rfc9505v1.txt   rfc9505.txt 
skipping to change at line 99 skipping to change at line 99
5.4.1. Distributed Denial of Service (DDoS) 5.4.1. Distributed Denial of Service (DDoS)
5.4.2. Censorship in Depth 5.4.2. Censorship in Depth
6. Non-technical Interference 6. Non-technical Interference
6.1. Manual Filtering 6.1. Manual Filtering
6.2. Self-Censorship 6.2. Self-Censorship
6.3. Server Takedown 6.3. Server Takedown
6.4. Notice and Takedown 6.4. Notice and Takedown
6.5. Domain Name Seizures 6.5. Domain Name Seizures
7. Future Work 7. Future Work
8. IANA Considerations 8. IANA Considerations
9. Informative References 9. Security Considerations
10. Informative References
Contributors Contributors
Authors' Addresses Authors' Addresses
1. Introduction 1. Introduction
Censorship is where an entity in a position of power -- such as a Censorship is where an entity in a position of power -- such as a
government, organization, or individual -- suppresses communication government, organization, or individual -- suppresses communication
that it considers objectionable, harmful, sensitive, politically that it considers objectionable, harmful, sensitive, or inconvenient
incorrect, or inconvenient [WP-Def-2020]. Although censors that [WP-Def-2020]. Although censors that engage in censorship must do so
engage in censorship must do so through legal, military, or other through legal, military, or other means, this document focuses
means, this document focuses largely on technical mechanisms used to largely on technical mechanisms used to achieve network censorship.
achieve network censorship.
This document describes technical mechanisms that censorship regimes This document describes technical mechanisms that censorship regimes
around the world use for blocking or impairing Internet traffic. See around the world use for blocking or impairing Internet traffic. See
[RFC7754] for a discussion of Internet blocking and filtering in [RFC7754] for a discussion of Internet blocking and filtering in
terms of implications for Internet architecture rather than end-user terms of implications for Internet architecture rather than end-user
access to content and services. There is also a growing field of access to content and services. There is also a growing field of
academic study of censorship circumvention (see the review article of academic study of censorship circumvention (see the review article of
[Tschantz-2016]), results from which we seek to make relevant here [Tschantz-2016]), results from which we seek to make relevant here
for protocol designers and implementers. for protocol designers and implementers.
skipping to change at line 142 skipping to change at line 142
2. Terminology 2. Terminology
We describe three elements of Internet censorship: prescription, We describe three elements of Internet censorship: prescription,
identification, and interference. This document contains three major identification, and interference. This document contains three major
sections, each corresponding to one of these elements. Prescription sections, each corresponding to one of these elements. Prescription
is the process by which censors determine what types of material they is the process by which censors determine what types of material they
should censor, e.g., classifying pornographic websites as should censor, e.g., classifying pornographic websites as
undesirable. Identification is the process by which censors classify undesirable. Identification is the process by which censors classify
specific traffic or traffic identifiers to be blocked or impaired, specific traffic or traffic identifiers to be blocked or impaired,
e.g., deciding that webpages containing "sex" in an HTTP header or e.g., deciding that webpages containing "sex" in an HTTP header or
that accept traffic through the URL www.sex.example are likely to be that accept traffic through the URL "www.sex.example" are likely to
undesirable. Interference is the process by which censors intercede be undesirable. Interference is the process by which censors
in communication and prevent access to censored materials by blocking intercede in communication and prevent access to censored materials
access or impairing the connection, e.g., implementing a technical by blocking access or impairing the connection, e.g., implementing a
solution capable of identifying HTTP headers or URLs and ensuring technical solution capable of identifying HTTP headers or URLs and
they are rendered wholly or partially inaccessible. ensuring they are rendered wholly or partially inaccessible.
3. Technical Prescription 3. Technical Prescription
Prescription is the process of figuring out what censors would like Prescription is the process of figuring out what censors would like
to block [Glanville-2008]. Generally, censors aggregate information to block [Glanville-2008]. Generally, censors aggregate information
"to block" in blocklists, databases of image hashes [ekr-2021], or "to block" in blocklists, databases of image hashes [ekr-2021], or
use real-time heuristic assessment of content [Ding-1999]. Some use real-time heuristic assessment of content [Ding-1999]. Some
national networks are designed to more naturally serve as points of national networks are designed to more naturally serve as points of
control [Leyba-2019]. There are also indications that online censors control [Leyba-2019]. There are also indications that online censors
use probabilistic machine learning techniques [Tang-2016]. Indeed, use probabilistic machine learning techniques [Tang-2016]. Indeed,
skipping to change at line 184 skipping to change at line 184
censors filter traffic from broad categories they would like to censors filter traffic from broad categories they would like to
block, such as gambling or pornography [Knight-2005]. In these block, such as gambling or pornography [Knight-2005]. In these
cases, these private services attempt to categorize every semi- cases, these private services attempt to categorize every semi-
questionable website to allow for meta-tag blocking. Similarly, they questionable website to allow for meta-tag blocking. Similarly, they
tune real-time content heuristic systems to map their assessments tune real-time content heuristic systems to map their assessments
onto categories of objectionable content. onto categories of objectionable content.
Countries that are more interested in retaining specific political Countries that are more interested in retaining specific political
control typically have ministries or organizations that maintain control typically have ministries or organizations that maintain
blocklists. Examples include the Ministry of Industry and blocklists. Examples include the Ministry of Industry and
Information Technology in China, Ministry of Culture and Islamic Information Technology in China, the Ministry of Culture and Islamic
Guidance in Iran, and specific to copyright in France [HADOPI] and Guidance in Iran, and the organizations specific to copyright law in
across the EU for consumer protection law [Reda-2017]. France [HADOPI] and consumer protection laaw across the EU
[Reda-2017].
Content-layer filtering of images and video requires institutions or Content-layer filtering of images and video requires institutions or
organizations to store hashes of images or videos to be blocked in organizations to store hashes of images or videos to be blocked in
databases, which can then be compared, with some degree of tolerance, databases, which can then be compared, with some degree of tolerance,
to content that is sent, received, or stored using centralized to content that is sent, received, or stored using centralized
content applications and services [ekr-2021]. content applications and services [ekr-2021].
4. Technical Identification 4. Technical Identification
4.1. Points of Control 4.1. Points of Control
skipping to change at line 329 skipping to change at line 330
these common behaviors for further reference. these common behaviors for further reference.
4.2.1. HTTP Request Header Identification 4.2.1. HTTP Request Header Identification
An HTTP header contains a lot of useful information for traffic An HTTP header contains a lot of useful information for traffic
identification. Although "host" is the only required field in an identification. Although "host" is the only required field in an
HTTP request header (for HTTP/1.1 and later), an HTTP method field is HTTP request header (for HTTP/1.1 and later), an HTTP method field is
necessary to do anything useful. As such, "method" and "host" are necessary to do anything useful. As such, "method" and "host" are
the two fields used most often for ubiquitous censorship. A censor the two fields used most often for ubiquitous censorship. A censor
can sniff traffic and identify a specific domain name (host) and can sniff traffic and identify a specific domain name (host) and
usually a page name (GET /page) as well. This identification usually a page name (for example, GET /page) as well. This
technique is usually paired with transport header identification (see identification technique is usually paired with transport header
Section 4.3.1) for a more robust method. identification (see Section 4.3.1) for a more robust method.
Trade-offs: Request Identification is a technically straightforward
identification method that can be easily implemented at the
backbone or ISP level. The hardware needed for
this sort of identification is cheap and easy to acquire, making it Trade-offs: HTTP request header identification is a technically
desirable when budget and scope are a concern. HTTPS (Hypertext straightforward identification method that can be easily implemented
Transport Protocol Secure) will encrypt the relevant request and at the backbone or ISP level. The hardware needed for this sort of
response fields, so pairing with transport identification (see identification is cheap and easy to acquire, making it desirable when
Section 4.3.1) is necessary for HTTPS filtering. However, some budget and scope are a concern. HTTPS (Hypertext Transport Protocol
countermeasures can trivially defeat simple forms of HTTP Request Secure) will encrypt the relevant request and response fields, so
Header Identification. For example, two cooperating endpoints -- an pairing with transport identification (see Section 4.3.1) is
instrumented web server and client -- could encrypt or otherwise necessary for HTTPS filtering. However, some countermeasures can
obfuscate the "host" header in a request, potentially thwarting trivially defeat simple forms of HTTP request header identification.
techniques that match against "host" header values. For example, two cooperating endpoints -- an instrumented web server
and client -- could encrypt or otherwise obfuscate the "host" header
in a request, potentially thwarting techniques that match against
"host" header values.
Empirical Examples: Studies exploring censorship mechanisms have Empirical Examples: Studies exploring censorship mechanisms have
found evidence of HTTP header/ URL filtering in many countries, found evidence of HTTP header and/or URL filtering in many countries,
including Bangladesh, Bahrain, China, India, Iran, Malaysia, including Bangladesh, Bahrain, China, India, Iran, Malaysia,
Pakistan, Russia, Saudi Arabia, South Korea, Thailand, and Turkey Pakistan, Russia, Saudi Arabia, South Korea, Thailand, and Turkey
[Verkamp-2012] [Nabi-2013] [Aryan-2013]. Commercial technologies are [Verkamp-2012] [Nabi-2013] [Aryan-2013]. Commercial technologies are
often purchased by censors [Dalek-2013]. These commercial often purchased by censors [Dalek-2013]. These commercial
technologies use a combination of HTTP Request Identification and technologies use a combination of HTTP request header identification
transport header identification to filter specific URLs. Dalek et and transport header identification to filter specific URLs. Dalek
al. and Jones et al. identified the use of these products in the wild et al. and Jones et al. identified the use of these products in the
[Dalek-2013] [Jones-2014]. wild [Dalek-2013] [Jones-2014].
4.2.2. HTTP Response Header Identification 4.2.2. HTTP Response Header Identification
While HTTP Request Header Identification relies on the information While HTTP request header identification relies on the information
contained in the HTTP request from client to server, response contained in the HTTP request from client to server, HTTP response
identification uses information sent in response by the server to header identification uses information sent in response by the server
client to identify undesirable content. to client to identify undesirable content.
Trade-offs: As with HTTP Request Header Identification, the Trade-offs: As with HTTP request header identification, the
techniques used to identify HTTP traffic are well-known, cheap, and techniques used to identify HTTP traffic are well-known, cheap, and
relatively easy to implement. However, they are made useless by relatively easy to implement. However, they are made useless by
HTTPS because HTTPS encrypts the response and its headers. HTTPS because HTTPS encrypts the response and its headers.
The response fields are also less helpful for identifying content The response fields are also less helpful for identifying content
than request fields, as "Server" could easily be identified using than request fields, as "Server" could easily be identified using
HTTP Request Header identification, and "Via" is rarely relevant. HTTP request header identification, and "Via" is rarely relevant.
HTTP Response censorship mechanisms normally let the first n packets HTTP response censorship mechanisms normally let the first n packets
through while the mirrored traffic is being processed; this may allow through while the mirrored traffic is being processed; this may allow
some content through, and the user may be able to detect that the some content through, and the user may be able to detect that the
censor is actively interfering with undesirable content. censor is actively interfering with undesirable content.
