"《全球审查技术调查》是一份关于互联网审查方法的综合研究报告,主要关注用于阻止或损害互联网访问和通信的技术策略。报告分类讨论了互联网通信中的审查技术,包括网络层和应用层。它定义了与互联网审查相关的关键术语和概念,探讨了IP封锁、DNS篡改、数据包过滤和内容关键字过滤等方法。报告还讨论了深度包检测(DPI)和加密技术在规避审查中的作用,以及审查技术与对策之间的动态关系。此外,报告还考虑了审查的非技术方面,包括法律、政治和社会因素对审查技术实施的影响,以及这些方法对人权的影响。报告最后讨论了互联网审查的未来,强调了在这一领域继续进行研究和保持意识的必要性。"
文档中提到了中国审查技术的几个方面:
DNS响应操作:在中国,对某些被审查的域名进行查询会导致伪造的DNS响应。通过一个例子来演示,在中国查询一个被审查和未被审查的域名会产生不同的结果:未被审查的域名没有响应,而被审查的域名会返回一个伪造的IP地址。
主动探测规避工具:中国已经开发出一种称为"主动探测"或"主动扫描"的有效技术来识别使用规避工具的主机。这种方法涉及审查者使用规避协议发起通信,以确定主机是否运行此类工具。
封锁维基百科:截至2019年5月,中国已经封锁了维基百科的所有语言版本。
使用深度包检测(DPI):中国的防火长城(GFW),作为世界上最大的审查系统之一,使用DPI来识别HTTP和DNS上的受限内容。DPI用于向连接中注入TCP重置包和错误的DNS响应。
网络断连:2009年,在新疆地区发生骚乱期间,中国切断了网络连接,以防止抗议活动的蔓延。
手动过滤和自我审查:在中国,互联网内容提供商(如谷歌或微博)需要获得营业执照,其中包括签署一份名为“中国互联网行业自律公约”的“自愿承诺”。不遵守可能会导致因违规内容而承担责任。这导致了一种自我审查形式,不希望发布的内容不太可能被发布。
对ESNI的HTTPS残留审查:中国采用了3元组和4元组残留审查机制的混合体,用于HTTPS与加密服务器名称指示(ESNI)的审查。
DNS中毒事件:2014年1月,一个实施不当的DNS中毒尝试导致中国通过防火长城将所有请求重定向到单一域名,造成了重大的互联网服务中断。
使用“大炮”:中国使用一种名为“大炮”的系统发起分布式拒绝服务(DDoS)攻击,该系统与防火长城并列。这个系统将JavaScript代码注入到中国某搜索引擎的网页访问中,劫持这些用户代理向各种网站发送DDoS流量。
-------------------------------------
A Survey of Worldwide Censorship Techniques
Abstract
This document describes technical mechanisms employed in network censorship that regimes around the world use for blocking or impairing Internet traffic. It aims to make designers, implementers, and users of Internet protocols aware of the properties exploited and mechanisms used for censoring end-user access to information. This document makes no suggestions on individual protocol considerations, and is purely informational, intended as a reference. This document is a product of the Privacy Enhancement and Assessment Research Group (PEARG) in the IRTF.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.
This document describes technical mechanisms that censorship regimes around the world use for blocking or impairing Internet traffic. See [RFC7754] for a discussion of Internet blocking and filtering in terms of implications for Internet architecture rather than end-user access to content and services. There is also a growing field of academic study of censorship circumvention (see the review article of [Tschantz-2016]), results from which we seek to make relevant here for protocol designers and implementers.Censorship circumvention also impacts the cost of implementation of a censorship measure, and we include mentions of trade-offs in relation to such costs in conjunction with each technical method identified below.This document has seen extensive discussion and review in the IRTF Privacy Enhancement and Assessment Research Group (PEARG) and represents the consensus of that group. It is not an IETF product and is not a standard.1. Introduction
Censorship is where an entity in a position of power -- such as a government, organization, or individual -- suppresses communication that it considers objectionable, harmful, sensitive, or inconvenient [WP-Def-2020]. Although censors that engage in censorship must do so through legal, martial, or other means, this document focuses largely on technical mechanisms used to achieve network censorship.
2. Terminology
We describe three elements of Internet censorship: prescription, identification, and interference. This document contains three major sections, each corresponding to one of these elements. Prescription is the process by which censors determine what types of material they should censor, e.g., classifying pornographic websites as undesirable. Identification is the process by which censors classify specific traffic or traffic identifiers to be blocked or impaired, e.g., deciding that webpages containing "sex" in an HTTP header or that accept traffic through the URL "www.sex.example" are likely to be undesirable. Interference is the process by which censors intercede in communication and prevent access to censored materials by blocking access or impairing the connection, e.g., implementing a technical solution capable of identifying HTTP headers or URLs and ensuring they are rendered wholly or partially inaccessible.
3. Technical Prescription
Prescription is the process of figuring out what censors would like to block [Glanville-2008]. Generally, censors aggregate information "to block" in blocklists, databases of image hashes [ekr-2021], or use real-time heuristic assessment of content [Ding-1999]. Some national networks are designed to more naturally serve as points of control [Leyba-2019]. There are also indications that online censors use probabilistic machine learning techniques [Tang-2016]. Indeed, web crawling and machine learning techniques are an active research area in the effort to identify content deemed as morally or commercially harmful to companies or consumers in some jurisdictions [SIDN-2020].
4. Technical Identification
4.1. Points of Control
Internet censorship takes place in all parts of the network topology. It may be implemented in the network itself (e.g., local loop or backhaul), on the services side of communication (e.g., web hosts, cloud providers, or content delivery networks), in the ancillary services ecosystem (e.g., domain name system (DNS) or certificate authorities (CAs)), or on the end-client side (e.g., in an end-user device, such as a smartphone, laptop, or desktop, or software executed on such devices). An important aspect of pervasive technical interception is the necessity to rely on software or hardware to intercept the content the censor is interested in. There are various logical and physical points of control that censors may use for interception mechanisms, including, though not limited to, the following:
- Internet Backbone:
- If a censor controls elements of Internet network infrastructure, such as the international gateways into a region or Internet Exchange Points (IXPs), those choke points can be used to filter undesirable traffic that is traveling into and out of the region by packet sniffing and port mirroring. Censorship at gateways is most effective at controlling the flow of information between a region and the rest of the Internet, but is ineffective at identifying content traveling between the users within a region, which would have to be accomplished at exchange points or other network aggregation points. Some national network designs naturally serve as more effective choke points and points of control [Leyba-2019].
- Internet Service Providers (ISPs):
- ISPs are frequently exploited points of control. They have the benefit of being easily enumerable by a censor -- often falling under the jurisdictional or operational control of a censor in an indisputable way -- with the additional feature that an ISP can identify the regional and international traffic of all their users. The censor's filtration mechanisms can be placed on an ISP via governmental mandates, ownership, or voluntary/coercive influence.
- Institutions:
- Private institutions such as corporations, schools, and Internet cafes can use filtration mechanisms. These mechanisms are occasionally at the request of a government censor but can also be implemented to help achieve institutional goals, such as fostering a particular moral outlook on life by schoolchildren, independent of broader society or government goals.
