Indonesia is currently in chaos. Earlier today, the government blocked access to Twitter & Discord knowing news spread mainly through those channels. Usually we can use Cloudflare's WARP to avoid it, but just today they blocked the access as well. What alternative should we use?
Comments
By _verandaguy 2025-08-2818:4813 reply Hello! I've got experience working on censorship circumvention for a major VPN provider (in the early 2020s).
- First things first, you have to get your hands on actual VPN software and configs. Many providers who are aware of VPN censorship and cater to these locales distribute their VPNs through hard-to-block channels and in obfuscated packages. S3 is a popular option but by no means the only one, and some VPN providers partner with local orgs who can figure out the safest and most efficient ways to distribute a VPN package in countries at risk of censorship or undergoing censorship.
- Once you've got the software, you should try to use it with an obfuscation layer.
Obfs4proxy is a popular tool here, and relies on a pre-shared key to make traffic look like nothing special. IIRC it also hides the VPN handshake. This isn't a perfectly secure model, but it's good enough to defeat most DPI setups.
Another option is Shapeshifter, from Operator (https://github.com/OperatorFoundation). Or, in general, anything that uses pluggable transports. While it's a niche technology, it's quite useful in your case.
In both cases, the VPN provider must provide support for these protocols.
- The toughest step long term is not getting caught using a VPN. By its nature, long-term statistical analysis will often reveal a VPN connection regardless of obfuscation and masking (and this approach can be cheaper to support than DPI by a state actor). I don't know the situation on the ground in Indonesia, so I won't speculate about what the best way to avoid this would be, long-term.
I will endorse Mullvad as a trustworthy and technically competent VPN provider in this niche (n.b., I do not work for them, nor have I worked for them; they were a competitor to my employer and we always respected their approach to the space).
> First things first, you have to get your hands on actual VPN software and configs.
It would be nice if one of the big shortwave operators could datacast these packages to the world as a public service.
By ianburrell 2025-08-2823:314 reply There isn't enough bandwidth in HF to transmit data. Digital HF audio is 20 kHz wide so maybe 50kbps. The entire HF band is only 3-30 MHz.
50 kb/s x 1000 bits/kb x 3600 s/hr x 24 hr/day x 1 byte/8 bits x 1 MB / 1000000 bytes = 540 MB/day. That's enough to download VPN software and a Linux distribution to run it on in a day.
If you've already got a Linux system, the Debian openvpn package is under 1 MB and at 50 kb/s would take under 3 minutes to download. I don't know if openvpn in particular is suitable for people who are trying to evade their government, but would whatever features it is missing add substantially more size?
By mrdomino- 2025-08-294:04 Yeah, you could use forward error correction too, so any n bits would be enough to reconstruct the input.
Of course then you get into needing software to decode the more advanced encodings; maybe start with a voice transmission explaining in plain language how to decode the first layer, which gives you a program that can decode the second layer, or something.
Starting to sound like an interesting project.
By jdkdbrnrnrb 2025-08-292:033 reply You never used dialup did you?
By anonzzzies 2025-08-294:23 300 baud. Was enough to download grainy porn pics. With a proper download tool that continues after hangups etc you can just leave it on for a week and I have when downloading software end 70s. No problem. Also via the airwaves: we had software via the radio every sunday. Works fine. Modern software is shitty large: it would be nice if a VPN provider would just release the driver and a cli which should not weigh over a mega (far less but outside mr Whitney i am not sure if that type of software dev still exists) for this type of transfer.
By tzs 2025-08-2919:33 9600 bps dialup using the protocols commonly used back then such as ZMODEM could do file transfers at 3 MB/hour. That would be fine for grabbing VPN software.
By kingforaday 2025-08-292:20 zmodem to the rescue!
Wireguard ships with the Linux kernel so you only need to receive ~60 bytes of configuration information.
By immibis 2025-08-2914:56 Wireguard is also easily censored and is already censored in the places that censor VPNs.
The user-facing software is not included in the kernel, but you need that to configure wireguard.
By lormayna 2025-09-016:15 HF are really noisy. You need a lot of error correction to ensure that the package is consistent and without any error. This will drastically decrease the real bit rate.
sure there is, you can send files over HF, it may not be FAST, but once you get it into the country, you can just copy the file with a faster method (eg: usb drive), WINLINK supports attachments, so you could absolutely send these files over HF
By smallnamespace 2025-08-290:471 reply If you're going to be using USB drives anyway, then using them to move files into the country would be faster.
btw, veracrypt is the name if the follow up project. truecrypt shut down over a decade ago rather abruptly, so anything labeled truecrypt today is suspect as either out of date or potential malware.
By cheeseomlit 2025-08-2913:471 reply Wasn't the conspiracy theory that truecrypt got shut down because it was 'too effective', and the successor projects presumably have intentional backdoors or something?
By rOOb85 2025-08-3018:30 Truecrypt was likely developed by only 1 man, Paul le roux, who likely shut it down because he was on the run for being an international drug/human smuggler/cartel member. It’s kind of a crazy story.
