This is no 'nothing special' with Obfs4proxy. DPI sees it as random byte stream, thus your government can decide to block unknown protocols. Instead, you should trick DPI into thinking it sees HTTPS. Unless your government decides to block HTTPS.
Hi, posting from my main account (I'm also the poster of the GP comment).
"Nothing special" in this case was meant to describe the fact that it's random data with no identifiable patterns inherent to the data; you're absolutely right that that's what obfs4 does. I understand the confusion though, this phrasing could be better.
This does happen, though when I worked in the industry it wasn't common. Blocking of specific protocols was much more of an obstacle. HTTPS blocking (typically based on either the presence of a specific SNI field value, or based on the use of the ESNI/ECH TLS extension) was prolific. I won't comment on whether this was effective or not in impeding efforts to get people in these places connected.
I will say though, Operator's Replicant does something similar to what you're describing in that it can mimic unrelated protocols. It's a clever approach, unfortunately it was a bit immature when I was working in that area so the team didn't adopt it while I was around.
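What an on-path observer can read for the SNI- and ESNI/ECH-based blocking mentioned in the comment above, as an added example that is not part of the thread: a parser that pulls the cleartext server name and the presence of the ESNI/ECH extensions out of a TLS ClientHello. `build_sample` and the `.example` host names are constructed here for illustration.

```python
import struct

# TLS extension types: server_name, draft ESNI, encrypted_client_hello
EXT_SNI, EXT_ESNI, EXT_ECH = 0x0000, 0xFFCE, 0xFE0D

def inspect_client_hello(record):
    """Fields a passive observer can read from the first TLS record."""
    out = {"sni": None, "esni": False, "ech": False}
    # Record header: type 22 (handshake), version(2), length(2); then handshake type 1.
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS ClientHello record")
    try:
        p = 5 + 4 + 2 + 32                               # headers, version, random
        p += 1 + record[p]                               # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher_suites
        p += 1 + record[p]                               # compression_methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
    except (IndexError, struct.error):
        raise ValueError("truncated or extension-less ClientHello")
    p += 2
    while p + 4 <= min(end, len(record)):
        etype, elen = struct.unpack_from("!HH", record, p)
        body = record[p + 4 : p + 4 + elen]
        if etype == EXT_SNI and len(body) >= 5:
            # list_len(2), name_type(1), name_len(2), then the host name in cleartext
            nlen = struct.unpack_from("!H", body, 3)[0]
            out["sni"] = body[5 : 5 + nlen].decode("ascii", "replace")
        elif etype == EXT_ESNI:
            out["esni"] = True
        elif etype == EXT_ECH:
            out["ech"] = True
        p += 4 + elen
    return out

def build_sample(host=None, ech=False):
    """Constructed input: a minimal ClientHello, not a real capture."""
    exts = b""
    if host:
        name = host.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", EXT_SNI, len(sni)) + sni
    if ech:
        exts += struct.pack("!HH", EXT_ECH, 4) + bytes(4)  # placeholder body
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for hello in (build_sample("blocked.example"), build_sample("cdn.example", ech=True)):
        print(inspect_client_hello(hello))
```

The extension type is itself cleartext, so the use of ESNI/ECH is visible even when the inner name is not.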
> your government can decide to block unknown protocols
Has any government ever done that? Seems like it would just break everything (because the world is full of devices that use custom protocols!) at great computational expense.
China blocked https last week: https://www.tomshardware.com/tech-industry/cyber-security/ch...
Discussion: https://news.ycombinator.com/item?id=44958621
They blanket blocked connections to port 443 for an hour. There was no protocol sniffing.
Russia tested this in production by blocking Shadowsocks https://habr.com/ru/news/770840/
WebRTC is another great option: https://snowflake.torproject.org
It's used for a lot of legitimate traffic as well, so a bit harder to block.
The only VPN technology I see that blends as HTTPS is MASQUE IP Proxying, and the only implementation I know that does this is iCloud Private Relay. It is also trivial to block because blocking 443/udp doesn't really affect accessing the Internet.
Cloudflare WARP (1.1.1.1 tunnel or Zero Trust) runs by default on MASQUE.
Ah that's true, they originally started off with a Rust implementation of WireGuard but have since moved to MASQUE.
Not the only, AFAIK Shadowsocks with xray-core can pretend to be a 443/tcp HTTPS server.
Thanks for this, really couldn't find any English explanation of xray-core though.
Exactly this. Hell, for OP's use case of accessing things like twitter, a good old fashioned https proxy would be entirely fine, and likely not even illegal.
what i was thinking. DPI might pick up on proxy headers. alternatively, idk how far one would get just slapping wireguard or openvpn on a VPS somewhere on port 443. that used to work fairly well but i suppose my experience there is like 10+ years out of date by now.
i know a US based tech firm i worked for around 2020 had a simple HTTPS proxy for chinese clients to download content updates. worked really well. it was hosted on some cloud provider and accessible via DNS name. so it's not like it wasn't easy to block it. they just didn't bother or it was lost in a sea of other similar activities.
that all being said, regarding oppressive regimes and political turmoil situations: if your health or freedom is at risk, don't rely on internet people's 'guesswork' (hard to tell where ppl get their info from, and what it's based on etc.). be careful. if you are not confident, don't go forward with it. Try to get advice from local experts instead, who are familiar with the specific context you are dealing with.
How can you do that exactly?
> Unless your government decides to block HTTPS.
In which case you use stenography, but I believe even the Great Firewall of China doesn't block HTTPS completely.
Nit: you likely mean steganography, stenography is what court reporters do :)
I encourage you and anyone else here to read into the GFW if you're interested. It's more like the Great Firewalls -- there's regional fragmentation with different vendors, operators, implementations and rules between different parts of the country.
Predictably this means there's no one-size-fits-all solution to circumventing censorship on the Chinese internet, and research into this area's difficult since China has both the technical means to identify violations very efficiently as well as the bureaucratic infrastructure to carry out enforcement actions against a considerable portion of those people who violate the GFW rules (with enforcement action being anything from a "cooldown period" on your internet connection where you can't make any connections for some amount of time between minutes and days, fines, or imprisonment depending on the type of content you were trying to access).
So, the ethics of digging into this get very muddy, very fast.
https://en.m.wikipedia.org/wiki/Kazakhstan_man-in-the-middle...