- Content Distribution Network (CDN):
- CDNs seek to collapse network topology in order to better locate content closer to the service's users. This reduces content transmission latency and improves QoS. The CDN service's content servers, located "close" to the user in a network sense, can be powerful points of control for censors, especially if the location of CDN repositories allows for easier interference.
- CAs for Public Key Infrastructures (PKIs):
- Authorities that issue cryptographically secured resources can be a significant point of control. CAs that issue certificates to domain holders for TLS/HTTPS (the Web PKI) or Regional or Local Internet Registries (RIRs or LIRs) that issue Route Origin Authorizations (ROAs) to BGP operators can be forced to issue rogue certificates that may allow compromise, i.e., by allowing censorship software to engage in identification and interference where it may not have been possible before. CAs may also be forced to revoke certificates. This may lead to adversarial traffic routing, TLS interception being allowed, or an otherwise rightful origin or destination point of traffic flows being unable to communicate in a secure way.
- Services:
- Application service providers can be pressured, coerced, or legally required to censor specific content or data flows. Service providers naturally face incentives to maximize their potential customer base, and potential service shutdowns or legal liability due to censorship efforts may seem much less attractive than potentially excluding content, users, or uses of their service. Services have increasingly become focal points of censorship discussions as well as discussions of moral imperatives to use censorship tools.
- Content Sites:
- On the service side of communications lie many platforms that publish user-generated content and require terms of service compliance with all content and user accounts in order to avoid intermediary liability for the web hosts. In aggregate, these policies, actions, and remedies are known as content moderation. Content moderation happens above the services or application layer, but these mechanisms are built to filter, sort, and block content and users, thus making them available to censors through direct pressure on the private entity.
- Personal Devices:
- Censors can mandate censorship software be installed on the device level. This has many disadvantages in terms of scalability, ease of circumvention, and operating system requirements. (Of course, if a personal device is treated with censorship software before sale and this software is difficult to reconfigure, this may work in favor of those seeking to control information, say, for children, students, customers, or employees.) The emergence of mobile devices has exacerbated these feasibility problems. This software can also be mandated by institutional actors acting on non-governmentally mandated moral imperatives.
At all levels of the network hierarchy, the filtration mechanisms used to censor undesirable traffic are essentially the same: a censor either directly identifies undesirable content using the identifiers described below and then uses a blocking or shaping mechanism (such as the ones exemplified below to prevent or impair access), or requests that an actor ancillary to the censor (such as a private entity) perform these functions. Identification of undesirable traffic can occur at the application, transport, or network layer of the IP stack. Censors often focus on web traffic, so the relevant protocols tend to be filtered in predictable ways (see Sections 4.2.1 and 4.2.2). For example, a subversive image might make it past a keyword filter. However, if later the image is deemed undesirable, a censor may then blocklist the provider site's IP address.
4.2. Application Layer
The following subsections describe properties and trade-offs of common ways in which censors filter using application-layer information. Each subsection includes empirical examples describing these common behaviors for further reference.
4.2.1. HTTP Request Header Identification
An HTTP header contains a lot of useful information for traffic identification. Although "host" is the only required field in an HTTP request header (for HTTP/1.1 and later), an HTTP method field is necessary to do anything useful. As such, "method" and "host" are the two fields used most often for ubiquitous censorship. A censor can sniff traffic and identify a specific domain name (host) and usually a page name (for example, GET /page) as well. This identification technique is usually paired with transport header identification (see Section 4.3.1) for a more robust method.
4.2.2. HTTP Response Header Identification
While HTTP request header identification relies on the information contained in the HTTP request from client to server, HTTP response header identification uses information sent in response by the server to client to identify undesirable content.
4.2.3. Transport Layer Security (TLS)
Similar to HTTP, censors have deployed a variety of techniques towards censoring TLS (and by extension HTTPS). Most of these techniques relate to the Server Name Indication (SNI) field, including censoring SNI, Encrypted SNI (ESNI), or omitted SNI. Censors can also censor HTTPS content via server certificates. Note that TLS 1.3 acts as a security component of QUIC.
4.2.3.1. Server Name Indication (SNI)
In encrypted connections using TLS, there may be servers that host multiple "virtual servers" at a given network address, and the client will need to specify in the ClientHello message which domain name it seeks to connect to (so that the server can respond with the appropriate TLS certificate) using, the SNI TLS extension [RFC6066]. The ClientHello message is unencrypted for TCP-based TLS. When using QUIC, the ClientHello message is encrypted, but its confidentiality is not effectively protected because the initial encryption keys are derived using a value that is visible on the wire. Since SNI is often sent in the clear (as are the cert fields sent in response), censors and filtering software can use it (and response cert fields) as a basis for blocking, filtering, or impairment by dropping connections to domains that match prohibited content (e.g., "bad.foo.example" may be censored while "good.foo.example" is not) [Shbair-2015]. There are ongoing standardization efforts in the TLS Working Group to encrypt SNI [RFC8744] [TLS-ESNI], and recent research shows promising results in the use of ESNI in the face of SNI-based filtering [Chai-2019] in some countries.
4.2.3.2. Encrypted SNI (ESNI)
With the data leakage present with the SNI field, a natural response is to encrypt it, which is forthcoming in TLS 1.3 with Encrypted Client Hello (ECH). Prior to ECH, the ESNI extension is available to prevent the data leakage caused by SNI, which encrypts only the SNI field. Unfortunately, censors can target connections that use the ESNI extension specifically for censorship. This guarantees over-blocking for the censor but can be worth the cost if ESNI is not yet widely deployed within the country. ECH is the emerging standard for protecting the entire TLS ClientHello, but it is not yet widely deployed.
4.2.3.3. Omitted SNI
Researchers have observed that some clients omit the SNI extension entirely. This omitted-SNI approach limits the information available to a censor. Like with ESNI, censors can choose to block connections that omit the SNI, though this too risks over-blocking.
4.2.3.4. Server Response Certificate
During the TLS handshake after the TLS ClientHello, the server will respond with the TLS certificate. This certificate also contains the domain the client is trying to access, creating another avenue that censors can use to perform censorship. This technique will not work in TLS 1.3, as the certificate will be encrypted.
4.2.4. Instrumenting Content Distributors
Many governments pressure content providers to censor themselves, or provide the legal framework, within which content distributors are incentivized to follow the content restriction preferences of agents external to the content distributor [Boyle-1997]. Due to the extensive reach of such censorship, we define "content distributor" as any service that provides utility to users, including everything from websites to storage to locally installed programs.
4.2.5. DPI Identification
DPI technically is any kind of packet analysis beyond IP address and port number and has become computationally feasible as a component of censorship mechanisms in recent years [Wagner-2009]. Unlike other techniques, DPI reassembles network flows to examine the application "data" section, as opposed to only headers, and is therefore often used for keyword identification. DPI also differs from other identification technologies because it can leverage additional packet and flow characteristics, e.g., packet sizes and timings, when identifying content. To prevent substantial QoS impacts, DPI normally analyzes a copy of data while the original packets continue to be routed. Typically, the traffic is split using either a mirror switch or fiber splitter and analyzed on a cluster of machines running Intrusion Detection Systems (IDSs) configured for censorship.
