TLS-Scanner, a subproject of the TLS-Attacker suite, automates handshake probes across deployed TLS hosts and has been used in published IPv4-wide scanning studies. It surfaces supported protocol versions, enabled extensions, and known vulnerabilities, providing a ready-made audit tool for circumvention infrastructure operators.

TLS-Attacker implements more than 330 cipher suites, including uncommon GOST and SM cipher suites specified by the Russian and Chinese authorities, covering SSL 3.0 through TLS 1.3 as well as DTLS 1.0 and DTLS 1.2. This breadth lets researchers test whether authority-mandated or jurisdiction-specific cipher suite selections alter TLS fingerprint classification by censors in those countries.

§2 Development evaluation

The TLS-Attacker suite is being extended to cover QUIC and DTLS 1.3 under a universal analysis framework that reuses existing Workflow Trace and Modifiable Variable machinery with only protocol-specific components added. As of 2024 the QUIC dialect is functional, making TLS-Attacker the only open-source tool that can fuzz TLS, DTLS, and QUIC handshakes under a single scriptable API.

§2 Development / §3 Outlook evaluation

TLS-Attacker's Workflow Traces and Modifiable Variables mechanisms allow testers to specify arbitrary protocol flows and apply field-level modifications — including adding, removing, or overwriting individual TLS message fields — without breaking the internal TLS state machine. This makes it the standard instrument for probing how DPI systems and active-probing detectors respond to non-standard or mutated TLS handshakes.

§1 Introduction evaluation

Comprehensive Internet-wide scanning enables cross-IP tracking of users and devices by correlating stable cryptographic identifiers — TLS certificates or SSH host keys presented by home routers and cable modems — with public geolocation data across DHCP lease changes, defeating the anonymity assumption behind dynamic IP addresses.

2013-durumeric-zmap §4.6 tls-fingerprintmeasurement-platform

By scanning ports 443 and 9001 and fingerprinting responses with Tor's TLS v1 cipher-suite handshake pattern, ZMap identified 79–86% of all allocated Tor bridge fingerprints in a single scan, demonstrating that bridges whose protocol is distinguishable are largely discoverable through comprehensive Internet-wide scanning even though their addresses are not publicly listed.

2013-durumeric-zmap §4.4 active-probingtls-fingerprintmeasurement-platform

Russia's Ministry of Digital Development issued guidelines effective April 15, 2026 requiring popular apps to detect and restrict access from VPN-using devices. RKS Global's analysis of 30 popular Russian Android apps found that 22 of 30 implement VPN detection, and 19 of those transmit the detected VPN status to their servers. This represents a shift from network-layer blocking (TSPU) to app-layer enforcement as an additional censorship vector.

2026-rks-russian-apps-vpn-detection §3, §4 tls-fingerprintml-classifier

The RKS Global report documents a two-tier Russian censorship architecture: TSPU network-layer blocking (documented by Xue et al. 2024) at the ISP level, now supplemented by mandated app-layer VPN detection in the 30 most popular Russian Android apps. This layered approach means a circumvention tool that successfully bypasses TSPU at the network layer can still be detected and reported by the app layer, closing the gap that network-only circumvention leaves open.

2026-rks-russian-apps-vpn-detection §2, §7 tls-fingerprintml-classifiermiddlebox-interference

The largest single source of censored domains in the GNL is MESA lab's SNI monitoring dataset (E21-SNI-Top200w.txt) containing 57,362 censored domains, and E21-SNI-Top120W-20221020.txt with 36,467 domains—totaling over 93K domains from network tap data alone for a single country (E21 = Ethiopia per InterSecLab attribution). A separate Xinjiang dataset (XJ-CUCC-SNI-Top200w.txt) contains 13,604 domains. These datasets "do not seem to come from popular domain lists, and instead appear to be gathered from network taps," confirming that Geedge builds censorship target lists directly from passive traffic observation.

2026-sheffey-geedge §4.2, Table 3 dpisni-blockingmeasurement-platform

Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.

2026-sheffey-geedge §4.1, Table 2 dpisni-blockingdns-poisoningmeasurement-platform