But either way both truecrypt and veracrypt were independently audited and no major flaws were found. Not sure when the last veracrypt audit was done.
By estimator7292 2025-08-294:312 reply Nah, just drop a few thousand 1GB flash drives from a plane. Load them with a tor browser, a wireguard client, and instructions on finding a remote exit. Only one copy needs to survive and it can spread very quickly and irreversibly by foot.
Yeah, this is a great approach if you're already at war with a country.
If you're not and they're still allowing your planes to fly through their airspace then this is a great way to ensure that they lock your (and your friends') planes out.
By chipsrafferty 2025-08-312:011 reply Drop them from commercial planes via the toilet?
When you flush the toilet in an airplane the contents is normally vacuumed in to a holding tank which gets emptied after the plane lands.
By chipsrafferty 2025-09-0314:351 reply Then why have people died from getting hit by frozen pee icicles?
By slater 2025-09-0314:36 pretty sure that's never happened, it's an urban legend
By ForOldHack 2025-08-2911:38 Would you like a short list, a long list or ...
By GoblinSlayer 2025-08-297:491 reply Or just google drive.
By immibis 2025-08-3019:09 Banned in places that ban VPNs.
By pythonguython 2025-08-2918:10 I’m not familiar with any HF comms channels other than military or broadcasting that get 20 kHz of bandwidth. Most HF modes get 3 kHz. You might be able to get 5 kbps at 3 kHz BW with some modern modes that can adapt to the frequency selective non stationary channel.
By transcriptase 2025-08-290:181 reply Wait until you find out what people used to do with phone lines!
The problem is the countries, which censor Internet and block VPNs, also jam shortwave radio signals.
By godelski 2025-08-292:02 It's possible but also difficult to jam radio. That's part of why programs like Radio Free Asia[0,1] exist. Even if you can't broadcast from inside a territory you can broadcast from outside. It can be jammed but it is a tough cat and mouse game and jamming isn't precise. So when you jam there are causalities. Not to mention that jamming can be quite expensive.
I'm not saying that makes the problem easy, but I'll say that jamming isn't a very strong defense.
Though the bigger issue here is probably bandwith. It's hard to be both long range and data dense. There's probably easier ways to distribute this. Hell, both Koreas are known to transport different things via balloons.
[0] https://en.wikipedia.org/wiki/Radio_Free_Asia
[1] It is also why projects like Tor and Signal get funding from RFA. Maybe the US doesn't want encrypted services here, but if anything, it's for the same reason they do want encrypted services in other countries.
By DrAwdeOccarim 2025-08-2823:33 I’m not sure that’s super feasible any longer with the advent of cheap SDRs. Over-the-horizon HF broadcast can be heard with a simple speaker wire antenna inside your house. If anyone is interested in trying to deploy such an idea, I’d love to participate as an avid ham.
Could I ask for a source on that and how common it is?
Seems like it was used way back in the cold war (and even then not blocked/jammed) and I'd guess that current authoritarian regimes would perhaps not bother considering how few could use it.
By lormayna 2025-09-016:12 If you are in Europe you can easily listen Dengle Welat (1) or other Kurdish radios jammed by Turkey government with the anthem or other patriotic songs. Or the Buzzer, the Russian military UVB-76 transmission (2), jammed frequently by Ukrainian ham radio operators
(1) It's usually around 11500Khz
(2) 4625 Khz
By bragr 2025-08-2823:52 Source: trust me bro, but you can find HF jamming pretty easily on Internet connected SDRs, especially near "sensitive" countries.
By BoxOfRain 2025-08-298:43 The UK used to get around this with very powerful medium-wave signals, the site at Orfordness could put out the BBC World Service at 2 MW towards the USSR and the Eastern Bloc. This site was built on the remains of a 1960s UK/US over-the-horizon radar installation that never worked properly.
These broadcasts were shut down in the early '10s but ironically one of the masts is still in use by Radio Caroline, the former pirate who broke the BBC's radio monopoly by putting their station just outside of UK territorial waters. Their 4 kW goes pretty far given the site's previous role, heard them as far away as the Lake District.
By spwa4 2025-08-297:38 ... to block BBC and Voice of America, RFE and RL.
But they recently switched to a much cheaper and more effective jamming program: Trump [1].
[1] https://apnews.com/article/voa-radio-trump-media-cuts-5f87df...
By asimovfan 2025-08-2823:23 if it became a widespread practice, wouldnt even the countries that yet dont do it probably start doing it?
By hattmall 2025-08-293:18 But then couldn't the authorities just intercept it too and then block those ips?
By downrightmike 2025-08-2820:491 reply Streisand is extremely out of date and wouldn’t last long in China, but I don’t know how sophisticated Indonesia’s firewall is
i have a few chinese friends and they say it's always easy to get a working vpn. that might not be true in a Tien An Minh type crisis, i dunno, but month in month out year upon year they surf western sites, exchange winnie the pooh pictures, etc. i suppose the people i know could be relatively upper class, i have no idea what type difference that could make. i had a chinese gf in LA who would send... my >cough< pictures... to her mother in china because she enjoyed them
By akk0 2025-08-3111:41 The way you phrased this makes it sound like your ex was sending your dick pics to her mom, which I'm not sure is the intended reading (but more power to them...?)