4.3. Transport Layer
4.3.1. Shallow Packet Inspection and Transport Header Identification
Of the various shallow packet inspection methods, transport header identification is the most pervasive, reliable, and predictable type of identification. Transport headers contain a few invaluable pieces of information that must be transparent for traffic to be successfully routed: destination and source IP address and port. Destination and source IP are doubly useful, as not only do they allow a censor to block undesirable content via IP blocklisting but also allow a censor to identify the IP of the user making the request and the IP address of the destination being visited, which in most cases can be used to infer the domain being visited [Patil-2019]. Port is useful for allowlisting certain applications.
4.3.2. Protocol Identification
Censors sometimes identify entire protocols to be blocked using a variety of traffic characteristics. For example, Iran impairs the performance of HTTPS traffic, a protocol that prevents further analysis, to encourage users to switch to HTTP, a protocol that they can analyze [Aryan-2013]. A simple protocol identification would be to recognize all TCP traffic over port 443 as HTTPS, but a more sophisticated analysis of the statistical properties of payload data and flow behavior would be more effective, even when port 443 is not used [Hjelmvik-2010] [Sandvine-2015].
4.4. Residual Censorship
Another feature of some modern censorship systems is residual censorship, a punitive form of censorship whereby after a censor disrupts a forbidden connection, the censor continues to target subsequent connections, even if they are innocuous [Bock-2021]. Residual censorship can take many forms and often relies on the methods of technical interference described in the next section.
5. Technical Interference
5.1. Application Layer
5.1.1. DNS Interference
There are a variety of mechanisms that censors can use to block or filter access to content by altering responses from the DNS [AFNIC-2013] [ICANN-SSAC-2012], including blocking the response, replying with an error message, or responding with an incorrect address. Note that there are now encrypted transports for DNS queries in DNS over HTTPS [RFC8484] and DNS over TLS [RFC7858] that can mitigate interference with DNS queries between the stub and the resolver.
% dig +short +nodnssec @192.0.2.2 A www.uncensored.example ;; connection timed out; no servers could be reached % dig +short +nodnssec @192.0.2.2 A www.censored.example 198.51.100.0
DNS cache poisoning happens off-path and refers to a mechanism where a censor interferes with the response sent by an authoritative DNS name server to a recursive resolver by responding more quickly than the authoritative name server can respond with an alternative IP address [Halley-2008]. Cache poisoning occurs after the requested site's name servers resolve the request and attempt to forward the true IP back to the requesting device. On the return route, the resolved IP is recursively cached by each DNS server that initially forwarded the request. During this caching process if an undesirable keyword is recognized, the resolved IP is "poisoned", and an alternative IP (or NXDOMAIN error) is returned more quickly than the upstream resolver can respond, causing a forged IP address to be cached (and potentially recursively so). The alternative IPs usually direct to a nonsense domain or a warning page. Alternatively, Iranian censorship appears to prevent the communication en route, preventing a response from ever being sent [Aryan-2013].There are also cases of what is colloquially called "DNS lying", where a censor mandates that the DNS responses provided -- by an operator of a recursive resolver such as an Internet Access Provider -- be different than what an authoritative name server would provide [Bortzmeyer-2015].Trade-offs: These forms of DNS interference require the censor to force a user to traverse a controlled DNS hierarchy (or intervening network on which the censor serves as an active pervasive attacker [RFC7624] to rewrite DNS responses) for the mechanism to be effective. DNS interference can be circumvented by using alternative DNS resolvers (such as any of the public DNS resolvers) that may fall outside of the jurisdictional control of the censor or Virtual Private Network (VPN) technology. DNS mangling and cache poisoning also imply returning an incorrect IP to those attempting to resolve a domain name, but in some cases the destination may be technically accessible. For example, over HTTP, the user may have another method of obtaining the IP address of the desired site and may be able to access it if the site is configured to be the default server listening at this IP address. Target blocking has also been a problem, as occasionally users outside of the censor's region will be directed through DNS servers or DNS-rewriting network equipment controlled by a censor, causing the request to fail. The ease of circumvention paired with the large risk of content blocking and target blocking make DNS interference a partial, difficult, and less-than-ideal censorship mechanism.Additionally, the above mechanisms rely on DNSSEC not being deployed or DNSSEC validation not being active on the client or recursive resolver (neither of which is hard to imagine given limited deployment of DNSSEC and limited client support for DNSSEC validation). Note that an adversary seeking to merely block resolution can serve a DNSSEC record that doesn't validate correctly, assuming of course that the client or recursive resolver validates.Previously, techniques were used for censorship that relied on DNS requests being passed in cleartext over port 53 [SSAC-109-2020]. With the deployment of encrypted DNS (e.g., DNS over HTTPS [RFC8484]) these requests are now increasingly passed on port 443 with other HTTPS traffic, or in the case of DNS over TLS [RFC7858] no longer passed in the clear (see also Section 4.3.1).Empirical Examples: DNS interference, when properly implemented, is easy to identify based on the shortcomings identified above. Turkey relied on DNS interference for its country-wide block of websites, including Twitter and YouTube, for almost a week in March of 2014. The ease of circumvention resulted in an increase in the popularity of Twitter until Turkish ISPs implemented an IP blocklist to achieve the governmental mandate [Zmijewski-2014]. Ultimately, Turkish ISPs started hijacking all requests to Google and Level 3's international DNS resolvers [Zmijewski-2014]. DNS interference, when incorrectly implemented, has resulted in some of the largest censorship disasters. In January 2014, China started directing all requests passing through the Great Fire Wall to a single domain "dongtaiwang.com", due to an improperly configured DNS poisoning attempt. This incident is thought to be the largest Internet service outage in history [AFP-2014] [Anon-SIGCOMM12]. Countries such as China, Turkey, and the United States have discussed blocking entire Top-Level Domains (TLDs) as well [Albert-2011]. DNS blocking is commonly deployed in European countries to deal with undesirable content, such as- child abuse content (Norway, United Kingdom, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Malta, the Netherlands, Poland, Spain, and Sweden [Wright-2013] [Eneman-2010]),
- online gambling (Belgium, Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, France, Greece, Hungary, Italy, Latvia, Lithuania, Poland, Portugal, Romania, Slovakia, Slovenia, and Spain (see Section 6.3.2 of [EC-gambling-2012], [EC-gambling-2019])),
- copyright infringement (all European Economic Area countries),
- hate speech and extremism (France [Hertel-2015]), and
- terrorism content (France [Hertel-2015]).
5.2. Transport Layer
5.2.1. Performance Degradation
While other interference techniques outlined in this section mostly focus on blocking or preventing access to content, it can be an effective censorship strategy in some cases to not entirely block access to a given destination or service but instead to degrade the performance of the relevant network connection. The resulting user experience for a site or service under performance degradation can be so bad that users opt to use a different site, service, or method of communication or may not engage in communication at all if there are no alternatives. Traffic-shaping techniques that rate-limit the bandwidth available to certain types of traffic is one example of a performance degradation.
5.2.2. Packet Dropping
Packet dropping is a simple mechanism to prevent undesirable traffic. The censor identifies undesirable traffic and chooses to not properly forward any packets it sees associated with the traversing undesirable traffic instead of following a normal routing protocol. This can be paired with any of the previously described mechanisms so long as the censor knows the user must route traffic through a controlled router.
