Match each censor tactic to its modern encryption-based countermeasure: DNS interference, SNI inspection, TLS downgrade, and HTTP version analysis.
Encrypt DNS (DoT/DoH/DoQ); hide the hostname with Encrypted Client Hello (ECH); enforce TLS 1.3; and use HTTP/3 over QUIC to break old fingerprinting.
* Censor tactic to encryption countermeasure — each cleartext leak is closed by an encrypted protocol. *
| Censor tactic | Countermeasure |
|---|---|
| Monitor/block/manipulate DNS resolution | Encrypted DNS — DNS over TLS (DoT), over HTTPS (DoH), over QUIC (DoQ) hide the queries |
| Read the Server Name Indication (SNI) in the TLS Client Hello via DPI | Encrypted Client Hello (ECH) encrypts the SNI header, so the censor can't see which site you request |
| Force weak cipher suites / fingerprint TLS (downgrade) | Use TLS 1.3 — few, strong cipher suites and no downgrade to 1.2, cutting fingerprinting sharply |
| Analyse HTTP version, downgrade attacks | HTTP/3 over QUIC (UDP) instead of TCP — needs different (heuristic) fingerprinting and is harder to block |
The strategic point: these technologies must be widely adopted. The more users rely on encrypted protocols, the higher the economic and political cost of censorship.
Tip: SNI was historically the censor's favourite leak — it's the one part of an HTTPS handshake that revealed the destination hostname in cleartext. ECH finally closes that gap.
Go deeper:
Server Name Indication (Wikipedia) — the SNI hostname leak and its Encrypted Client Hello fix.
DNS over HTTPS (Wikipedia) — the encrypted-DNS countermeasure to DNS interference.