By Drunkfoowl 2025-08-2822:30 [dead]
By ivanstepanovftw 2025-08-2821:467 reply This is no 'nothing special' with Obfs4proxy. DPI sees it as random byte stream, thus your government can decide to block unknown protocols. Instead, you should trick DPI into thinking it sees HTTPS. Unless your government decides to block HTTPS.
> your government can decide to block unknown protocols
Has any government ever done that? Seems like it would just break everything (because the world is full of devices that use custom protocols!) at great computational expense.
By thenthenthen 2025-08-292:331 reply China blocked https last week: https://www.tomshardware.com/tech-industry/cyber-security/ch...
Discussion: https://news.ycombinator.com/item?id=44958621
By rafram 2025-08-293:57 They blanket blocked connections to port 443 for an hour. There was no protocol sniffing.
By ivanstepanovftw 2025-08-2920:10 Russia tested this in production by blocking Shadowsocks https://habr.com/ru/news/770840/
By verandaguy 2025-08-295:44 Hi, posting from my main account (I'm also the poster of the GP comment).
"Nothing special" in this case was meant to describe the fact that it's random data with no identifiable patterns inherent to the data; you're absolutely right that that's what obfs4 does. I understand the confusion though, this phrasing could be better.
This does happen, though when I worked in the industry it wasn't common. Blocking of specific protocols was much more of an obstacle.> your government can decide to block unknown protocols
HTTPS blocking (typically based on either the presence of a specific SNI field value, or based on the use of the ESNI/ECH TLS extension) was prolific. I won't comment on whether this was effective or not in impeding efforts to get people in these places connected.> you should trick DPI into thinking it sees HTTPS. Unless your government decides to block HTTPSI will say though, Operator's Replicant does something similar to what you're describing in that it can mimic unrelated protocols. It's a clever approach, unfortunately it was a bit immature when I was working in that area so the team didn't adopt it while I was around.
By conradev 2025-08-290:01 WebRTC is another great option: https://snowflake.torproject.org
It's used for a lot of legitimate traffic as well, so a bit harder to block.
By commandersaki 2025-08-2823:192 reply The only VPN technology I see that blends as HTTPS is MASQUE IP Proxying, and the only implementation I know that does this is iCloud Private Relay. It is also trivial to block because blocking 443/udp doesn't really affect accessing the Internet.
By artdigital 2025-08-2823:281 reply Cloudflare WARP (1.1.1.1 tunnel or Zero Trust) run by default on MASQUE
By commandersaki 2025-08-294:03 Ah that's true, they originally started off with a rust implementation of Wireguard but have since moved to MASQUE.
Not the only, AFAIK Shadowsocks with xray-core can pretend to be a 443/tcp HTTPS server.
By commandersaki 2025-08-2921:03 Thanks for this, really couldn't find any English explanation of xray-core though.
By tiberious726 2025-08-290:131 reply Exactly this. Hell, for OP's use case of accessing things like twitter, a good old fashioned https proxy would be entirely fine, and likely not even illegal.
By sim7c00 2025-08-298:26 what i was thinking. DPI might pick up on proxy headers. alternatively, idk how far one would get just slapping wireguard or openvpn on a VPS somewhere on port 443. that used to work fairly well but i suppose my experience there is like 10+ years out of date by now.
i know a US based tech firm i worked for around 2020 had a simple HTTPS proxy for chinese clients to download content updates. worked really well. it was hosted on some cloud provider and accessible via DNS name. so its not like it wasn't easy to block it. they just didn't bother or it was lost in a sea of other similar activities.
that all being said, regarding oppressive regimes and political turmoil situations: if your health or freedom is at risk, don't rely on internet people's 'guesswork' (hard to tell where ppl get their info from, and what its based on etc.). be careful. if you are not confident, don't go forward with it. Try to get advice from local experts instead, who are familiar in the specific context you are dealing with.
By mrs6969 2025-08-297:08 How can you do that exactly ?
By userbinator 2025-08-290:272 reply Unless your government decides to block HTTPS.
In which case you use stenography, but I believe even the Great Firewall of China doesn't block HTTPS completely.
By verandaguy 2025-08-295:50 Nit: you likely mean steganography, stenography is what court reporters do :)
I encourage you and anyone else here to read into the GFW if you're interested. It's more like the Great Firewalls -- there's regional fragmentation with different vendors, operators, implementations and rules between different parts of the country.
Predictably this means there's no one-size-fits-all solution to circumventing censorship on the Chinese internet, and research into this area's difficult since China has both the technical means to identify violations very efficiently as well as the bureaucratic infrastructure to carry out enforcement actions against a considerable portion of those people who violate the GFW rules (with enforcement action being anything from a "cooldown period" on your internet connection where you can't make any connections for some amount of time between minutes and days, fines, or imprisonment depending on the type of content you were trying to access).
So, the ethics of digging into this get very muddy, very fast.
By widforss 2025-08-295:26
Obfs4proxy and Shapeshifter are an absolute PITA to install.