5.2.3. RST Packet Injection
Packet injection, generally, refers to a machine-in-the-middle (MITM) network interference technique that spoofs packets in an established traffic stream. RST packets are normally used to let one side of a TCP connection know the other side has stopped sending information and that the receiver should close the connection. RST packet injection is a specific type of packet injection attack that is used to interrupt an established stream by sending RST packets to both sides of a TCP connection; as each receiver thinks the other has dropped the connection, the session is terminated.
5.3. Routing Layer
5.3.1. Network Disconnection
While it is perhaps the crudest of all techniques employed for censorship, there is no more effective way of making sure undesirable information isn't allowed to propagate on the web than by shutting off the network. The network can be logically cut off in a region when a censoring entity withdraws all of the Border Gateway Protocol (BGP) prefixes routing through the censor's country.
5.3.2. Adversarial Route Announcement
More fine-grained and potentially wide-spread censorship can be achieved with BGP hijacking, which adversarially re-routes BGP IP prefixes incorrectly within a region and beyond. This restricts and effectively censors the correctly known location of information that flows into or out of a jurisdiction and will similarly prevent people from outside your jurisdiction from viewing content generated outside that jurisdiction as the adversarial route announcement propagates. The first can be achieved by an adversarial BGP announcement of incorrect routes that are not intended to leak beyond a jurisdiction, where the latter attacks traffic by deliberately introducing bogus BGP announcements that reach the global Internet.
5.4. Multi-layer and Non-layer
5.4.1. Distributed Denial of Service (DDoS)
Distributed Denial of Service attacks are a common attack mechanism used by "hacktivists" and malicious hackers. Censors have also used DDoS in the past for a variety of reasons. There is a wide variety of DDoS attacks [Wikip-DoS]. However, at a high level, two possible impacts from the attack tend to occur: a flood attack results in the service being unusable while resources are being spent to flood the service, and a crash attack aims to crash the service so resources can be reallocated elsewhere without "releasing" the service.
5.4.2. Censorship in Depth
Often, censors implement multiple techniques in tandem, creating "censorship in depth". Censorship in depth can take many forms; some censors block the same content through multiple techniques (such as blocking a domain by DNS, IP blocking, and HTTP simultaneously), some deploy parallel systems to improve censorship reliability (such as deploying multiple different censorship systems to block the same domain), and others can use complimentary systems to limit evasion (such as by blocking unwanted protocols entirely, forcing users to use other filtered protocols).
6. Non-technical Interference
6.1. Manual Filtering
As the name implies, sometimes manual labor is the easiest way to figure out which content to block. Manual filtering differs from the common tactic of building up blocklists in that it doesn't necessarily target a specific IP or DNS but instead removes or flags content. Given the imprecise nature of automatic filtering, manually sorting through content and flagging dissenting websites, blogs, articles, and other media for filtration can be an effective technique on its own or combined with other automated techniques of detection that are then followed by an action that would require manual confirmation. This filtration can occur on the backbone or ISP level. China's army of monitors is a good example [BBC-2013b], but more commonly, manual filtering occurs on an institutional level. ICPs, such as Google or Weibo, require a business license to operate in China. One of the prerequisites for a business license is an agreement to sign a "voluntary pledge" known as the "Public Pledge on Self-discipline for the Chinese Internet Industry". The failure to "energetically uphold" the pledged values can lead to the ICPs being held liable for the offending content by the Chinese government [BBC-2013b].
6.2. Self-Censorship
Self-censorship is difficult to document as it manifests primarily through a lack of undesirable content. Tools that encourage self-censorship may lead a prospective speaker to believe that speaking increases the risk of unfavorable outcomes for the speaker (technical monitoring, identification requirements, etc.). Reporters Without Borders exemplify methods of imposing self-censorship in their annual World Press Freedom Index reports [RWB-2020].
6.3. Server Takedown
As mentioned in passing by [Murdoch-2008], servers must have a physical location somewhere in the world. If undesirable content is hosted in the censoring country, the servers can be physically seized, or -- in cases where a server is virtualized in a cloud infrastructure where it may not necessarily have a fixed physical location -- the hosting provider can be required to prevent access.
6.4. Notice and Takedown
In many countries, legal mechanisms exist where an individual or other content provider can issue a legal request to a content host that requires the host to take down content. Examples include the systems employed by companies like Google to comply with "Right to be Forgotten" policies in the European Union [Google-RTBF], intermediary liability rules for electronic platform providers [EC-2012], or the copyright-oriented notice and takedown regime of the United States Digital Millennium Copyright Act (DMCA) Section 512 [DMLP-512].
6.5. Domain Name Seizures
Domain names are catalogued in name servers operated by legal entities called registries. These registries can be made to cede control over a domain name to someone other than the entity that registered the domain name through a legal procedure grounded in either private contracts or public law. Domain name seizure is increasingly used by both public authorities and private entities to deal with undesired content dissemination [ICANN-2012] [EFF-2017].
7. Future Work
In addition to establishing a thorough resource for describing censorship techniques, this document implicates critical areas for future work.
8. IANA Considerations
This document has no IANA actions.
9. Security Considerations
This document is a survey of existing literature on network censorship techniques. As such, it does not introduce any new security considerations to be taken into account beyond what is already discussed in each paper surveyed.
10. Informative References
- [AFNIC-2013]
- AFNIC, "Report of the AFNIC Scientific Council: Consequences of DNS-based Internet filtering", , <http://www.afnic.fr/medias/documents/conseilscientifique/SC-consequences-of-DNS-based-Internet-filtering.pdf>.
- [AFP-2014]
- AFP, "China Has Massive Internet Breakdown Reportedly Caused By Their Own Censoring Tools", , <http://www.businessinsider.com/chinas-internet-breakdown-reportedly-caused-by-censoring-tools-2014-1>.
- [Albert-2011]
- Albert, K., "DNS Tampering and the new ICANN gTLD Rules", , <https://opennet.net/blog/2011/06/dns-tampering-and-new-icann-gtld-rules>.
- [Anon-SIGCOMM12]
- Anonymous, "The Collateral Damage of Internet Censorship by DNS Injection", , <http://www.sigcomm.org/sites/default/files/ccr/papers/2012/July/2317307-2317311.pdf>.
- [Anonymous-2013]
- Anonymous, "GitHub blocked in China - how it happened, how to get around it, and where it will take us", , <https://en.greatfire.org/blog/2013/jan/github-blocked-china-how-it-happened-how-get-around-it-and-where-it-will-take-us>.
- [Anonymous-2014]
- Anonymous, "Towards a Comprehensive Picture of the Great Firewall's DNS Censorship", , <https://www.usenix.org/system/files/conference/foci14/foci14-anonymous.pdf>.
- [Aryan-2013]
- Aryan, S., Aryan, H., and J. A. Halderman, "Internet Censorship in Iran: A First Look", , <https://jhalderm.com/pub/papers/iran-foci13.pdf>.
- [BBC-2013]
- BBC News, "Google and Microsoft agree steps to block abuse images", , <http://www.bbc.com/news/uk-24980765>.
