by H8crilA 1087 days ago
The exact reverse engineered algorithm of the GFW is on page 4. It looks very reasonable (given what they are trying to achieve with it).

The easiest bypass I can think of would be to tunnel your connections via TLS. For example, a SOCKS server tunneled via SSH, which in turn is tunneled via TLS to your gateway.

Or perhaps you can somehow get your SSH client to transmit "GET " at the beginning of the connection, have the server ignore those 4 bytes, then proceed as usual.


This is what I have a question about.

Can China pressure every domestic company to use their certificate authority allowing them to decrypt all TLS traffic, or be blocked? And block all sites outside China?

Kazakhstan had attempted a similar move[1], albeit through PSAs rather than convincing device manufacturers to add certificates to end-user devices.

[1] https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a...

1 - I believe they do it

2 - they obviously do not want to block all traffic, since they can do it any day, but they don't.

If it's over HTTPS, an outside observer has no way of knowing your stream started with a GET. Unless they've tapped SSL certificates, but that would be major news.

They are tapped into SSL certificates, those that are generated in China. Plus wherever the Chinese intelligence managed to install their "plugins".

Are any of those tappable certificates still considered trusted by the wider internet? Which CAs are those? They should be removed from the trusted list ASAP.