> Despite no web browser implementing unencrypted HTTP/2, we detect that up to 6.28% of websites support unencrypted HTTP/2 traffic.
My own experience with trying to use unencrypted http/2 between two docker containers was that it was easier to use a self-signed certificate than to get my libraries to use unencrypted http/2. If I was in charge of the Chinese firewall this would be pretty far down on my list of holes to close up
I imagine a forward proxy that attempts to connect to a remote host via unencrypted HTTP/2 would make it trivial to access 6.28% of websites, regardless of whether web browsers support it?
No idea whether this is going to be a priority for censoring states to prevent though... wasn't there already talk that China is poised to lift the great firewall anyway?
>wasn't there already talk that China is poised to lift the great firewall anyway?
considering what happened in Hong Kong, I can't imagine the lifted firewall decision would last very long at all. But for that window, it would be the best of both worlds, with the rest of us enjoying eternal jiǔyuè (九月)
It's clear you never lived in an authoritarian country. It's not how it works.
There are teams who's job is to serve their leaders. And leaders make their demands (like close up the dissent, stop "misinformation" spread etc). So teams are very incentivized to live up to their demands, show increasing number of "work" done (e.g. # jailed, # websites closed etc). And they get pretty good salary and are constantly hungry for work and to show their loyalty. They are typically way more people than needed for that job, and their qualifications are pretty low on average, but government spend incredible resources on them, so there are some bright minds as well.
After this article they will be obliged to close the hole at the very least to prevent snitching by a competitive team. If lucky, present it as a win to higher command, before the other team does.
I remember in one authoritarian country they made a coordinated effort of Bureau of Investigations + Traffic Police + Field Police just to capture one rogue teenager who drew a graffiti supporting opposition leader somewhere in second-rate town like half a year ago. I wrongly assumed all those involved have better things to do than to waste their time on graffiti, but they really did it.
I don't see the point - ASCII vs. binary doesn't make any real difference. And there's no an actual unencrypted HTTP/2 traffic, so there's no incentive to censor.
This is already being done, but the GFW can detect even some pretty clever obfuscation attempts, they even look at TCP timings and all kinds of things you might not think about. Even if the inner traffic is completely encrypted, there are other ways to tell with a degree of probability that the connection is likely a tunnel, and they'll block it.
Why not use _Encrypted_ HTTP/2 traffic? The article goes on and on about HTTP 1.1 and unencrypted HTTP 2.0 but never once mentioned encrypted HTTP 2.0 which I would assume shares the exact same binary/“hard to block” characteristics of unencrypted HTTP 2.0.
I can only assume that everyone knows why that’s already blocked in China, but I don’t
Because China already uses TLS SNI sniffing anyways, and since that TLS is the outermost layer, it does not matter which HTTP version* is inside, it's already blocked anyways.
* For those who knows HTTP/3, the answer is port blocking.
> Despite no web browser implementing unencrypted HTTP/2, we detect that up to 6.28% of websites support unencrypted HTTP/2 traffic.
My own experience with trying to use unencrypted http/2 between two docker containers was that it was easier to use a self-signed certificate than to get my libraries to use unencrypted http/2. If I was in charge of the Chinese firewall this would be pretty far down on my list of holes to close up
No idea whether this is going to be a priority for censoring states to prevent though... wasn't there already talk that China is poised to lift the great firewall anyway?
considering what happened in Hong Kong, I can't imagine the lifted firewall decision would last very long at all. But for that window, it would be the best of both worlds, with the rest of us enjoying eternal jiǔyuè (九月)
There are teams who's job is to serve their leaders. And leaders make their demands (like close up the dissent, stop "misinformation" spread etc). So teams are very incentivized to live up to their demands, show increasing number of "work" done (e.g. # jailed, # websites closed etc). And they get pretty good salary and are constantly hungry for work and to show their loyalty. They are typically way more people than needed for that job, and their qualifications are pretty low on average, but government spend incredible resources on them, so there are some bright minds as well.
After this article they will be obliged to close the hole at the very least to prevent snitching by a competitive team. If lucky, present it as a win to higher command, before the other team does.
I remember in one authoritarian country they made a coordinated effort of Bureau of Investigations + Traffic Police + Field Police just to capture one rogue teenager who drew a graffiti supporting opposition leader somewhere in second-rate town like half a year ago. I wrongly assumed all those involved have better things to do than to waste their time on graffiti, but they really did it.
Why not use _Encrypted_ HTTP/2 traffic? The article goes on and on about HTTP 1.1 and unencrypted HTTP 2.0 but never once mentioned encrypted HTTP 2.0 which I would assume shares the exact same binary/“hard to block” characteristics of unencrypted HTTP 2.0.
I can only assume that everyone knows why that’s already blocked in China, but I don’t
* For those who knows HTTP/3, the answer is port blocking.
Trojan horses are used by the good guys too.