Even Censors Have a Backup: Examining China's Double HTTPS Censorship Middleboxes

The Great Firewall of China (GFW) has long censored HTTPS by inspecting the Server Name Indication (SNI) field. Its mechanism for doing so has been studied, and various evasion strategies have been discovered in recent years. In this paper, we present evidence suggesting that the GFW has deployed a second HTTPS censorship middlebox that runs in parallel with the first. We give a detailed analysis of this secondary censorship middlebox (how it operates, the content it blocks, and how it interacts with the primary middlebox) and present evidence that it has been in operation since at least September 2019. We also present several packet-based evasion strategies for the secondary middlebox and demonstrate that the primary censorship middlebox can be defeated independently of the secondary. Our code is publicly available.
