Sitemap

A list of all the posts and pages found on the site. For you robots out there, an XML version is available for digesting as well.

Pages

Posts

China Extended its SNI Censorship to QUIC

QUIC, the successor to TLS over TCP, has become popular in recent years. Despite its increase in popularity, QUIC has remained largely uncensored: Only Russian TSPU devices analyzed QUIC connections and could extract the server’s hostname from the SNI extension. Other censors—such as China’s GFW—have not been found capable of sophisticated QUIC analysis; in January 2025, we noticed sophisticated QUIC censorship in China.

Censors Ignore Unencrypted HTTP/2 Traffic

Censors worldwide have long censored unencrypted HTTP traffic. In this blog post, we show that a specific HTTP version—unencrypted HTTP/2—is unaffected by censorship in China and Iran. We access otherwise censored websites in both countries over unencrypted HTTP/2. Despite no web browser implementing unencrypted HTTP/2, we detect that up to 6.28% of websites support unencrypted HTTP/2 traffic. To aid the community and ease future research, we provide a tool that evaluates the unencrypted HTTP support of a website. Finally, we discuss the limitations and potential of unencrypted HTTP/2 for censorship circumvention. We consider our finding an interesting addition to current censorship circumvention techniques.

Russia Censors the Encrypted Client Hello (ECH)

Last week, Russia started blocking the Encrypted Client Hello (ECH). This prevents Russian internet users from utilizing ECH for censorship circumvention. It also blocks otherwise uncensored websites such as SteamDB. Below, I summarize ECH, detail Russia’s ECH censorship, and discuss possible remedies for affected users and ECH in general.

Circumventing the GFW with TLS Record Fragmentation

TCP fragmentation has long been known as a viable deep packet inspection (DPI) circumvention technique. However, censors are increasingly aware of this technique. We propose TLS record fragmentation as a new censorship circumvention technique on the TLS layer that functions analogously to TCP fragmentation. Using TLS record fragmentation, we successfully circumvented the DPI of the Great Firewall of China (GFW). We also found that over 90% of TLS servers support this new circumvention technique. To contextualize TLS record fragmentation for future work, we discuss its possibilities and limitations.

portfolio

publications

✏ Poster: Circumventing the GFW with TLS Record Fragmentation

ACM CCS, 2023

Abstract State actors around the world censor the HTTPS protocol to block access to certain websites. While many circumvention strategies utilize the TCP layer, only little emphasis has been placed on the analysis of TLS, a complex protocol and integral building block of HTTPS. In contrast to the TCP layer, circumvention methods on the TLS layer do not require root privileges since TLS operates on the application layer. With this proposal, we want to motivate a deeper analysis of TLS in regard to censorship circumvention techniques. To prove the existence of such techniques, we present TLS record fragmentation as a novel circumvention technique and circumvent the Great Firewall of China (GFW) using this technique. We hope that our research fosters collaboration between censorship and TLS researchers.

Turning Attacks into Advantages: Evading HTTP Censorship with HTTP Request Smuggling

Free and Open Communications on the Internet (FOCI), 2024

Abstract Many countries limit their residents' access to various websites. As a substantial number of these websites do not support TLS encryption, censorship of unencrypted HTTP requests remains prevalent. Accordingly, circumvention techniques can and have been found for the HTTP protocol. In this paper, we infer novel circumvention techniques on the HTTP layer from a web security vulnerability by utilizing HTTP request smuggling (HRS). To demonstrate the viability of our techniques, we collected various test vectors from previous work about HRS and evaluated them on popular web servers and censors in China, Russia, and Iran. Our findings show that HRS can be successfully employed as a censorship circumvention technique against multiple censors and web servers. We also discover a standard-compliant circumvention technique in Russia, unusually inconsistent censorship in China, and an implementation bug in Iran. The results of this work imply that censorship circumvention techniques can successfully be constructed from existing vulnerabilities. We conjecture that this implication provides insights to the censorship circumvention community beyond the viability of specific techniques presented in this work.

