Large scale blocking of TLS-based censorship circumvention tools in China
This page collects the comments of a GitHub user named HyeonSeungi, who described himself as an employee of an Internet censorship vendor and disclosed details of the GFW's strategies in the net4people/bbs thread "Large scale blocking of TLS-based censorship circumvention tools in China", then deleted all of his comments and his account. All of the content below comes from Wayback Machine archived copies of the thread:
- https://web.archive.org/web/20221008104437/https://github.com/net4people/bbs/issues/129
- https://web.archive.org/web/20221008175723/https://github.com/net4people/bbs/issues/129
- https://web.archive.org/web/20221009044743/https://github.com/net4people/bbs/issues/129
- https://web.archive.org/web/20221009093506/https://github.com/net4people/bbs/issues/129
- https://web.archive.org/web/20221009130242/https://github.com/net4people/bbs/issues/129
- https://web.archive.org/web/20221009150911/https://github.com/net4people/bbs/issues/129
1
hello, all. i am working for a censorship vendor company. my company is a censorship member of guangzhou international internet exchange. i can confirm that some of the things you mentioned are correct. this tls-in-tls detection system is not realtime censorship; they automatically collect data connections with high-speed transmission or cumulative traffic greater than a preset value. these pcap packets are sent to different vendors for detection, just like the popular covid-19 pcr test. if the provider reports that there is proxy data in the pcap, we push a rule to the edge bypass routing facility near the user for bgp flowspec reroute. these images were not sent by firewall operations staff, and it is certain that these vendors violated some confidentiality policies. based on the existing data, these vendors can only detect the fingerprints of tls1.2 and tls1.3. so using a legacy tls protocol like tls1.0 or tls1.1 is a good choice; you can also use sm algorithms, these protocols will not be detected. of course, there is only one way to avoid this detection, and that is to abandon e2e, use self-signed certificates to sign these proxy websites after decryption on the server side, and then send the plaintext to the client through a single tls layer; this ensures that tls in tls is not detected.
2
And I’m surprised that the legacy TLS 1.0, TLS 1.1 are not detected by the vendors. Would you mind explaining more about it? Don’t all versions of TLS implementations have corresponding fingerprints?
- sslv3, tls1.0 and tls1.1 have no significant fingerprint.
- new features of tls1.2 and tls1.3 make them very distinctive.
- the popularization of tls1.2 and tls1.3 by well-known websites makes detection easier.
- you cannot change the tls protocol of the target website when you visit it using a proxy, unless the website you visit does not use tls.
- only detected when you’re transferring.
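The claim in the second comment that TLS 1.2 and 1.3 carry "new features" that older versions lack refers to fields a passive observer can read off the unencrypted ClientHello: the legacy_version field, the supported_versions extension (type 43, which is how TLS 1.3 is actually negotiated) and the TLS 1.3 cipher suite identifiers (0x13xx). The following Python is an added example written for this page, not code from the thread or from any vendor; it builds constructed ClientHello records (not captured traffic) and parses them to show which version markers are visible on the wire, which is useful when checking what a client or circumvention tool exposes.

```python
import struct

# Version numbers as they appear on the wire (RFC 5246 / RFC 8446).
VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 43


def build_client_hello(legacy_version, supported_versions=None,
                       ciphers=(0x1301, 0xC02F)):
    """Constructed minimal ClientHello record for illustration only.

    legacy_version: value placed in the handshake's version field.
    supported_versions: if given, emitted as extension 43 (TLS 1.3 style).
    ciphers: cipher suite IDs to advertise (0x1301 is TLS_AES_128_GCM_SHA256).
    """
    body = struct.pack(">H", legacy_version)
    body += bytes(32)                       # random (zeros, constructed)
    body += b"\x00"                         # session id length 0
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                     # compression methods: null only
    exts = b""
    if supported_versions:
        ext_data = bytes([2 * len(supported_versions)])
        ext_data += b"".join(struct.pack(">H", v) for v in supported_versions)
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record-layer version is 0x0301 in practice regardless of the real version.
    return b"\x16" + struct.pack(">H", 0x0301) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the version markers a passive observer can see in a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    off = 0
    legacy = struct.unpack(">H", body[off:off + 2])[0]
    off += 2 + 32                            # skip random
    off += 1 + body[off]                     # skip session id
    cs_len = struct.unpack(">H", body[off:off + 2])[0]
    off += 2
    ciphers = [struct.unpack(">H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                     # skip compression methods

    supported = []
    if off + 2 <= len(body):                 # extensions block is optional pre-1.2
        ext_len = struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack(">HH", body[off:off + 4])
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype == EXT_SUPPORTED_VERSIONS and edata:
                n = edata[0]
                supported = [struct.unpack(">H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]

    # TLS 1.3 clients keep legacy_version at 0x0303 and signal 1.3 via the extension.
    highest = max(supported) if supported else legacy
    return {
        "legacy_version": legacy,
        "supported_versions": supported,
        "cipher_suites": ciphers,
        "has_tls13_ciphers": any(0x1301 <= c <= 0x1305 for c in ciphers),
        "highest_version": VERSION_NAMES.get(highest, "0x%04x" % highest),
    }


def classify(record):
    """Return the highest TLS version the ClientHello advertises."""
    return parse_client_hello(record)["highest_version"]


if __name__ == "__main__":
    modern = build_client_hello(0x0303, [0x0304, 0x0303])
    legacy = build_client_hello(0x0301, ciphers=(0x002F,))
    print(parse_client_hello(modern))   # supported_versions present, 0x13xx suite
    print(parse_client_hello(legacy))   # no extensions, no 1.3 markers
```

The parser only reads the handshake fields; a real fingerprint such as JA3 also hashes the extension order, groups and point formats, but the version markers above are the minimum any observer of the plaintext ClientHello gets for free.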