Comment on Movie industry demands US law requiring ISPs to block piracy websites
rottingleaf@lemmy.zip 7 months ago
It is going to show the censor that you are trying to reach different banned websites (and, probably, google, facebook, etc), all hosted on your server. Your beautiful website is all fine, but in clienthello there is still google.
WTF? No, in clienthello there is www.mysite.com. I’m talking about encapsulating traffic in an encrypted tunnel. We are assuming that FSB can’t decipher your TLS traffic.
The beautiful website I’ve imagined for a situation where some DPI robot will, say, visit it to check that there really is a website there. Or where you have to show that it’s a real website to get into a whitelist. Or something like that.
I don’t get it, you seem to be interested in the subject, but say weird things.
You also seem to be mixing up such entities as VPNs, proxies and encapsulation.
GnuTLS for this particular purpose is used only by Openconnect and that is just an example.
I’ve definitely seen more things using it even for similar purposes. Can’t remember anything specific, but I suppose a search in pkgsrc will yield something.
This tactic is very effective in China and Russia and collateral damage is insignificant.
BTW, I’m using VPNs in Russia from time to time. Something doesn’t work, something does.
And various western anti-censorship organizations wrote articles, that such methods are not possible in Russia as well,
I’m describing a specific kind of encapsulation. What you can do to guess that it’s a VPN is to analyze the amounts of data transmitted. That’d just require sending garbage from time to time. I think I’ve even seen a ready piece of software to make such tunnels.
khorovodoved@lemm.ee 7 months ago
As I have previously mentioned, if you are encapsulating all traffic in an encrypted tunnel, then most of the data would have two layers of encryption. This can be detected, and, in fact, is being detected in China and, experimentally, in Russia.
That is a good protection against active probing, but active probing is not the only detection method available to censors.
How did you come to this conclusion?
What are you trying to say here? What does work? What does not?
What I understood from you is that you are talking about encapsulating TLS-encrypted traffic in https, TLS-encrypting it again. If I understood you wrong, please correct me. There are countless software solutions for that, but they are not a panacea, because a double layer of encryption can be detected and your beautiful website does not need encryption-on-top-of-encryption. It is obvious that you are reaching something else.
rottingleaf@lemmy.zip 7 months ago
Please explain how you are imagining that.
I think I’ve mentioned before one solution of having a constant amount of data transferred.
I meant L3 encapsulated in HTTPS.
khorovodoved@lemm.ee 7 months ago
I do not have links to articles about that exactly right now, but here is an old article about somewhat similar tactics that China uses to block encrypted proxy protocols like shadowsocks, for example: gfw.report/publications/usenixsecurity23/en/
rottingleaf@lemmy.zip 7 months ago
I’ve read the article and really liked it, but it doesn’t say anything about TLS inside TLS.