TLS-Attacker: A Dynamic Framework for Analyzing TLS Implementations (2nd Place Impact Award)

ACSAC, 2024

Abstract TLS-Attacker is an open-source framework for analyzing Transport Layer Security (TLS) implementations. The framework allows users to specify custom protocol flows and provides modification hooks to manipulate message contents. Since its initial publication in 2016 by Juraj Somorovsky, TLS-Attacker has been used in numerous studies published at well-established conferences and helped to identify vulnerabilities in well-known open-source TLS libraries. To enable automated analyses, TLS-Attacker has grown into a suite of projects, each designed as a building block that can be applied to facilitate various analysis methodologies. The framework still undergoes continuous improvements with feature extensions, such as DTLS 1.3 or the addition of new dialects such as QUIC, to continue its effectiveness and relevancy as a security analysis framework.

I(ra)nconsistencies: Novel Insights into Iran’s Censorship

Free and Open Communications on the Internet (FOCI), 2025

Abstract Iran employs one of the most prominent Internet censors in the world. An important part of Iran’s censorship apparatus is its analysis of unencrypted protocols such as HTTP and DNS. During routine evaluations of Iran’s HTTP and DNS censorship, we noticed several properties we believe to be unknown today. For instance, we found injections of correct static IPs for some domains such as google.com on the DNS level, unclear HTTP version parsing, and correlations between DNS and HTTP censorship. In this paper, we present our findings to the community and discuss possible takeaways for affected people and the censorship circumvention community. As some of our findings left us bewildered, we hope to ignite a discussion about Iran’s censorship behavior. We aim to use the discussion of our work to execute a thorough analysis and explanation of Iran’s censorship behavior in the future.

✏ Transport Layer Obscurity: Circumventing SNI Censorship on the TLS-Layer (Distinguished Paper Award)

IEEE Symposium on Security and Privacy (SP), 2025

Abstract HTTPS composes large parts of today’s Internet traffic and has long been subject to censorship efforts in different countries. While censors analyze the Transport Layer Security (TLS) protocol to block encrypted HTTP traffic, censorship circumvention efforts have primarily focused on other protocols such as TCP. In this paper, we hypothesize that the TLS protocol offers previously unseen opportunities for censorship circumvention techniques. We tested our hypothesis by proposing possible censorship circumvention techniques that act on the TLS protocol. To validate the effectiveness of these techniques, we evaluate their acceptance by popular TLS servers and successfully demonstrate that these techniques can circumvent censors in China and Iran. In our evaluations, we discovered 38—partially standard-compliant—distinct censorship circumvention techniques, which we could group into 11 unique categories. Additionally, we provide novel insights into how China censors TLS traffic by presenting evidence of at least three distinct censorship appliances. We suspect that other parts of China’s censorship apparatus and other censors exhibit similar structures and advocate future censorship research to anticipate them. With this work, we hope to aid people affected by censorship and stimulate further research into censorship circumvention using cryptographic protocols.

✏ Encrypted Client Hello (ECH) in Censorship Circumvention

Free and Open Communications on the Internet (FOCI), 2025

Abstract Censors have long censored Transport Layer Security (TLS) traffic by inspecting the domain name in the unencrypted Server Name Indication (SNI) extension. By encrypting the SNI extension, the Encrypted ClientHello (ECH) prevents censors from blocking TLS traffic to certain domains. Despite this promising outlook, ECH’s current capability to contest TLS censorship is unclear; for instance, Russia has started censoring ECH connections successfully. This paper clarifies ECH’s current role for TLS censorship. To this end, we evaluate servers’ support for ECH and its analysis and subsequent blocking by censors. We determine Cloudflare as the only major provider supporting ECH. Additionally, we affirm previously known ECH censorship in Russia and uncover indirect censorship of ECH through encrypted DNS censorship in China and Iran. Our findings suggest that ECH’s contribution to censorship circumvention is currently limited: we consider ECH’s dependence on encrypted DNS especially challenging for ECH’s capability to circumvent censorship. We stress the importance of censorship-resistant ECH to solve the long-known problem of SNI-based TLS censorship.

talks

teaching