TL;DR: TLS only secures the content of a message, not the metadata.
When communicating over the clear network (the ordinary Internet), some parts of a given communication cannot be secured with standard technologies. Unless you use Tor, your ISP can tell who you are talking to, even if you use TLS.
To use an analogy, imagine you send an envelope through the post office. The contents of the envelope are inaccessible to anyone but the recipient. Even if a postal worker somehow saw the content, they would not be able to understand it (maybe you ran it through a Caesar cipher first? Hehe).
However, for the post office to deliver it to the correct address, the outside of the envelope must carry a legible destination address. If the postal service did not want anyone sending letters to "Joe Schmoe, 123 Fake Street", it would simply refuse to deliver letters with that address.
Since the postal service cannot read the content of the message, it cannot tell the intention of the letter. The only information it has is that the intended recipient is Joe Schmoe. It cannot check only the letters it suspects are malicious; it is all or nothing.
Similarly, in the IP protocol (the routing protocol that TCP runs on), the sender and recipient fields are in the clear. TLS cannot encrypt them, for two reasons:
- TLS runs on top of TCP/IP and therefore cannot change any part of the packets that belongs to those protocols.
- If the IP section were encrypted, the carriers (ISP routers) would not know where to send the packets.
The firewall that your ISP or your country forces all traffic through cannot inspect TLS traffic. It only knows the metadata provided by the TCP/IP headers. It also assumes that the website you are trying to reach is more likely bad than good, so it blocks all traffic to and from that website, regardless of content.
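To make the point concrete, here is an added example (not part of the original answer) that builds a constructed IPv4/TCP packet carrying one TLS application-data record, then parses it the way an on-path router or firewall would: every header field is readable, the TLS payload is opaque bytes, and an address-based blocklist can only decide per destination, never per content. The addresses and blocklist entry are made-up documentation addresses.

```python
import struct
import ipaddress

# Constructed sample: one TLS 1.2 application-data record (type 0x17) whose
# payload is just opaque bytes standing in for ciphertext. Not a real capture.
ENCRYPTED_PAYLOAD = bytes.fromhex("9f2c41a7b3e0d15c8a6f7e2b0d9c4e11")
TLS_RECORD = struct.pack("!BHH", 0x17, 0x0303, len(ENCRYPTED_PAYLOAD)) + ENCRYPTED_PAYLOAD

# Constructed blocklist entry (TEST-NET-3 address) for the firewall below.
BLOCKED_DESTINATIONS = {"203.0.113.10"}

def build_packet(src, dst, sport, dport, payload):
    """Minimal IPv4 header (no options) + TCP header (no options) + payload.
    Checksums are left at zero; they do not matter for what a middlebox reads."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def middlebox_view(packet):
    """Everything an ISP router or firewall can read without any TLS keys."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src = str(ipaddress.IPv4Address(packet[12:16]))   # sender, always in the clear
    dst = str(ipaddress.IPv4Address(packet[16:20]))   # recipient, always in the clear
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])      # ports, also in the clear
    data_off = (tcp[12] >> 4) * 4                     # TCP header length in bytes
    tls = tcp[data_off:]
    content_type, version, length = struct.unpack("!BHH", tls[:5])  # TLS record header
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "tls_content_type": content_type, "tls_version": hex(version),
        "tls_payload_len": length,
        "tls_payload": tls[5:5 + length],  # opaque: nothing here is interpretable
    }

def firewall_verdict(packet):
    """Address-based blocking: the decision depends only on IP metadata, so every
    packet to a blocked address is dropped whatever its (unreadable) content."""
    return "DROP" if middlebox_view(packet)["dst"] in BLOCKED_DESTINATIONS else "ACCEPT"

if __name__ == "__main__":
    pkt = build_packet("192.0.2.5", "203.0.113.10", 51000, 443, TLS_RECORD)
    print(middlebox_view(pkt))
    print(firewall_verdict(pkt))
```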
There is a way to secure even the metadata of online communication, but it is slow and not very scalable. Tor hidden services are an attempt to implement this. Of course, hidden services only work within the Tor network, which can only be reached by first connecting to a machine over the clear network. This means that the ISP or the firewall will still know that you are routing your data through the onion. No matter how you try, you will always leak some metadata. If they wish, they can reset all connections to Tor nodes in addition to the site they are already blocking.
When you try to connect directly to a specific IP address through a firewall, and the firewall has explicit rules to block traffic to or from that IP address, a direct connection to that address will always fail. You must establish an indirect connection, via Tor, a VPN, or another proxy service.