Censorship advancements, such as carrier-grade deep-packet inspection (DPI), equip censors with the ability to perform more sophisticated modes of detecting censorship-circumvention efforts. The result is an ongoing arms race between circumvention proxy developers, who implement obfuscation mechanisms to protect proxy traffic from detection, and censors seeking to penetrate these obfuscation layers. Censors are constantly looking for design and implementation flaws in proxy protocols to fingerprint and block, and developers are constantly patching the flaws to avoid detection.

The shared belief in the circumvention community has been that a diverse set of cover protocols can effectively overwhelm a resource-limited censor, preventing them from detecting and blocking all circumvention protocols at once. However, we are seeing a pivot in blocking strategy by the Great Firewall of China (GFW). In 2022, Chinese censors aggressively blocked various TLS-based circumvention tools (CTs). A member of the CT community suggested that the GFW detected TLS-based proxies using an approach that was novel to the community: “TLS-in-TLS.” Instead of targeting specific CTs, the approach focuses on the unusual pattern of nesting one TLS layer within another, a behavior shared among TLS-based proxies but rare in standard web browsing. This is a novel strategy of protocol-agnostic detection.

The “TLS-in-TLS” detection method targets the very act of tunneling, irrespective of individual protocol features. This new angle in CT detection, which exploits the intrinsic nature of tunneling, potentially presents a greater threat and challenge to the CT community than any protocol-specific vulnerabilities identified in past studies, and requires a more principled and systematic response from the CT community in devising countermeasures.

To address this emerging threat, this project will conduct a comprehensive analysis of the risks of censors targeting encapsulated layers within the cover circumvention protocols (as opposed to the cover protocols themselves) to detect and disrupt circumvention-tool usage. This will entail:

  • designing proof-of-concept fingerprinting attacks and their subsequent testing against popular obfuscated proxies and actual ISP traffic in order to evaluate the potential impact and collateral damage should such an approach be broadly deployed by censors;
  • examining how nested TLS stacks, commonly used in obfuscated proxies, and their layer-3 counterparts—nested TCP stacks—can be exploited for detecting and blocking proxies and VPNs;
  • exploring how proxying and tunneling activities intrinsically generate patterns in packet timings—an aspect significantly overlooked by previous research; and
  • communicating findings to the circumvention community and engaging them to discuss the best way to deal with these vulnerabilities.
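The following toy model illustrates the mechanism behind the nesting-based detection described above and the collateral-damage question raised in the first work item. It is an added example written for this page, not code from the project or from any censor or circumvention tool. It models a TLS 1.3 inner handshake carried record-by-record inside an outer TLS 1.3 tunnel, shows that a passive observer can recover the inner record sizes by subtracting constant framing overhead, applies a naive size-pattern check, and then shows that padding the inner records before encapsulation defeats that check. All record sizes, overhead constants, and thresholds are constructed assumptions chosen for illustration, not measurements of any deployed system, and the check is deliberately naive: it also flags an ordinary small request/response exchange, which is the false-positive problem the proposal sets out to quantify.

```python
"""Toy model of the "TLS-in-TLS" record-size leak and a padding countermeasure.

Added illustration for this page; not code from the project it describes.
Every size and threshold below is a constructed example value.
"""

TLS_HEADER = 5       # record header: content type (1) + version (2) + length (2)
AEAD_OVERHEAD = 17   # assumed TLS 1.3 AES-GCM: 1-byte inner content type + 16-byte tag

CLIENT = 1           # direction: client -> server
SERVER = -1          # direction: server -> client

# Constructed inner TLS 1.3 handshake, as (direction, record body length) in time order.
# Sizes are plausible round numbers, not captures.
INNER_HANDSHAKE = [
    (CLIENT, 517),   # ClientHello (assumed size)
    (SERVER, 122),   # ServerHello
    (SERVER, 6),     # ChangeCipherSpec (middlebox-compat)
    (SERVER, 2800),  # EncryptedExtensions..Finished, coalesced (assumed size)
    (CLIENT, 6),     # ChangeCipherSpec
    (CLIENT, 74),    # client Finished
]


def wrap_in_outer_tls(inner_records, pad_to=None):
    """Encapsulate each inner record as one outer TLS 1.3 application-data record.

    Returns the (direction, outer record length) sequence a passive observer sees.
    If pad_to is set, the inner record bytes are padded up to a multiple of pad_to
    before encryption (a simple length-hiding countermeasure)."""
    observed = []
    for direction, body in inner_records:
        inner_wire = TLS_HEADER + body                      # inner record as wire bytes
        if pad_to:
            inner_wire = -(-inner_wire // pad_to) * pad_to  # round up to pad_to
        observed.append((direction, TLS_HEADER + inner_wire + AEAD_OVERHEAD))
    return observed


def plain_https(app_records):
    """Ordinary (non-nested) HTTPS: application bytes sit directly in outer records."""
    return [(d, TLS_HEADER + body + AEAD_OVERHEAD) for d, body in app_records]


def recovered_inner_body(outer_len):
    """What an observer who hypothesizes nesting computes: strip the outer header,
    the AEAD overhead, and the inner record header. Framing overhead is constant,
    so the inner record body length is recovered exactly when there is no padding."""
    return outer_len - TLS_HEADER - AEAD_OVERHEAD - TLS_HEADER


# Constructed toy thresholds for the naive check; not taken from any real detector.
CLIENT_HELLO_RANGE = (200, 700)
SERVER_HELLO_RANGE = (60, 200)


def looks_like_nested_handshake(observed):
    """Naive nesting check: the first client->server record, after stripping overhead,
    is sized like a ClientHello, and the first server->client record is sized like a
    ServerHello. Deliberately simplistic; it exists to show the leak and its limits."""
    c2s = [n for d, n in observed if d == CLIENT]
    s2c = [n for d, n in observed if d == SERVER]
    if not c2s or not s2c:
        return False
    ch, sh = recovered_inner_body(c2s[0]), recovered_inner_body(s2c[0])
    return (CLIENT_HELLO_RANGE[0] <= ch <= CLIENT_HELLO_RANGE[1]
            and SERVER_HELLO_RANGE[0] <= sh <= SERVER_HELLO_RANGE[1])


if __name__ == "__main__":
    nested = wrap_in_outer_tls(INNER_HANDSHAKE)
    padded = wrap_in_outer_tls(INNER_HANDSHAKE, pad_to=1024)
    browsing = plain_https([(CLIENT, 350), (SERVER, 4000)])   # constructed page fetch
    tiny_api = plain_https([(CLIENT, 350), (SERVER, 150)])    # constructed small API call
    print("nested, unpadded :", looks_like_nested_handshake(nested))   # True
    print("nested, padded   :", looks_like_nested_handshake(padded))   # False
    print("plain page fetch :", looks_like_nested_handshake(browsing)) # False
    print("plain tiny API   :", looks_like_nested_handshake(tiny_api)) # True (false positive)
```

Two points the model makes concrete: first, because every layer adds a fixed number of framing bytes, forwarding inner records one-to-one into outer records leaks the inner handshake's sizes exactly, which is why the leak is protocol-agnostic; second, a countermeasure has to change the size sequence itself (padding, coalescing or splitting records), and even then timing patterns, which the third work item targets, remain. The false positive on the small request/response exchange is the collateral-damage cost that any censor deploying such a heuristic at scale would have to accept, and that the first work item proposes to measure on real ISP traffic.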