2023-niere-poster

Poster: Circumventing the GFW with TLS Record Fragmentation

core

Abstract

State actors censor the HTTPS protocol to block access to certain websites. While many circumvention strategies act on the TCP layer, little emphasis has been placed on TLS — a complex protocol and integral building block of HTTPS. In contrast to the TCP layer, circumvention methods on the TLS layer do not require root privileges since TLS operates on the application layer. The authors present TLS record fragmentation as a novel circumvention technique and demonstrate that it bypasses the Great Firewall of China by splitting the ClientHello across multiple TLS records that the censor's single-record SNI matcher fails to reassemble.

Team notes

Foundational result from the upb-syssec group at Paderborn University: TLS *record-layer* fragmentation works for SNI evasion even where censors have hardened against TCP-segmentation tricks. It operates entirely above TCP, so no kernel privileges are required — a userspace client can fragment ClientHello records itself. This paper kicked off the group's TLS-as-a-circumvention-surface research direction that culminated in the 2025 S&P Distinguished Paper "Transport Layer Obscurity" (2025-niere-transport). Cite both when discussing TLS-layer circumvention. Implications for Lantern: TLS record fragmentation is a low-cost capability to add to any TLS-using transport (REALITY, vmess, domain-fronting). It hardens against the class of single-record SNI matchers that DPI vendors deploy.
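The mechanism described in the abstract and team notes, as an added Python example (not code from the paper or from Lantern): a constructed minimal ClientHello is re-framed into several TLS records, and a parser that reads only the first record is compared with one that reassembles handshake fragments across records, as a TLS endpoint does. The single-record parser is an assumed model of the matcher the notes describe; all function names and the sample host name are illustrative.

```python
import struct
HANDSHAKE = 0x16  # TLS record content type for handshake messages

def build_client_hello_record(sni):
    """Constructed minimal ClientHello (one cipher suite, SNI only) in one record."""
    name = struct.pack("!BH", 0, len(sni)) + sni
    ext = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    msg = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(msg)) + msg

def fragment_record(record, size):  # re-frame one payload as records of <= size bytes
    ctype, version, length = struct.unpack("!BHH", record[:5])
    chunks = [record[5 + i:5 + min(i + size, length)] for i in range(0, length, size)]
    return b"".join(struct.pack("!BHH", ctype, version, len(c)) + c for c in chunks)

def handshake_payloads(stream):  # payload of each handshake record, in order
    out, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if ctype == HANDSHAKE:
            out.append(stream[pos + 5:pos + 5 + length])
        pos += 5 + length
    return out

def extract_sni(msg):
    """SNI host name from a complete ClientHello handshake message, else None."""
    try:
        if msg[0] != 1 or len(msg) < 4 + int.from_bytes(msg[1:4], "big"):
            return None                       # not a ClientHello, or incomplete
        p = 39 + msg[38]       # header(4) + version(2) + random(32), then session id
        p += 2 + int.from_bytes(msg[p:p + 2], "big")  # cipher suites
        p += 1 + msg[p]                               # compression methods
        p, end = p + 2, p + 2 + int.from_bytes(msg[p:p + 2], "big")
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", msg[p:p + 4])
            if etype == 0:  # server_name: list len(2), type(1), name len(2), name
                return msg[p + 9:p + 9 + int.from_bytes(msg[p + 7:p + 9], "big")]
            p += 4 + elen
        return None
    except (IndexError, struct.error): return None

def single_record_sni(stream):  # assumed model: looks at the first record only
    return extract_sni((handshake_payloads(stream) or [b""])[0])

def reassembling_sni(stream):   # joins fragments across records before parsing
    return extract_sni(b"".join(handshake_payloads(stream)))
```

The fragmented stream carries the same handshake bytes as the original record, so a compliant server still completes the handshake, while only a parser that buffers across record boundaries recovers the host name.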

Tags

censors
cn
techniques
dpi
sni-blocking
tls-fingerprint
defenses
format-transform

findings extracted from this paper