Russian DPI check supported_groups extension in ServerHello payload (byte 0x5a in udp packet).
It looks for DTLS packet header “magic” “16 FE FD” and then looks for “1D 00 17 00 18” at 0x5a offset.
But in this case, the offset of the byte pattern appears to be targeting the Snowflake Client Hello, not the Server Hello. Presence of supported_groups in Client Hello is not a bug, but the offset of the extension is still a fingerprinting feature.
At this point there is no information about which ISPs may be affected (whether it’s one ISP, all TSPU, etc.).
The filter is applied for both DTLS v1.0 in record (16 fe ff), which is used by both Chrome and Firefox in ClientHello, and DTLS v1.2 in record (16 fe fd), which is used at least by Jitsi Meet, all at offset 0. Then, 1D 00 17 00 18 at 0x6f offset is checked. This is indeed different than the previous offset 0x5a (which is also blocked).
I have tested filtering only by sending the packets from Russia, not to Russia.
So, in the end, as for 19 May 2022, the filter is applied to:
Thank you, that is interesting. I asked the Tor anti-censorship team to find out the offset to supported_groups produced by current versions of snowflake-client and the standalone proxy.
In February/March 2022 there was a report here about WebRTC in Chrome not working; it could be related?
There’s another dedicated topic for filtering WebRTC. Nobody so far had provided me an access/a link/whatsoever to reproduce the issue. All the services with WebRTC which I use work fine.