- [BBC-2013b]
- BBC, "China employs two million microblog monitors state media say", , <https://www.bbc.com/news/world-asia-china-24396957>.
- [Bock-2019]
- Bock, K., Hughey, G., Qiang, X., and D. Levin, "Geneva: Evolving Censorship Evasion Strategies", DOI 10.1145/3319535.3363189, , <https://geneva.cs.umd.edu/papers/geneva_ccs19.pdf>.
- [Bock-2020]
- Bock, K., Fax, Y., Reese, K., Singh, J., and D. Levin, "Detecting and Evading Censorship-in-Depth: A Case Study of Iran's Protocol Filter", , <https://geneva.cs.umd.edu/papers/evading-censorship-in-depth.pdf>.
- [Bock-2020b]
- Bock, K., iyouport, Anonymous, Merino, L-H., Fifield, D., Houmansadr, A., and D. Levin, "Exposing and Circumventing China's Censorship of ESNI", , <https://geneva.cs.umd.edu/posts/china-censors-esni/esni/>.
- [Bock-2021]
- Bock, K., Bharadwaj, P., Singh, J., and D. Levin, "Your Censor is My Censor: Weaponizing Censorship Infrastructure for Availability Attacks", DOI 10.1109/SPW53761.2021.00059, , <https://geneva.cs.umd.edu/papers/woot21-weaponizing-availability.pdf>.
- [Bock-2021b]
- Bock, K., Naval, G., Reese, K., and D. Levin, "Even Censors Have a Backup: Examining China's Double HTTPS Censorship Middleboxes", FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Free and Open Communications on the Internet, Pages 1-7, DOI 10.1145/3473604.3474559, , <https://geneva.cs.umd.edu/papers/foci21.pdf>.
- [Bortzmeyer-2015]
- Bortzmeyer, S., "DNS Censorship (DNS Lies) As Seen By RIPE Atlas", , <https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes>.
- [Boyle-1997]
- Boyle, J., "Foucault in Cyberspace: Surveillance, Sovereignty, and Hardwired Censors", 66 University of Cincinnati Law Review 177-205, , <https://scholarship.law.duke.edu/faculty_scholarship/619/>.
- [Cao-2016]
- Cao, Y., Qian, Z., Wang, Z., Dao, T., Krishnamurthy, S., and L. Marvel, "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous", , <https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cao.pdf>.
- [CERT-2000]
- CERT, "CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks", , <https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-21+TCP+SYN+Flooding+and+IP+Spoofing+Attacks>.
- [Chai-2019]
- Chai, Z., Ghafari, A., and A. Houmansadr, "On the Importance of Encrypted-SNI (ESNI) to Censorship Circumvention", , <https://www.usenix.org/system/files/foci19-paper_chai_update.pdf>.
- [Cheng-2010]
- Cheng, J., "Google stops Hong Kong auto-redirect as China plays hardball", , <http://arstechnica.com/tech-policy/2010/06/google-tweaks-china-to-hong-kong-redirect-same-results/>.
- [Cimpanu-2019]
- Cimpanu, C., "Russia to disconnect from the internet as part of a planned test", , <https://www.zdnet.com/article/russia-to-disconnect-from-the-internet-as-part-of-a-planned-test/>.
- [CitizenLab-2018]
- Marczak, B., Dalek, J., McKune, S., Senft, A., Scott-Railton, J., and R. Deibert, "Bad Traffic: Sandvine's PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?", , <https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/>.
- [Clayton-2006]
- Clayton, R., Murdoch, S.J., and R.N.M. Watson, "Ignoring the Great Firewall of China", Lecture Notes in Computer Science, Volume 4258, DOI 10.1007/11957454_2, , <https://link.springer.com/chapter/10.1007/11957454_2>.
- [Condliffe-2013]
- Condliffe, J., "Google Announces Massive New Restrictions on Child Abuse Search Terms", , <http://gizmodo.com/google-announces-massive-new-restrictions-on-child-abus-1466539163>.
- [Cowie-2011]
- Cowie, J., "Egypt Leaves The Internet", NANOG 51, , <https://archive.nanog.org/meetings/nanog51/presentations/Tuesday/LT-Cowie-Egypt%20Leaves%20The%20Internet.pdf>.
- [Crandall-2010]
- Park, J.C. and J. Crandall, "Empirical Study of a National-Scale Distributed Intrusion Detection System: Backbone-Level Filtering of HTML Responses in China", , <http://www.cs.unm.edu/~crandall/icdcs2010.pdf>.
- [Dada-2017]
- Dada, T. and P. Micek, "Launching STOP: the #KeepItOn internet shutdown tracker", , <https://www.accessnow.org/keepiton-shutdown-tracker/>.
- [Dalek-2013]
- Dalek, J., Haselton, B., Noman, H., Senft, A., Crete-Nishihata, M., Gill, P., and R. J. Deibert, "A Method for Identifying and Confirming the Use of URL Filtering Products for Censorship", IMC '13: Proceedings of the 2013 conference on Internet measurement conference, Pages 23-30, DOI 10.1145/2504730.2504763, , <http://conferences.sigcomm.org/imc/2013/papers/imc112s-dalekA.pdf>.
- [Ding-1999]
- Ding, C., Chi, C. H., Deng, J., and C. L. Dong, "Centralized Content-Based Web Filtering and Blocking: How Far Can It Go?", IEEE SMC'99 Conference Proceedings, DOI 10.1109/ICSMC.1999.825218, , <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.132.3302&rep=rep1&type=pdf>.
- [DMLP-512]
- Digital Media Law Project, "Protecting Yourself Against Copyright Claims Based on User Content", , <https://www.dmlp.org/legal-guide/protecting-yourself-against-copyright-claims-based-user-content>.
- [Dobie-2007]
- Dobie, M., "Junta tightens media screw", BBC News, , <http://news.bbc.co.uk/2/hi/asia-pacific/7016238.stm>.
- [EC-2012]
- European Commission, "Summary of the results of the Public Consultation on the future of electronic commerce in the Internal Market and the implementation of the Directive on electronic commerce (2000/31/EC)", , <https://ec.europa.eu/information_society/newsroom/image/document/2017-4/consultation_summary_report_en_2010_42070.pdf>.
- [EC-gambling-2012]
- European Commission, "Online gambling in the Internal Market Accompanying the document Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions Towards a comprehensive framework for online gambling", , <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52012SC0345>.
- [EC-gambling-2019]
- European Commission, "Evaluation of regulatory tools for enforcing online gambling rules and channelling demand towards controlled offers", , <https://ec.europa.eu/growth/content/evaluation-regulatory-tools-enforcing-online-gambling-rules-and-channelling-demand-towards-1_en>.
- [EFF-2017]
- Malcom, J., Rossi, G., and M. Stoltz, "Which Internet registries offer the best protection for domain owners?", Electronic Frontier Foundation, , <https://www.eff.org/files/2017/08/02/domain_registry_whitepaper.pdf>.
- [ekr-2021]
- Rescorla, E., "Overview of Apple's Client-side CSAM Scanning", , <https://educatedguesswork.org/posts/apple-csam-intro/>.
