LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

Match each censor tactic to its modern encryption-based countermeasure: DNS interference, SNI inspection, TLS downgrade, and HTTP version analysis.

Encrypt DNS (DoT/DoH/DoQ); hide the hostname with Encrypted Client Hello (ECH); enforce TLS 1.3; and use HTTP/3 over QUIC to break old fingerprinting.

DNS interference→encrypted DNS, SNI inspection→ECH, TLS downgrade→TLS 1.3, HTTP analysis→HTTP/3 over QUIC.

* Censor tactic to encryption countermeasure — each cleartext leak is closed by an encrypted protocol. *

Censor tactic Countermeasure
Monitor/block/manipulate DNS resolution Encrypted DNS — DNS over TLS (DoT), over HTTPS (DoH), over QUIC (DoQ) hide the queries
Read the Server Name Indication (SNI) in the TLS Client Hello via DPI Encrypted Client Hello (ECH) encrypts the SNI header, so the censor can't see which site you request
Force weak cipher suites / fingerprint TLS (downgrade) Use TLS 1.3 — few, strong cipher suites and no downgrade to 1.2, cutting fingerprinting sharply
Analyse HTTP version, downgrade attacks HTTP/3 over QUIC (UDP) instead of TCP — needs different (heuristic) fingerprinting and is harder to block

The strategic point: these technologies must be widely adopted. The more users rely on encrypted protocols, the higher the economic and political cost of censorship.

Tip: SNI was historically the censor's favourite leak — it's the one part of an HTTPS handshake that revealed the destination hostname in cleartext. ECH finally closes that gap.

Go deeper:

From Quiz: PRIVACY / Anonymous Surfing, Tor & Location Tracking | Updated: Jul 14, 2026