Russia's censor (at the Moscow/ASN-50867 vantage point) inspects only the first HTTP packet of the first TCP segment per TCP stream and never analyzes subsequent HTTP requests—whether in the same TCP packet or a later one. This caused all 2,015 accepted test vectors to successfully evade censorship, and the bypass is achievable with standard-compliant HTTP (e.g., whitespace or case variations in header names, which HTTP/1.1 explicitly permits).

China's Great Firewall showed anomalous inconsistency: 13 test vectors produced mixed outcomes—TCP RST injection on some executions and a clean server response on others—with circumvention rates between 10% and 35% across 100 executions per vector. The authors attribute this to heterogeneous GFW infrastructure components applying different HTTP parsing logic, a departure from the GFW's usual consistency.

§5.2 detection

Of 4,488 total HTTP Request Smuggling test vectors, 2,015 (44.9%) were accepted by at least one web server. CL*/TE vectors had a 99.0% acceptance rate (1,103/1,114); TE*/CL had 76.0% (859/1,130); CL/TE* had only 4.7% (53/1,130); and TE/CL* had 0%. Nginx 1.25.2 accepted 1,315 vectors while Apache 2.4.57 accepted only 11, reflecting HRS countermeasures added in Apache 2.4.25 and 2.4.52.

§5.1 / Table 1–4 evaluation

HTTP Request Smuggling—a web-security vulnerability that exploits CL/TE header parsing ambiguities between a front-end (censor) and back-end (web server)—can be systematically repurposed as a censorship circumvention technique. By hiding a censored Host in the body of a benign outer request, the censor parses only the uncensored outer request while the destination server processes both, successfully bypassing HTTP censorship in China (19 vectors), Iran (254 vectors), and Russia (all 2,015 vectors) from the evaluated vantage points.

§3 / §8 defense

Iran's censor contains an implementation bug: when the Content-Length header carries an invalid (non-integer) value and a Transfer-Encoding header is also present, the censor gracefully skips the invalid CL value and attempts to parse subsequent traffic, but fails to correctly interpret the TE header—causing it to pass the smuggled (censored) request. This bug enabled 254 of 2,015 evaluated test vectors to bypass Iranian censorship, all using the CL*/TE or CL/TE* vector types.

§5.2 / §5.3 detection

During the June 2025 shutdown, Iranian authorities blocked international One-Time Password (OTP) SMS delivery, preventing new sign-ins to foreign secure-messaging platforms and VPN services. This forced users toward government-approved domestic platforms that lack security and privacy protections. The blockade of OTPs effectively weaponized account-recovery flows as a secondary shutdown layer, disproportionately affecting users who needed to activate new circumvention tools during the crisis.

2025-iran-shutdown-measurement §Human Rights Implications port-blockingdpikeyword-filtering

Input blocking in Chinese LLM services (DeepSeek, Qwen, Kimi, Doubao) is overwhelmingly consistent: all four services persistently block the exact same queries across all 5 measurement samples in both Simplified and Traditional Chinese. Output blocking is far less consistent, with only 29 out of 349 output-blocked queries blocked across all 5 samples. Baidu-Chat is exceptional: it performs almost no input blocking but instead relies heavily on post-search and output blocking (78.6% of blocks are output-phase).

2026-ablove-characterizing §VI-B keyword-filteringdpi

TLS connections to blocked services (instagram.com, telegram.org) were terminated by TCP RST immediately after the client's ClientHello, before any certificate exchange, confirming SNI-based DPI that reads the plaintext SNI extension and aborts the handshake. HTTP filtering additionally matched Host headers and URL keywords case-sensitively, with injected HTTP 403 pages or TCP RST responses, and case-change evasions were sometimes effective.

2025-aryapour-stealth-blackout §4.2, §4.3 sni-blockingdpirst-injectionkeyword-filtering

Iran's HTTP censor exhibits several parsing inconsistencies exploitable for evasion: (1) it is case-sensitive and ignores lowercase method variant "gET"; (2) it does not censor the Host header for HTTP version strings "HTTP", "1.1", and "example" (suggests a version regex of HTTP/.*); (3) when the Host header is absent, the path is not censored for versions "HTTP" and "HTTP/1"; (4) the body is never analyzed regardless of version. All HTTP and DNS censorship occurs at the same last-hop border node, suggesting centralized architecture.

2025-lange-i-ra-nconsistencies §3.2, Table 1 dpikeyword-filteringrst-injection

All six Chinese browsers (Baidu Searchbox, UC Browser, QQ Browser, OPPO, Redmi/Mi, VIVO) transmit the full URL of every page visited—including HTTPS pages—along with page titles and search terms out-of-band to vendor servers, entirely bypassing VPN tunnel protection. In five of six cases this data is transmitted with no cryptography or weak cryptography (purely symmetric AES with hardcoded keys, or textbook RSA with a 128-bit modulus factorable in under 3 seconds), making it readable by any on-path actor between the VPN egress and the vendor's servers.

2025-rodriguez-revisiting §4.1 dpikeyword-filtering

All six browsers grant dangerous Android permissions (READ_PHONE_STATE, INTERNET, ACCESS_NETWORK_STATE) to third-party SDKs; built-in phone browsers grant significantly more such permissions than app-store browsers. Baidu Mobile Tongji Analytics SDK—present in all six via Baidu as default search engine—collects IMEI, UUID, CUID, GAID, device MAC, and Bluetooth MAC, creating a persistent cross-app device fingerprint that identifies users across VPN sessions and survives IP changes.

2025-rodriguez-revisiting §4.3 dpikeyword-filtering