Comments for /publications/usenixsecurity25/en/

Comment #1025

2025-11-09T11:23:08.088527Z

Notably, a substantial number of googlevideo.com subdomains (35,443) appeared on the blocklist, suggesting a broader blocking rule targeting *.googlevideo.com

Hi, could you publish a list of possible blocking rules? I found a useful script:

https://github.com/ooni/probe/issues/2834#issuecomment-2564856033

Comment #670

2025-08-06T06:46:16.702291Z

Thanks for your presentation of freedom of expression.

Comment #669

2025-08-05T17:11:34.193392Z

希⁢望⁢这⁢攻⁢击⁢漏⁢洞⁢早⁢日⁢修⁢复⁢，⁢以⁢及⁢强⁢化⁢可⁢预⁢见⁢未⁢来⁢会⁢大⁢规⁢模⁢使⁢用⁢的⁢Q⁢U⁢I⁢C⁢审⁢查⁢，⁢ ⁢在⁢防⁢火⁢墙⁢防⁢护⁢下⁢都⁢有⁢这⁢么⁢多⁢傻⁢逼⁢，⁢可⁢预⁢见⁢没⁢有⁢防⁢火⁢墙⁢傻⁢逼⁢只⁢会⁢更⁢多

Comment #657

2025-08-01T08:32:46.034435Z

Thank you for sharing your test. We only contacted Fang Binxing once on Thu, 23 Jan 2025. At that time, our email was not bounced back. It's possible that this email address got more attentions and has thus been removed.

Comment #656

2025-08-01T08:28:56.616812Z

That's true. A few line of code using python scapy sendpfast/tcpreplay to send a recorded QUIC Initial should be enough. In the paper, we demonstrated that it's feasible to overwhelm the censor empirically, however, we don't think it's necessary or the most effective to overwhelm the censor for censorship circumvention:

The GFW's slowness in decryption could be improved if the censor got enough time, resources, and motivation. It will likely take the censor quiet some time to actually improve it, given its fundamental inflexibility (see our essay: https://github.com/net4people/bbs/issues/136);
In terms of censorship circumvention, there's better censorship circumvention strategies. For example, one may first send legitimate QUIC Initials with wrong but uncensored SNI (e.g. baidu.com), and then send the real intended QUIC Initial with the censored SNI (e.g. google.com). The destination server will ignore the first packet since it's SNI doesn't match the server's domain name, but will accept the second one. The GFW, however, will have to make sure to inspect more packets after a QUIC Initial for each connection, which may be costly to track flows.

Comment #655

2025-08-01T08:12:55.920020Z

Have you noticed that the PGP key CNCERT published on their site since 2003 is too weak to be trusted now?

Good catch. We indeed noticed that, and that's part of the reason why we didn't use PGP encryption on the email to CNCERT: we were not even sure if they still had the private key to decrypt our message, should we send an encrypted message.

Comment #654

2025-08-01T08:10:15.489333Z

Looking at the Venn diagram at 4.1, I had a feeling that such domain blacklists are decentralized among different entities, like the sensitive keyword list also varies among different Chinese social platforms. For example, the TLS SNI list is probably managed by cybersecurity company Q, and the QUIC one is done by Z... CNCERT's cooperation companies: https://web.archive.org/web/20250315145412/https://www.cert.org.cn/publish/main/32/10.html

It's a very plausible hypothesis that difference companies and groups are maintaining different censorship devices as part of the GFW. Anonymous et al. found that even for DNS censorship, there are at least three difference DNS Injectors that have different parsing logic, different packet fingerprints, and different block lists (see Table 3 of Anonymous et al. https://gfw.report/publications/foci20_dns/en/#tbl:3-summary-dns-injectors-dns-aa-ip-df-flags).

Comment #652

2025-08-01T07:25:26.251933Z

Did your email arrive his mailbox?

fangbx@iie.ac.cn

I tried sending to this address but got a <fangbx@iie.ac.cn>: host mx.cstnet.cn[159.226.251.12] said: 550 User not found: fangbx@iie.ac.cn (in reply to RCPT TO command).

Comment #649

2025-08-01T02:56:19.758640Z

Given that it takes a very small amount of bandwidth to disrupt the GFW, I suppose someone can come up with a easier-to-deploy version of the degradation attack to really do some distributed damage. Doing the public some good for a low cost.

Comment #648

2025-08-01T01:35:15.599879Z

Xiausescu? In topic please.

Comment #646

2025-08-01T01:13:52.706515Z

习近平死！！！

Comment #645

2025-07-31T06:50:27.314968Z

Looking at the Venn diagram at 4.1, I had a feeling that such domain blacklists are decentralized among different entities, like the sensitive keyword list also varies among different Chinese social platforms.

For example, the TLS SNI list is probably managed by cybersecurity company Q, and the QUIC one is done by Z...

CNCERT's cooperation companies: https://web.archive.org/web/20250315145412/https://www.cert.org.cn/publish/main/32/10.html

Responsible Disclosure. We shared our findings on China’s QUIC censorship and the circumvention strategies with the anti-censorship and open-source communities. In specific, we contacted

~~lol, the only entities you didn't contact is leaders and operators of Great Firewall, says Cyberspace Administration of China.~~ No, you actually did at the end.

Have you noticed that the PGP key CNCERT published on their site since 2003 is too weak to be trusted now?