by jakewins 1209 days ago
How can they do that, the HTTP headers are encrypted by TLS?
3 comments

Until encrypted SNI/encrypted client hello is a thing, the hostname is still sent in the clear.

Also, it can still be DNS blocked - just because you use Cloudflare's DNS doesn't mean they can't rewrite the responses as they still transit unencrypted. You'd have to use DNS-over-HTTPS or DNS-over-TLS to work around that.

If it's TLS1.2, certificates containing CNs and/or SANs are sent in the clear too.

Luckily, ESNI is being supported by an increasing number of implementations.

I believe China's answer to ESNI is just to block all traffic that attempts to handshake with ESNI, so it still won't necessarily get you anywhere.

Once everything is using ESNI this isn't a problem anymore. It's the lack of implementation that is currently the problem.

Maybe it's actually SNI.

Not OP, no idea how they do it, but they COULD look at the SNI in the client hello.
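Added example (not written by any commenter in this thread): a small Python parser that reads a TLS ClientHello record and reports what a passive on-path observer can see before any encryption starts, which is the point made in the first and last comments above. It builds its own constructed ClientHello bytes so it runs offline. The extension code points for draft ESNI (0xffce) and draft ECH (0xfe0d) are assumptions taken from the draft-ietf-tls-esni series, not values from the thread; the `server_name` extension (type 0) is the standard one from RFC 6066.

```python
import struct

TLS_EXT_SERVER_NAME = 0x0000   # RFC 6066: hostname carried in the clear
TLS_EXT_ESNI_DRAFT = 0xffce    # assumption: draft ESNI code point
TLS_EXT_ECH_DRAFT = 0xfe0d     # assumption: draft ECH code point


def build_client_hello(sni=None, extra_exts=()):
    """Construct a minimal TLS-1.2-style ClientHello record (test input only)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        # ServerNameList: name_type(1)=host_name | name_len(2) | name
        sn_list = struct.pack("!BH", 0, len(name)) + name
        sn_ext = struct.pack("!H", len(sn_list)) + sn_list
        exts += struct.pack("!HH", TLS_EXT_SERVER_NAME, len(sn_ext)) + sn_ext
    for ext_type, body in extra_exts:
        exts += struct.pack("!HH", ext_type, len(body)) + body
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + bytes(32)              # random (constructed, all zero)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # one cipher suite
        + b"\x01\x00"            # null compression only
        + struct.pack("!H", len(exts)) + exts
    )
    # Handshake header: type 0x01 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), version, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_server_name(data):
    """Return the first host_name entry of a server_name extension, or None."""
    (list_len,) = struct.unpack("!H", data[0:2])
    p = 2
    while p + 3 <= 2 + list_len:
        name_type = data[p]
        (name_len,) = struct.unpack("!H", data[p + 1:p + 3])
        p += 3
        name = data[p:p + name_len]
        p += name_len
        if name_type == 0:
            return name.decode("ascii")
    return None


def parse_client_hello(record):
    """Parse one ClientHello record; return {'sni': str|None, 'ext_types': [int]}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                          # skip version + random
    pos += 1 + body[pos]                  # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                     # cipher_suites
    pos += 1 + body[pos]                  # compression_methods
    result = {"sni": None, "ext_types": []}
    if pos == len(body):
        return result                     # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("bad extensions length")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if len(edata) != elen:
            raise ValueError("truncated extension")
        result["ext_types"].append(etype)
        if etype == TLS_EXT_SERVER_NAME:
            result["sni"] = _parse_server_name(edata)
    return result


def observer_view(record):
    """Summarise what a passive observer learns from this ClientHello."""
    info = parse_client_hello(record)
    if info["sni"] is not None:
        return "hostname visible in cleartext: " + info["sni"]
    if TLS_EXT_ECH_DRAFT in info["ext_types"] or TLS_EXT_ESNI_DRAFT in info["ext_types"]:
        return "hostname hidden, but ECH/ESNI extension itself is visible"
    return "no server_name extension present"


if __name__ == "__main__":
    print(observer_view(build_client_hello("example.com")))
    print(observer_view(build_client_hello(None, [(TLS_EXT_ECH_DRAFT, b"\x00")])))
```

The second case is why the comment about blocking ESNI handshakes holds: even when the hostname is encrypted, the presence of the ESNI/ECH extension is itself an observable, cleartext signal in the ClientHello.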