Empirical Examples: In 2009, Jong Park et al. at the University of Empirical Examples: In 2009, Jong Park et al. at the University of
New Mexico demonstrated that the Great Firewall of China (GFW) has New Mexico demonstrated that the Great Firewall of China (GFW) has
used this technique [Crandall-2010]. However, Jong Park et al. found used this technique [Crandall-2010]. However, Jong Park et al. found
that the GFW discontinued this practice during the course of the that the GFW discontinued this practice during the course of the
study. Due to the overlap in HTTP response filtering and keyword study. Due to the overlap in HTTP response filtering and keyword
filtering (see Section 4.2.4), it is likely that most censors rely on filtering (see Section 4.2.4), it is likely that most censors rely on
skipping to change at line 401 skipping to change at line 401
towards censoring TLS (and by extension HTTPS). Most of these towards censoring TLS (and by extension HTTPS). Most of these
techniques relate to the Server Name Indication (SNI) field, techniques relate to the Server Name Indication (SNI) field,
including censoring SNI, Encrypted SNI (ESNI), or omitted SNI. including censoring SNI, Encrypted SNI (ESNI), or omitted SNI.
Censors can also censor HTTPS content via server certificates. Note Censors can also censor HTTPS content via server certificates. Note
that TLS 1.3 acts as a security component of QUIC. that TLS 1.3 acts as a security component of QUIC.
4.2.3.1. Server Name Indication (SNI) 4.2.3.1. Server Name Indication (SNI)
In encrypted connections using TLS, there may be servers that host In encrypted connections using TLS, there may be servers that host
multiple "virtual servers" at a given network address, and the client multiple "virtual servers" at a given network address, and the client
will need to specify in the Client Hello message which domain name it will need to specify in the ClientHello message which domain name it
seeks to connect to (so that the server can respond with the seeks to connect to (so that the server can respond with the
appropriate TLS certificate) using, the SNI TLS extension [RFC6066]. appropriate TLS certificate) using, the SNI TLS extension [RFC6066].
The Client Hello message is unencrypted for TCP-based TLS. When The ClientHello message is unencrypted for TCP-based TLS. When using
using QUIC, the Client Hello message is encrypted, but its QUIC, the ClientHello message is encrypted, but its confidentiality
confidentiality is not effectively protected because the initial is not effectively protected because the initial encryption keys are
encryption keys are derived using a value that is visible on the derived using a value that is visible on the wire. Since SNI is
wire. Since SNI is often sent in the clear (as are the cert fields often sent in the clear (as are the cert fields sent in response),
sent in response), censors and filtering software can use it (and censors and filtering software can use it (and response cert fields)
response cert fields) as a basis for blocking, filtering, or as a basis for blocking, filtering, or impairment by dropping
impairment by dropping connections to domains that match prohibited connections to domains that match prohibited content (e.g.,
content (e.g., bad.foo.example may be censored while good.foo.example "bad.foo.example" may be censored while "good.foo.example" is not)
is not) [Shbair-2015]. There are ongoing standardization efforts in [Shbair-2015]. There are ongoing standardization efforts in the TLS
the TLS Working Group to encrypt SNI [RFC8744] [TLS-ESNI], and recent Working Group to encrypt SNI [RFC8744] [TLS-ESNI], and recent
research shows promising results in the use of ESNI in the face of research shows promising results in the use of ESNI in the face of
SNI-based filtering [Chai-2019] in some countries. SNI-based filtering [Chai-2019] in some countries.
Domain fronting has been one popular way to avoid identification by Domain fronting has been one popular way to avoid identification by
censors [Fifield-2015]. To avoid identification by censors, censors [Fifield-2015]. To avoid identification by censors,
applications using domain fronting put a different domain name in the applications using domain fronting put a different domain name in the
SNI extension than in the Host: header, which is protected by HTTPS. SNI extension than in the "host" header, which is protected by HTTPS.
The visible SNI would indicate an unblocked domain, while the blocked The visible SNI would indicate an unblocked domain, while the blocked
domain remains hidden in the encrypted application header. Some domain remains hidden in the encrypted application header. Some
encrypted messaging services relied on domain fronting to enable encrypted messaging services relied on domain fronting to enable
their provision in countries employing SNI-based filtering. These their provision in countries employing SNI-based filtering. These
services used the cover provided by domains for which blocking at the services used the cover provided by domains for which blocking at the
domain level would be undesirable to hide their true domain names. domain level would be undesirable to hide their true domain names.
However, the companies holding the most popular domains have since However, the companies holding the most popular domains have since
reconfigured their software to prevent this practice. It may be reconfigured their software to prevent this practice. It may be
possible to achieve similar results using potential future options to possible to achieve similar results using potential future options to
encrypt SNI. encrypt SNI.
Trade-offs: Some clients do not send the SNI extension (e.g., clients Trade-offs: Some clients do not send the SNI extension (e.g., clients
that only support versions of SSL and not TLS), rendering this method that only support versions of SSL and not TLS), rendering this method
ineffective (see Section 4.2.3.3). In addition, this technique ineffective (see Section 4.2.3.3). In addition, this technique
requires deep packet inspection (DPI) techniques that can be requires deep packet inspection (DPI) techniques that can be
computationally and infrastructurally expensive, especially when expensive in terms of computational complexity and infrastructure,
applied to QUIC where DPI requires key extraction and decryption of especially when applied to QUIC where DPI requires key extraction and
the Client Hello in order to read the SNI. Improper configuration of decryption of the ClientHello in order to read the SNI. Improper
an SNI-based block can result in significant over-blocking, e.g., configuration of an SNI-based block can result in significant over-
when a second-level domain like populardomain.example is blocking, e.g., when a second-level domain like
inadvertently blocked. In the case of ESNI, pressure to censor may "populardomain.example" is inadvertently blocked. In the case of
transfer to other points of intervention, such as content and ESNI, pressure to censor may transfer to other points of
application providers. intervention, such as content and application providers.
Empirical Examples: There are many examples of security firms that Empirical Examples: There are many examples of security firms that
offer SNI-based filtering products [Trustwave-2015] [Sophos-2015] offer SNI-based filtering products [Trustwave-2015] [Sophos-2023]
[Shbair-2015]. The governments of China, Egypt, Iran, Qatar, South [Shbair-2015]. The governments of China, Egypt, Iran, Qatar, South
Korea, Turkey, Turkmenistan, and the United Arab Emirates all do Korea, Turkey, Turkmenistan, and the United Arab Emirates all do
widespread SNI filtering or blocking [OONI-2018] [OONI-2019] widespread SNI filtering or blocking [OONI-2018] [OONI-2019]
[NA-SK-2019] [CitizenLab-2018] [Gatlan-2019] [Chai-2019] [NA-SK-2019] [CitizenLab-2018] [Gatlan-2019] [Chai-2019]
[Grover-2019] [Singh-2019]. SNI blocking against QUIC traffic was [Grover-2019] [Singh-2019]. SNI blocking against QUIC traffic was
first observed in Russia in March 2022 [Elmenhorst-2022]. first observed in Russia in March 2022 [Elmenhorst-2022].
4.2.3.2. Encrypted SNI (ESNI) 4.2.3.2. Encrypted SNI (ESNI)
With the data leakage present with the SNI field, a natural response With the data leakage present with the SNI field, a natural response
is to encrypt it, which is forthcoming in TLS 1.3 with Encrypted is to encrypt it, which is forthcoming in TLS 1.3 with Encrypted
Client Hello (ECH). Prior to ECH, the ESNI extension is available to Client Hello (ECH). Prior to ECH, the ESNI extension is available to
prevent the data leakage caused by SNI, which encrypts only the SNI prevent the data leakage caused by SNI, which encrypts only the SNI
field. Unfortunately, censors can target connections that use the field. Unfortunately, censors can target connections that use the
ESNI extension specifically for censorship. This guarantees over- ESNI extension specifically for censorship. This guarantees over-
blocking for the censor but can be worth the cost if ESNI is not yet blocking for the censor but can be worth the cost if ESNI is not yet
widely deployed within the country. ECH is the emerging standard for widely deployed within the country. ECH is the emerging standard for
protecting the entire TLS Client Hello, but it is not yet widely protecting the entire TLS ClientHello, but it is not yet widely
deployed. deployed.
Trade-offs: The cost to censoring ESNI is significantly higher than Trade-offs: The cost to censoring ESNI is significantly higher than
SNI to a censor, as the censor can no longer target censorship to SNI to a censor, as the censor can no longer target censorship to
specific domains and guarantees over-blocking. In these cases, the specific domains and guarantees over-blocking. In these cases, the
censor uses the over-blocking to discourage the use of ESNI entirely. censor uses the over-blocking to discourage the use of ESNI entirely.
Empirical Examples: In 2020, China began censoring all uses of ESNI Empirical Examples: In 2020, China began censoring all uses of ESNI
[Bock-2020b], even for innocuous connections. The censorship [Bock-2020b], even for innocuous connections. The censorship
mechanism for China's ESNI censorship differs from how China censors mechanism for China's ESNI censorship differs from how China censors
skipping to change at line 495 skipping to change at line 495
Trade-offs: The approach of censoring all connections that omit the Trade-offs: The approach of censoring all connections that omit the
SNI field is guaranteed to over-block, though connections that omit SNI field is guaranteed to over-block, though connections that omit
the SNI field should be relatively rare in the wild. the SNI field should be relatively rare in the wild.
Empirical Examples: In the past, researchers have observed censors in Empirical Examples: In the past, researchers have observed censors in
Russia blocking connections that omit the SNI field [Bock-2020b]. Russia blocking connections that omit the SNI field [Bock-2020b].
4.2.3.4. Server Response Certificate 4.2.3.4. Server Response Certificate
During the TLS handshake after the TLS Client Hello, the server will During the TLS handshake after the TLS ClientHello, the server will
respond with the TLS certificate. This certificate also contains the respond with the TLS certificate. This certificate also contains the
domain the client is trying to access, creating another avenue that domain the client is trying to access, creating another avenue that
censors can use to perform censorship. This technique will not work censors can use to perform censorship. This technique will not work
in TLS 1.3, as the certificate will be encrypted. in TLS 1.3, as the certificate will be encrypted.
Trade-offs: Censoring based on the server certificate requires DPI Trade-offs: Censoring based on the server certificate requires DPI
techniques that can be more computationally expensive compared to techniques that can be more computationally expensive compared to
other methods. Additionally, the certificate is sent later in the other methods. Additionally, the certificate is sent later in the
TLS handshake compared to the SNI field, forcing the censor to track TLS handshake compared to the SNI field, forcing the censor to track
the connection longer. the connection longer.
skipping to change at line 680 skipping to change at line 680
Port is useful for allowlisting certain applications. Port is useful for allowlisting certain applications.
By combining IP address, port, and protocol information found in the By combining IP address, port, and protocol information found in the
transport header, shallow packet inspection can be used by a censor transport header, shallow packet inspection can be used by a censor
to identify specific TCP or UDP endpoints. UDP endpoint blocking has to identify specific TCP or UDP endpoints. UDP endpoint blocking has
been observed in the context of QUIC blocking [Elmenhorst-2021]. been observed in the context of QUIC blocking [Elmenhorst-2021].
Trade-offs: Header identification is popular due to its simplicity, Trade-offs: Header identification is popular due to its simplicity,
availability, and robustness. availability, and robustness.
