Governments around the world limit free and open communication on the
Internet through censorship. To reliably identify and block access to certain
web domains, censors inspect the plaintext TLS SNI field sent in TLS
handshakes. With QUIC rapidly displacing TCP as the dominant transport-layer
protocol on the web, censorship regimes have already begun prosecuting network
traffic delivered over QUIC. With QUIC censorship poised to expand, censorship
circumvention tools must similarly adapt. We present QUICstep, a
censorship-resilient, application-agnostic, performant, and easy-to-implement
approach to censorship circumvention in the QUIC era. QUICstep circumvents TLS
SNI censorship by conducting a QUIC-TLS handshake over an encrypted tunnel to
hide the SNI field from censors and performs connection migration to resume the
QUIC session in plain sight of the censor. Our evaluation finds that QUICstep
successfully establishes QUIC sessions in the presence of a proof-of-concept
censor with minimal latency overhead.
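
The split described above, as an added example that is not code from the paper or the QUICstep project: it classifies QUIC v1 datagrams by header form, sends handshake-phase packets to the tunnel and 1-RTT packets to the direct path, and reports what a censor watching only the direct path observes. The function names, path labels and sample bytes are constructed for illustration, and routing by header form is an assumption about how the split could be done.

```python
"""Added illustration: path selection for QUIC v1 datagrams (RFC 9000 header layout)."""

# Long-header packet types for QUIC version 1 (bits 0x30 of the first byte).
LONG_TYPES = {0: "initial", 1: "0-rtt", 2: "handshake", 3: "retry"}


def classify(datagram: bytes) -> str:
    """Return the packet kind of the first QUIC packet in a UDP datagram."""
    if not datagram:
        raise ValueError("empty datagram")
    first = datagram[0]
    if not first & 0x80:          # header form bit clear: short header
        return "1-rtt"
    if len(datagram) < 5:
        raise ValueError("truncated long header")
    version = int.from_bytes(datagram[1:5], "big")
    if version == 0:
        return "version-negotiation"
    if version != 1:
        return "unknown-version"  # type bits differ between versions; do not guess
    return LONG_TYPES[(first >> 4) & 0x3]


def choose_path(datagram: bytes) -> str:
    """Assumed policy: only 1-RTT packets leave on the direct path.

    The ClientHello, and with it the SNI, travels in Initial packets, whose
    protection keys derive from the on-wire Destination Connection ID, so an
    on-path observer can read it. Everything that is not 1-RTT goes to the tunnel.
    """
    return "direct" if classify(datagram) == "1-rtt" else "tunnel"


def censor_view(datagrams):
    """Packet kinds visible to an observer that sees only the direct path."""
    return [classify(d) for d in datagrams if choose_path(d) == "direct"]


# Constructed sample datagrams: first byte, version, then filler bytes.
SAMPLE_FLOW = [
    bytes([0xC3]) + (1).to_bytes(4, "big") + b"\x08" + b"\xaa" * 8,  # Initial
    bytes([0xE1]) + (1).to_bytes(4, "big") + b"\x08" + b"\xaa" * 8,  # Handshake
    bytes([0x41]) + b"\xaa" * 8 + b"\x00" * 16,                      # 1-RTT
    bytes([0x5C]) + b"\xaa" * 8 + b"\x00" * 16,                      # 1-RTT
]

if __name__ == "__main__":
    for d in SAMPLE_FLOW:
        print(f"{classify(d):10s} -> {choose_path(d)}")
    print("censor sees:", censor_view(SAMPLE_FLOW))
```

With this policy the direct path carries no Initial packet, so an SNI filter positioned there has no ClientHello to inspect.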