TL;DR: TLS only protects the content of a message, not the metadata.
When communicating over the clearnet, it is important to remember that some parts of a given communication cannot be secured using standard technologies. Unless you use something like Tor, your ISP can determine who you are talking to, even if you are using TLS.
To use an analogy, imagine sending an envelope through the postal service. The content of the envelope is completely inaccessible to anyone other than the recipient. Even if a mailman somehow saw the content, he would not be able to understand it (perhaps it was first run through a Caesar cipher? Hehe).
However, for the postal service to deliver it to the correct address, the outside of the envelope must be marked with a clearly legible destination address. If the postal service did not want anyone to send letters to "Joe Schmoe, 123 Fake Street", they would simply refuse to deliver any letter bearing that address.
Since the postal service cannot read the content of the message, it has no way of determining the intent of the letter. The only information it has is that the intended recipient is Joe Schmoe. It cannot filter out only the letters it considers malicious; it is all or nothing.
Similarly, the IP protocol (the routing protocol that TCP runs over) has clearly marked sender and receiver fields (the source and destination addresses). TLS cannot encrypt these for two reasons:
- TLS runs over TCP/IP and therefore cannot modify the parts of the packets that belong to those protocols.
- If the IP section were encrypted, the carrier (the ISP's routers) could not determine where the packets should go.
The firewall through which your ISP or country forces all your traffic cannot inspect the contents of TLS traffic. It only knows the metadata provided by the TCP/IP headers. It has also decided that the site you want to reach is more bad than good, so it drops all traffic to and from that site, regardless of the content.
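To make the "all or nothing" point concrete, here is a small added example (not part of the original answer) that builds an IPv4/TCP packet carrying a TLS application-data record and then parses it the way a router or blocking firewall would: the IP addresses, TCP ports and even the TLS record header are plaintext, while the record body is opaque bytes. The addresses, ports and payload are constructed for illustration, and `firewall_verdict` is a hypothetical stateless IP block rule, not any real firewall's API.

```python
import ipaddress
import struct


def build_sample_packet(src="10.0.0.5", dst="203.0.113.10", sport=51234, dport=443):
    """Construct an IPv4 + TCP packet wrapping one TLS application_data record.

    All values are made up for the example; checksums are left at zero because
    nothing here is put on a real wire.
    """
    # TLS record header: content type 23 (application_data), legacy version 0x0303,
    # then 16 bytes standing in for ciphertext. The header is plaintext by design;
    # only the body is encrypted, and a middlebox has no key to read it.
    ciphertext = bytes(range(0x41, 0x51))
    tls_record = struct.pack("!BHH", 23, 0x0303, len(ciphertext)) + ciphertext

    # TCP header, 20 bytes, no options: ports, seq, ack, data offset 5 words,
    # flags PSH|ACK (0x18), window, checksum (0), urgent pointer.
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)

    # IPv4 header, 20 bytes: version 4 / IHL 5, DSCP, total length, id, flags/frag,
    # TTL 64, protocol 6 (TCP), checksum (0), source address, destination address.
    total_len = 20 + len(tcp_header) + len(tls_record)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip_header + tcp_header + tls_record


def parse_packet(packet):
    """Return everything an on-path device can read without any key material."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20]
    )
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("this example only handles IPv4/TCP")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off_flags, _, _, _, _ = struct.unpack(
        "!HHIIBBHHH", packet[ihl:ihl + 20]
    )
    tcp_len = (off_flags >> 4) * 4
    payload = packet[ihl + tcp_len:total_len]
    # The 5-byte TLS record header is also visible; the body is not.
    record_type, record_version, record_len = struct.unpack("!BHH", payload[:5])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
        "ttl": ttl,
        "tls_record_type": record_type,      # 23 == application_data
        "tls_record_version": record_version,
        "tls_record_len": record_len,
        "ciphertext": payload[5:5 + record_len],  # opaque without the session keys
    }


def firewall_verdict(packet, blocked_ips):
    """Hypothetical stateless block rule: decide on addresses only.

    Because the content is unreadable, the rule cannot distinguish a benign
    request from a malicious one; every packet to or from a blocked address
    is dropped, in both directions.
    """
    meta = parse_packet(packet)
    if meta["src"] in blocked_ips or meta["dst"] in blocked_ips:
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    pkt = build_sample_packet()
    meta = parse_packet(pkt)
    for key, value in meta.items():
        print(f"{key:>20}: {value!r}")
    print("verdict with 203.0.113.10 blocked:", firewall_verdict(pkt, {"203.0.113.10"}))
    print("verdict with nothing blocked:    ", firewall_verdict(pkt, set()))
```

Running it prints the addresses and ports in the clear, the TLS record header fields, and 16 bytes of ciphertext that the parser can measure but not interpret; the verdict flips from ACCEPT to DROP purely on the destination address, which is exactly the decision the answer describes the firewall making.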
There is a method to protect even the metadata of online communications, but it is slow and does not scale. Tor's hidden services are an attempt to implement this. Of course, hidden services only work within the Tor network, which can only be reached by first connecting to a machine over the clearnet. This means that the ISP or the firewall still knows that you are sending data through the onion. No matter how hard you try, you will always leak some metadata. If they wanted to, they could cut off all connections to Tor nodes in addition to the site they are currently blocking.
If you are trying to establish a direct connection to a specific IP through a firewall, and the firewall has explicit rules to drop any traffic to or from that IP, then connecting to that IP directly will always fail. You will have to connect indirectly, whether through Tor, a VPN or some other proxy service.