Tor's vanilla TLS certificate presents a distinctive pattern (SubjectCN=www.[random].com; IssuerCN=www.[random].net using base32 random strings), which never changes across certificate rotations every 2 hours. Using this pattern against Censys and Shodan scan data without running any active scans, the authors discovered 694 private bridges and 645 private proxies, and deanonymized the IP address of 35% of public bridges with clients (23% of all active public bridges) in April 2016.

Bridges that carry clients are highly stable: their median lifetime is 116 days (~4 months) and 84% never change IP address, with 90% having at most one IP change. This means current censor policies that remove bridge IP blocks every 25 hours are far more conservative than necessary — an adversary could sustain blocks for months without significant collateral damage.

§V-B, Figure 3 evaluation

77% of public bridges offer only vanilla Tor, which is trivially detectable via TLS certificate pattern matching. An additional 15% offer Pluggable Transports with conflicting security properties (e.g., obfs4 + obfs3 + obfs2 co-deployed on the same bridge), allowing a censor to confirm and block the bridge via the weakest PT and thereby disable all stronger PTs on the same IP — including active-probing-resistant transports like obfs4 and ScrambleSuit.

§V-C, Table I defense

Default bridges — whose IP addresses are hardcoded in the Tor Browser Bundle — carry 91.4% of all bridge clients globally in April 2016, and 86.1% in Iran and 69.2% in Syria. Because these addresses are trivially obtainable from the Tor Browser Bundle configuration files, a censor can block the vast majority of bridge users in a country at any time.

§V-E, Table II evaluation

Four OR ports (443, 8443, 444, 9001) account for 82% of all active public bridge fingerprints as of April 2016, down from 95% in March 2013 but still concentrated. Scanning just three of these ports (443, 8443, 9001) is sufficient to deanonymize 71% of all active public bridges. Additionally, CollecTor's published per-bridge usage statistics allow a censor to rank bridges by client count per country and identify the highest-impact OR ports to scan next.

§V-D, Figure 6, Table IV detection

TLS-Attacker's Workflow Traces and Modifiable Variables mechanisms allow testers to specify arbitrary protocol flows and apply field-level modifications — including adding, removing, or overwriting individual TLS message fields — without breaking the internal TLS state machine. This makes it the standard instrument for probing how DPI systems and active-probing detectors respond to non-standard or mutated TLS handshakes.

2024-niere-tls-attacker §1 Introduction tls-fingerprintactive-probingdpi

ShadowTLS relays are detectable via three active probing techniques exploiting behavioral discrepancies from the mask sites they mimic: (1) responding to plaintext HTTP on port 443 with FIN-ACK rather than an error (only 17% of TLS servers share this behavior), (2) silently ignoring non-TLS record data post-handshake rather than sending a fatal alert (only 0.14% of 30M hosts behaved this way), and (3) silently ignoring corrupted TLS Application Data records rather than sending a bad_record_mac alert (only 0.12% of hosts silent).

2023-wang-chasing §3.2 active-probingtls-fingerprintdpi

Balboa's covert signaling protocol derives per-connection keys as KDF(TLS_master_secret ∥ pre_shared_secret) and signals by XOR-ing the MAC of a TLS Application Data record with this derived key. Because the master secret is ephemeral, the scheme inherits TLS forward secrecy—unlike Telex-based signaling (Client Random modification), future server compromise cannot retroactively identify which historical connections used Balboa, and a censor mimicking a client has negligible probability of guessing the modified MAC without the pre-shared secret.

2021-rosen-balboa §2.6.3 active-probingtls-fingerprint

Facade routes all encoded HTTP requests through a Selenium-controlled Chrome browser instance, so every message the censor observes is generated by a real browser implementation. This defeats 'parrot attack' fingerprinting, which exploits discrepancies between a protocol emulator's responses to error conditions and those of the genuine client or server.

2014-jones-facade §4, §5.1 active-probingtls-fingerprint

By scanning ports 443 and 9001 and fingerprinting responses with Tor's TLS v1 cipher-suite handshake pattern, ZMap identified 79–86% of all allocated Tor bridge fingerprints in a single scan, demonstrating that bridges whose protocol is distinguishable are largely discoverable through comprehensive Internet-wide scanning even though their addresses are not publicly listed.

2013-durumeric-zmap §4.4 active-probingtls-fingerprintmeasurement-platform

Iran deployed a new Tor-blocking strategy in February 2013 that caused direct Tor user counts to collapse from over 50,000 to near zero within weeks, as recorded by Tor Project metrics.

2013-winter-towards Figure 1, §1 dpitls-fingerprintactive-probing