Censors Ignore Unencrypted HTTP/2 Traffic (2024)

https://news.ycombinator.com/rss Hits: 9
Summary

*Authors in alphabetical order – all contributed equally

Abstract

Censors worldwide have long censored unencrypted HTTP traffic. In this blog post, we show that a specific HTTP version—unencrypted HTTP/2—is unaffected by censorship in China and Iran. We access otherwise censored websites in both countries over unencrypted HTTP/2. Despite no web browser implementing unencrypted HTTP/2, we detect that up to 6.28% of websites support unencrypted HTTP/2 traffic. To aid the community and ease future research, we provide a tool that evaluates the unencrypted HTTP support of a website. Finally, we discuss the limitations and potential of unencrypted HTTP/2 for censorship circumvention. We consider our finding an interesting addition to current censorship circumvention techniques.

Note: Do not send sensitive data over unencrypted HTTP/2; it can be eavesdropped!

Introduction and Background

In this section, we provide background information on HTTP and its censorship. We place special emphasis on HTTP/2 and its comparison to previous HTTP versions.

HTTP (Censorship)

HTTP can be considered the protocol for accessing websites on the Internet. While HTTP is usually used in conjunction with TLS, censorship of the plain HTTP protocol is still present, and prior research has analyzed the most common version, HTTP/1.1, extensively. These works discovered that censors such as the ones in China and Iran use information in the Host header and request path to determine whether an HTTP request should be censored. The HTTP/1.1 GET request below shows that the requested path and domain name can be easily extracted by a censor:

    GET /<request path> HTTP/1.1
    Host: <censored_domain>

To censor a request, censors inject TCP RST packets, HTTP block pages, or null-route the whole connection.

HTTP/2

As outlined above, HTTP/1.1 censorship has been widely analyzed. Nevertheless, there is a lack of research on the newer version: HTTP/2.
HTTP/2 maintains the same semantics as its predecessor: it ...
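
An added example, not part of the original post or its tool: the same GET request encoded as HTTP/1.1 text and as unencrypted HTTP/2 with prior knowledge (RFC 9113 framing, RFC 7541 HPACK), parsed once with a text parser keyed on the HTTP/1.1 layout shown above and once with a frame walker. All function names are hypothetical, example.com is a placeholder, and the code shows only the encoding difference, not how any censor is implemented.

```python
# Added illustration: bytes are built locally, nothing is sent on the network.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # RFC 9113 client connection preface
STATIC_NAMES = {1: ":authority", 4: ":path"}       # HPACK static table entries used here

def h1_request(host, path):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()

def frame(ftype, flags, stream_id, payload):
    # 9-byte frame header: 24-bit length, type, flags, 31-bit stream id
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload

def h2_request(host, path):
    # 0x82/0x86: indexed :method GET, :scheme http; literals: indexed name, no Huffman, <127 bytes
    lit = lambda idx, v: bytes([idx, len(v)]) + v.encode()
    block = b"\x82\x86" + lit(1, host) + lit(4, path)
    return H2_PREFACE + frame(0x4, 0x0, 0, b"") + frame(0x1, 0x5, 1, block)  # SETTINGS, HEADERS

def h1_extract(data):
    """Text parser keyed on the HTTP/1.1 layout: returns (host, path) or None."""
    lines = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode(), parts[1].decode()
    return None

def h2_extract(data):
    """Frame walker for the HPACK subset h2_request emits: (authority, path) or None."""
    if not data.startswith(H2_PREFACE):
        return None
    pos, fields = len(H2_PREFACE), {}
    while pos + 9 <= len(data):
        length, ftype = int.from_bytes(data[pos:pos + 3], "big"), data[pos + 3]
        block, pos = data[pos + 9:pos + 9 + length], pos + 9 + length
        i = 0
        while ftype == 0x1 and i < len(block):   # only HEADERS frames carry fields
            if block[i] & 0x80:                  # indexed field, one byte in this subset
                i += 1
                continue
            n = block[i + 1]                     # value length (H bit clear)
            fields[STATIC_NAMES.get(block[i] & 0x0F)] = block[i + 2:i + 2 + n].decode()
            i += 2 + n
    return fields.get(":authority"), fields.get(":path")

if __name__ == "__main__":  # constructed sample; example.com is a placeholder
    req = h2_request("example.com", "/news")
    print(h1_extract(req), h2_extract(req))
```

The HTTP/2 bytes contain no Host line or HTTP/1.1 request line, but the host name is still present in the clear inside the HEADERS frame, which is why the eavesdropping note above applies.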

First seen: 2025-04-14 21:06

Last seen: 2025-04-15 05:07