Paper summary: BlindTLS: Circumventing TLS-based HTTPS censorship (FOCI 2021)

BlindTLS: Circumventing TLS-based HTTPS censorship
Sambhav Satija, Rahul Chatterjee
https://dl.acm.org/doi/10.1145/3473604.3474564

The paper presents a way to protect TLS connections from certain forms of blocking, making use of TLS 1.2 session resumption. The most highly distinguishing features of a TLS connection come at the very beginning, during the handshake. This is when the client reveals the destination host in its DNS query and TLS SNI, and the server reveals its identity in the certificate (which is plaintext in TLS 1.2 and earlier). The idea of BlindTLS is to do the TLS handshake—and only the handshake—over an encrypted, unblockable proxy, letting the connection persist just long enough to acquire a session ticket. Then, disconnect from the proxy, connect directly to the TLS server, and resume the session already started. Session resumption does not involve a new DNS query or the sending of the server certificate, so those features are not available to a censor. Resuming a session does require sending an SNI, so it is necessary to use a false SNI.

The authors’ experiments find that BlindTLS works with about 50% of TLS 1.2 servers, whether sampled from Alexa top sites or from sites known to be blocked by Jio, an ISP in India. The main causes of failure were that the server did not support session resumption (did not issue the client a session ticket), or that the server enforced an SNI match in the resumed session.

The benefit of BlindTLS, compared to using the encrypted proxy for the entire connection, is better performance, as the bulk of communication is carried out directly with the destination TLS server, with no intermediary. Compared to domain fronting, BlindTLS has the benefit that the client may authenticate against the destination TLS server’s own certificate (not the certificate of a front domain). Compared to proposed TLS 1.3 protocol extensions like ESNI and ECH, which would also hide the SNI value but whose deployment is uncertain, session resumption is already widely used and difficult to block.

Thanks to the authors for reviewing a draft of this summary.
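
What the direct, resumed connection exposes in its first message, as an added example that is not from the paper or its authors: the sketch below builds two constructed TLS 1.2 ClientHello records and parses them the way a passive on-path observer would, reading the SNI and the RFC 5077 SessionTicket extension. The host names, the ticket bytes and the function names `build_client_hello` and `observe` are illustrative assumptions.

```python
import struct

EXT_SNI, EXT_SESSION_TICKET = 0, 35  # extension types from RFC 6066 and RFC 5077

def build_client_hello(sni: str, ticket: bytes = b"") -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    name = sni.encode("ascii")
    # server_name_list length, name_type 0 (host_name), name length, name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", EXT_SNI, len(sni_body)) + sni_body
    exts += struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    body = (b"\x03\x03" + bytes(32)      # client_version, random (zeros here)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def observe(record: bytes) -> dict:
    """Return the plaintext fields an on-path observer can read from a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                     # record + handshake headers, version, random
    pos += 1 + record[pos]               # skip session_id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # skip cipher_suites
    pos += 1 + record[pos]               # skip compression_methods
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    seen = {"sni": None, "ticket_len": None}
    while pos + 4 <= min(end, len(record)):
        etype, elen = struct.unpack_from("!HH", record, pos)
        data = record[pos + 4:pos + 4 + elen]
        if etype == EXT_SNI and len(data) >= 5:
            nlen = int.from_bytes(data[3:5], "big")
            seen["sni"] = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == EXT_SESSION_TICKET:
            seen["ticket_len"] = elen    # the ticket itself is opaque to the observer
        pos += 4 + elen
    # An empty ticket extension only requests a ticket; a non-empty one offers resumption.
    seen["resumption_attempt"] = bool(seen["ticket_len"])
    return seen

if __name__ == "__main__":
    print(observe(build_client_hello("blocked.example")))              # full handshake
    print(observe(build_client_hello("unrelated.example", bytes(96)))) # resumed, false SNI
```

The second record carries only an SNI unrelated to the destination and an opaque ticket; the certificate exchange that would follow a full handshake is not modeled here.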