2023-wu-fully-encrypted-detect
How the Great Firewall of China detects and blocks fully encrypted traffic
Abstract
The GFW deploys a new censorship technique that passively detects—and
then blocks—fully encrypted traffic in real time. The detector is
designed to detect any "fully encrypted" protocol—one whose entire
byte stream looks uniformly random. Three exemption rules built into
the detector are responsible for the bulk of false negatives.
Team notes
Along with the 2015 active-probing paper, this is the most important
recent threat-model paper for our work. The specific concern is the
"popcount in the first packet" detector: any new Lantern protocol whose
first packets are uniformly random gets blocked in CN within seconds.
Reflex's threat model targets this detector directly, and every protocol
we ship needs to be designed with it in mind.