Header identification is trivial to implement, but is difficult to Header identification is trivial to implement in some routers, but is
implement in backbone or ISP routers at scale, and is therefore difficult to implement in backbone or ISP routers at scale, and is
typically implemented with DPI. Blocklisting an IP is equivalent to therefore typically implemented with DPI. Blocklisting an IP is
installing a specific route on a router (such as a /32 route for IPv4 equivalent to installing a specific route on a router (such as a /32
addresses and a /128 route for IPv6 addresses). However, due to route for IPv4 addresses and a /128 route for IPv6 addresses).
limited flow table space, this cannot scale beyond a few thousand IPs However, due to limited flow table space, this cannot scale beyond a
at most. IP blocking is also relatively crude. It often leads to few thousand IPs at most. IP blocking is also relatively crude. It
over-blocking and cannot deal with some services like Content often leads to over-blocking and cannot deal with some services like
Distribution Networks (CDNs) that host content at hundreds or Content Distribution Networks (CDNs) that host content at hundreds or
thousands of IP addresses. Despite these limitations, IP blocking is thousands of IP addresses. Despite these limitations, IP blocking is
extremely effective because the user needs to proxy their traffic extremely effective because the user needs to proxy their traffic
through another destination to circumvent this type of through another destination to circumvent this type of
identification. In addition, IP blocking is effective against all identification. In addition, IP blocking is effective against all
protocols above IP, e.g., TCP and QUIC. protocols above IP, e.g., TCP and QUIC.
Port blocking is generally not useful because many types of content Port blocking is generally not useful because many types of content
share the same port, and it is possible for censored applications to share the same port, and it is possible for censored applications to
change their port. For example, most HTTP traffic goes over port 80, change their port. For example, most HTTP traffic goes over port 80,
so the censor cannot differentiate between restricted and allowed web so the censor cannot differentiate between restricted and allowed web
skipping to change at line 721 skipping to change at line 721
4.3.2. Protocol Identification 4.3.2. Protocol Identification
Censors sometimes identify entire protocols to be blocked using a Censors sometimes identify entire protocols to be blocked using a
variety of traffic characteristics. For example, Iran impairs the variety of traffic characteristics. For example, Iran impairs the
performance of HTTPS traffic, a protocol that prevents further performance of HTTPS traffic, a protocol that prevents further
analysis, to encourage users to switch to HTTP, a protocol that they analysis, to encourage users to switch to HTTP, a protocol that they
can analyze [Aryan-2013]. A simple protocol identification would be can analyze [Aryan-2013]. A simple protocol identification would be
to recognize all TCP traffic over port 443 as HTTPS, but a more to recognize all TCP traffic over port 443 as HTTPS, but a more
sophisticated analysis of the statistical properties of payload data sophisticated analysis of the statistical properties of payload data
and flow behavior would be more effective, even when port 443 is not and flow behavior would be more effective, even when port 443 is not
used [Hjelmvik-2010] [Sandvine-2014]. used [Hjelmvik-2010] [Sandvine-2015].
If censors can detect circumvention tools, they can block them. If censors can detect circumvention tools, they can block them.
Therefore, censors like China are extremely interested in identifying Therefore, censors like China are extremely interested in identifying
the protocols for censorship circumvention tools. In recent years, the protocols for censorship circumvention tools. In recent years,
this has devolved into a competition between censors and this has devolved into a competition between censors and
circumvention tool developers. As part of this competition, China circumvention tool developers. As part of this competition, China
developed an extremely effective protocol identification technique developed an extremely effective protocol identification technique
that researchers call "active probing" or "active scanning". that researchers call "active probing" or "active scanning".
In active probing, the censor determines whether hosts are running a In active probing, the censor determines whether hosts are running a
skipping to change at line 787 skipping to change at line 787
Another feature of some modern censorship systems is residual Another feature of some modern censorship systems is residual
censorship, a punitive form of censorship whereby after a censor censorship, a punitive form of censorship whereby after a censor
disrupts a forbidden connection, the censor continues to target disrupts a forbidden connection, the censor continues to target
subsequent connections, even if they are innocuous [Bock-2021]. subsequent connections, even if they are innocuous [Bock-2021].
Residual censorship can take many forms and often relies on the Residual censorship can take many forms and often relies on the
methods of technical interference described in the next section. methods of technical interference described in the next section.
An important facet of residual censorship is precisely what the An important facet of residual censorship is precisely what the
censor continues to block after censorship is initially triggered. censor continues to block after censorship is initially triggered.
There are three common options available to an adversary: 2-tuple There are three common options available to an adversary: 2-tuple
(client IP, server IP), 3-tuple (client IP, server IP+port), or (client IP, server IP), 3-tuple (client IP, server IP, server port),
4-tuple (client IP+port, server IP+port). Future connections that or 4-tuple (client IP, client port, server IP, server port). Future
match the tuple of information the censor records will be disrupted connections that match the tuple of information the censor records
[Bock-2021]. will be disrupted [Bock-2021].
Residual censorship can sometimes be difficult to identify and can Residual censorship can sometimes be difficult to identify and can
often complicate censorship measurement. often complicate censorship measurement.
Trade-offs: The impact of residual censorship is to provide users Trade-offs: The impact of residual censorship is to provide users
with further discouragement from trying to access forbidden content, with further discouragement from trying to access forbidden content,
though it is not clear how successful it is at accomplishing this. though it is not clear how successful it is at accomplishing this.
Empirical Examples: China has used 3-tuple residual censorship in Empirical Examples: China has used 3-tuple residual censorship in
conjunction with their HTTP censorship for years, and researchers conjunction with their HTTP censorship for years, and researchers
skipping to change at line 823 skipping to change at line 823
There are a variety of mechanisms that censors can use to block or There are a variety of mechanisms that censors can use to block or
filter access to content by altering responses from the DNS filter access to content by altering responses from the DNS
[AFNIC-2013] [ICANN-SSAC-2012], including blocking the response, [AFNIC-2013] [ICANN-SSAC-2012], including blocking the response,
replying with an error message, or responding with an incorrect replying with an error message, or responding with an incorrect
address. Note that there are now encrypted transports for DNS address. Note that there are now encrypted transports for DNS
queries in DNS over HTTPS [RFC8484] and DNS over TLS [RFC7858] that queries in DNS over HTTPS [RFC8484] and DNS over TLS [RFC7858] that
can mitigate interference with DNS queries between the stub and the can mitigate interference with DNS queries between the stub and the
resolver. resolver.
Responding to a DNS query with an incorrect address can be achieved Responding to a DNS query with an incorrect address can be achieved
with on-path interception, off-path cache poisoning, and lying by the with on-path interception, off-path cache poisoning, or lying by the
name server. name server.
"DNS mangling" is a network-level technique of on-path interception "DNS mangling" is a network-level technique of on-path interception
where an incorrect IP address is returned in response to a DNS query where an incorrect IP address is returned in response to a DNS query
to a censored destination. Some Chinese networks, for example, do to a censored destination. Some Chinese networks, for example, do
this. (We are not aware of any other wide-scale uses of mangling.) this. (We are not aware of any other wide-scale uses of mangling.)
On those Chinese networks, each DNS request in transit is examined On those Chinese networks, each DNS request in transit is examined
(presumably by network inspection technologies such as DPI), and if (presumably by network inspection technologies such as DPI), and if
it matches a censored domain, a false response is injected. End it matches a censored domain, a false response is injected. End
users can see this technique in action by simply sending DNS requests users can see this technique in action by simply sending DNS requests
skipping to change at line 875 skipping to change at line 875
There are also cases of what is colloquially called "DNS lying", There are also cases of what is colloquially called "DNS lying",
where a censor mandates that the DNS responses provided -- by an where a censor mandates that the DNS responses provided -- by an
operator of a recursive resolver such as an Internet Access Provider operator of a recursive resolver such as an Internet Access Provider
-- be different than what an authoritative name server would provide -- be different than what an authoritative name server would provide
[Bortzmeyer-2015]. [Bortzmeyer-2015].
Trade-offs: These forms of DNS interference require the censor to Trade-offs: These forms of DNS interference require the censor to
force a user to traverse a controlled DNS hierarchy (or intervening force a user to traverse a controlled DNS hierarchy (or intervening
network on which the censor serves as an active pervasive attacker network on which the censor serves as an active pervasive attacker
[RFC7624] to rewrite DNS responses) for the mechanism to be [RFC7624] to rewrite DNS responses) for the mechanism to be
effective. It can be circumvented by using alternative DNS resolvers effective. DNS interference can be circumvented by using alternative
(such as any of the public DNS resolvers) that may fall outside of DNS resolvers (such as any of the public DNS resolvers) that may fall
the jurisdictional control of the censor or Virtual Private Network outside of the jurisdictional control of the censor or Virtual
(VPN) technology. DNS mangling and cache poisoning also imply Private Network (VPN) technology. DNS mangling and cache poisoning
returning an incorrect IP to those attempting to resolve a domain also imply returning an incorrect IP to those attempting to resolve a
name, but in some cases the destination may be technically domain name, but in some cases the destination may be technically
accessible. For example, over HTTP, the user may have another method accessible. For example, over HTTP, the user may have another method
of obtaining the IP address of the desired site and may be able to of obtaining the IP address of the desired site and may be able to
access it if the site is configured to be the default server access it if the site is configured to be the default server
listening at this IP address. Target blocking has also been a listening at this IP address. Target blocking has also been a
problem, as occasionally users outside of the censor's region will be problem, as occasionally users outside of the censor's region will be
directed through DNS servers or DNS-rewriting network equipment directed through DNS servers or DNS-rewriting network equipment
controlled by a censor, causing the request to fail. The ease of controlled by a censor, causing the request to fail. The ease of
circumvention paired with the large risk of content blocking and circumvention paired with the large risk of content blocking and
target blocking make DNS interference a partial, difficult, and less- target blocking make DNS interference a partial, difficult, and less-
than-ideal censorship mechanism. than-ideal censorship mechanism.
skipping to change at line 916 skipping to change at line 916
Empirical Examples: DNS interference, when properly implemented, is Empirical Examples: DNS interference, when properly implemented, is
easy to identify based on the shortcomings identified above. Turkey easy to identify based on the shortcomings identified above. Turkey
relied on DNS interference for its country-wide block of websites, relied on DNS interference for its country-wide block of websites,
including Twitter and YouTube, for almost a week in March of 2014. including Twitter and YouTube, for almost a week in March of 2014.
The ease of circumvention resulted in an increase in the popularity The ease of circumvention resulted in an increase in the popularity
of Twitter until Turkish ISPs implemented an IP blocklist to achieve of Twitter until Turkish ISPs implemented an IP blocklist to achieve
the governmental mandate [Zmijewski-2014]. Ultimately, Turkish ISPs the governmental mandate [Zmijewski-2014]. Ultimately, Turkish ISPs
started hijacking all requests to Google and Level 3's international started hijacking all requests to Google and Level 3's international
DNS resolvers [Zmijewski-2014]. DNS interference, when incorrectly DNS resolvers [Zmijewski-2014]. DNS interference, when incorrectly
implemented, has resulted in some of the largest "censorship implemented, has resulted in some of the largest censorship
disasters". In January 2014, China started directing all requests disasters. In January 2014, China started directing all requests
passing through the Great Fire Wall to a single domain passing through the Great Fire Wall to a single domain
"dongtaiwang.com", due to an improperly configured DNS poisoning "dongtaiwang.com", due to an improperly configured DNS poisoning
attempt. This incident is thought to be the largest Internet service attempt. This incident is thought to be the largest Internet service
outage in history [AFP-2014] [Anon-SIGCOMM12]. Countries such as outage in history [AFP-2014] [Anon-SIGCOMM12]. Countries such as
China, Iran, Turkey, and the United States have discussed blocking China, Turkey, and the United States have discussed blocking entire
entire Top-Level Domains (TLDs) as well, but only Iran has acted by Top-Level Domains (TLDs) as well [Albert-2011]. DNS blocking is
blocking all Israeli (.il) domains [Albert-2011]. DNS blocking is
commonly deployed in European countries to deal with undesirable commonly deployed in European countries to deal with undesirable
content, such as child abuse content (Norway, United Kingdom, content, such as
Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Malta,
the Netherlands, Poland, Spain, and Sweden [Wright-2013] * child abuse content (Norway, United Kingdom, Belgium, Denmark,
[Eneman-2010]), online gambling (Belgium, Bulgaria, Czech Republic, Finland, France, Germany, Ireland, Italy, Malta, the Netherlands,
Cyprus, Denmark, Estonia, France, Greece, Hungary, Italy, Latvia, Poland, Spain, and Sweden [Wright-2013] [Eneman-2010]),
Lithuania, Poland, Portugal, Romania, Slovakia, Slovenia, and Spain
(see Section 6.3.2 of [EC-gambling-2012], [EC-gambling-2019])), * online gambling (Belgium, Bulgaria, Czech Republic, Cyprus,
copyright infringement (all European Economic Area countries), hate- Denmark, Estonia, France, Greece, Hungary, Italy, Latvia,
speech and extremism (France [Hertel-2015]), and terrorism content Lithuania, Poland, Portugal, Romania, Slovakia, Slovenia, and
(France [Hertel-2015]). Spain (see Section 6.3.2 of [EC-gambling-2012],
[EC-gambling-2019])),
* copyright infringement (all European Economic Area countries),
* hate speech and extremism (France [Hertel-2015]), and
* terrorism content (France [Hertel-2015]).
