TSPU: Russia's Firewall and Defending Against the Future of Digital Repression

Presented at DEF CON 33 (2025), Aug. 9, 2025, 2 p.m. (45 minutes).

When the first measurement studies of the GFW came out in the early 2000s, computation and power consumption were 30,000X greater than they are today. Because of this, China’s GFW resided deeper in the network and further away from homes and data centers. The substantial increase in computational efficiency has made processing and filtering in-path and near connection end-points viable while the volume of network traffic in today’s Internet has made this design a virtual necessity. Russia’s censorship apparatus, the TSPU, has emerged as a state-of-the-art system, on par with the GFW, and a potentially more significant threat, particularly for users of Russian apps and data centers. There are two reasons for this. First, Russia’s design, which places censors in-path and closer to end-hosts (residential modems and data center connections), permits more granular, targeted attacks. Second, according to the Russian government, sanctions have compelled them to build their own certificate authority and require all Russian software to trust this certificate authority. Combining these two factors implies major threats to users interacting with Russian data centers and software. Fortunately, research has identified cases where the TSPU can be circumvented. New tools based on these ideas could be the future of circumvention. 

Presenters:

  • Benjamin "bmixonbaca" Mixon-Baca
    I am a security researcher focused on Internet Freedom, censorship circumvention, and pwning middleboxes, firewalls, and other devices that are supposed to keep me "safe". I have developed attacks against VPN software. The one relevant to this presentation is CVE-2021-3773. This vulnerability affects VPNs but is actually because of issues in the firewall/connection tracking framework (e.g., Netfilter) of the underlying OS running the VPN. An attacker can use this vulnerability to redirect packets in various ways and can even let an attacker escalate from adjacent to in-path between the victim and VPN server. I applied insights I gained while developing this attack to testing the TSPU and was able to develop bypass strategies. This is because the underlying design of connection tracking frameworks, such as how they track TCP states and direction, is basically the same for both network layer VPNs like OpenVPN and WireGuard and firewalls like the TSPU.