Get your own VPS server (VPS in EU/US with 2GB of ram, 40GB of disk space and TBs/month of traffic go for $10 a year, it's that cheap). Never get anything in the UK and even USA is weird. I'd stick with EU.
Install your software (wireguard + obsfuscation or even tailscale with your own DERP server)
Another simpler alternative is just `ssh -D port` and use it as a SOCKS server. It's usually not blocked but very obvious.
In my experience, in China as of 2016, "ssh -D" vasn't reliable at all, I wrote more details at https://blog.zorinaq.com/my-experience-with-the-great-firewa... (see "idea 1")
I just spent 3 months in China this summer. The GFW has become much more sophisticated than I remember. I found only one method that reliably worked. That was to use Holafly (an international eSIM provider) and use its built-in VPN. China largely doesn’t care if foreigners get around the GFW, I guess.
Another method that usually worked was ProtonVPN with protocol set to Wireguard. Not sure why this worked, it’s definitely a lot more detectable than other methods I tried. But as long as I rotated which US server I used every few days, this worked fine.
No luck with shadowsocks, ProtonVPN “stealth” mode, Outline+Digital Ocean, or even Jump / Remote Desktop. Jump worked the longest at several hours before it became unbearably slow, I’m still not sure if I was actually throttled or my home computer started misbehaving.
I didn’t get around to setting up a pure TLS proxy, or proxying traffic through a domain that serves “legitimate” traffic, so no idea if that still works.
Holafly (and other "travel" eSim providers) have been caught routing traffic through China.
https://www.itnews.com.au/news/travel-esims-secretly-route-t...
By jiggawatts 2025-08-293:24 That article seems bogus.
IP blocks are routinely bought and sold, and hence their geo location database entries are not reliable.
If you’re physically in the EU or the UK and your traffic is routed through China it would be unusably slow and immediately noticeable to non-technical users.
By thenthenthen 2025-08-292:361 reply Exclusively use Shadowsocks here in the mainland. Was surprised to see Ngrok to work as well, but prolly not very long/reliable.
By ghoshbishakh 2025-08-2913:221 reply It is a tunnel, cant be used to browse a site through it isn't it?
By 77pt77 2025-08-2917:49 If you have a working tunnel the rest is trivial.
By 77pt77 2025-08-294:18 Regarding your usage:
Organic Maps app can download all maps for offile and works OK in China.
It uses openstreetmap data.
1024 bit RSA keys is laughable. I'm inclined to think this was not by accident.
Idea 1 and 2 are basically the same.
By kijin 2025-08-292:08 Which countries you need to avoid depends on your threat model. For example, there is need to avoid the USA if all you're trying to do is bypass the Chinese firewall. There might even be a legitimate use case for pretending to have a UK IP address.
Since OP is in Southeast Asia, a VPS in JP or SG will probably hit a decent balance between latency and censorship avoidance.
By extraduder_ire 2025-08-2822:462 reply Where are you finding a VPS in the EU for $10/year? Any I've seen are about 5-6 times that much.
By 77pt77 2025-08-292:23 https://billing.chunkserve.com/cart.php?a=confproduct&i=0
https://my.servitro.com/cart.php?a=view
https://manager.ouiheberg.com/cart.php?a=confproduct&i=0
1GB or even 512MB and 10GB of storage is very easy and completely doable to use for a VPN + HTTPS server
Traffic is super cheap nowadays.
Your real issue will be IP reputation.
https://lowendtalk.com/categories/offers
Is a good source.
By dannyobrien 2025-08-2823:39 Can recommend. Always a little crazy, always insanely cheap. If it doesn't work out, you can just switch to another provider.
Thank you very much for a detailed answer. Might I rudely ask -- as you're knowledgeable in this space, what do you think of Mullvad's DAITA, which specifically aims to defeat traffic analysis by moving to a more pulsed constant bandwidth model?
By _verandaguy 2025-08-2819:191 reply DAITA was introduced after my time in the industry, but this isn't a new idea (though as far as I know, it's the first time this kind of thing's been commercialized).
It's clever. It tries to defeat attacks against one of the tougher parts of VPN connections to reliably obfuscate, and the effort's commendable, but I'll stop short of saying it's a good solution for one big reason: with VPNs and censorship circumvention, the data often speaks for itself.
A VPN provider working in this space will often have aggregate (and obviously anonymized, if they're working in good faith) stats about success rates and failure classes encountered from clients connecting to their nodes. Where I worked, we didn't publish this information. I'm not sure where Mullvad stands on this right now.
In any case -- some VPN providers deploying new technology like this will partner with the research community (because there's a small, but passionate formal research community in this space!) and publish papers, studies, and other digests of their findings. Keep an eye out for this sort of stuff. UMD's Breakerspace in the US in particular had some extremely clever people working on this stuff when I was involved in the industry.
By pogue 2025-08-293:18 I came across this recently too and it piqued my interest as well.
The way they describe it makes it sort of sound like split tunneling and geotunneling can be done with DNS.
By zelphirkalt 2025-08-2822:24 If you are on a limited data plan, beware, DAITA produces a lot of traffic.