5.2. Transport Layer 5.2. Transport Layer
5.2.1. Performance Degradation 5.2.1. Performance Degradation
While other interference techniques outlined in this section mostly While other interference techniques outlined in this section mostly
focus on blocking or preventing access to content, it can be an focus on blocking or preventing access to content, it can be an
effective censorship strategy in some cases to not entirely block effective censorship strategy in some cases to not entirely block
access to a given destination or service but instead to degrade the access to a given destination or service but instead to degrade the
performance of the relevant network connection. The resulting user performance of the relevant network connection. The resulting user
skipping to change at line 997 skipping to change at line 1003
one of its primary technical censorship mechanisms [Ensafi-2013]. one of its primary technical censorship mechanisms [Ensafi-2013].
Iran has also used packet dropping as the mechanism for throttling Iran has also used packet dropping as the mechanism for throttling
SSH [Aryan-2013]. These are but two examples of a ubiquitous SSH [Aryan-2013]. These are but two examples of a ubiquitous
censorship practice. Notably, packet dropping during the handshake censorship practice. Notably, packet dropping during the handshake
or working connection is the only interference technique observed for or working connection is the only interference technique observed for
QUIC traffic to date (e.g., in India, Iran, Russia, and Uganda QUIC traffic to date (e.g., in India, Iran, Russia, and Uganda
[Elmenhorst-2021] [Elmenhorst-2022]). [Elmenhorst-2021] [Elmenhorst-2022]).
5.2.3. RST Packet Injection 5.2.3. RST Packet Injection
Packet injection, generally, refers to a man-in-the-middle (MITM) Packet injection, generally, refers to a machine-in-the-middle (MITM)
network interference technique that spoofs packets in an established network interference technique that spoofs packets in an established
traffic stream. RST packets are normally used to let one side of a traffic stream. RST packets are normally used to let one side of a
TCP connection know the other side has stopped sending information TCP connection know the other side has stopped sending information
and that the receiver should close the connection. RST packet and that the receiver should close the connection. RST packet
injection is a specific type of packet injection attack that is used injection is a specific type of packet injection attack that is used
to interrupt an established stream by sending RST packets to both to interrupt an established stream by sending RST packets to both
sides of a TCP connection; as each receiver thinks the other has sides of a TCP connection; as each receiver thinks the other has
dropped the connection, the session is terminated. dropped the connection, the session is terminated.
QUIC is not vulnerable to these types of injection attacks once the QUIC is not vulnerable to these types of injection attacks once the
skipping to change at line 1025 skipping to change at line 1031
Trade-offs: Although ineffective against non-TCP protocols (QUIC, Trade-offs: Although ineffective against non-TCP protocols (QUIC,
IPsec), RST packet injection has a few advantages that make it IPsec), RST packet injection has a few advantages that make it
extremely popular as a technique employed for censorship. RST packet extremely popular as a technique employed for censorship. RST packet
injection is an out-of-band interference mechanism, allowing the injection is an out-of-band interference mechanism, allowing the
avoidance of the QoS bottleneck that one can encounter with inline avoidance of the QoS bottleneck that one can encounter with inline
techniques such as packet dropping. This out-of-band property allows techniques such as packet dropping. This out-of-band property allows
a censor to inspect a copy of the information, usually mirrored by an a censor to inspect a copy of the information, usually mirrored by an
optical splitter, making it an ideal pairing for DPI and protocol optical splitter, making it an ideal pairing for DPI and protocol
identification [Weaver-2009]. (This asynchronous version of a MITM identification [Weaver-2009]. (This asynchronous version of a MITM
is often called a man-on-the-side (MOTS).) RST packet injection also is often called a machine-on-the-side (MOTS).) RST packet injection
has the advantage of only requiring one of the two endpoints to also has the advantage of only requiring one of the two endpoints to
accept the spoofed packet for the connection to be interrupted. accept the spoofed packet for the connection to be interrupted.
The difficult part of RST packet injection is spoofing "enough" The difficult part of RST packet injection is spoofing "enough"
correct information to ensure one endpoint accepts a RST packet as correct information to ensure one endpoint accepts a RST packet as
legitimate; this generally implies a correct IP, port, and TCP legitimate; this generally implies a correct IP, port, and TCP
sequence number. The sequence number is the hardest to get correct, sequence number. The sequence number is the hardest to get correct,
as [RFC0793] specifies a RST packet should be in sequence to be as [RFC9293] specifies that a RST packet should be in sequence to be
accepted, although that RFC also recommends allowing in-window accepted, although that RFC also recommends allowing in-window
packets as "good enough". This in-window recommendation is packets. This in-window recommendation is important; if it is
important; if it is implemented, it allows for successful Blind RST implemented, it allows for successful Blind RST Injection attacks
Injection attacks [Netsec-2011]. When in-window sequencing is [Netsec-2011]. When in-window sequencing is allowed, it is trivial
allowed, it is trivial to conduct a Blind RST Injection. While the to conduct a Blind RST Injection. While the term "blind" injection
term "blind" injection implies the censor doesn't know any sensitive implies the censor doesn't know any sensitive sequencing information
sequencing information about the TCP stream they are injecting into, about the TCP stream they are injecting into, they can simply
they can simply enumerate all ~70000 possible windows. This is enumerate all ~70000 possible windows. This is particularly useful
particularly useful for interrupting encrypted/obfuscated protocols for interrupting encrypted/obfuscated protocols such as SSH or Tor
such as SSH or Tor [Gilad]. Some censorship evasion systems work by [Gilad]. Some censorship evasion systems work by trying to confuse
trying to confuse the censor into tracking incorrect information, the censor into tracking incorrect information, rendering their RST
rendering their RST packet injection useless [Khattak-2013] packet injection useless [Khattak-2013] [Wang-2017] [Li-2017]
[Wang-2017] [Li-2017] [Bock-2019] [Wang-2020]. [Bock-2019] [Wang-2020].
RST packet injection relies on a stateful network, making it useless RST packet injection relies on a stateful network, making it useless
against UDP connections. RST packet injection is among the most against UDP connections. RST packet injection is among the most
popular censorship techniques used today given its versatile nature popular censorship techniques used today given its versatile nature
and effectiveness against all types of TCP traffic. Recent research and effectiveness against all types of TCP traffic. Recent research
shows that a TCP RST packet injection attack can even work in the shows that a TCP RST packet injection attack can even work in the
case of an off-path attacker [Cao-2016]. case of an off-path attacker [Cao-2016].
Empirical Examples: RST packet injection, as mentioned above, is most Empirical Examples: RST packet injection, as mentioned above, is most
often paired with identification techniques that require splitting, often paired with identification techniques that require splitting,
skipping to change at line 1131 skipping to change at line 1137
because incorrect BGP routes that leak globally can be fixed, but because incorrect BGP routes that leak globally can be fixed, but
leaks within a jurisdiction can only be corrected by an ISP/IXP for leaks within a jurisdiction can only be corrected by an ISP/IXP for
local users. local users.
Empirical Examples: In 2008, Pakistan Telecom censored YouTube at the Empirical Examples: In 2008, Pakistan Telecom censored YouTube at the
request of the Pakistan government by changing its BGP routes for the request of the Pakistan government by changing its BGP routes for the
website. The new routes were announced to the ISP's upstream website. The new routes were announced to the ISP's upstream
providers and beyond. The entire Internet began directing YouTube providers and beyond. The entire Internet began directing YouTube
routes to Pakistan Telecom and continued doing so for many hours. In routes to Pakistan Telecom and continued doing so for many hours. In
2018, nearly all Google services and Google Cloud customers, like 2018, nearly all Google services and Google Cloud customers, like
Spotify, all lost more than one hour of service after it lost control Spotify, all lost more than one hour of service after Google lost
of several million of its IP addresses. Those IP prefixes were being control of several million of its IP addresses. Those IP prefixes
misdirected to China Telecom, a Chinese government-owned ISP were being misdirected to China Telecom, a Chinese government-owned
[Google-2018], in a manner similar to the BGP hijacking of US ISP [Google-2018], in a manner similar to the BGP hijacking of US
government and military websites by China Telecom in 2010. ISPs in government and military websites by China Telecom in 2010. ISPs in
both Russia (2022) and Myanmar (2021) have tried to hijack the same both Russia (2022) and Myanmar (2021) have tried to hijack the same
Twitter prefix more than once [MANRS]. Twitter prefix more than once [MANRS].
5.4. Multi-layer and Non-layer 5.4. Multi-layer and Non-layer
5.4.1. Distributed Denial of Service (DDoS) 5.4.1. Distributed Denial of Service (DDoS)
Distributed Denial of Service attacks are a common attack mechanism Distributed Denial of Service attacks are a common attack mechanism
used by "hacktivists" and malicious hackers. Censors have also used used by "hacktivists" and malicious hackers. Censors have also used
DDoS in the past for a variety of reasons. There is a wide variety DDoS in the past for a variety of reasons. There is a wide variety
of DDoS attacks [Wikip-DoS]. However, at a high level, two possible of DDoS attacks [Wikip-DoS]. However, at a high level, two possible
impacts from the attack tend to occur: a flood attack results in the impacts from the attack tend to occur: a flood attack results in the
service being unusable while resources are being spent to flood the service being unusable while resources are being spent to flood the
service, and a crash attack aims to crash the service so resources service, and a crash attack aims to crash the service so resources
can be reallocated elsewhere without "releasing" the service. can be reallocated elsewhere without "releasing" the service.
Trade-offs: DDoS is an appealing mechanism when a censor would like Trade-offs: DDoS is an appealing mechanism when a censor would like
to prevent all access to undesirable content, instead of only to prevent all access (not just regional access) to undesirable
preventing access in their region for a limited period of time. The content for a limited period of time. Temporal impermanence is
latter is really the only uniquely beneficial feature for DDoS as a really the only uniquely beneficial feature of DDoS as a technique
technique employed for censorship. The resources required to carry employed for censorship. The resources required to carry out a
out a successful DDoS against major targets are computationally successful DDoS against major targets are computationally expensive,
expensive, usually requiring rental or ownership of a malicious usually requiring rental or ownership of a malicious distributed
distributed platform such as a botnet, and they are imprecise. DDoS platform such as a botnet, and they are imprecise. DDoS is an
is an incredibly crude censorship technique and appears to largely be incredibly crude censorship technique and appears to largely be used
used as a timely, easy-to-access mechanism for blocking undesirable as a timely, easy-to-access mechanism for blocking undesirable
content for a limited period of time. content for a limited period of time.
