2015-frolov-the-use-of-tls

The use of TLS in censorship circumventioncore

Sergey Frolov, Eric Wustrow · NDSS · 2019

canonical link → · doi: 10.14722/ndss.2019.23511

Abstract

We measure how circumvention tools use TLS, identify divergences from real browser fingerprints (the "uTLS" project), and evaluate the detectability of these fingerprints by a passive observer.

Team notes

Origin of uTLS. Required reading for anyone touching Lantern's TLS- mimicking code paths. The "you must mimic Chrome's TLS fingerprint exactly" mandate that every TLS-based pluggable transport now follows comes from this paper.

Tags

censors: cn ir ru
techniques: tls-fingerprint dpi traffic-shape
defenses: mimicry meek obfs4 shadowsocks tunneling
method: measurement-studyml-evaluation

findings extracted from this paper

Frolov and Wustrow show that every major TLS-based circumvention tool (Tor Browser, Lantern, OpenVPN, Psiphon, etc.) produces a TLS ClientHello fingerprint that is statistically distinguishable from real Chrome or Firefox: differences include cipher-suite ordering, extension set, extension ordering, ALPN values, and curve preferences. A passive observer with a classifier over ClientHello fields can identify the tool with high precision without decrypting any traffic.

§3–4 detection tls-fingerprintdpiml-classifier cnirru
Beyond the ClientHello, circumvention tools diverge from real browsers in TLS record-layer behavior: Go's crypto/tls splits the first application-data write differently than NSS or BoringSSL, and Go does not send a TLS ChangeCipherSpec in the same byte sequence as Chrome. These post-handshake divergences are detectable even when the ClientHello has been patched with uTLS, requiring record-layer mimicry in addition to hello-field mimicry for full fingerprint resistance.

§4.3 detection tls-fingerprintdpitraffic-shape cnirru
The paper introduces the uTLS library, which allows a Go TLS client to impersonate a specific browser's TLS fingerprint by replaying a recorded ClientHello template (including exact cipher suites, extensions, and GREASE bytes) rather than constructing one from Go's crypto/tls. Using a Chrome 70 uTLS template reduces fingerprint-distinctiveness to near zero against a passive classifier trained on real Chrome traffic.

§5 defense tls-fingerprint cnirru