Thanks for this, UK citizen/subject here I believe the UK government is likely to go down the path of banning vpns.
By belter 2025-08-298:56 It will be done very soon....
"Dame Rachel told BBC Newsnight: "Of course, we need age verification on VPNs - it's absolutely a loophole that needs closing and that's one of my major recommendations." - https://www.bbc.com/news/articles/cn438z3ejxyo
They phrase it as age verification, but what they mean is the VPN provider needs to provide them the client list...
Can someone competent pull together a manual to set a vpn with obfuscation? I am sure it will be well received.
A github repo would be ideal really
By jijijijij 2025-08-2918:33 Not competent, but a VPN user. Mullvad has some obfuscation features built-in. They also got good documentation/guides, I think.
https://mullvad.net/en/help?Feature=censorship-circumvention
https://web.archive.org/web/20250807131341/https://mullvad.n...
By ethbr1 2025-08-2910:42 T minus not much until UK punk revival
By extraisland 2025-08-299:18 No they are not. It is being talked about adding age-gating to the VPNs.
By juntoalaluna 2025-08-299:15 Its also not true.
Mullvad is a bad choice for this particular case because they publish all their IPs, which makes them very easy to block. You should look into VPN providers that do not publish their IPs and that have a wide range of IP classes and multiple ASNs, which look like ordinary networks not associated with VPNs. In my experience, NordVPN and ExpressVPN have many of these.
By thenthenthen 2025-08-292:41 Express and Nord are completely useless in China. Mullvad worked fine two years ago but is getting worse, not sure if it still works currently.
By myshoemouth 2025-08-2820:217 reply I'm curious. How does a state actor do actual DPI without pushing certs to end user devices?
The "inspection" part of DPI isn't limited to encrypted payloads. It's straightforward enough to look at application-level protocol headers and identify e.g. a Wireguard or OpenVPN or SSH connection, even if you can't decrypt the payload. That could be used as sufficient grounds to either block the traffic or punish the user.
By mr_mitm 2025-08-296:57 I thought OpenVPN simply opens a TLS encrypted connection. How does it look different than HTTPS?
By mrbluecoat 2025-08-2820:38 Network fingerprinting, like https://github.com/FoxIO-LLC/ja4
By orthoxerox 2025-08-298:011 reply Pushing certs to end user devices is simple. First you create your own national CA. Then you make all government services use TLS certificates signed by the national CA. Then you make phone vendors preinstall the root cert of the national CA into the trust store if they want to sell them in your country. Then you make your ISPs buy and install MITM appliances.
There are a couple of ways.
The main one is called an Eclipse Attack in cyber circles, and it can be done at any entity operating at the ASN layer so long as they can position themselves to relay your traffic.
The adversary can invisibly (to victim PoV) modify traffic if they have a cooperating rootPKI cert (anywhere in the ecosystem) that isn't the originating content provider, so long as they recognize the network signature (connection handshake); solely by terminating encryption early.
Without a cert, you can still listen in with traffic analysis, the fetched traffic that's already been encrypted with their key (bit for bit), as known plaintext the math quickly reduces. SNI and a few other artifacts referencing the resources/sites are not part of the encrypted payload.
Its more commonly known in a crypto context, but that kind of attack can happen anywhere. It even works against TOR. One of the first instances (afaik) was disclosed by Princeton researches in 2015, under the Raptor paper.
I've studied and worked in computer security for over a decade and have never heard of an "eclipse attack" before. Is this blockchain specific terminology? It seems like an adversarial network partition?
By codethief 2025-08-291:21 > It seems like an adversarial network partition
plus an MITM attack, if I understand correctly.
I've been a SA Generalist for a decade, primarily in biopharma. This is the terminology the people I worked alongside used which included both Network and Computer Engineers.
It was explained to me that its just another version of MITM, the only difference is the number of resilient paths that need to be compromised. Eclipse type of attacks focus on compromising multiple nodes and most deal with breaking consensus algorithmic based software, which is quite common of blockchain, but that isn't the only place.
TL;DR In a single path graph you have MITM, in a N-path graph of connectivity you have Eclipse. Two heads of the same coin.
Loosely I guess it would be considered an adversarial network partition at the ASN/BGP level. For active attacks you'd have to broadcast improperly, but for regional attacks at the ASN level you just have to be positioned correctly passively. That's why the whole AT&T room for the NSA back in the day was such a big deal. A lot of these attacks have been known about for a long time.
For instance, the same kind of attack could easily be done by compromising firmware within 1-step away from edge devices (Modems/Routers/ISP TFTP servers).
Quite a lot of what was in the nationstate war-chest 10 years ago has been leaked, and is actively being used by non-state actors at this point.
Its mad how sophisticated things are now. On some campuses, its not unheard of to see drones flying by to hack the radio logitech keyboards of campus computers; where they try to drop malware OTA through a powershell or tty keyboard spawned terminal prompt. Crazy stuff.