- [Elmenhorst-2021]
- Elmenhorst, K., Schuetz, B., Aschenbruck, N., and S. Basso, "Web Censorship Measurements of HTTP/3 over QUIC", IMC '21: Proceedings of the 21st ACM Internet Measurement Conference, Pages 276-282, DOI 10.1145/3487552.3487836, , <https://dl.acm.org/doi/pdf/10.1145/3487552.3487836>.
- [Elmenhorst-2022]
- Elmenhorst, K., "A Quick Look at QUIC Censorship", , <https://www.opentech.fund/news/a-quick-look-at-quic/>.
- [Eneman-2010]
- Eneman, M., "Internet service provider (ISP) filtering of child-abusive material: A critical reflection of its effectiveness", DOI 10.1080/13552601003760014, , <https://www.tandfonline.com/doi/abs/10.1080/13552601003760014>.
- [Ensafi-2013]
- Ensafi, R., Knockel, J., Alexander, G., and J.R. Crandall, "Detecting Intentional Packet Drops on the Internet via TCP/IP Side Channels: Extended Version", DOI 10.48550/arXiv.1312.5739, , <http://arxiv.org/pdf/1312.5739v1.pdf>.
- [Fifield-2015]
- Fifield, D., Lan, C., Hynes, R., Wegmann, P., and V. Paxson, "Blocking-resistant communication through domain fronting", DOI 10.1515/popets-2015-0009, , <https://petsymposium.org/2015/papers/03_Fifield.pdf>.
- [Gatlan-2019]
- Gatlan, S., "South Korea is Censoring the Internet by Snooping on SNI Traffic", , <https://www.bleepingcomputer.com/news/security/south-korea-is-censoring-the-internet-by-snooping-on-sni-traffic/>.
- [Gilad]
- Gilad, Y. and A. Herzberg, "Off-Path TCP Injection Attacks", ACM Transactions on Information and System Security, Volume 16, Issue 4, Article No.: 13, pp. 1-32, DOI 10.1145/2597173, , <https://doi.org/10.1145/2597173>.
- [Glanville-2008]
- Glanville, J., "The big business of net censorship", The Guardian, , <http://www.theguardian.com/commentisfree/2008/nov/17/censorship-internet>.
- [Google-2018]
- "Google Cloud Networking Incident #18018", , <https://status.cloud.google.com/incident/cloud-networking/18018>.
- [Google-RTBF]
- Google, Inc., "Search removal request under data protection law in Europe", , <https://support.google.com/legal/contact/lr_eudpa?product=websearch>.
- [Grover-2019]
- Grover, G., Singh, K., and E. Hickok, Ed., "Reliance Jio is using SNI inspection to block websites", , <https://cis-india.org/internet-governance/blog/reliance-jio-is-using-sni-inspection-to-block-websites>.
- [HADOPI]
- Hadopi, "Hadopi | Haute Autorité pour la diffusion des oeuvres et la protection des droits sur internet", <https://www.hadopi.fr/>.
- [Halley-2008]
- Halley, B., "How DNS cache poisoning works", , <https://www.networkworld.com/article/2277316/tech-primers/tech-primers-how-dns-cache-poisoning-works.html>.
- [Heacock-2009]
- Heacock, R., "China shuts down Internet in Xinjiang region after riots", OpenNet Initiative, , <https://opennet.net/blog/2009/07/china-shuts-down-internet-xinjiang-region-after-riots>.
- [Hepting-2011]
- Wikipedia, "Hepting v. AT&T", , <https://en.wikipedia.org/wiki/Hepting_v._AT%26T&oldid=1175143505>.
- [Hertel-2015]
- Hertel, O., "Comment les autorités peuvent bloquer un site Internet" [How authorities can block a website], , <https://www.sciencesetavenir.fr/high-tech/comment-les-autorites-peuvent-bloquer-un-site-internet_35828>.
- [Hjelmvik-2010]
- Hjelmvik, E. and W. John, "Breaking and Improving Protocol Obfuscation", Technical Report No. 2010-05, ISSN 1652-926X, , <https://www.iis.se/docs/hjelmvik_breaking.pdf>.
- [Husak-2016]
- Husák, M., Čermák, M., Jirsík, T., and P. Čeleda, "HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting", DOI 10.1186/s13635-016-0030-7, , <https://link.springer.com/article/10.1186/s13635-016-0030-7>.
- [ICANN-2012]
- ICANN Security and Stability Advisory Committee, "Guidance for Preparing Domain Name Orders, Seizures & Takedowns", , <https://www.icann.org/en/system/files/files/guidance-domain-seizures-07mar12-en.pdf>.
- [ICANN-SSAC-2012]
- ICANN Security and Stability Advisory Committee (SSAC), "SAC 056: SSAC Advisory on Impacts of Content Blocking via the Domain Name System", , <https://www.icann.org/en/system/files/files/sac-056-en.pdf>.
- [Jones-2014]
- Jones, B., Lee, T-W., Feamster, N., and P. Gill, "Automated Detection and Fingerprinting of Censorship Block Pages", IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference, Pages 299-304, DOI 10.1145/2663716.2663722, , <http://conferences2.sigcomm.org/imc/2014/papers/p299.pdf>.
- [Khattak-2013]
- Khattak, S., Javed, M., Anderson, P.D., and V. Paxson, "Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion", , <http://0b4af6cdc2f0c5998459-c0245c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12389-foci13-khattak.pdf>.
- [Knight-2005]
- Knight, W., "Iranian net censorship powered by US technology", , <https://www.newscientist.com/article/dn7589-iranian-net-censorship-powered-by-us-technology/>.
- [Knockel-2021]
- Knockel, J. and L. Ruan, "Measuring QQMail's automated email censorship in China", FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Free and Open Communications on the Internet, Pages 8-15, DOI 10.1145/3473604.3474560, , <https://dl.acm.org/doi/10.1145/3473604.3474560>.
- [Kravtsova-2012]
- Kravtsova, Y., "Cyberattacks Disrupt Opposition's Election", The Moscow Times, , <http://www.themoscowtimes.com/news/article/cyberattacks-disrupt-oppositions-election/470119.html>.
- [Leyba-2019]
- Leyba, K., Edwards, B., Freeman, C., Crandall, J., and S. Forrest, "Borders and gateways: measuring and analyzing national as chokepoints", COMPASS '19: Proceedings of the 2nd ACM SIGCAS Conference on Computing and Sustainable Societies, pages 184-194, DOI 10.1145/3314344.3332502, , <https://doi.org/10.1145/3314344.3332502>.
- [Li-2017]
- Li, F., Razaghpanah, A., Molavi Kakhki, A., Akhavan Niaki, A., Choffnes, D., Gill, P., and A. Mislove, "lib•erate, (n): a library for exposing (traffic-classification) rules and avoiding them efficiently", DOI 10.1145/3131365.3131376, , <https://david.choffnes.com/pubs/liberate-imc17.pdf>.
- [Lomas-2019]
- Lomas, N., "Github removes Tsunami Democràtic's APK after a takedown order from Spain", , <https://techcrunch.com/2019/10/30/github-removes-tsunami-democratics-apk-after-a-takedown-order-from-spain/>.
