2015-aceto-internet
findings extracted from this paper
- Winter and Lindskog [157] (2012) documented that the GFW used TLS SNI inspection in combination with IP/port filtering and TCP disruption to block Tor, as recorded in the survey's Table 1. This is one of the earliest published accounts of the GFW applying SNI-based blocking specifically to a circumvention protocol, demonstrating that the GFW correlated multiple detection signals rather than relying on any single technique.
- Table 1 of the survey documents that by 2013–2014 censors were deploying simultaneous blocking across BGP, DNS, IP/port filtering, TCP disruption, TLS, and application-layer keyword filtering. No single detection tool in the survey covers all six layers; the most comprehensive, OONI (2012), covers DNS, IP/port, TCP, TLS, keyword, and HTTP but notes only partial BGP coverage.
- The survey identifies 'soft censorship' — including throttling, packet-loss injection, and quality-of-experience degradation — as detected by only 2 of 13 surveyed platforms (rTurtle and UBICA) as of 2015. The paper explicitly flags this as a measurement gap, noting that soft censorship symptoms are indistinguishable from ordinary network congestion without ground-truth probes placed outside the censor's network.
- As of 2015, TLS tampering detection was implemented by only a small minority of surveyed censorship measurement tools: explicitly by Holz et al.'s Crossbear (2012) and OONI (2012), and partially by Soghoian and Stamm (2011) and UBICA (2013). The majority of the 13+ surveyed platforms detected DNS tampering and HTTP manipulation but lacked TLS coverage, creating a systematic blind spot in published censorship measurement.
- The paper formally defines circumvention as either preventing the trigger from being seen by the surveillance device, or countering the effects of the censoring action. This two-path decomposition — hide the trigger vs. nullify the enforcement — provides a clean design framework: a circumvention tool can succeed by making traffic unrecognizable (no trigger fires) or by routing around the blocking device (action nullified).
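
An added example, not taken from the paper or from rTurtle or UBICA, illustrating the soft-censorship finding above: the inside probe sees the same slow target in three different situations, and only the ratio against an outside ground-truth probe separates them. The vantage and target names, the 0.5 threshold and all sample values are assumptions constructed for illustration.

```python
from statistics import median

# Constructed throughput samples in kbit/s (not real measurements).
HIGH_A, HIGH_B, HIGH_C = ([900, 870, 940, 910, 880], [920, 940, 900, 930, 910],
                          [950, 990, 930, 970, 960])
LOW_A, LOW_B, LOW_C = ([110, 95, 120, 105, 90], [115, 98, 108, 102, 111],
                       [100, 120, 110, 95, 105])

# Keys are (vantage, target). "inside" is a probe within the censored network,
# "outside" is the ground-truth probe, "reference" is a site assumed uncensored.
SCENARIOS = {
    "throttled":   {("inside", "target"): LOW_A, ("inside", "reference"): HIGH_A,
                    ("outside", "target"): HIGH_C, ("outside", "reference"): HIGH_B},
    "congested":   {("inside", "target"): LOW_A, ("inside", "reference"): LOW_B,
                    ("outside", "target"): HIGH_C, ("outside", "reference"): HIGH_B},
    "slow_server": {("inside", "target"): LOW_A, ("inside", "reference"): HIGH_A,
                    ("outside", "target"): LOW_C, ("outside", "reference"): HIGH_B},
}

def inside_only_view(samples):
    """What a single in-network probe can report about the target."""
    return median(samples[("inside", "target")])

def relative_rate(samples, vantage):
    """Target throughput normalised by the reference site at the same vantage."""
    return median(samples[(vantage, "target")]) / median(samples[(vantage, "reference")])

def classify(samples, threshold=0.5):
    """Difference-in-differences over vantages; threshold is an assumed cut-off."""
    inside = relative_rate(samples, "inside")
    outside = relative_rate(samples, "outside")
    if outside < threshold:
        # The ground-truth probe also sees a slow target: not path-specific.
        return "slow-everywhere"
    if inside < threshold * outside:
        # Only the target, and only from inside, is degraded.
        return "suspected-throttling"
    # Target and reference degrade together: consistent with congestion.
    return "no-target-specific-degradation"

if __name__ == "__main__":
    for name, samples in SCENARIOS.items():
        print(name, inside_only_view(samples), classify(samples))
```
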