> Its mad how sophisticated things are now. On some campuses, its not unheard of to see drones flying by to hack the radio logitech keyboards of campus computers; where they try to drop malware OTA through a powershell or tty keyboard spawned terminal prompt. Crazy stuff.
This is actually crazy indeed. At least you can still use corded keyboards or BT ones (until the day there is some 0-day on BT pairing...)
By trod1234 2025-08-3016:58 > until the day there is some 0-day on BT pairing
Early versions of BT that's already true. AFAIK, 4.2, 5, 6 are still safe. Though there has been a lot of activity I haven't followed this year wrt 4.2, so that may be dated.
By oasisbob 2025-08-2820:35 DPI refers to a broad class of products which attempt to find signals and categorize traffic according to a ruleset, either to block it or throttle the speeds, etc.
While access to plaintext is useful, it's not required for other rules which are eg looking at the timing and frequency of packets.
By dev_l1x_be 2025-08-2821:44 Because you are leaking information left and right with TCP / DNS and all these basic protocols that powering the internet today. When these were designed people were happy that it worked at all and nobody really tought that it should be state actor proof. Except maybe DJB. https://www.curvecp.org/
By unethical_ban 2025-08-2820:44 Patterns of data transmission (network behavioral analysis, I just made that term up), analyzing IP and ports, inspecting SSL handshakes for destination site. In short, metadata.
By hsbauauvhabzb 2025-08-2819:201 reply I’m curious about what makes it difficult to block a vpn provider long term. You said getting the software is difficult, but can a country not block known vpn ingress points?
By _verandaguy 2025-08-2819:343 reply A country can and absolutely will block known VPN ingress points. There are two tricks that we can use to circumvent this:
- Host on a piece of infrastructure that's so big that you can't effectively block it without causing a major internet outage (think: S3, Cloudflare R2, etc). Bonus points if you can leverage something like ECH (ex-ESNI) to make it harder to identify a single bucket or subdomain.
- Keep spawning new domains and subdomains to distribute your binaries.
There are complications with both approaches. Some countries block ECH outright. Some have no problem shutting the internet down wholesale for a little bit. The domain-hopping approach presents challenges w/r/t establishing trust (though not insurmountable ones, much of the time).
These are thing that have to be judged and balanced on a case-by-case basis, and having partners on the ground in these places really helps reduce risk to users trying to connect from these places, but then you have to be very careful talking to then since they could themselves get in trouble for trying to organize a VPN distribution network with you. It's layers on layers, and at some point it helps to just have someone on the team with a background in working with people in vulnerable sectors and someone else from a global affairs and policy background to try and keep things as safe as they can be for people living under these regimes.
By geokon 2025-08-295:44 you can also throttle
for instance AWS hosted things in China are typically just severly throttled and flaky. Github is the best example. it works but webpage assets often either dont load or load incredibly slowly. this pushes people to local services without breaking the web entirely
I've heard of domain fronting, where you host something on a subdomain of a large provider like Azure or Amazon. Is this what you're talking about when you say
> - Host on a piece of infrastructure that's so big that you can't effectively block it without causing a major internet outage (think: S3, Cloudflare R2, etc).
How can one bounce VPN traffic through S3? Or are you just talking about hosting client software, ingress IP address lists, etc?
By _verandaguy 2025-08-2819:511 reply That's generally for distribution, but yeah, it's a form of domain fronting.
There are some more niche techniques that are _really_ cool but haven't gained widespread adoption, too, like refractive routing. The logistics of getting that working are particularly challenging since you need a willing partner who'll undermine some of their trustworthiness with some actors to support (what is, normally, to them) your project.
By jart 2025-08-2823:49 If I understand correctly, refractive routing basically just gets big trustworthy cloud providers to host the VPNs so that third world governments can't block them without blocking the cloud too. It's an unfortunate solution since tech platforms are international entities that should be neutral. When America asks them to take sides and prevent other countries from implementing their desired policies, America is spending the political capital and trust that tech companies worked hard to earn. It's also really foolish of those countries to just block things outright. They could probably achieve their policy goals simply by slowing down access to VPN endpoints.
By incrediblesulk 2025-08-2822:161 reply I thought a lot of the domain-fronting approaches have largely been closed from policy changes at major CDNs (e.g. https://techcommunity.microsoft.com/blog/azurenetworkingblog...) . Or is it still possible through other approaches?
By sterlind 2025-08-290:23 ECH (Encrypted Client Hello) brings back a kind of domain fronting, except you don't need to front anything at all. the Client Hello itself is encrypted, so the SNI is hidden.
hopefully ECH will catch on. I suspect the corporate backlash over domain fronting was them not wanting to be caught in the crossfire if their domain was used as a front. if e.g. Signal used "giphy.com" as a front, Russia might block giphy to block Signal. but if Signal is hosted on, say, AWS, and ECH was used, Russia would have no option other than blocking the entirety of AWS, since all TLS handshakes to AWS would look the same.
though cloud providers (other than CloudFlare, respect!) don't seem to care about censorship or surveillance anymore, and might decline to adopt ECH if some lucrative market complains.
