You are viewing a single thread.
View all comments View context
2 points
*

At first, please, be a little bit more patient and no, I am not a LLM.

All https traffic is https-encapsulated by definition. And you can look inside https just fine. The problem is that most of data is TLS-encripted. However, there is so-called “clienthello” that is not encripted and can be used to identity the resource you are trying to reach.

And if you are going to https-encapsulate it again (like some VPN and proxy protocols do) data will have TLS-encription on top of TLS-encription, which can be identified as well.

And about libraries: VPN protocol Openconnect, for example uses library gnutls (which almost no one else uses) instead of more common openssl. So in China it is blocked using dpi by this “marker”.

permalink
report
parent
reply
1 point

However, there is so-called “clienthello” that is not encripted and can be used to identity the resource you are trying to reach.

Yes, so how is it going to inform you that this is a VPN server and not anything else? You put your little website with kitties and family photos behind nginx on a hosting somewhere, and some resource there, like /oldphotos, you proxy to a VPN server, with basic auth before that maybe.

And about libraries: VPN protocol Openconnect, for example uses library gnutls (which almost no one else uses) instead of more common openssl. So in China it is blocked using dpi by this “marker”.

Ah. You meant fingerprinting of clients.

Banning everything using gnutls (which, eh, is not only used by openconnect) is kinda similar to whitelists.

Both applicable to situations like China or something Middle-Eastern, but not most of Europe or Northern America.

permalink
report
parent
reply
2 points

It is going to show the censor that you are trying to reach different banned websites (and, probably, google, facebook, etc), all hosted on your server. Your beautiful website is all fine, but in clienthello there is still google.

It is not necessary fingerprinting of clients, you can fingerprint the server as well. GnuTLS for this particular purpose is used only by Openconnect and that is just an example. This tactic is very effective in China and Russia and collateral damage is insignificant.

And various western anti-censorship organizations wrote articles, that such methods are not possible in Russia as well, but here we are. China’s yesterday is Russia’s today, American tomorrow and European next week. Here it all started in the exact same manner, by requiring ISPs to block pirate websites. And between this and blocking whatever you want for the sake of National Security (for example, against Russian hackers) is not such a long road as you think it is.

permalink
report
parent
reply
1 point

It is going to show the censor that you are trying to reach different banned websites (and, probably, google, facebook, etc), all hosted on your server. Your beautiful website is all fine, but in clienthello there is still google.

WTF? No, in clienthello there is www.mysite.com . I’m talking about encapsulating traffic in an encrypted tunnel. We are assuming that FSB can’t decipher your TLS traffic.

The beautiful website I’ve imagined for a situation where some DPI robot will, say, visit it to check that there really is a website there. Or where you have to show that it’s a real website to get into a whitelist. Or something like that.

I don’t get it, you seem to be interested in the subject, but say weird things.

You also seem to be mixing up such entities as VPNs, proxies and encapsulation.

GnuTLS for this particular purpose is used only by Openconnect and that is just an example.

I’ve definitely seen more things using it even for similar purposes. Can’t remember anything specific, but I suppose a search in pkgsrc will yield something.

This tactic is very effective in China and Russia and collateral damage is insignificant.

BTW, I’m using VPNs in Russia from time to time. Something doesn’t work, something does.

And various western anti-censorship organizations wrote articles, that such methods are not possible in Russia as well,

I’m describing a specific kind of encapsulation. What you can do to guess that it’s a VPN is to analyze the amounts of data transmitted. That’d just require sending garbage from time to time. I think I’ve even seen a ready piece of software to make such tunnels.

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 17K

    Monthly active users

  • 12K

    Posts

  • 543K

    Comments