![]() ![]() We show evidence that the rules we inferred have good coverage of what the GFW actually uses. We simulate the inferred GFW’s detection algorithm on live traffic at a university network tap to evaluate its comprehensiveness and false positives. Our Internet scans reveal what traffic and which IP addresses the GFW inspects. ![]() These heuristics are based on the fingerprints of common protocols, the fraction of set bits, and the number, fraction, and position of printable ASCII characters. We find that, instead of directly defining what fully encrypted traffic is, the censor applies crude but efficient heuristics to exempt traffic that is unlikely to be fully encrypted traffic it then blocks the remaining non-exempted traffic. In this paper, we measure and characterize the GFW’s new system for censoring fully encrypted traffic. Although China had long actively probed such protocols, this was the first report of purely passive detection, leading the anti-censorship community to ask how detection was possible. The GFW’s new censorship capability affects a large set of popular censorship circumvention protocols, including but not limited to Shadowsocks, VMess, and Obfs4. In early November 2021, the Great Firewall of China (GFW) deployed a new censorship technique that passively detects-and subsequently blocks-fully encrypted traffic in real time. One of the cornerstones in censorship circumvention is fully encrypted protocols, which encrypt every byte of the payload in an attempt to “look like nothing”. ![]()
0 Comments
Leave a Reply. |