Web Censorship Measurements of HTTP/3 over QUIC
Kathrin Elmenhorst, Bertram Schütz, Nils Aschenbruck, Simone Basso
The paper is about extending OONI Probe with support for HTTP/3, and the results of testing HTTP/3 accessibility in four countries between January and March 2021. HTTP/3 is HTTP that runs over QUIC (UDP) rather than TCP+TLS. QUIC is newer than TCP and TLS (and therefore possibly less familiar to censors), and it has some features that make it naturally more resistant to blocking. For example, QUIC’s equivalent to the TCP RST flag, the RESET_STREAM frame, is authenticated, meaning it is not possible for a middlebox to tear down an established connection by injecting packets, as is often done with TCP. Also, while QUIC uses TLS and therefore includes SNI in its handshake, the SNI is not directly visible on the wire: it and other early handshake fields are encrypted with a non-secret key. Because the encryption key is not secret, a middlebox can recover the SNI by doing a decryption, but it needs to actually do the decryption.
The authors extended the URLGetter test with support for HTTP/3, using the quic-go package. They took the Citizen Lab test lists and the top 4000 sites from the Tranco list, and pre-filtered the URLs to remove the ones without HTTP/3 support, after which about 5% remained. For better safety of OONI Probe users, they removed all URLs in the categories XED, PORN, DATE, REL, and LGBT. They pre-resolved domain names to IP addresses, in order to eliminate any interference from DNS blocking. For each URL, they made two simultaneous requests, one using TCP and one using QUIC. They ran the experiment in 6 ASes in 4 countries. In some cases, they ran OONI Probe in the usual way, on the devices of volunteers, but they also augmented test coverage by running OONI Probe on VPNs and VPSes. After the OONI URLGetter experiments were finished, they did a second scan for HTTP/3 support among the target URLs, in order to remove any that had inconsistent HTTP/3 support.
| Country | Vantage points | Finding |
|---|---|---|
| China | VPS | QUIC unblocks some URLs, but IP blocking affects TCP and QUIC equally. |
| India | VPS, user devices | QUIC unblocks some URLs, but IP blocking affects TCP and QUIC equally. |
| Iran | VPS | QUIC unblocks some URLs, and a small fraction of URLs is blocked only with QUIC. |
| Kazakhstan | VPN | No evidence of QUIC censorship, though TCP censorship is present. |
Figure 3 is a good summary of the results. In general, QUIC connections experienced somewhat less blocking than TCP connections. In China and India, many sites are blocked by IP address; those are inaccessible whether using TCP or QUIC. But some sites are blocked by other means, such as TCP+TLS SNI filtering, and these become accessible when using QUIC. In Iran, a large fraction of sites that are SNI-filtered become available over QUIC (the same sites are reachable over TCP, if you use a fake SNI). But in Iran there also appears to be UDP endpoint blocking; that is, blocking of IP addresses, but only in combination with use of UDP. This causes about 4% of sites to be reachable over TCP but not over QUIC.
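As an added example (not the paper's or OONI's own analysis code), the following Python reproduces the comparison behind the per-country results above on constructed records shaped like the URL Getter test_keys quoted later on this page. Each URL has one TCP and one QUIC outcome, and the pair is mapped to accessible, blocked on both transports (consistent with IP blocking), TCP-only blocked (QUIC unblocks the site) or QUIC-only blocked (consistent with UDP endpoint blocking). It also carries over the paper's second HTTP/3 support scan as a control set: a QUIC failure on a site that did not reliably serve HTTP/3 is marked inconclusive instead of being blamed on the network. The transport field on each record, the control set, and every failure string other than the quic_handshake/generic_timeout_error pair shown on this page are assumptions made for the sample.

```python
import json
from collections import Counter, defaultdict

ACCESSIBLE = "accessible"
BLOCKED_BOTH = "blocked_both"       # both transports fail: consistent with IP blocking
TCP_ONLY = "tcp_only_blocked"       # TCP fails, QUIC works: QUIC unblocks the site
QUIC_ONLY = "quic_only_blocked"     # QUIC fails, TCP works: consistent with UDP endpoint blocking
INCONCLUSIVE = "inconclusive"       # site did not reliably serve HTTP/3 in the control scan

# Constructed sample records (assumption: the "transport" field is not an OONI
# key; it only tags which of the two simultaneous requests a record came from).
SAMPLE_JSONL = """\
{"input": "https://site-a.example/", "transport": "tcp", "test_keys": {"failed_operation": null, "failure": null}}
{"input": "https://site-a.example/", "transport": "quic", "test_keys": {"failed_operation": null, "failure": null}}
{"input": "https://site-b.example/", "transport": "tcp", "test_keys": {"failed_operation": "tcp_connect", "failure": "generic_timeout_error"}}
{"input": "https://site-b.example/", "transport": "quic", "test_keys": {"failed_operation": "quic_handshake", "failure": "generic_timeout_error"}}
{"input": "https://site-c.example/", "transport": "tcp", "test_keys": {"failed_operation": "tls_handshake", "failure": "connection_reset"}}
{"input": "https://site-c.example/", "transport": "quic", "test_keys": {"failed_operation": null, "failure": null}}
{"input": "https://site-d.example/", "transport": "tcp", "test_keys": {"failed_operation": null, "failure": null}}
{"input": "https://site-d.example/", "transport": "quic", "test_keys": {"failed_operation": "quic_handshake", "failure": "generic_timeout_error"}}
{"input": "https://site-e.example/", "transport": "tcp", "test_keys": {"failed_operation": null, "failure": null}}
{"input": "https://site-e.example/", "transport": "quic", "test_keys": {"failed_operation": "quic_handshake", "failure": "generic_timeout_error"}}
"""

# Constructed control set: URLs that served HTTP/3 consistently in both support
# scans (site-e deliberately left out to exercise the inconclusive branch).
HTTP3_CONTROL = {
    "https://site-a.example/",
    "https://site-b.example/",
    "https://site-c.example/",
    "https://site-d.example/",
}


def load_sample(jsonl: str = SAMPLE_JSONL) -> list:
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def classify(tcp_failure, quic_failure, http3_supported: bool) -> str:
    """Map one URL's TCP and QUIC outcomes to a blocking category.

    Failure values are OONI-style failure strings, or None on success.
    A QUIC failure is only attributed to the network when the control scan
    showed the site serving HTTP/3; otherwise the site itself is suspect.
    """
    if quic_failure is not None and not http3_supported:
        return INCONCLUSIVE
    if tcp_failure is None and quic_failure is None:
        return ACCESSIBLE
    if tcp_failure is not None and quic_failure is not None:
        return BLOCKED_BOTH
    if tcp_failure is not None:
        return TCP_ONLY
    return QUIC_ONLY


def pair_by_url(measurements: list) -> dict:
    """Group records so each URL maps transport -> (failed_operation, failure)."""
    by_url = defaultdict(dict)
    for m in measurements:
        tk = m["test_keys"]
        by_url[m["input"]][m["transport"]] = (tk["failed_operation"], tk["failure"])
    return by_url


def summarize(measurements: list, http3_control: set) -> dict:
    """Return {url: category} for every URL that has both a TCP and a QUIC record."""
    verdicts = {}
    for url, results in pair_by_url(measurements).items():
        if "tcp" not in results or "quic" not in results:
            continue  # a one-sided measurement cannot be compared
        verdicts[url] = classify(results["tcp"][1], results["quic"][1], url in http3_control)
    return verdicts


def fractions(verdicts: dict) -> dict:
    """Share of URLs in each category, the quantity Figure 3 of the paper reports."""
    counts = Counter(verdicts.values())
    total = sum(counts.values())
    return {label: n / total for label, n in counts.items()}


if __name__ == "__main__":
    v = summarize(load_sample(), HTTP3_CONTROL)
    for url, label in sorted(v.items()):
        print(f"{url:28} {label}")
    print(fractions(v))
```

The inconclusive branch is the part worth keeping when adapting this to real OONI data: without the control scan, a site that had simply switched HTTP/3 off between the pre-filter and the measurement would be counted as QUIC-only blocking and inflate the UDP endpoint blocking figure.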
The HTTP/3 test is still considered experimental, and is not run by default. To see the measurements in OONI Explorer, select the “URL Getter” test and uncheck the “Hide failed measurements” box:
In this measurement from China, for example, one can see that a fetch of https://dns.google/ failed because the QUIC handshake timed out.
"failed_operation": "quic_handshake", "failure": "generic_timeout_error",