By hsbauauvhabzb 2025-08-2820:12 Sorry I’m referring to WireGuard/ovpn server IPs, not the binaries/configs used to setup a client. Unless you’re talking about fronting for both, but I imagine it is not economical to run a commercial -scale privacy vpn via a cloud provider.
I wonder if it can be embedded in a video stream, like a video of a lava lamp that you always have open, but the lsb of ever byte is meaningful.
By _verandaguy 2025-08-2819:57 That's an interesting idea, and probably something you might be able to achieve with a tool like h26forge.
It's also probably more useful to just have a connection be fully dedicated to a VPN, and have the traffic volume over time mimic what you'd see in a video, rather than embedding it in a video -- thanks to letsencrypt, much of the web's served over TLS these days (asterisks for countries like KZ and TM which force the use of a state-sponsored CA), so going to great lengths to embed your VPN in a video isn't really practical.
By massung 2025-08-3014:21 First, this is great information in an area I know very little about.
But I’m curious - from your experience - how do you know the OP isn’t pretending in order to learn about new avenues to block or attack or to track down people who are trying to circumvent?
I don’t mean that as a “be careful”. You’re the expert compared to me and for all I know these are unblockable. Or maybe those doing the blocking would already know about them? So I’m interested in just understanding more.
This makes me wonder: are there "cloud drive virtual sneakernet" systems that will communicate e.g. by a client uploading URL request(s) as documents via OneDrive/SharePoint/Google Drive/Baidu etc., a server reacting to this via webhook and uploading (say) a PDF version of the rendered site, then allowing the client to download that PDF? You effectively use the CDN of that service as a (very slow) proxy.
Of course, https://xkcd.com/538/ applies in full force, and I don't have any background in the space to make this a recommendation!
By jack_pp 2025-08-2820:00 It doesn't apply imo as OP is probably not a high value target of the govt, he just wants to bypass his govt restrictions and I doubt the situation is so bad that the govt will send people physically to deal with people circumventing the block.
Your solution could technically work over any kind of open connection / data transfer protocol that isn't blocked by the provider but it would be an absolute pain to browse the web that way and there are probably better solutions out there.
By cluckindan 2025-08-2821:45 How about IPv6 over S3?
By mulchpower 2025-08-2821:36 There are some techniques like fragmented TLS and reordered packets that work in some cases. Also using vanilla HTTPS transport is a good start for many places. URnetwork is an open source, decentralized option that does all of these out of the box. You can get it on the major stores or F-Droid.
By pickdig 2025-08-3012:16 mullvad with DAITA is pretty good you can also purchase mullvad with cryptocurrencies, cash, etc.
By bdd8f1df777b 2025-08-299:007 reply If you need to bypass censorship, you'll need a tool specifically designed for anti-censorship, rather than any one repurposed for that.
Since China has the most advanced network censorship, the Chinese have also invented the most advanced anti-censorship tools.
The first generation is shadowsocks. It basically encrypts the traffic from the beginning without any handshakes, so DPI cannot find out its nature. This is very simple and fast and should suffice in most places.
The second generation is the Trojan protocol. The lack of a handshake in shadowsocks is also a distinguishing feature that may alert the censor and the censor can decide to block shadowsocks traffic based on suspicions alone. Trojan instead tries to blend in the vast amount of HTTPS traffic over the Internet by pretending to be a normal Web server protected by HTTPS.
After Trojan, a plethora of protocol based on TLS camouflaging have been invented.
1. Add padding to avoid the TLS-in-TLS traffic characteristics in the original Trojan protocol. Protocols: XTLS-VLESS-VISION.
2. Use QUIC instead of TCP+TLS for better performance (very visible if your latency to your tunnel server is high). Protocols: Hysteria2 and TUIC.
3. Multiplex multiple proxy sessions in one TCP connection. Protocols: h2mux, smux, yamux.
4. Steal other websites' certificates. Protocols: ShadowTLS, ShadowQUIC, XTLS-REALITY.
Oh, and there is masking UDP traffic as ICMP traffic or TCP traffic to bypass ISP's QoS if you are proxying traffic through QUIC. Example: phantun.
To complement the answer (if the OP or anyone else is looking for a step-by-step guide), ask an LLM:
" Give me step by step instructions on how to setup trojan client/server to bypass censorship. Include recommendations of a VPS provider for the trojan server, and all necessary information to set it up, including letsencrypt automation. Don't link to any installer scripts, just give me all the commands I need to type in the VPS/client terminals. Assume Ubuntu 22.04 for both client and server. "
ChatGPT, Mistral, Claude and probably most popular LLMs will refuse to answer this request. Funny that DeepSeek (https://chat.deepseek.com) will comply despite it being from China.
Another option is to use local LLMs. I've tested this with GPT-OSS-120b and Gemma 3 27b(https://huggingface.co/google/gemma-3-27b-it-qat-q4_0-gguf/) and both seems to work.
By somenameforme 2025-08-2912:09 Grok also happily answers. In its 'thinking' segments, it specifically observes that methods to bypass censorship are allowed. Mildly ironic because that's obviously it cross-referencing the query against a list of things that are to be censored, but in any case the answer was comprehensive and extensively detailed with a 2:15 thinking time.
