TLS record fragmentation can be implemented entirely in userspace at the application layer and requires no elevated privileges, unlike TCP segmentation, which requires raw socket access. The authors' DPYProxy tool demonstrates a MITM approach that wraps TLS messages into smaller records before transmission. This does not break the TLS handshake, because TLS records are unprotected during the handshake phase.
From 2023-niere-poster — Poster: Circumventing the GFW with TLS Record Fragmentation
· §2, §5
· 2023
· ACM CCS 2023 (poster)
Implications
Integrate TLS record fragmentation into any TLS-using transport (REALITY, VMess, domain-fronting clients) at the application layer — no kernel privileges or platform-specific packet injection APIs are required, enabling deployment in sandboxed or mobile environments.
Implement ClientHello fragmentation by wrapping existing TLS libraries to split the handshake message across sub-16KB records before the first bytes are sent on the wire.
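The record-layer re-framing described above, as an added example that is not DPYProxy's code or taken from the poster: it splits one plaintext handshake record into smaller records and shows the reassembly a receiving endpoint or inspecting parser has to perform to see the whole handshake message. The function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

HANDSHAKE = 0x16          # TLS record content type for handshake messages
MAX_FRAGMENT = 2 ** 14    # record payload limit (RFC 8446, section 5.1)


def parse_records(data):
    """Split a byte stream into (content_type, version, payload) records."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack_from("!BHH", data, offset)
        payload = data[offset + 5: offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((ctype, version, payload))
        offset += 5 + length
    return records


def fragment_record(record, size):
    """Re-frame one plaintext handshake record as records of <= size bytes."""
    if not 1 <= size <= MAX_FRAGMENT:
        raise ValueError("fragment size out of range")
    parsed = parse_records(record)
    if len(parsed) != 1 or parsed[0][0] != HANDSHAKE or not parsed[0][2]:
        raise ValueError("expected exactly one non-empty handshake record")
    ctype, version, payload = parsed[0]
    out = b""
    for i in range(0, len(payload), size):
        chunk = payload[i:i + size]
        # Each chunk gets its own 5-byte header: type, version, length.
        out += struct.pack("!BHH", ctype, version, len(chunk)) + chunk
    return out


def reassemble_handshake(data):
    """Receiver/inspector view: join handshake fragments across records."""
    return b"".join(p for t, _, p in parse_records(data) if t == HANDSHAKE)


# Constructed sample: a handshake header (type 1 = ClientHello, 3-byte length)
# followed by placeholder body bytes; not a complete, valid ClientHello.
body = b"\x03\x03" + bytes(32) + b"example.test placeholder"
handshake = b"\x01" + len(body).to_bytes(3, "big") + body
original = struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake
fragmented = fragment_record(original, 10)
```

A parser that inspects only the first record of `fragmented` sees 10 bytes of the handshake message; `reassemble_handshake` recovers the same bytes from both the original and the fragmented stream.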