Closed Bug 1850504 Opened 2 years ago Closed 2 years ago

Firefox TLS Fingerprint blocked in Turkmenistan

Categories

(Core :: Security: PSM, defect)

Firefox 116
Unspecified
All
defect

Tracking


RESOLVED WONTFIX
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 --- wontfix

People

(Reporter: bj, Unassigned)

Details

The title is from a Discourse post:

Hi, not a bug report, but still worth noting: Turkmenistan has blocked Firefox TLS Fingerprint.
You can no longer access any HTTPS website using Firefox in Turkmenistan, as well as you can’t open Turkmenistanian websites using Firefox from elsewhere.

Try https://telecom.tm for example. It works in Chrome but not in Firefox.

This filter has been applied since the end of July.

https://discourse.mozilla.org/t/firefox-tls-fingerprint-blocked-in-turkmenistan/122148

I can't reach https://telecom.tm/ from Firefox 116.0.3 (Secure Connection Failed / PR_CONNECT_RESET_ERROR) but I can from Nightly. I tried mozregression and couldn't find any builds that can't display the site.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

I'm curious, what mechanism do they use to block it?
Are they blocking it based on known properties of a Firefox TLS handshake?

Component: DOM: Security → Security: PSM

djackson found setting security.tls.ech.grease_probability to 100 (that is, enabling grease) solves the problem. They appear to be detecting the order of TLS extensions in the handshake. Possibly as an anti-Tor measure.
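
Added example, not part of the bug thread or of Firefox's code: a minimal ClientHello parser showing why a filter keyed on the ordered extension list stops matching once an extra extension is present, as when ECH GREASE is enabled. The extension lists are constructed rather than captured from a real browser, and placing the encrypted_client_hello extension (0xfe0d) last is an assumption.

```python
import hashlib
import struct

ECH_EXT = 0xFE0D  # encrypted_client_hello extension code point

def build_client_hello(ext_types):
    """Build a constructed ClientHello handshake message with empty extension bodies."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = (
        b"\x03\x03"                            # legacy_version
        + bytes(32)                            # random (zeroed, constructed)
        + b"\x00"                              # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression: null only
        + struct.pack("!H", len(exts)) + exts  # extensions block
    )
    return b"\x01" + len(body).to_bytes(3, "big") + body

def extension_order(msg):
    """Return extension types in wire order from a ClientHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    end = 4 + int.from_bytes(msg[1:4], "big")
    if end > len(msg):
        raise ValueError("truncated handshake message")
    pos = 4 + 2 + 32                                   # header, version, random
    pos += 1 + msg[pos]                                # session id
    pos += 2 + struct.unpack_from("!H", msg, pos)[0]   # cipher suites
    pos += 1 + msg[pos]                                # compression methods
    ext_end = pos + 2 + struct.unpack_from("!H", msg, pos)[0]
    if ext_end > end:
        raise ValueError("extensions overrun the message")
    pos += 2
    order = []
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", msg, pos)
        order.append(ext_type)
        pos += 4 + ext_len
    return order

def order_fingerprint(msg):
    """Hash of the ordered extension list: changes with order or membership."""
    joined = "-".join(map(str, extension_order(msg)))
    return hashlib.sha256(joined.encode()).hexdigest()[:16]

# Constructed extension lists, not a real browser's handshake.
BASE = [0, 23, 65281, 10, 11, 35, 16, 5, 51, 43, 13, 45]
plain = build_client_hello(BASE)
with_ech = build_client_hello(BASE + [ECH_EXT])       # assumed position: last
reordered = build_client_hello(list(reversed(BASE)))  # same set, other order
```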

The severity field is not set for this bug.
:keeler, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(dkeeler)

We discussed this, and my understanding is that while we may start moving more towards making Firefox's TLS handshake look like Chrome's, there's not much we can do to directly address this, so I think this is a wontfix for now. We certainly appreciate the heads-up, though.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → WONTFIX