Exposing and Circumventing SNI-based QUIC Censorship of the Great Firewall of China (USENIX Security 2025)
Title: Exposing and Circumventing SNI-based QUIC Censorship of the Great Firewall of China
Authors: Ali Zohaib*, Qiang Zao*, Jackson Sippe, Abdulrahman Alaraj, Amir Houmansadr, Zakir Durumeric, Eric Wustrow
Paper (HTML): https://gfw.report/publications/usenixsecurity25/en/
Chinese translation (HTML): 揭示并绕过中国防火长城基于SNI的QUIC封锁机制
Source code and open dataset
Slides (PDF)
Abstract
Despite QUIC handshake packets being encrypted, the Great Firewall of China (GFW) has begun blocking QUIC connections to specific domains since April 7, 2024. In this work, we measure and characterize the GFW’s censorship of QUIC to understand how and what it blocks. Our measurements reveal that the GFW decrypts QUIC Initial packets at scale, applies heuristic filtering rules, and uses a blocklist distinct from its other censorship mechanisms. We expose a critical flaw in this new system: the computational overhead of decryption reduces its effectiveness under moderate traffic loads. We also demonstrate that this censorship mechanism can be weaponized to block UDP traffic between arbitrary hosts in China and the rest of the world. We collaborate with various open-source communities to integrate circumvention strategies into Mozilla Firefox, the quic-go library, and all major QUIC-based circumvention tools.
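Abstract (translated from the Chinese version)
Although QUIC handshake packets are encrypted, the Great Firewall of China (GFW) has been blocking QUIC connections to specific domains since April 7, 2024. In this study, we measure and analyze the GFW's censorship of QUIC to understand how it blocks and what it blocks. Our measurements show that the GFW is able to decrypt QUIC Initial packets at scale, applies heuristic filtering rules, and uses a blocklist that differs from those of its other censorship mechanisms. We reveal a key flaw in this new system: the computational overhead of decryption weakens its blocking effectiveness even under moderate traffic loads. We also show how this censorship mechanism can be abused to block UDP traffic between arbitrary hosts in China and the rest of the world. We worked with several open-source communities to integrate circumvention strategies into Mozilla Firefox, the quic-go library, and all major QUIC-based circumvention tools.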
The SNI-slicing feature (implemented through client Initial Fragmentation) was included in the Neqo v0.12.0 release on January 27, 2025 [24, 50]. Mozilla Firefox has since integrated this feature and shipped it as a default feature in version 137 on April 30, 2025 [24, 47] (configurable via the network.http.http3.sni-slicing parameter in the about:config page).
As of June 2025, we are working with the Mozilla Neqo and Firefox team to integrate a complementary circumvention technique (prepending dummy payload before the handshake) in Mozilla Firefox for more resilience against the GFW [72].
My goddess, you have turned Mozilla Firefox into a wall-climbing browser?
Is this the reason why Mozilla's Beijing branch, Mouzhi, announced shutting down 1 week after version 137?
On May 8, 2025, Mozilla and Beijing (Mouzhi) Firefox reached an agreement that Beijing (Mouzhi) Firefox will no longer operate the Firefox browser and any Firefox-related business in mainland China. www.firefox.com.cn (archived)
@gfw-report @wkrp I believe that adding functionality solely for anti-censorship purposes to general-purpose libraries like quic-go is questionable. Hastily integrating anti-censorship functionality into general-purpose libraries like quic-go and Mozilla Firefox could potentially worsen relations between the government and the project owners, leading to restrictions on widely used software and technologies like QUIC. This is a questionable ethical consideration.
worsen relations between the government...
It would be more questionable if the project owner had good guanxi (relations) with an evil government.
Ghost? Don't even dare to keep your account after defending Beijing.
Beijing Mouzhi is not a respectful company anyway, their version of Firefox is always shipped with closed-source extensions and was found with affiliate hijacking malware in 2013 (they even stated it as "do some evil here" themselves in code comments).
The top result when searching Mouzhi Firefox in Google is how to avoid downloading the Chinese edition.
To @wkrp: I don't think @UjuiUjuMandan's comments are appropriate for this community.
I also don't want to debate the morality of "Beijing Mouzhi"'s actions, as it's pointless and I have no interest in researching and proving them.
Technology neutrality is a consensus among most open source communities, and integrating anti-censorship features into QUIC-Go may violate this principle because RFC 9000 itself does not define the SNI slicing feature integrated in quic-go v0.52.0.
The article also states:
As of June 2025, we are working with a major open-source web browser to integrate a complementary circumvention technique (prepending a dummy payload before the handshake) for greater resilience against the GFW.
Integrating anti-censorship projects into "mainstream browsers" is also unwise. This could result in the browser being banned in mainland China and other regions, or in the emergence of government-backed pirated or regionalized versions, such as the mainland China version of Mozilla led by "Beijing Mouzhi," as mentioned by @UjuiUjuMandan.
@CensorCN Stop mentioning me already. "Joined 2 hours ago" and will delete account in 1 day. Blocked.
Wow, already deleted themself just after I replied.
Archived: https://archive.today/2025.08.12-114300/https://github.com/CensorCN
Guess you're now registering more accounts for propaganda, but I won't reply to you anymore.
Technology neutrality
Talking about technology neutrality only when it defends your censorship. Kicking out network neutrality when it harms local big techs.
I believe that adding functionality solely for anti-censorship purposes to general-purpose libraries like quic-go is questionable.
I agree that everyone in the field should ask themselves questions like these. I agree that the outcome of an experiment like this is uncertain, and that there are tactical considerations behind what circumvention ideas to try and when. (You can see some thinking along these lines in "Censorship Resistance: Let a Thousand Flowers Bloom?".)
But the argument cuts both ways. It is equally a debatable ethical claim that one should try to anticipate what the state will want from you, and fit yourself into that mold before even being asked. Carrying out the will of the state is not an ethically neutral act—if you decide to do it, it should be with proper forethought and evaluation of alternatives. And consider that you have more power than you think. The fact that QUIC is not blocked outright is not only by grace of the censors—even governments are subject to practical constraints on what they may accomplish.
On Tyranny says:
Do not obey in advance.
Most of the power of authoritarianism is freely given. In times like these, individuals think ahead about what a more repressive government will want, and then offer themselves without being asked. A citizen who adapts in this way is teaching power what it can do.
If our tools are only for bypassing censorship, it’s easy to block and politically costly to defend. If our protocol carries everything — from political speech to cute cat pics — we create the Dictator’s Dilemma:
- Block it, and they break the internet for everyone, costing themselves.
- Leave it, and the information they want to suppress still gets through.
It's Cute Cat Theory in action: make free expression ride along with the everyday things people love and need. The goal isn’t to hide activism — it’s to make it part of the internet’s ordinary operation, so censorship always comes with a heavy economy.