On the Importance of Encrypted-SNI (ESNI) to Censorship Circumvention

With the increasing use of TLS to encrypt web traffic, censors are increasingly deploying SNI filtering in order to censor encrypted connections. Specifically, a censor can identify the web domain a client is accessing from the plaintext Server Name Indication (SNI) extension in the TLS ClientHello message, which is sent before any encryption is in place. In response, in August 2018 a new TLS 1.3 extension called Encrypted SNI (ESNI) was proposed, aiming to prevent this server-name leakage. In this paper, we study the implications of ESNI for censorship. We first characterize SNI-based censorship in China by measuring its prevalence and effectiveness. We outline the assisting role that SNI filtering plays in censorship by comparing it with other commonly used censorship techniques. We then measure the extent of ESNI deployment and discuss ESNI's promise for censorship circumvention tools. We monitor censorship associated with ESNI in 14 geographic regions around the world. Based on our measurements, we discuss the key factors in the potential success of ESNI for censorship evasion and the challenges ahead.
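To make the mechanism in the abstract concrete, the following added example (not code from the paper or its authors) builds two minimal TLS ClientHello records from constructed bytes, one carrying a plaintext server_name extension and one carrying an opaque encrypted_server_name extension, and parses them the way a passive SNI filter would. The hostname, the blocklist and the 48 bytes standing in for the ESNI ciphertext are constructed for illustration; the 0xffce extension codepoint is the one the ESNI Internet-Drafts used. The point it shows is that with plaintext SNI the censor recovers the domain directly from the first packet, while with ESNI it can only observe that ESNI is in use.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000            # RFC 6066 server_name
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE  # codepoint used by the draft-ietf-tls-esni drafts

def build_client_hello(extensions: bytes) -> bytes:
    """Wrap an extensions blob in a minimal (constructed) TLS 1.3 ClientHello record."""
    body = b"\x03\x03" + b"\x00" * 32                 # legacy_version + random (zeros, constructed)
    body += b"\x00"                                    # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                # legacy_compression_methods: null
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(hostname: str) -> bytes:
    """Plaintext server_name extension: ServerNameList of one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    lst = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst

def esni_extension(opaque: bytes) -> bytes:
    """ESNI extension: the name is inside `opaque`, which a middlebox cannot decrypt."""
    return struct.pack("!HH", EXT_ENCRYPTED_SERVER_NAME, len(opaque)) + opaque

def _parse_sni(data: bytes):
    lst_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + lst_len
    while pos + 3 <= end:
        name_type = data[pos]
        nlen = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + nlen]
        pos += nlen
        if name_type == 0:
            return name.decode("ascii", errors="replace")
    return None

def parse_client_hello(record: bytes) -> dict:
    """Walk a ClientHello as a passive DPI box would; return SNI (if plaintext) and ESNI presence."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # skip legacy_version and random
    pos += 1 + body[pos]                               # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                               # legacy_compression_methods
    result = {"sni": None, "esni": False, "extensions": []}
    if pos + 2 > len(body):
        return result                                  # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        result["extensions"].append(etype)
        if etype == EXT_SERVER_NAME:
            result["sni"] = _parse_sni(data)
        elif etype == EXT_ENCRYPTED_SERVER_NAME:
            result["esni"] = True
    return result

BLOCKLIST = {"example.org"}   # constructed stand-in for a censor's domain blocklist

def censor_verdict(record: bytes) -> str:
    """What an SNI filter can decide from the ClientHello alone."""
    info = parse_client_hello(record)
    if info["sni"] is not None:
        return "block" if info["sni"] in BLOCKLIST else "allow"
    if info["esni"]:
        return "opaque"        # name hidden; censor only learns that ESNI is in use
    return "no-sni"

if __name__ == "__main__":
    plain = build_client_hello(sni_extension("example.org"))
    hidden = build_client_hello(esni_extension(b"\xaa" * 48))   # constructed ciphertext
    print(parse_client_hello(plain), censor_verdict(plain))
    print(parse_client_hello(hidden), censor_verdict(hidden))
```

The `"opaque"` verdict is exactly the situation the paper measures: a censor that cannot read the name must either let the connection through or fall back to coarser signals, such as blocking every ClientHello that carries the ESNI extension, which is why the extent of ESNI deployment matters for how much collateral damage such a fallback would cause.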
