DOI: 10.1145/3473604.3474564
research-article
Open Access

BlindTLS: Circumventing TLS-based HTTPS censorship

Published: 27 August 2021

ABSTRACT

Governments across the globe limit which sites their citizens can visit by employing multiple kinds of censorship techniques for different types of traffic. ISPs have been able to effectively censor HTTPS traffic by inspecting the TLS handshake, which leaks the domain being visited in plaintext. TLS 1.3 attempts to solve this with a proposed ESNI extension that encrypts the SNI (server name indication) value. Since ESNI is optional, ISPs have been known to simply drop handshakes that attempt to use it; SNI-based censorship is therefore still a problem even in TLS 1.3. We present BlindTLS, a technique that hides the true SNI value in TLS 1.2. BlindTLS requires no server modifications and expects only minimal (existing) external infrastructure to circumvent TLS-based censorship. We evaluate and show that BlindTLS is able to successfully provide access to a majority of websites blocked by a real-world ISP with minimal performance overhead.
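The abstract's starting point is that the ClientHello of a TLS 1.2 handshake carries the server name in the clear, so anyone on path can read it. The following added example (not code from the paper or its authors) makes that concrete: it builds a constructed, minimal ClientHello record with a server_name extension laid out as RFC 6066 specifies, then parses the record the way a passive monitor or middlebox would to recover the host name. The cipher suites, zeroed random and host names are sample values chosen here, not captured traffic. The same parser is what a network defender would use to log SNI values for visibility, and running it against a ClientHello without the extension shows why a censor that sees no plaintext name has nothing to match on.

```python
import struct

# Constants from the TLS record and handshake layers (RFC 5246 / RFC 6066).
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
SNI_EXTENSION_TYPE = 0x0000   # server_name extension
NAME_TYPE_HOST_NAME = 0x00


def build_client_hello(server_name=None, session_id=b""):
    """Constructed minimal TLS 1.2 ClientHello record (sample, not a real capture).

    Pass server_name=None to produce a ClientHello with no SNI extension.
    """
    body = b"\x03\x03" + bytes(32)                  # client_version + zeroed random (sample)
    body += bytes([len(session_id)]) + session_id    # session_id vector
    cipher_suites = b"\xc0\x2f\xc0\x30"              # two ECDHE AES-GCM suites, sample choice
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                              # one compression method: null

    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerName entry: name_type(1) + host_name length(2) + host_name
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(name)) + name
        # ServerNameList: list length(2) + entries
        sn_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sn_list)) + sn_list
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([HANDSHAKE_RECORD]) + b"\x03\x03" + struct.pack("!H", len(handshake))
    return record_header + handshake


def extract_sni(record):
    """Return the plaintext host_name carried in a ClientHello's SNI extension.

    Returns None when the bytes are not a ClientHello, are truncated, or carry
    no server_name extension. Every field is read from the wire exactly as an
    on-path observer would read it; no key material is needed.
    """
    try:
        if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                              # truncated handshake

        pos = 2 + 32                                 # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos + 2 > len(body):
            return None                              # no extensions block present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))

        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            lpos = 2                                 # skip ServerNameList length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if name_type == NAME_TYPE_HOST_NAME:
                    return data[lpos:lpos + name_len].decode("ascii", errors="replace")
                lpos += name_len
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    # Constructed sample names; the observer recovers the first and sees nothing in the second.
    print(extract_sni(build_client_hello("example.com")))   # example.com
    print(extract_sni(build_client_hello(None)))            # None
```

Because the name sits in the unencrypted ClientHello, no decryption is involved; a monitor needs only the first record of the connection. Session resumption, which the paper's references discuss, is relevant precisely because a resumed TLS 1.2 connection can omit the fields a censor keys on.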


Published in
        FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Free and Open Communications on the Internet
        August 2021
        59 pages
        ISBN:9781450386401
        DOI:10.1145/3473604

        Copyright © 2021 Owner/Author

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 27 August 2021
        • Online: 23 August 2021


        Qualifiers

        • research-article
        • Research
        • Refereed limited