Security Blog

uTLS: Stealing Chrome's Identity to Defeat JA3 Fingerprinting

Building Black Phoenix Protocol: A Security Engineering Blog. The Last Fingerprint. We've spent this entire blog series making BPP traffic look like legitimate protocols. The entropy matches. The packet sizes match. The timing patterns match. Even the SNI field contains domains that belong on the host OS. By every metric we've covered, BPP traffic blends in perfectly. But there's one fingerprint we haven't addressed, and it's the one that modern DPI systems are increasingly relying on: JA3. What JA3 Is and Why It's a Problem. JA3 was introduced by Salesforce in 2017 as a method to fingerprint TLS client implementations. The idea is elegant and, from an evasion perspective, terrifying. When a TLS client sends its ClientHello message, it advertises a set of capabilities: which cipher suites it suppor...
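How a JA3 string is actually derived from a ClientHello, as an added worked example (my code, not BPP's or uTLS's): a bounds-checked parser that pulls the five JA3 fields out of a single TLS record, drops GREASE values the way JA3 specifies (otherwise Chrome's per-connection GREASE randomisation would change the hash), and MD5s the result. The ClientHello bytes are constructed inline rather than captured from a browser; the helper names are my own.

```go
package main

import (
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// ClientHelloFields holds the five ClientHello fields that JA3 hashes, in JA3 order.
type ClientHelloFields struct {
	Version                     uint16
	Ciphers, Extensions, Curves []uint16
	PointFormats                []uint8
}

// isGREASE reports whether v is a GREASE value (RFC 8701: 0x0a0a, 0x1a1a, ..., 0xfafa).
// JA3 drops them, so Chrome's per-connection GREASE randomisation does not alter the hash.
func isGREASE(v uint16) bool { return v&0x0f0f == 0x0a0a && v>>8 == v&0xff }

// cursor is a bounds-checked reader over TLS length-prefixed vectors; a hostile length
// field yields ok == false instead of a slice-bounds panic.
type cursor struct{ b []byte }

func (c *cursor) take(n int) (out []byte, ok bool) {
	if ok = n >= 0 && len(c.b) >= n; ok {
		out, c.b = c.b[:n], c.b[n:]
	}
	return
}

// vec reads a vector whose length is encoded in plen big-endian bytes.
func (c *cursor) vec(plen int) ([]byte, bool) {
	p, ok := c.take(plen)
	if !ok {
		return nil, false
	}
	n := 0
	for _, x := range p {
		n = n<<8 | int(x)
	}
	return c.take(n)
}

func u16s(b []byte) (out []uint16) {
	for i := 0; i+1 < len(b); i += 2 {
		out = append(out, binary.BigEndian.Uint16(b[i:]))
	}
	return
}

// ParseClientHello extracts the JA3-relevant fields from one TLS record carrying a ClientHello.
func ParseClientHello(rec []byte) (*ClientHelloFields, error) {
	r := &cursor{rec}
	hdr, ok1 := r.take(3) // content type (0x16 = handshake) + record version
	body, ok2 := r.vec(2)
	if !ok1 || !ok2 || hdr[0] != 0x16 {
		return nil, fmt.Errorf("not a complete TLS handshake record")
	}
	h := &cursor{body}
	typ, ok3 := h.take(1) // handshake type (0x01 = ClientHello)
	hs, ok4 := h.vec(3)
	if !ok3 || !ok4 || typ[0] != 0x01 {
		return nil, fmt.Errorf("not a ClientHello")
	}
	p := &cursor{hs}
	ver, okV := p.take(2)
	_, okR := p.take(32) // client random
	_, okS := p.vec(1)   // legacy session id
	cs, okC := p.vec(2)  // cipher suites
	_, okM := p.vec(1)   // compression methods
	exts, okE := p.vec(2)
	if !(okV && okR && okS && okC && okM && okE) {
		return nil, fmt.Errorf("truncated ClientHello body")
	}
	f := &ClientHelloFields{Version: binary.BigEndian.Uint16(ver), Ciphers: u16s(cs)}
	e := &cursor{exts}
	for len(e.b) > 0 {
		t, okT := e.take(2)
		data, okD := e.vec(2)
		if !okT || !okD {
			return nil, fmt.Errorf("truncated extension list")
		}
		et, d := binary.BigEndian.Uint16(t), &cursor{data}
		f.Extensions = append(f.Extensions, et)
		switch et {
		case 10: // supported_groups: 2-byte list length, then 2-byte group ids
			if l, ok := d.vec(2); ok {
				f.Curves = u16s(l)
			}
		case 11: // ec_point_formats: 1-byte list length, then 1-byte format ids
			if l, ok := d.vec(1); ok {
				f.PointFormats = append([]uint8{}, l...)
			}
		}
	}
	return f, nil
}

// JA3 returns the JA3 string "Version,Ciphers,Extensions,Curves,PointFormats" and its MD5.
func JA3(f *ClientHelloFields) (ja3 string, md5hex string) {
	join := func(vs []uint16) string {
		var parts []string
		for _, v := range vs {
			if !isGREASE(v) {
				parts = append(parts, strconv.Itoa(int(v)))
			}
		}
		return strings.Join(parts, "-")
	}
	var pf []string
	for _, v := range f.PointFormats {
		pf = append(pf, strconv.Itoa(int(v)))
	}
	ja3 = fmt.Sprintf("%d,%s,%s,%s,%s", f.Version, join(f.Ciphers), join(f.Extensions), join(f.Curves), strings.Join(pf, "-"))
	sum := md5.Sum([]byte(ja3))
	return ja3, hex.EncodeToString(sum[:])
}

// lv concatenates parts and prefixes them with their total length in plen big-endian bytes.
func lv(plen int, parts ...[]byte) []byte {
	var body []byte
	for _, p := range parts {
		body = append(body, p...)
	}
	out := make([]byte, plen, plen+len(body))
	for i := range out {
		out[i] = byte(len(body) >> (8 * (plen - 1 - i)))
	}
	return append(out, body...)
}

// SampleClientHello is a constructed (not captured) TLS 1.2-style ClientHello with GREASE
// values in its cipher, extension and group lists, the way Chrome places them.
func SampleClientHello() []byte {
	hello := lv(0,
		[]byte{0x03, 0x03}, make([]byte, 32), // client_version 771, zeroed client random
		lv(1),                                // empty legacy session id
		lv(2, []byte{0x0a, 0x0a, 0x13, 0x01, 0xc0, 0x2b}), // GREASE, 0x1301, 0xc02b
		lv(1, []byte{0x00}),                               // compression: null only
		lv(2,
			[]byte{0x0a, 0x0a}, lv(2), // GREASE extension, empty
			[]byte{0x00, 0x0a}, lv(2, lv(2, []byte{0x0a, 0x0a, 0x00, 0x1d, 0x00, 0x17})), // supported_groups: GREASE, x25519, P-256
			[]byte{0x00, 0x0b}, lv(2, lv(1, []byte{0x00})), // ec_point_formats: uncompressed
		),
	)
	return lv(0, []byte{0x16, 0x03, 0x01}, lv(2, []byte{0x01}, lv(3, hello)))
}

func main() {
	f, err := ParseClientHello(SampleClientHello())
	if err != nil {
		panic(err)
	}
	s, h := JA3(f)
	fmt.Printf("ja3:     %s\nja3 md5: %s\n", s, h)
}
```

For the constructed hello the JA3 string comes out as `771,4865-49195,10-11,29-23,0`: the three GREASE entries vanish, so two connections from the same client that differ only in GREASE still collide on one hash. That is exactly why the hash is stable enough for DPI to key on, and why a client whose cipher and extension order differs from real Chrome stands out no matter how good its SNI is.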

Read Analysis

Testing the Untestable: Fuzz, Entropy, and Beating OpenVPN by 2.34x

You Can't Ship What You Can't Prove. There's a particular kind of paranoia that comes from building security software. Every line of code is a potential vulnerability. Every untested edge case is a door left unlocked. And since BPP's entire value proposition is "your traffic is invisible and your data is safe," a single failure mode could be catastrophic, not for our reputation but for someone's actual freedom. So we tested. A lot. Here's how. Fuzz Testing: 500,000 Attempts to Break Each Parser. Fuzz testing is the art of throwing garbage at your code and seeing what happens. Not random garbage: guided garbage. Go 1.18+ has a built-in fuzzing framework (testing.F) that uses coverage-guided mutation: it starts with valid inputs, then...
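A fuzz target in the shape the post describes, as an added example. The frame format here (type, length, payload, CRC32) is a hypothetical stand-in for a BPP frame, not the project's real wire format, and the code is mine, not BPP's. The property the fuzzer enforces is the one worth having for any parser on a hostile network: no input may panic, and anything the decoder accepts must re-encode byte for byte.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"testing"
)

// Frame is a hypothetical BPP-style wire frame used only for this example:
//   type(1) | len(2, big-endian) | payload(len) | crc32(4) over type+len+payload
type Frame struct {
	Type    byte
	Payload []byte
}

const maxPayload = 16 * 1024 // hypothetical cap: never allocate on an attacker-chosen length

func Encode(f Frame) ([]byte, error) {
	if len(f.Payload) > maxPayload {
		return nil, errors.New("payload too large")
	}
	b := make([]byte, 3+len(f.Payload)+4)
	b[0] = f.Type
	binary.BigEndian.PutUint16(b[1:], uint16(len(f.Payload)))
	copy(b[3:], f.Payload)
	binary.BigEndian.PutUint32(b[3+len(f.Payload):], crc32.ChecksumIEEE(b[:3+len(f.Payload)]))
	return b, nil
}

// Decode parses exactly one frame. Every length is checked before it is used to slice, so
// malformed input yields an error rather than an index-out-of-range panic.
func Decode(b []byte) (Frame, error) {
	if len(b) < 7 {
		return Frame{}, errors.New("short frame")
	}
	n := int(binary.BigEndian.Uint16(b[1:]))
	if n > maxPayload {
		return Frame{}, errors.New("length field exceeds cap")
	}
	if len(b) != 3+n+4 {
		return Frame{}, fmt.Errorf("length field %d does not match frame size %d", n, len(b))
	}
	if crc32.ChecksumIEEE(b[:3+n]) != binary.BigEndian.Uint32(b[3+n:]) {
		return Frame{}, errors.New("bad crc")
	}
	return Frame{Type: b[0], Payload: append([]byte{}, b[3:3+n]...)}, nil
}

// RoundTrip is the property the fuzzer checks: anything Decode accepts must re-encode to
// the identical bytes; anything it rejects must do so with an error, never a panic.
func RoundTrip(in []byte) error {
	f, err := Decode(in)
	if err != nil {
		return nil // rejecting garbage is correct; a panic would be caught by the fuzz engine
	}
	out, err := Encode(f)
	if err != nil {
		return fmt.Errorf("decoded frame failed to re-encode: %v", err)
	}
	if string(out) != string(in) {
		return fmt.Errorf("round-trip mismatch:\n in=%x\nout=%x", in, out)
	}
	return nil
}

// FuzzFrame is the Go 1.18+ fuzz target. Seeds are valid frames so the coverage-guided
// mutator starts from inputs that already reach the deep branches (crc check, payload copy).
// It belongs in a _test.go file; run with: go test -fuzz=FuzzFrame -fuzztime=60s
func FuzzFrame(f *testing.F) {
	for _, p := range [][]byte{{}, []byte("hello"), make([]byte, 300)} {
		seed, _ := Encode(Frame{Type: 1, Payload: p})
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, in []byte) {
		if err := RoundTrip(in); err != nil {
			t.Fatal(err)
		}
	})
}

func main() {
	seed, _ := Encode(Frame{Type: 1, Payload: []byte("hello")})
	fmt.Printf("valid frame %x round-trips: %v\n", seed, RoundTrip(seed) == nil)
	bad := append([]byte{}, seed...)
	bad[2] = 0xff // lie about the payload length
	_, err := Decode(bad)
	fmt.Println("tampered length:", err)
}
```

The seed corpus is the part people skip: starting the mutator from frames that pass the CRC check is what gets it past the first `if` and into the code that actually handles payloads. Without seeds, most of those 500,000 iterations would die on "bad crc" and prove nothing about the parser behind it.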

Read Analysis

BPP Guardian: We Built a Firewall to Attack Ourselves

The Problem with Testing Anti-Censorship Tools. How do you test a protocol designed to evade state-level firewalls when you don't have access to a state-level firewall? Most anti-censorship projects rely on indirect evidence: "We deployed in China, and users report it works." That's useful but deeply unsatisfying from an engineering perspective. It tells you nothing about which heuristics are passing, nothing about edge cases, and nothing about whether the next GFW update will break everything overnight. I wanted something better. I wanted to test BPP against a DPI system that uses the same techniques as the Great Firewall, the Iranian filtering infrastructure, and Russia's TSPU, but one that I control, can instrument, and can iterate against. So I built o...

Read Analysis

Building the Command Center: When Security Needs a Human Face

The Prettiest Protocol in the World Is Useless If Nobody Can Use It. I'll be honest: I spent months obsessing over cipher suites, entropy profiles, and DPI evasion. I could talk about X25519 key exchange for hours. But here's what I learned the hard way: if the interface is confusing, people won't use it, and all that cryptographic beauty just sits there collecting dust. Security tools have a long tradition of being ugly and hostile. Ever configured an IPsec tunnel by hand? Tried to set up V2Ray with the correct JSON config? Most anti-censorship tools assume their users are network engineers. Most of their users are journalists who just want to talk to their sources without getting arrested. BPP needed a Command Center that a non-technical admin could actually operate....

Read Analysis

Ghost Mode: Burning the Evidence After the Mission

The Scenario Nobody Wants to Think About. Picture this. A journalist in a country with an authoritarian regime has been using BPP to communicate with a source for three months. The network layer is airtight: traffic looks like regular Google Analytics requests. The DPI can't touch it. Then, at 4 AM, there's a knock on the door. Police seize the laptop. If BPP left behind log files, cached credentials, temporary files, or even fragments of encryption keys in RAM, the journalist is compromised. Not because the protocol failed on the wire, but because it left breadcrumbs on the machine. This is why Ghost Mode exists. And honestly, building it was one of the most paranoid engineering exercises I've ever done. What "Secure Deletion" Actually Means ...
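Best-effort secure deletion and in-memory key zeroization in Go, as an added example (my code, not BPP's Ghost Mode implementation; the function names are my own). The comments carry the caveat a practitioner needs to hear before trusting any "shred" routine: an in-place overwrite does not reach the old blocks on SSDs with wear levelling, on copy-on-write or journaling filesystems, in snapshots, backups or swap. Full-disk encryption and never writing secrets to disk in the first place are the real defence; this is the last line, not the first.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"os"
)

// ShredFile overwrites a regular file in place with random bytes for the given number of
// passes, flushes each pass to the device, truncates it, then unlinks it.
//
// Best effort only. On SSDs (wear levelling remaps writes to fresh cells), on copy-on-write
// or journaling filesystems (btrfs, ZFS, APFS, ext4 with data journaling), and wherever
// snapshots, backups or swap have copied the data, the original blocks can survive this.
func ShredFile(path string, passes int) error {
	fi, err := os.Lstat(path) // Lstat so a planted symlink cannot redirect the overwrite
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return errors.New("refusing to shred a non-regular file (symlink, device, directory)")
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	size := fi.Size()
	buf := make([]byte, 64*1024)
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, 0); err != nil {
			return err
		}
		for written := int64(0); written < size; {
			n := int64(len(buf))
			if size-written < n {
				n = size - written
			}
			if _, err := rand.Read(buf[:n]); err != nil {
				return err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return err
			}
			written += n
		}
		if err := f.Sync(); err != nil { // push the overwrite through the page cache
			return err
		}
	}
	if err := f.Truncate(0); err != nil { // do not leave the original length in the inode
		return err
	}
	return os.Remove(path)
}

// Zeroize wipes key material still held in memory. The garbage collector may already have
// copied the slice, and a process dump can still catch it before this runs, so this reduces
// exposure rather than eliminating it.
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	f, err := os.CreateTemp("", "bpp-ghost-demo")
	if err != nil {
		panic(err)
	}
	f.WriteString("cached credential that must not survive a seizure") // constructed sample
	f.Close()
	key := []byte("0123456789abcdef0123456789abcdef") // stand-in for a session key
	Zeroize(key)
	fmt.Println("shred:", ShredFile(f.Name(), 3), "key zeroed:", key[0] == 0)
}
```

The `Lstat` and `IsRegular` check is not decoration: a shredder that follows symlinks can be pointed at any file the process may write, which turns a cleanup routine into a primitive for destroying evidence the attacker chooses, or for corrupting the user's own data.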

Read Analysis

175+ Domains: How BPP Fakes Your OS's Natural Traffic

The SNI Problem Nobody Talks About. You've encrypted your traffic. You've disguised it as TLS 1.3. Your entropy is perfect. Your protocol mimicry is byte-for-byte accurate. And then a DPI analyst notices something: "Why are 500 different IP addresses in Tehran all connecting to obfuscation-proxy.example.com at 2 AM?" The Server Name Indication (SNI) is the Achilles' heel of anti-censorship tools. It's a field in the TLS ClientHello that tells the server which website the client wants to reach, and, absent Encrypted Client Hello (ECH), it's transmitted in plain text. Every DPI system in the world can read it. Most tools either ignore this problem or use a single cover domain. BPP took a radically different approach: make the SNI field actively work for you. OS-Aware...

Read Analysis

Trojan, Shadowsocks, and the Art of Automatic Disguise Selection

Two More Faces of the Chameleon. In our last post, we covered XTLS-REALITY (the "perfect impersonator") and VMess (the "binary chameleon"). Today, we complete the Chameleon Engine's transport lineup with two protocols that take radically different philosophical approaches to evasion, and then tie everything together with BPP's automatic protocol selection. Trojan: Hiding in Plain Sight. The philosophy: Trojan-GFW took a contrarian approach to anti-censorship. Instead of making traffic look random or exotic, make it look boring. Specifically, make it look like ordinary HTTPS traffic from a normal web server. The key difference from REALITY: where REALITY borrows another site's certificate, Trojan wraps its data inside standard TLS...

Read Analysis