Empirical Examples: In 2012, the U.K.'s signals intelligence Empirical Examples: In 2012, the U.K.'s signals intelligence
organization, the Government Communications Headquarters (GCHQ), used organization, the Government Communications Headquarters (GCHQ), used
DDoS to temporarily shutdown Internet Relay Chat (IRC) chat rooms DDoS to temporarily shutdown Internet Relay Chat (IRC) chat rooms
frequented by members of Anonymous using the Syn Flood DDoS method; frequented by members of Anonymous using the Syn Flood DDoS method;
Syn Flood exploits the handshake used by TCP to overload the victim Syn Flood exploits the handshake used by TCP to overload the victim
server with so many requests that legitimate traffic becomes slow or server with so many requests that legitimate traffic becomes slow or
impossible [Schone-2014] [CERT-2000]. Dissenting opinion websites impossible [NBC-2014] [CERT-2000]. Dissenting opinion websites are
are frequently victims of DDoS around politically sensitive events frequently victims of DDoS around politically sensitive events like
like the DDoS in Burma [Villeneuve-2011]. Controlling parties in the DDoS in Burma [Villeneuve-2011]. Controlling parties in Russia
Russia [Kravtsova-2012], Zimbabwe [Orion-2013], and Malaysia [Kravtsova-2012], Zimbabwe [Orion-2013], and Malaysia
[Muncaster-2013] have been accused of using DDoS to interrupt [Muncaster-2013] have been accused of using DDoS to interrupt
opposition support and access during elections. In 2015, China opposition support and access during elections. In 2015, China
launched a DDoS attack using a true MITM system (dubbed "Great launched a DDoS attack using a true MITM system (dubbed "Great
Cannon"), collocated with the Great Firewall, that was able to inject Cannon"), collocated with the Great Firewall, that was able to inject
JavaScript code into web visits to a Chinese search engine that JavaScript code into web visits to a Chinese search engine that
commandeered those user agents to send DDoS traffic to various sites commandeered those user agents to send DDoS traffic to various sites
[Marczak-2015]. [Marczak-2015].
5.4.2. Censorship in Depth 5.4.2. Censorship in Depth
skipping to change at line 1247 skipping to change at line 1253
Self-censorship is difficult to document as it manifests primarily Self-censorship is difficult to document as it manifests primarily
through a lack of undesirable content. Tools that encourage self- through a lack of undesirable content. Tools that encourage self-
censorship may lead a prospective speaker to believe that speaking censorship may lead a prospective speaker to believe that speaking
increases the risk of unfavorable outcomes for the speaker (technical increases the risk of unfavorable outcomes for the speaker (technical
monitoring, identification requirements, etc.). Reporters Without monitoring, identification requirements, etc.). Reporters Without
Borders exemplify methods of imposing self-censorship in their annual Borders exemplify methods of imposing self-censorship in their annual
World Press Freedom Index reports [RWB-2020]. World Press Freedom Index reports [RWB-2020].
6.3. Server Takedown 6.3. Server Takedown
As mentioned in passing by [Murdoch-2011], servers must have a As mentioned in passing by [Murdoch-2008], servers must have a
physical location somewhere in the world. If undesirable content is physical location somewhere in the world. If undesirable content is
hosted in the censoring country, the servers can be physically hosted in the censoring country, the servers can be physically
seized, or -- in cases where a server is virtualized in a cloud seized, or -- in cases where a server is virtualized in a cloud
infrastructure where it may not necessarily have a fixed physical infrastructure where it may not necessarily have a fixed physical
location -- the hosting provider can be required to prevent access. location -- the hosting provider can be required to prevent access.
6.4. Notice and Takedown 6.4. Notice and Takedown
In many countries, legal mechanisms exist where an individual or In many countries, legal mechanisms exist where an individual or
other content provider can issue a legal request to a content host other content provider can issue a legal request to a content host
skipping to change at line 1312 skipping to change at line 1318
Lastly, the empirical examples demonstrate that censorship techniques Lastly, the empirical examples demonstrate that censorship techniques
can evolve quickly, and experience shows that this document can only can evolve quickly, and experience shows that this document can only
be a point-in-time statement. Future work might extend this document be a point-in-time statement. Future work might extend this document
with updates and new techniques described using a comparable with updates and new techniques described using a comparable
methodology. methodology.
8. IANA Considerations 8. IANA Considerations
This document has no IANA actions. This document has no IANA actions.
9. Informative References 9. Security Considerations
This document is a survey of existing literature on network
censorship techniques. As such, it does not introduce any new
security considerations to be taken into account beyond what is
already discussed in each paper surveyed.
10. Informative References
[AFNIC-2013] [AFNIC-2013]
AFNIC, "Report of the AFNIC Scientific Council: AFNIC, "Report of the AFNIC Scientific Council:
Consequences of DNS-based Internet filtering", January Consequences of DNS-based Internet filtering", January
2013, 2013,
<http://www.afnic.fr/medias/documents/conseilscientifique/ <http://www.afnic.fr/medias/documents/conseilscientifique/
SC-consequences-of-DNS-based-Internet-filtering.pdf>. SC-consequences-of-DNS-based-Internet-filtering.pdf>.
[AFP-2014] AFP, "China Has Massive Internet Breakdown Reportedly [AFP-2014] AFP, "China Has Massive Internet Breakdown Reportedly
Caused By Their Own Censoring Tools", January 2014, Caused By Their Own Censoring Tools", January 2014,
skipping to change at line 1350 skipping to change at line 1363
2013, <https://en.greatfire.org/blog/2013/jan/github- 2013, <https://en.greatfire.org/blog/2013/jan/github-
blocked-china-how-it-happened-how-get-around-it-and-where- blocked-china-how-it-happened-how-get-around-it-and-where-
it-will-take-us>. it-will-take-us>.
[Anonymous-2014] [Anonymous-2014]
Anonymous, "Towards a Comprehensive Picture of the Great Anonymous, "Towards a Comprehensive Picture of the Great
Firewall's DNS Censorship", August 2014, Firewall's DNS Censorship", August 2014,
<https://www.usenix.org/system/files/conference/foci14/ <https://www.usenix.org/system/files/conference/foci14/
foci14-anonymous.pdf>. foci14-anonymous.pdf>.
[AP-2012] Associated Press, "Sattar Beheshit, Iranian Blogger, Was
Beaten In Prison According To Prosecutor", 2012,
<http://www.huffingtonpost.com/2012/12/03/sattar-beheshit-
iran_n_2233125.html>.
[Aryan-2013] [Aryan-2013]
Aryan, S., Aryan, H., and J. A. Halderman, "Internet Aryan, S., Aryan, H., and J. A. Halderman, "Internet
Censorship in Iran: A First Look", 2012, Censorship in Iran: A First Look", 2012,
<https://jhalderm.com/pub/papers/iran-foci13.pdf>. <https://jhalderm.com/pub/papers/iran-foci13.pdf>.
[BBC-2013] BBC News, "Google and Microsoft agree steps to block abuse [BBC-2013] BBC News, "Google and Microsoft agree steps to block abuse
images", November 2013, images", November 2013,
<http://www.bbc.com/news/uk-24980765>. <http://www.bbc.com/news/uk-24980765>.
[BBC-2013b] [BBC-2013b]
BBC, "China employs two million microblog monitors state BBC, "China employs two million microblog monitors state
media say", 2013, media say", 2013,
<http://www.bbc.com/news/world-asia-china-2439695>. <https://www.bbc.com/news/world-asia-china-24396957>.
[Bentham-1791]
Bentham, J., "Panopticon Or the Inspection House", 1791,
<https://www.google.com/books/edition/_/
Ec4TAAAAQAAJ?hl=en>.
[Bock-2019] [Bock-2019]
Bock, K., Hughey, G., Qiang, X., and D. Levin, "Geneva: Bock, K., Hughey, G., Qiang, X., and D. Levin, "Geneva:
Evolving Censorship Evasion Strategies", Evolving Censorship Evasion Strategies",
DOI 10.1145/3319535.3363189, November 2019, DOI 10.1145/3319535.3363189, November 2019,
<https://geneva.cs.umd.edu/papers/geneva_ccs19.pdf>. <https://geneva.cs.umd.edu/papers/geneva_ccs19.pdf>.
[Bock-2020] [Bock-2020]
Bock, K., Fax, Y., Reese, K., Singh, J., and D. Levin, Bock, K., Fax, Y., Reese, K., Singh, J., and D. Levin,
"Detecting and Evading Censorship-in-Depth: A Case Study "Detecting and Evading Censorship-in-Depth: A Case Study
skipping to change at line 1424 skipping to change at line 1427
<https://labs.ripe.net/Members/stephane_bortzmeyer/dns- <https://labs.ripe.net/Members/stephane_bortzmeyer/dns-
censorship-dns-lies-seen-by-atlas-probes>. censorship-dns-lies-seen-by-atlas-probes>.
[Boyle-1997] [Boyle-1997]
Boyle, J., "Foucault in Cyberspace: Surveillance, Boyle, J., "Foucault in Cyberspace: Surveillance,
Sovereignty, and Hardwired Censors", 66 University of Sovereignty, and Hardwired Censors", 66 University of
Cincinnati Law Review 177-205, 1997, Cincinnati Law Review 177-205, 1997,
<https://scholarship.law.duke.edu/ <https://scholarship.law.duke.edu/
faculty_scholarship/619/>. faculty_scholarship/619/>.
[Bristow-2008]
Bristow, M., "China's internet 'spin doctors'", BBC News,
December 2008,
<http://news.bbc.co.uk/2/hi/asia-pacific/7783640.stm>.
[Calamur-2013]
Calamur, K., "Prominent Egyptian Blogger Arrested",
November 2013, <http://www.npr.org/blogs/thetwo-
way/2013/11/29/247820503/prominent-egyptian-blogger-
arrested>.
[Cao-2016] Cao, Y., Qian, Z., Wang, Z., Dao, T., Krishnamurthy, S., [Cao-2016] Cao, Y., Qian, Z., Wang, Z., Dao, T., Krishnamurthy, S.,
and L. Marvel, "Off-Path TCP Exploits: Global Rate Limit and L. Marvel, "Off-Path TCP Exploits: Global Rate Limit
Considered Dangerous", August 2016, Considered Dangerous", August 2016,
<https://www.usenix.org/system/files/conference/ <https://www.usenix.org/system/files/conference/
usenixsecurity16/sec16_paper_cao.pdf>. usenixsecurity16/sec16_paper_cao.pdf>.
[CERT-2000] [CERT-2000]
CERT, "TCP SYN Flooding and IP Spoofing Attacks", 2000, CERT, "CERT Advisory CA-1996-21 TCP SYN Flooding and IP
<http://www.cert.org/historical/advisories/CA- Spoofing Attacks", 2000,
1996-21.cfm>. <https://vuls.cert.org/confluence/display/historical/
CERT+Advisory+CA-
1996-21+TCP+SYN+Flooding+and+IP+Spoofing+Attacks>.
