• rottingleaf@lemmy.zip
    link
    fedilink
    English
    arrow-up
    1
    ·
    7 months ago

    However, there is so-called “clienthello” that is not encripted and can be used to identity the resource you are trying to reach.

    Yes, so how is it going to inform you that this is a VPN server and not anything else? You put your little website with kitties and family photos behind nginx on a hosting somewhere, and some resource there, like /oldphotos, you proxy to a VPN server, with basic auth before that maybe.

    And about libraries: VPN protocol Openconnect, for example uses library gnutls (which almost no one else uses) instead of more common openssl. So in China it is blocked using dpi by this “marker”.

    Ah. You meant fingerprinting of clients.

    Banning everything using gnutls (which, eh, is not only used by openconnect) is kinda similar to whitelists.

    Both applicable to situations like China or something Middle-Eastern, but not most of Europe or Northern America.

    • khorovodoved@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      It is going to show the censor that you are trying to reach different banned websites (and, probably, google, facebook, etc), all hosted on your server. Your beautiful website is all fine, but in clienthello there is still google.

      It is not necessary fingerprinting of clients, you can fingerprint the server as well. GnuTLS for this particular purpose is used only by Openconnect and that is just an example. This tactic is very effective in China and Russia and collateral damage is insignificant.

      And various western anti-censorship organizations wrote articles, that such methods are not possible in Russia as well, but here we are. China’s yesterday is Russia’s today, American tomorrow and European next week. Here it all started in the exact same manner, by requiring ISPs to block pirate websites. And between this and blocking whatever you want for the sake of National Security (for example, against Russian hackers) is not such a long road as you think it is.

      • rottingleaf@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        It is going to show the censor that you are trying to reach different banned websites (and, probably, google, facebook, etc), all hosted on your server. Your beautiful website is all fine, but in clienthello there is still google.

        WTF? No, in clienthello there is www.mysite.com . I’m talking about encapsulating traffic in an encrypted tunnel. We are assuming that FSB can’t decipher your TLS traffic.

        The beautiful website I’ve imagined for a situation where some DPI robot will, say, visit it to check that there really is a website there. Or where you have to show that it’s a real website to get into a whitelist. Or something like that.

        I don’t get it, you seem to be interested in the subject, but say weird things.

        You also seem to be mixing up such entities as VPNs, proxies and encapsulation.

        GnuTLS for this particular purpose is used only by Openconnect and that is just an example.

        I’ve definitely seen more things using it even for similar purposes. Can’t remember anything specific, but I suppose a search in pkgsrc will yield something.

        This tactic is very effective in China and Russia and collateral damage is insignificant.

        BTW, I’m using VPNs in Russia from time to time. Something doesn’t work, something does.

        And various western anti-censorship organizations wrote articles, that such methods are not possible in Russia as well,

        I’m describing a specific kind of encapsulation. What you can do to guess that it’s a VPN is to analyze the amounts of data transmitted. That’d just require sending garbage from time to time. I think I’ve even seen a ready piece of software to make such tunnels.

        • khorovodoved@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 months ago

          I’m talking about encapsulating traffic in an encrypted tunnel.

          As I I have previously mentioned, if you are encapsulating all traffic in an encrypted tunnel, then most of the data would have two layers of encryption. This can be detected, and, in fact is being detected in China and, experimentally, in Russia.

          The beautiful website I’ve imagined for a situation where some DPI robot will, say, visit it to check that there really is a website there.

          That is a good protection against active probing, but active proving is not the only detection method, available for censors.

          You also seem to be mixing up such entities as VPNs, proxies and encapsulation.

          How did you come to this conclusion?

          BTW, I’m using VPNs in Russia from time to time. Something doesn’t work, something does.

          What are you trying to say here? What does work? What does not?

          I’m describing a specific kind of encapsulation.

          What I understood from you is that you are talking about encapsulating TLS-encripted traffic in https, TLS-encripting it again. If I understood you wrong, please correct me. There are countless software solutions for that, but they are not panacea, because double layer of encryption can be detected and your beautiful website does not need encryption-on-top-of-encryption. It is obvious that you are reaching something else.

          • rottingleaf@lemmy.zip
            link
            fedilink
            English
            arrow-up
            1
            ·
            7 months ago

            As I I have previously mentioned, if you are encapsulating all traffic in an encrypted tunnel, then most of the data would have two layers of encryption. This can be detected, and, in fact is being detected in China and, experimentally, in Russia.

            Please explain how are you imagining that.

            because double layer of encryption can be detected and your beautiful website does not need encryption-on-top-of-encryption. It is obvious that you are reaching something else.

            I think I’ve mentioned before one solution of having a constant amount of data transferred.

            What I understood from you is that you are talking about encapsulating TLS-encripted traffic in https, TLS-encripting it again.

            I meant L3 encapsulated in HTTPS.

              • rottingleaf@lemmy.zip
                link
                fedilink
                English
                arrow-up
                1
                ·
                7 months ago

                I’ve read the article and really liked it, but it doesn’t say anything about TLS inside TLS.

                • khorovodoved@lemm.ee
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  7 months ago

                  As I said earlier, it is only somewhat similar to TLS-in-TLS blocking. I do not have exact articles right now, and it is not easy to google them, since almost all of them are in Chinese.

                  But here is for example, a proof of concept of a tool, that detects TLS-in-TLS: https://github.com/XTLS/Trojan-killer

                  It is incomplete and I do not know if it uses the same methods as Chinese censors, but it still proves the possibility.

                  If you still require more concrete proff, then, I will try to find an article in my free time and if I do, I would reply to your comment again after that (it is not going to be in the nearest future.

                  • rottingleaf@lemmy.zip
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    7 months ago

                    OK, I’ve looked at this thing and read about it. It can be real. It should be solved by what I said earlier, but apparently in real life they solve it a bit more efficiently.

                    Didn’t check.