Encrypted Server Name Indication, which prevents third parties from seeing what websites a user visits—is blocked entirely in the country. The Chinese government imposed the ban because TLS1.3, when run via ESNI, makes it difficult for Chinese censors to see what sites a user is visiting and thereby reduces the government’s information control capabilities. Even foreign platforms such as the BBC or Wikipedia were banned as soon as they migrated to HTTPS.
Yet the Chinese government’s efforts to disincentivize encryption—to allow for censorship and surveillance—have created an online environment where even websites that carry sensitive government, health and commercial data remain unencrypted. This leaves them open to exploitation by intelligence agencies and cybercriminals.
Does this suggest that the Chinese Communist Party (CCP) is more worried about their own citizens than about leaking information, as well as potential weaknesses in critical systems?
Or does the CCP differently value such leaks compared to Westerners? For example, it sometimes seems to me that the concerns placed on leaks of health information of individuals is approaching paranoiac levels. If Chinese culture designates such information as being in the public domain, then it would make sense that the Chinese wouldn’t care if such information was intercepted, even by foreign intruders.
In the end, the part of the balloon they’re trying to squeeze is the part most likely to boot them out of control of the country, and if it bulges somewhere else, so be it.