[Chai-2019] [Chai-2019]
Chai, Z., Ghafari, A., and A. Houmansadr, "On the Chai, Z., Ghafari, A., and A. Houmansadr, "On the
Importance of Encrypted-SNI (ESNI) to Censorship Importance of Encrypted-SNI (ESNI) to Censorship
Circumvention", 2019, Circumvention", 2019,
<https://www.usenix.org/system/files/ <https://www.usenix.org/system/files/
foci19-paper_chai_update.pdf>. foci19-paper_chai_update.pdf>.
[Cheng-2010] [Cheng-2010]
Cheng, J., "Google stops Hong Kong auto-redirect as China Cheng, J., "Google stops Hong Kong auto-redirect as China
skipping to change at line 1541 skipping to change at line 1535
[EC-2012] European Commission, "Summary of the results of the Public [EC-2012] European Commission, "Summary of the results of the Public
Consultation on the future of electronic commerce in the Consultation on the future of electronic commerce in the
Internal Market and the implementation of the Directive on Internal Market and the implementation of the Directive on
electronic commerce (2000/31/EC)", January 2012, electronic commerce (2000/31/EC)", January 2012,
<https://ec.europa.eu/information_society/newsroom/image/ <https://ec.europa.eu/information_society/newsroom/image/
document/2017-4/ document/2017-4/
consultation_summary_report_en_2010_42070.pdf>. consultation_summary_report_en_2010_42070.pdf>.
[EC-gambling-2012] [EC-gambling-2012]
European Commission, "Online gambling in the Internal European Commission, "Online gambling in the Internal
Market", 2012, <https://eur-lex.europa.eu/legal- Market Accompanying the document Communication from the
Commission to the European Parliament, the Council, the
Economic and Social Committee and the Committee of the
Regions Towards a comprehensive framework for online
gambling", 2012, <https://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=CELEX:52012SC0345>. content/EN/TXT/?uri=CELEX:52012SC0345>.
[EC-gambling-2019] [EC-gambling-2019]
European Commission, "Evaluation of regulatory tools for European Commission, "Evaluation of regulatory tools for
enforcing online gambling rules and channelling demand enforcing online gambling rules and channelling demand
towards controlled offers", January 2019, towards controlled offers", January 2019,
<https://ec.europa.eu/growth/content/evaluation- <https://ec.europa.eu/growth/content/evaluation-
regulatory-tools-enforcing-online-gambling-rules-and- regulatory-tools-enforcing-online-gambling-rules-and-
channelling-demand-towards-1_en>. channelling-demand-towards-1_en>.
[EFF-2017] Malcom, J., Rossi, G., and M. Stoltz, "Which Internet [EFF-2017] Malcom, J., Rossi, G., and M. Stoltz, "Which Internet
registries offer the best protection for domain owners?", registries offer the best protection for domain owners?",
Electronic Frontier Foundation, July 2017, Electronic Frontier Foundation, July 2017,
<https://www.eff.org/files/2017/08/02/ <https://www.eff.org/files/2017/08/02/
domain_registry_whitepaper.pdf>. domain_registry_whitepaper.pdf>.
[ekr-2021] Rescorla, E., "Overview of Apple's Client-side CSAM [ekr-2021] Rescorla, E., "Overview of Apple's Client-side CSAM
Scanning", August 2021, Scanning", August 2021,
<https://educatedguesswork.org/posts/apple-csam-intro/>. <https://educatedguesswork.org/posts/apple-csam-intro/>.
[Ellul-1973]
Ellul, J., "Propaganda: The Formation of Men's Attitudes",
1973, <https://www.penguinrandomhouse.com/books/46234/
propaganda-by-jacques-ellul/>.
[Elmenhorst-2021] [Elmenhorst-2021]
Elmenhorst, K., Schuetz, B., Aschenbruck, N., and S. Elmenhorst, K., Schuetz, B., Aschenbruck, N., and S.
Basso, "Web Censorship Measurements of HTTP/3 over QUIC", Basso, "Web Censorship Measurements of HTTP/3 over QUIC",
IMC '21: Proceedings of the 21st ACM Internet Measurement IMC '21: Proceedings of the 21st ACM Internet Measurement
Conference, Pages 276-282, DOI 10.1145/3487552.3487836, Conference, Pages 276-282, DOI 10.1145/3487552.3487836,
November 2021, November 2021,
<https://dl.acm.org/doi/pdf/10.1145/3487552.3487836>. <https://dl.acm.org/doi/pdf/10.1145/3487552.3487836>.
[Elmenhorst-2022] [Elmenhorst-2022]
Elmenhorst, K., "A Quick Look at QUIC Censorship", April Elmenhorst, K., "A Quick Look at QUIC Censorship", April
2022, 2022,
<https://www.opentech.fund/news/a-quick-look-at-quic/>. <https://www.opentech.fund/news/a-quick-look-at-quic/>.
[Eneman-2010] [Eneman-2010]
Eneman, M., "ISPs filtering of child abusive material: A Eneman, M., "Internet service provider (ISP) filtering of
critical reflection of its effectiveness", 2010, child-abusive material: A critical reflection of its
<https://www.gu.se/forskning/ effectiveness", DOI 10.1080/13552601003760014, June 2010,
publikation/?publicationId=96592>. <https://www.tandfonline.com/doi/
abs/10.1080/13552601003760014>.
[Ensafi-2013] [Ensafi-2013]
Ensafi, R., Knockel, J., Alexander, G., and J.R. Crandall, Ensafi, R., Knockel, J., Alexander, G., and J.R. Crandall,
"Detecting Intentional Packet Drops on the Internet via "Detecting Intentional Packet Drops on the Internet via
TCP/IP Side Channels: Extended Version", TCP/IP Side Channels: Extended Version",
DOI 10.48550/arXiv.1312.5739, December 2013, DOI 10.48550/arXiv.1312.5739, December 2013,
<http://arxiv.org/pdf/1312.5739v1.pdf>. <http://arxiv.org/pdf/1312.5739v1.pdf>.
[Fareed-2008]
Fareed, M., "China joins a turf war", The Guardian,
September 2008,
<http://www.theguardian.com/media/2008/sep/22/
chinathemedia.marketingandpr>.
[Fifield-2015] [Fifield-2015]
Fifield, D., Lan, C., Hynes, R., Wegmann, P., and V. Fifield, D., Lan, C., Hynes, R., Wegmann, P., and V.
Paxson, "Blocking-resistant communication through domain Paxson, "Blocking-resistant communication through domain
fronting", DOI 10.1515/popets-2015-0009, May 2015, fronting", DOI 10.1515/popets-2015-0009, May 2015,
<https://petsymposium.org/2015/papers/03_Fifield.pdf>. <https://petsymposium.org/2015/papers/03_Fifield.pdf>.
[Gao-2014] Gao, H., "Tiananmen, Forgotten", The New York Times, June
2014, <http://www.nytimes.com/2014/06/04/opinion/
tiananmen-forgotten.html>.
[Gatlan-2019] [Gatlan-2019]
Gatlan, S., "South Korea is Censoring the Internet by Gatlan, S., "South Korea is Censoring the Internet by
Snooping on SNI Traffic", February 2019, Snooping on SNI Traffic", February 2019,
<https://www.bleepingcomputer.com/news/security/south- <https://www.bleepingcomputer.com/news/security/south-
korea-is-censoring-the-internet-by-snooping-on-sni- korea-is-censoring-the-internet-by-snooping-on-sni-
traffic/>. traffic/>.
[Gilad] Gilad, Y. and A. Herzberg, "Off-Path TCP Injection [Gilad] Gilad, Y. and A. Herzberg, "Off-Path TCP Injection
Attacks", ACM Transactions on Information and System Attacks", ACM Transactions on Information and System
Security, Volume 16, Issue 4, Article No.: 13, pp. 1-32, Security, Volume 16, Issue 4, Article No.: 13, pp. 1-32,
skipping to change at line 1645 skipping to change at line 1629
protection law in Europe", 2015, protection law in Europe", 2015,
<https://support.google.com/legal/contact/ <https://support.google.com/legal/contact/
lr_eudpa?product=websearch>. lr_eudpa?product=websearch>.
[Grover-2019] [Grover-2019]
Grover, G., Singh, K., and E. Hickok, Ed., "Reliance Jio Grover, G., Singh, K., and E. Hickok, Ed., "Reliance Jio
is using SNI inspection to block websites", November 2019, is using SNI inspection to block websites", November 2019,
<https://cis-india.org/internet-governance/blog/reliance- <https://cis-india.org/internet-governance/blog/reliance-
jio-is-using-sni-inspection-to-block-websites>. jio-is-using-sni-inspection-to-block-websites>.
[Guardian-2014]
The Guardian, "Chinese blogger jailed under crackdown on
'internet rumours'", April 2014,
<http://www.theguardian.com/world/2014/apr/17/chinese-
blogger-jailed-crackdown-internet-rumours-qin-zhihui>.
[HADOPI] Hadopi, "Hadopi | Haute Autorité pour la diffusion des [HADOPI] Hadopi, "Hadopi | Haute Autorité pour la diffusion des
oeuvres et la protection des droits sur internet", oeuvres et la protection des droits sur internet",
<https://www.hadopi.fr/>. <https://www.hadopi.fr/>.
[Halley-2008] [Halley-2008]
Halley, B., "How DNS cache poisoning works", October 2008, Halley, B., "How DNS cache poisoning works", October 2008,
<https://www.networkworld.com/article/2277316/tech- <https://www.networkworld.com/article/2277316/tech-
primers/tech-primers-how-dns-cache-poisoning-works.html>. primers/tech-primers-how-dns-cache-poisoning-works.html>.
[Heacock-2009] [Heacock-2009]
Heacock, R., "China shuts down Internet in Xinjiang region Heacock, R., "China shuts down Internet in Xinjiang region
after riots", OpenNet Initiative, July 2009, after riots", OpenNet Initiative, July 2009,
<https://opennet.net/blog/2009/07/china-shuts-down- <https://opennet.net/blog/2009/07/china-shuts-down-
internet-xinjiang-region-after-riots>. internet-xinjiang-region-after-riots>.
[Hepting-2011] [Hepting-2011]
Wikipedia, "Hepting v. AT&T", 2011, Wikipedia, "Hepting v. AT&T", September 2023,
<https://en.wikipedia.org/wiki/Hepting_v._AT%26T>. <https://en.wikipedia.org/wiki/
Hepting_v._AT%26T&oldid=1175143505>.
[Hertel-2015] [Hertel-2015]
Hertel, O., "Comment les autorités peuvent bloquer un site Hertel, O., "Comment les autorités peuvent bloquer un site
Internet" [How authorities can block a website], March Internet" [How authorities can block a website], March
2015, <https://www.sciencesetavenir.fr/high-tech/comment- 2015, <https://www.sciencesetavenir.fr/high-tech/comment-
les-autorites-peuvent-bloquer-un-site-internet_35828>. les-autorites-peuvent-bloquer-un-site-internet_35828>.
[Hjelmvik-2010] [Hjelmvik-2010]
Hjelmvik, E. and W. John, "Breaking and Improving Protocol Hjelmvik, E. and W. John, "Breaking and Improving Protocol
Obfuscation", Technical Report No. 2010-05, ISSN Obfuscation", Technical Report No. 2010-05, ISSN
1652-926X, July 2010, 1652-926X, July 2010,
<https://www.iis.se/docs/hjelmvik_breaking.pdf>. <https://www.iis.se/docs/hjelmvik_breaking.pdf>.
[Hopkins-2011]
Hopkins, C., "Communications Blocked in Libya, Qatari
Blogger Arrested: This Week in Online Tyranny", ReadWrite,
March 2011, <http://readwrite.com/2011/03/03/
communications_blocked_in_libya_this_week_in_onlin>.