- [Marczak-2015]
- Marczak, B., Weaver, N., Dalek, J., Ensafi, R., Fifield, D., McKune, S., Rey, A., Scott-Railton, J., Deibert, R., and V. Paxson, "An Analysis of China's "Great Cannon"", , <https://www.usenix.org/system/files/conference/foci15/foci15-paper-marczak.pdf>.
- [Muncaster-2013]
- Muncaster, P., "Malaysian election sparks web blocking/DDoS claims", The Register, , <http://www.theregister.co.uk/2013/05/09/malaysia_fraud_elections_ddos_web_blocking/>.
- [Murdoch-2008]
- Murdoch, S. J. and R. Anderson, "Tools and Technology of Internet Filtering" in "Access Denied: The Practice and Policy of Global Internet Filtering", DOI 10.7551/mitpress/7617.003.0006, , <https://doi.org/10.7551/mitpress/7617.003.0006>.
- [NA-SK-2019]
- Morgus, R., Sherman, J., and S. Nam, "Analysis: South Korea's New Tool for Filtering Illegal Internet Content", , <https://www.newamerica.org/cybersecurity-initiative/c2b/c2b-log/analysis-south-koreas-sni-monitoring/>.
- [Nabi-2013]
- Nabi, Z., "The Anatomy of Web Censorship in Pakistan", , <http://0b4af6cdc2f0c5998459-c0245c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12387-foci13-nabi.pdf>.
- [NBC-2014]
- NBC News, "Exclusive: Snowden Docs Show UK Spies Attacked Anonymous, Hackers", , <http://www.nbcnews.com/feature/edward-snowden-interview/exclusive-snowden-docs-show-uk-spies-attacked-anonymous-hackers-n21361>.
- [Netsec-2011]
- n3t2.3c, "TCP-RST Injection", , <https://nets.ec/TCP-RST_Injection>.
- [OONI-2018]
- Evdokimov, L., "Iran Protests: DPI blocking of Instagram (Part 2)", , <https://ooni.org/post/2018-iran-protests-pt2/>.
- [OONI-2019]
- Singh, S., Filastò, A., and M. Xynou, "China is now blocking all language editions of Wikipedia", , <https://ooni.org/post/2019-china-wikipedia-blocking/>.
- [Orion-2013]
- Orion, E., "Zimbabwe election hit by hacking and DDoS attacks", Wayback Machine archive, , <https://web.archive.org/web/20130825010947/http://www.theinquirer.net/inquirer/news/2287433/zimbabwe-election-hit-by-hacking-and-ddos-attacks>.
- [Patil-2019]
- Patil, S. and N. Borisov, "What can you learn from an IP?", Proceedings of the Applied Networking Research Workshop, Pages 45-51, DOI 10.1145/3340301.3341133, , <https://irtf.org/anrw/2019/anrw2019-final44-acmpaginated.pdf>.
- [Porter-2005]
- Porter, T., "The Perils of Deep Packet Inspection", , <http://www.symantec.com/connect/articles/perils-deep-packet-inspection>.
- [Rambert-2021]
- Rampert, R., Weinberg, Z., Barradas, D., and N. Christin, "Chinese Wall or Swiss Cheese? Keyword filtering in the Great Firewall of China", DOI 10.1145/3442381.3450076, , <https://www.andrew.cmu.edu/user/nicolasc/publications/Rambert-WWW21.pdf>.
- [Reda-2017]
- Reda, F., "New EU law prescribes website blocking in the name of "consumer protection"", , <https://felixreda.eu/2017/11/eu-website-blocking/>.
- [RFC6066]
- Eastlake 3rd, D., "Transport Layer Security (TLS) Extensions: Extension Definitions", RFC 6066, DOI 10.17487/RFC6066, , <https://www.rfc-editor.org/info/rfc6066>.
- [RFC7624]
- Barnes, R., Schneier, B., Jennings, C., Hardie, T., Trammell, B., Huitema, C., and D. Borkmann, "Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement", RFC 7624, DOI 10.17487/RFC7624, , <https://www.rfc-editor.org/info/rfc7624>.
- [RFC7754]
- Barnes, R., Cooper, A., Kolkman, O., Thaler, D., and E. Nordmark, "Technical Considerations for Internet Service Blocking and Filtering", RFC 7754, DOI 10.17487/RFC7754, , <https://www.rfc-editor.org/info/rfc7754>.
- [RFC7858]
- Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., and P. Hoffman, "Specification for DNS over Transport Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, , <https://www.rfc-editor.org/info/rfc7858>.
- [RFC8484]
- Hoffman, P. and P. McManus, "DNS Queries over HTTPS (DoH)", RFC 8484, DOI 10.17487/RFC8484, , <https://www.rfc-editor.org/info/rfc8484>.
- [RFC8744]
- Huitema, C., "Issues and Requirements for Server Name Identification (SNI) Encryption in TLS", RFC 8744, DOI 10.17487/RFC8744, , <https://www.rfc-editor.org/info/rfc8744>.
- [RFC9000]
- Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Multiplexed and Secure Transport", RFC 9000, DOI 10.17487/RFC9000, , <https://www.rfc-editor.org/info/rfc9000>.
- [RFC9293]
- Eddy, W., Ed., "Transmission Control Protocol (TCP)", STD 7, RFC 9293, DOI 10.17487/RFC9293, , <https://www.rfc-editor.org/info/rfc9293>.
- [Rushe-2014]
- Rushe, D., "Bing censoring Chinese language search results for users in the US", The Guardian, , <http://www.theguardian.com/technology/2014/feb/11/bing-censors-chinese-language-search-results>.
- [RWB-2020]
- Reporters Without Borders (RSF), "2020 World Press Freedom Index: 'Entering a decisive decade for journalism, exacerbated by coronavirus'", , <https://rsf.org/en/2020-world-press-freedom-index-entering-decisive-decade-journalism-exacerbated-coronavirus>.
- [Sandvine-2015]
- Sandvine, "Internet Traffic Classification: A Sandvine Technology Showcase", , <https://www.researchgate.net/profile/Nirmala-Svsg/post/Anybody-working-on-Internet-traffic-classification/attachment/59d63a5779197b807799782d/AS%3A405810988503040%401473764287142/download/traffic-classification-identifying-and-measuring-internet-traffic.pdf>.
- [Satija-2021]
- Satija, S. and R. Chatterjee, "BlindTLS: Circumventing TLS-based HTTPS censorship", FOCI '21: Proceedings of the ACM SIGCOMM 2021 Workshop on Free and Open Communications on the Internet, Pages 43-49, DOI 10.1145/3473604.3474564, , <https://sambhav.info/files/blindtls-foci21.pdf>.
- [Schoen-2007]
- Schoen, S., "EFF tests agree with AP: Comcast is forging packets to interfere with user traffic", , <https://www.eff.org/deeplinks/2007/10/eff-tests-agree-ap-comcast-forging-packets-to-interfere>.
- [Senft-2013]
- Crete-Nishihata, M., Dalek, J., Hardy, S., Hilts, A., Kleemola, K., Ng, J., Poetranto, I., Senft, A., Sinpeng, A., Sonne, B., and G. Wiseman, "Asia Chats: Analyzing Information Controls and Privacy in Asian Messaging Applications", , <https://citizenlab.org/2013/11/asia-chats-analyzing-information-controls-privacy-asian-messaging-applications/>.
