2024-xue-fingerprinting

Fingerprinting Obfuscated Proxy Traffic with Encapsulated TLS Handshakes

Diwen Xue, Michalis Kallitsis, Amir Houmansadr, Roya Ensafi · USENIX Security Symposium · 2024

canonical link →

Tags

censors: generic
techniques: tls-fingerprint

findings extracted from this paper

Obfuscated proxy traffic (including Shadowsocks, VMess, VLESS, Trojan, obfs4, and REALITY) can be reliably fingerprinted by detecting encapsulated TLS handshakes — the inner TLS ClientHello that appears inside an outer encrypted tunnel. This fingerprint is protocol-agnostic: any proxy that wraps TLS-bearing application traffic will produce it. The authors deployed a similarity-based classifier within a mid-size ISP serving over one million users and demonstrated detection with minimal collateral damage.

Abstract, §5, §7 detection dpitls-fingerprintml-classifier generic
While stream multiplexing reduces the visibility of encapsulated TLS handshakes by merging inner connections, the paper cautions that multiplexing plus random padding alone is "inherently limited" as a long-term countermeasure. Censors can adapt by monitoring burst sizes and round-trip counts at the outer-connection level, which remain correlated with the number of inner TLS sessions regardless of padding.

§7 (Limitations and Future Work) detection dpitls-fingerprinttraffic-shape generic