[Husak-2016] [Husak-2016]
Husák, M., Čermák, M., Jirsík, T., and P. Čeleda, "HTTPS Husák, M., Čermák, M., Jirsík, T., and P. Čeleda, "HTTPS
traffic analysis and client identification using passive traffic analysis and client identification using passive
SSL/TLS fingerprinting", DOI 10.1186/s13635-016-0030-7, SSL/TLS fingerprinting", DOI 10.1186/s13635-016-0030-7,
February 2016, <https://link.springer.com/article/10.1186/ February 2016, <https://link.springer.com/article/10.1186/
s13635-016-0030-7>. s13635-016-0030-7>.
[ICANN-2012] [ICANN-2012]
ICANN Security and Stability Advisory Committee, "Guidance ICANN Security and Stability Advisory Committee, "Guidance
for Preparing Domain Name Orders, Seizures & Takedowns", for Preparing Domain Name Orders, Seizures & Takedowns",
skipping to change at line 1739 skipping to change at line 1712
censorship-powered-by-us-technology/>. censorship-powered-by-us-technology/>.
[Knockel-2021] [Knockel-2021]
Knockel, J. and L. Ruan, "Measuring QQMail's automated Knockel, J. and L. Ruan, "Measuring QQMail's automated
email censorship in China", FOCI '21: Proceedings of the email censorship in China", FOCI '21: Proceedings of the
ACM SIGCOMM 2021 Workshop on Free and Open Communications ACM SIGCOMM 2021 Workshop on Free and Open Communications
on the Internet, Pages 8-15, DOI 10.1145/3473604.3474560, on the Internet, Pages 8-15, DOI 10.1145/3473604.3474560,
April 2021, April 2021,
<https://dl.acm.org/doi/10.1145/3473604.3474560>. <https://dl.acm.org/doi/10.1145/3473604.3474560>.
[Kopel-2013]
Kopel, K., "Operation Seizing Our Sites: How the Federal
Government is Taking Domain Names Without Prior Notice",
Berkeley Technology Law Journal, DOI 10.15779/Z384Q3M,
September 2013, <https://doi.org/10.15779/Z384Q3M>.
[Kravtsova-2012] [Kravtsova-2012]
Kravtsova, Y., "Cyberattacks Disrupt Opposition's Kravtsova, Y., "Cyberattacks Disrupt Opposition's
Election", October 2012, Election", The Moscow Times, October 2012,
<http://www.themoscowtimes.com/news/article/cyberattacks- <http://www.themoscowtimes.com/news/article/cyberattacks-
disrupt-oppositions-election/470119.html>. disrupt-oppositions-election/470119.html>.
[Leyba-2019] [Leyba-2019]
Leyba, K., Edwards, B., Freeman, C., Crandall, J., and S. Leyba, K., Edwards, B., Freeman, C., Crandall, J., and S.
Forrest, "Borders and Gateways: Measuring and Analyzing Forrest, "Borders and gateways: measuring and analyzing
National AS Chokepoints", 2019, national as chokepoints", COMPASS '19: Proceedings of the
<https://forrest.biodesign.asu.edu/data/publications/2019- 2nd ACM SIGCAS Conference on Computing and Sustainable
compass-chokepoints.pdf>. Societies, pages 184–194, DOI 10.1145/3314344.3332502,
July 2019, <https://doi.org/10.1145/3314344.3332502>.
[Li-2017] Li, F., Razaghpanah, A., Molavi Kakhki, A., Akhavan Niaki, [Li-2017] Li, F., Razaghpanah, A., Molavi Kakhki, A., Akhavan Niaki,
A., Choffnes, D., Gill, P., and A. Mislove, "lib•erate, A., Choffnes, D., Gill, P., and A. Mislove, "lib•erate,
(n): a library for exposing (traffic-classification) rules (n): a library for exposing (traffic-classification) rules
and avoiding them efficiently", and avoiding them efficiently",
DOI 10.1145/3131365.3131376, November 2017, DOI 10.1145/3131365.3131376, November 2017,
<https://david.choffnes.com/pubs/liberate-imc17.pdf>. <https://david.choffnes.com/pubs/liberate-imc17.pdf>.
[Lomas-2019] [Lomas-2019]
Lomas, N., "Github removes Tsunami Democràtic's APK after Lomas, N., "Github removes Tsunami Democràtic's APK after
skipping to change at line 1790 skipping to change at line 1758
August 2015, August 2015,
<https://www.usenix.org/system/files/conference/foci15/ <https://www.usenix.org/system/files/conference/foci15/
foci15-paper-marczak.pdf>. foci15-paper-marczak.pdf>.
[Muncaster-2013] [Muncaster-2013]
Muncaster, P., "Malaysian election sparks web blocking/ Muncaster, P., "Malaysian election sparks web blocking/
DDoS claims", The Register, May 2013, DDoS claims", The Register, May 2013,
<http://www.theregister.co.uk/2013/05/09/ <http://www.theregister.co.uk/2013/05/09/
malaysia_fraud_elections_ddos_web_blocking/>. malaysia_fraud_elections_ddos_web_blocking/>.
[Murdoch-2011] [Murdoch-2008]
Murdoch, S. J. and R. Anderson, "Tools and Technology of Murdoch, S. J. and R. Anderson, "Tools and Technology of
Internet Filtering", DOI 10.7551/mitpress/7617.003.0006, Internet Filtering" in "Access Denied: The Practice and
2011, <http://access.opennet.net/wp- Policy of Global Internet Filtering",
content/uploads/2011/12/accessdenied-chapter-3.pdf>. DOI 10.7551/mitpress/7617.003.0006, 2008,
<https://doi.org/10.7551/mitpress/7617.003.0006>.
[NA-SK-2019] [NA-SK-2019]
Morgus, R., Sherman, J., and S. Nam, "Analysis: South Morgus, R., Sherman, J., and S. Nam, "Analysis: South
Korea's New Tool for Filtering Illegal Internet Content", Korea's New Tool for Filtering Illegal Internet Content",
March 2019, <https://www.newamerica.org/cybersecurity- March 2019, <https://www.newamerica.org/cybersecurity-
initiative/c2b/c2b-log/analysis-south-koreas-sni- initiative/c2b/c2b-log/analysis-south-koreas-sni-
monitoring/>. monitoring/>.
[Nabi-2013] [Nabi-2013]
Nabi, Z., "The Anatomy of Web Censorship in Pakistan", Nabi, Z., "The Anatomy of Web Censorship in Pakistan",
August 2013, <http://0b4af6cdc2f0c5998459-c0245c5c937c5ded August 2013, <http://0b4af6cdc2f0c5998459-c0245c5c937c5ded
cca3f1764ecc9b2f.r43.cf2.rackcdn.com/12387-foci13-nabi.pdf cca3f1764ecc9b2f.r43.cf2.rackcdn.com/12387-foci13-nabi.pdf
>. >.
[NBC-2014] NBC News, "Exclusive: Snowden Docs Show UK Spies Attacked
Anonymous, Hackers", February 2014,
<http://www.nbcnews.com/feature/edward-snowden-interview/
exclusive-snowden-docs-show-uk-spies-attacked-anonymous-
hackers-n21361>.
[Netsec-2011] [Netsec-2011]
n3t2.3c, "TCP-RST Injection", October 2011, n3t2.3c, "TCP-RST Injection", October 2011,
<https://nets.ec/TCP-RST_Injection>. <https://nets.ec/TCP-RST_Injection>.
[OONI-2018] [OONI-2018]
Evdokimov, L., "Iran Protests: DPI blocking of Instagram Evdokimov, L., "Iran Protests: DPI blocking of Instagram
(Part 2)", February 2018, (Part 2)", February 2018,
<https://ooni.org/post/2018-iran-protests-pt2/>. <https://ooni.org/post/2018-iran-protests-pt2/>.
[OONI-2019] [OONI-2019]
Singh, S., Filastò, A., and M. Xynou, "China is now Singh, S., Filastò, A., and M. Xynou, "China is now
blocking all language editions of Wikipedia", May 2019, blocking all language editions of Wikipedia", May 2019,
<https://ooni.org/post/2019-china-wikipedia-blocking/>. <https://ooni.org/post/2019-china-wikipedia-blocking/>.
[Orion-2013] [Orion-2013]
Orion, E., "Zimbabwe election hit by hacking and DDoS Orion, E., "Zimbabwe election hit by hacking and DDoS
attacks", 2013, attacks", Wayback Machine archive, August 2013, <https://w
<http://www.theinquirer.net/inquirer/news/2287433/ eb.archive.org/web/20130825010947/http://www.theinquirer.n
zimbabwe-election-hit-by-hacking-and-ddos-attacks>. et/inquirer/news/2287433/zimbabwe-election-hit-by-hacking-
and-ddos-attacks>.
[Patil-2019] [Patil-2019]
Patil, S. and N. Borisov, "What can you learn from an Patil, S. and N. Borisov, "What can you learn from an
IP?", Proceedings of the Applied Networking Research IP?", Proceedings of the Applied Networking Research
Workshop, Pages 45-51, DOI 10.1145/3340301.3341133, July Workshop, Pages 45-51, DOI 10.1145/3340301.3341133, July
2019, <https://irtf.org/anrw/2019/ 2019, <https://irtf.org/anrw/2019/
anrw2019-final44-acmpaginated.pdf>. anrw2019-final44-acmpaginated.pdf>.
[Porter-2005] [Porter-2005]
Porter, T., "The Perils of Deep Packet Inspection", 2010, Porter, T., "The Perils of Deep Packet Inspection", 2010,
skipping to change at line 1854 skipping to change at line 1830
Great Firewall of China", DOI 10.1145/3442381.3450076, Great Firewall of China", DOI 10.1145/3442381.3450076,
April 2021, April 2021,
<https://www.andrew.cmu.edu/user/nicolasc/publications/ <https://www.andrew.cmu.edu/user/nicolasc/publications/
Rambert-WWW21.pdf>. Rambert-WWW21.pdf>.
[Reda-2017] [Reda-2017]
Reda, F., "New EU law prescribes website blocking in the Reda, F., "New EU law prescribes website blocking in the
name of "consumer protection"", November 2017, name of "consumer protection"", November 2017,
<https://felixreda.eu/2017/11/eu-website-blocking/>. <https://felixreda.eu/2017/11/eu-website-blocking/>.
[RFC0793] Postel, J., "Transmission Control Protocol", RFC 793,
DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>.
[RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
Extensions: Extension Definitions", RFC 6066, Extensions: Extension Definitions", RFC 6066,
DOI 10.17487/RFC6066, January 2011, DOI 10.17487/RFC6066, January 2011,
<https://www.rfc-editor.org/info/rfc6066>. <https://www.rfc-editor.org/info/rfc6066>.
[RFC7624] Barnes, R., Schneier, B., Jennings, C., Hardie, T., [RFC7624] Barnes, R., Schneier, B., Jennings, C., Hardie, T.,
Trammell, B., Huitema, C., and D. Borkmann, Trammell, B., Huitema, C., and D. Borkmann,
"Confidentiality in the Face of Pervasive Surveillance: A "Confidentiality in the Face of Pervasive Surveillance: A
Threat Model and Problem Statement", RFC 7624, Threat Model and Problem Statement", RFC 7624,
DOI 10.17487/RFC7624, August 2015, DOI 10.17487/RFC7624, August 2015,
skipping to change at line 1894 skipping to change at line 1866
[RFC8744] Huitema, C., "Issues and Requirements for Server Name [RFC8744] Huitema, C., "Issues and Requirements for Server Name
Identification (SNI) Encryption in TLS", RFC 8744, Identification (SNI) Encryption in TLS", RFC 8744,
DOI 10.17487/RFC8744, July 2020, DOI 10.17487/RFC8744, July 2020,
<https://www.rfc-editor.org/info/rfc8744>. <https://www.rfc-editor.org/info/rfc8744>.