- [Shbair-2015]
- Shbair, W. M., Cholez, T., Goichot, A., and I. Chrisment, "Efficiently Bypassing SNI-based HTTPS Filtering", , <https://hal.inria.fr/hal-01202712/document>.
- [Siddiqui-2022]
- Siddiqui, A., "Lesson Learned: Twitter Shored Up Its Routing Security", , <https://www.manrs.org/2022/03/lesson-learned-twitter-shored-up-its-routing-security/>.
- [SIDN-2020]
- Moura, G., "Detecting and Taking Down Fraudulent Webshops at the .nl ccTLD", , <https://labs.ripe.net/Members/giovane_moura/detecting-and-taking-down-fraudulent-webshops-at-a-cctld>.
- [Singh-2019]
- Singh, K., Grover, G., and V. Bansal, "How India Censors the Web", DOI 10.48550/arXiv.1912.08590, , <https://arxiv.org/abs/1912.08590>.
- [Sophos-2023]
- Sophos, "Sophos Firewall: Web filtering basics", , <https://support.sophos.com/support/s/article/KB-000036518?language=en_US>.
- [SSAC-109-2020]
- ICANN Security and Stability Advisory Committee (SSAC), "SAC109: The Implications of DNS over HTTPS and DNS over TLS", , <https://www.icann.org/en/system/files/files/sac-109-en.pdf>.
- [Tang-2016]
- Tang, C., "In-depth analysis of the Great Firewall of China", , <https://www.cs.tufts.edu/comp/116/archive/fall2016/ctang.pdf>.
- [Thomson-2012]
- Thomson, I., "Syria cuts off internet and mobile communication", The Register, , <http://www.theregister.co.uk/2012/11/29/syria_internet_blackout/>.
- [TLS-ESNI]
- Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS Encrypted Client Hello", Work in Progress, Internet-Draft, draft-ietf-tls-esni-17, , <https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17>.
- [Tor-2019]
- Tor, "Tor: Pluggable Transports", , <https://2019.www.torproject.org/docs/pluggable-transports.html.en>.
- [Trustwave-2015]
- Trustwave, "Filter : SNI extension feature and HTTPS blocking", , <https://www3.trustwave.com/software/8e6/hlp/r3000/files/1system_filter.html>.
- [Tschantz-2016]
- Tschantz, M., Afroz, S., Anonymous, and V. Paxson, "SoK: Towards Grounding Censorship Circumvention in Empiricism", DOI 10.1109/SP.2016.59, , <https://oaklandsok.github.io/papers/tschantz2016.pdf>.
- [Van-der-Sar-2007]
- Van der Sar, E., "How To Bypass Comcast's BitTorrent Throttling", , <https://torrentfreak.com/how-to-bypass-comcast-bittorrent-throttling-071021>.
- [Verkamp-2012]
- Verkamp, J. P. and M. Gupta, "Inferring Mechanics of Web Censorship Around the World", , <https://www.usenix.org/system/files/conference/foci12/foci12-final1.pdf>.
- [Victor-2019]
- Victor, D., "Blizzard Sets Off Backlash for Penalizing Hearthstone Gamer in Hong Kong", The New York Times, , <https://www.nytimes.com/2019/10/09/world/asia/blizzard-hearthstone-hong-kong.html>.
- [Villeneuve-2011]
- Villeneuve, N. and M. Crete-Nishihata, "Open Access: Chapter 8, Control and Resistance, Attacks on Burmese Opposition Media", , <http://access.opennet.net/wp-content/uploads/2011/12/accesscontested-chapter-08.pdf>.
- [VonLohmann-2008]
- VonLohmann, F., "FCC Rules Against Comcast for BitTorrent Blocking", , <https://www.eff.org/deeplinks/2008/08/fcc-rules-against-comcast-bit-torrent-blocking>.
- [Wagner-2009]
- Wagner, B., "Deep Packet Inspection and Internet Censorship: International Convergence on an 'Integrated Technology of Control'", Global Voices Advocacy, , <http://advocacy.globalvoicesonline.org/wp-content/uploads/2009/06/deeppacketinspectionandinternet-censorship2.pdf>.
- [Wagstaff-2013]
- Wagstaff, J., "In Malaysia, online election battles take a nasty turn", NBC News, , <https://www.nbcnews.com/tech/tech-news/malaysia-online-election-battles-take-nasty-turn-flna6c9783842>.
- [Wang-2017]
- Wang, Z., Cao, Y., Qian, Z., Song, C., and S.V. Krishnamurthy, "Your State is Not Mine: A Closer Look at Evading Stateful Internet Censorship", DOI 10.1145/3131365.3131374, , <https://www.cs.ucr.edu/~zhiyunq/pub/imc17_censorship_tcp.pdf>.
- [Wang-2020]
- Wang, Z., Zhu, S., Cao, Y., Qian, Z., Song, C., Krishnamurthy, S.V., Chan, K.S., and T.D. Braun, "SYMTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery", DOI 10.14722/ndss.2020.24083, , <https://www.cs.ucr.edu/~zhiyunq/pub/ndss20_symtcp.pdf>.
- [Weaver-2009]
- Weaver, N., Sommer, R., and V. Paxson, "Detecting Forged TCP Reset Packets", , <http://www.icir.org/vern/papers/reset-injection.ndss09.pdf>.
- [Whittaker-2013]
- Whittaker, Z., "1,168 keywords Skype uses to censor, monitor its Chinese users", , <http://www.zdnet.com/1168-keywords-skype-uses-to-censor-monitor-its-chinese-users-7000012328/>.
- [Wikip-DoS]
- Wikipedia, "Denial-of-service attack", , <https://en.wikipedia.org/w/index.php?title=Denial-of-service_attack&oldid=710558258>.
- [Wilde-2012]
- Wilde, T., "Knock Knock Knockin' on Bridges Doors", The Tor Project, , <https://blog.torproject.org/blog/knock-knock-knockin-bridges-doors>.
- [Winter-2012]
- Winter, P. and S. Lindskog, "How China Is Blocking Tor", , <http://arxiv.org/pdf/1204.0447v1.pdf>.
- [WP-Def-2020]
- Wikipedia, "Censorship", , <https://en.wikipedia.org/w/index.php?title=Censorship&oldid=943938595>.
- [Wright-2013]
- Wright, J. and Y. Breindl, "Internet filtering trends in liberal democracies: French and German regulatory debates", DOI 10.14763/2013.2.122, , <https://policyreview.info/articles/analysis/internet-filtering-trends-liberal-democracies-french-and-german-regulatory-debates>.
- [Zhu-2011]
- Zhu, T., Bronk, C., and D.S. Wallach, "An Analysis of Chinese Search Engine Filtering", DOI 10.48550/arXiv.1107.3794, , <http://arxiv.org/ftp/arxiv/papers/1107/1107.3794.pdf>.
- [Zmijewski-2014]
- Zmijewski, E., "Turkish Internet Censorship Takes a New Turn", Wayback Machine archive, , <http://web.archive.org/web/20200726222723/https://blogs.oracle.com/internetintelligence/turkish-internet-censorship-takes-a-new-turn>.
- from https://datatracker.ietf.org/doc/html/rfc9505.txt
No comments:
Post a Comment