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000, Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021, DOI 10.17487/RFC9000, May 2021,
<https://www.rfc-editor.org/info/rfc9000>. <https://www.rfc-editor.org/info/rfc9000>.
[RSF-2005] Reporters Sans Frontieres, "Technical ways to get around [RFC9293] Eddy, W., Ed., "Transmission Control Protocol (TCP)",
censorship", 2005, <http://archives.rsf.org/print- STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022,
blogs.php3?id_article=15013>. <https://www.rfc-editor.org/info/rfc9293>.
[Rushe-2014] [Rushe-2014]
Rushe, D., "Bing censoring Chinese language search results Rushe, D., "Bing censoring Chinese language search results
for users in the US", The Guardian, February 2014, for users in the US", The Guardian, February 2014,
<http://www.theguardian.com/technology/2014/feb/11/bing- <http://www.theguardian.com/technology/2014/feb/11/bing-
censors-chinese-language-search-results>. censors-chinese-language-search-results>.
[RWB-2020] Reporters Without Borders (RSF), "2020 World Press Freedom [RWB-2020] Reporters Without Borders (RSF), "2020 World Press Freedom
Index: Entering a decisive decade for journalism, Index: 'Entering a decisive decade for journalism,
exacerbated by coronavirus", <https://rsf.org/en/2020- exacerbated by coronavirus'", April 2020,
world-press-freedom-index-entering-decisive-decade- <https://rsf.org/en/2020-world-press-freedom-index-
journalism-exacerbated-coronavirus>. entering-decisive-decade-journalism-exacerbated-
coronavirus>.
[Sandvine-2014] [Sandvine-2015]
Sandvine, "Technology Showcase on Traffic Classification: Sandvine, "Internet Traffic Classification: A Sandvine
Why Measurements and Freeform Policy Matter", 2014, Technology Showcase", 2015,
<https://www.sandvine.com/downloads/general/technology/ <https://www.researchgate.net/profile/Nirmala-Svsg/post/
sandvine-technology-showcases/sandvine-technology- Anybody-working-on-Internet-traffic-
showcase-traffic-classification.pdf>. classification/attachment/59d63a5779197b807799782d/
AS%3A405810988503040%401473764287142/download/traffic-
classification-identifying-and-measuring-internet-
traffic.pdf>.
[Satija-2021] [Satija-2021]
Satija, S. and R. Chatterjee, "BlindTLS: Circumventing Satija, S. and R. Chatterjee, "BlindTLS: Circumventing
TLS-based HTTPS censorship", FOCI '21: Proceedings of the TLS-based HTTPS censorship", FOCI '21: Proceedings of the
ACM SIGCOMM 2021 Workshop on Free and Open Communications ACM SIGCOMM 2021 Workshop on Free and Open Communications
on the Internet, Pages 43-49, DOI 10.1145/3473604.3474564, on the Internet, Pages 43-49, DOI 10.1145/3473604.3474564,
August 2021, August 2021,
<https://sambhav.info/files/blindtls-foci21.pdf>. <https://sambhav.info/files/blindtls-foci21.pdf>.
[Schoen-2007] [Schoen-2007]
Schoen, S., "EFF tests agree with AP: Comcast is forging Schoen, S., "EFF tests agree with AP: Comcast is forging
packets to interfere with user traffic", October 2007, packets to interfere with user traffic", October 2007,
<https://www.eff.org/deeplinks/2007/10/eff-tests-agree-ap- <https://www.eff.org/deeplinks/2007/10/eff-tests-agree-ap-
comcast-forging-packets-to-interfere>. comcast-forging-packets-to-interfere>.
[Schone-2014]
Schone, M., Esposito, R., Cole, M., and G. Greenwald,
"Exclusive: Snowden Docs Show UK Spies Attacked Anonymous,
Hackers", February 2014, <http://www.nbcnews.com/feature/
edward-snowden-interview/exclusive-snowden-docs-show-uk-
spies-attacked-anonymous-hackers-n21361>.
[Senft-2013] [Senft-2013]
, Crete-Nishihata, M., Dalek, J., Hardy, S., Hilts, A., , Crete-Nishihata, M., Dalek, J., Hardy, S., Hilts, A.,
Kleemola, K., Ng, J., Poetranto, I., Senft, A., Sinpeng, Kleemola, K., Ng, J., Poetranto, I., Senft, A., Sinpeng,
A., Sonne, B., and G. Wiseman, "Asia Chats: Analyzing A., Sonne, B., and G. Wiseman, "Asia Chats: Analyzing
Information Controls and Privacy in Asian Messaging Information Controls and Privacy in Asian Messaging
Applications", November 2013, Applications", November 2013,
<https://citizenlab.org/2013/11/asia-chats-analyzing- <https://citizenlab.org/2013/11/asia-chats-analyzing-
information-controls-privacy-asian-messaging- information-controls-privacy-asian-messaging-
applications/>. applications/>.
skipping to change at line 1964 skipping to change at line 1933
Moura, G., "Detecting and Taking Down Fraudulent Webshops Moura, G., "Detecting and Taking Down Fraudulent Webshops
at the .nl ccTLD", February 2020, at the .nl ccTLD", February 2020,
<https://labs.ripe.net/Members/giovane_moura/detecting- <https://labs.ripe.net/Members/giovane_moura/detecting-
and-taking-down-fraudulent-webshops-at-a-cctld>. and-taking-down-fraudulent-webshops-at-a-cctld>.
[Singh-2019] [Singh-2019]
Singh, K., Grover, G., and V. Bansal, "How India Censors Singh, K., Grover, G., and V. Bansal, "How India Censors
the Web", DOI 10.48550/arXiv.1912.08590, December 2019, the Web", DOI 10.48550/arXiv.1912.08590, December 2019,
<https://arxiv.org/abs/1912.08590>. <https://arxiv.org/abs/1912.08590>.
[Sophos-2015] [Sophos-2023]
Sophos, "Understanding Sophos Web Filtering", 2015, Sophos, "Sophos Firewall: Web filtering basics", 2023,
<https://www.sophos.com/en-us/support/ <https://support.sophos.com/support/s/article/KB-
knowledgebase/115865.aspx>. 000036518?language=en_US>.
[SSAC-109-2020] [SSAC-109-2020]
ICANN Security and Stability Advisory Committee (SSAC), ICANN Security and Stability Advisory Committee (SSAC),
"SAC109: The Implications of DNS over HTTPS and DNS over "SAC109: The Implications of DNS over HTTPS and DNS over
TLS", March 2020, TLS", March 2020,
<https://www.icann.org/en/system/files/files/sac- <https://www.icann.org/en/system/files/files/sac-
109-en.pdf>. 109-en.pdf>.
[Tang-2016] [Tang-2016]
Tang, C., "In-depth analysis of the Great Firewall of Tang, C., "In-depth analysis of the Great Firewall of
skipping to change at line 2044 skipping to change at line 2013
[VonLohmann-2008] [VonLohmann-2008]
VonLohmann, F., "FCC Rules Against Comcast for BitTorrent VonLohmann, F., "FCC Rules Against Comcast for BitTorrent
Blocking", August 2008, Blocking", August 2008,
<https://www.eff.org/deeplinks/2008/08/fcc-rules-against- <https://www.eff.org/deeplinks/2008/08/fcc-rules-against-
comcast-bit-torrent-blocking>. comcast-bit-torrent-blocking>.
[Wagner-2009] [Wagner-2009]
Wagner, B., "Deep Packet Inspection and Internet Wagner, B., "Deep Packet Inspection and Internet
Censorship: International Convergence on an 'Integrated Censorship: International Convergence on an 'Integrated
Technology of Control'", 2009, Technology of Control'", Global Voices Advocacy, 2009,
<http://advocacy.globalvoicesonline.org/wp- <http://advocacy.globalvoicesonline.org/wp-
content/uploads/2009/06/deeppacketinspectionandinternet- content/uploads/2009/06/deeppacketinspectionandinternet-
censorship2.pdf>. censorship2.pdf>.
[Wagstaff-2013] [Wagstaff-2013]
Wagstaff, J., "In Malaysia, online election battles take a Wagstaff, J., "In Malaysia, online election battles take a
nasty turn", Reuters, 2013, nasty turn", NBC News, May 2013,
<http://www.reuters.com/article/2013/05/04/uk-malaysia- <https://www.nbcnews.com/tech/tech-news/malaysia-online-
election-online-idUKBRE94309G20130504>. election-battles-take-nasty-turn-flna6c9783842>.
[Wang-2017] [Wang-2017]
Wang, Z., Cao, Y., Qian, Z., Song, C., and S.V. Wang, Z., Cao, Y., Qian, Z., Song, C., and S.V.
Krishnamurthy, "Your State is Not Mine: A Closer Look at Krishnamurthy, "Your State is Not Mine: A Closer Look at
Evading Stateful Internet Censorship", Evading Stateful Internet Censorship",
DOI 10.1145/3131365.3131374, November 2017, DOI 10.1145/3131365.3131374, November 2017,
<https://www.cs.ucr.edu/~zhiyunq/pub/ <https://www.cs.ucr.edu/~zhiyunq/pub/
imc17_censorship_tcp.pdf>. imc17_censorship_tcp.pdf>.
[Wang-2020] [Wang-2020]
skipping to change at line 2117 skipping to change at line 2086
filtering-trends-liberal-democracies-french-and-german- filtering-trends-liberal-democracies-french-and-german-
regulatory-debates>. regulatory-debates>.
[Zhu-2011] Zhu, T., Bronk, C., and D.S. Wallach, "An Analysis of [Zhu-2011] Zhu, T., Bronk, C., and D.S. Wallach, "An Analysis of
Chinese Search Engine Filtering", Chinese Search Engine Filtering",
DOI 10.48550/arXiv.1107.3794, July 2011, DOI 10.48550/arXiv.1107.3794, July 2011,
<http://arxiv.org/ftp/arxiv/papers/1107/1107.3794.pdf>. <http://arxiv.org/ftp/arxiv/papers/1107/1107.3794.pdf>.
[Zmijewski-2014] [Zmijewski-2014]
Zmijewski, E., "Turkish Internet Censorship Takes a New Zmijewski, E., "Turkish Internet Censorship Takes a New
Turn", 2014, Turn", Wayback Machine archive, March 2014,
<https://blogs.oracle.com/internetintelligence/turkish- <http://web.archive.org/web/20200726222723/
https://blogs.oracle.com/internetintelligence/turkish-
internet-censorship-takes-a-new-turn>. internet-censorship-takes-a-new-turn>.
Contributors Contributors
This document benefited from discussions with and input from David This document benefited from discussions with and input from David
Belson, Stéphane Bortzmeyer, Vinicius Fortuna, Gurshabad Grover, Belson, Stéphane Bortzmeyer, Vinicius Fortuna, Gurshabad Grover,
Andrew McConachie, Martin Nilsson, Michael Richardson, Patrick Vacek, Andrew McConachie, Martin Nilsson, Michael Richardson, Patrick Vacek,
and Chris Wood. and Chris Wood.
Authors' Addresses Authors' Addresses
 End of changes. 63 change blocks. 
250 lines changed or deleted 220 lines changed or added

This html diff was produced by rfcdiff 1.48.