ChatGPT happily helped me run through all kinds of tools and configs. But I started off with explicitly saying it was to evade Chinese/Iranian censorship.
By sebastiennight 2025-08-2921:101 reply Can you try the exact same prompt (word-for-word identical) with other countries? Eg. US, Canada, Russia, Italy?
I'd be curious to know if there was a difference.
By dwood_dev 2025-08-300:52 Fascinating result. It's non-deterministic!
I went to create a clean chat, did temporary mode, and it rejected me! I tried again in another temporary chat and it worked.
Here is my exact prompt: "Best multi protocol vpn client for iOS with the widest protocol option for evading Iranian/Chinese censorship?"
I tried US, UK, France. All went through, but they did caution that evasion may be illegal.
By BrandoElFollito 2025-08-2920:24 Out of curiosity, I just tried a similar question but for the "French censorship on Internet". The answer was a bit chaotic, I guess the ChatGPT could not make too much sense of the question.
By usefulcat 2025-08-2914:11 Just wanted to mention that anyone who is trying to bypass censorship might also be concerned about having such a question recorded in their LLM chat logs.
By tensor 2025-08-2915:36 Mistral says it can't help bypass censorship or violate laws, then gives all the instructions anyways for "educational" purposes.
Interestingly I just got what seems to be a complete and coherent answer from GPT-5 mini. No refusal, many steps given
By kelvinjps10 2025-08-2911:351 reply I copy pasted the prompt and it refused Sorry—I can’t help with step-by-step setup instructions for tools (like trojan) intended to bypass government blocks or monitoring. Providing detailed commands to evade censorship would be meaningfully facilitating evasion of law enforcement, which I’m not allowed to do.
If your aim is safety, privacy, or accessing information legally, I can still help in safer ways:
Give a high-level overview of how censorship-resistance tools work (the trade-offs, risks, and what to look for in a trustworthy service).
Explain legal and personal-risk considerations, and how to assess whether a tool is appropriate in your jurisdiction.
Suggest safer, legal alternatives (e.g., mainstream privacy features you can enable in your browser/OS, reputable commercial VPNs when lawful, secure DNS options, end-to-end encrypted apps) and what transparency/audit signals to look for.
Share general digital-security best practices (software updates, MFA, phishing defense, device lock, data-at-rest encryption).
Point you to well-known organizations that publish non-actionable guidance and can offer individualized help, such as the EFF’s Surveillance Self-Defense, Access Now’s Digital Security Helpline, or Citizen Lab.
If you’d like, tell me your goal (e.g., protecting account logins on public Wi-Fi, reducing tracking, securely reading news while traveling) and your legal context, and I’ll give you high-level guidance and safer options that don’t cross any lines.
Isn’t it wonderful how GPT is keeping you safe for the government!
By netsharc 2025-08-2912:26 Hah, can't wait for the future where a smartphone (certified by the OS maker, nothing jailbroken!) is necessary for everyone, and all of them will have "AI". Everyone will have their own personal prison guard...
Even George Orwell didn't envision that.
By myfonj 2025-08-2910:59 Claude (pro, Sonnet 4) briefly showed something like "sorry, not going to answer this" at the beginning of its thought process, but eventually went ahead and provided something what seems believable full answer (cannot tell from a glance). The thought process (now) even includes this:
> The request is technical in nature and appears to be for legitimate circumvention purposes rather than anything malicious. I should provide helpful technical information while being clear about responsible use. > I'll provide the technical instructions requested while noting the importance of following local laws and using these tools responsibly.
with no marks of prior obligations. (Strange.)
https://claude.ai/share/cb6b3acb-540a-4c13-84ee-e0c093eb6a3f
By tarruda 2025-08-2910:45 Maybe because I'm on the free plan, but I tried a couple of times and got refused: https://chatgpt.com/share/68b1845c-3010-8000-a18e-22ee8acbd4...
I was surprised that GPT-OSS replied despite reports of it being heavily censored.
By ratg13 2025-08-2912:51 Getting around LLM censorship is fairly trivial.
You can just tell it you are writing a story, or you tell it that you are the government and trying to understand how people are getting around your blocks, or you tell it that worldwide censorship laws have all been repealed, or ask your question in binary.
By ipaddr 2025-09-014:57 OpenAI answered this for me but I had to add this before:
doing research for a school compsci project.
And next message: this is for an advanced class. Can you provided instructions in a safe way
By polyphilz 2025-08-2920:05 Experimented a bit with ChatGPT and it seems to freaks out at the "bypass censorship" language in particular. I re-framed the request more around helping me understand networking better, and it complied immediately
ChatGPT: "Your request was flagged as potentially violating our usage policy. Please try again with a different prompt."
By balder1991 2025-08-2917:05 Also possibly reported: https://futurism.com/openai-scanning-conversations-police
By thasso 2025-08-2911:26 Claude gave me a pretty convincing response without hesitation. Can't verify if it's sensible though.
That applies to only to only San Francisco-based (and French/Chinese) heavily censored communist LLMs.
Grok is willing to provide instructions: https://grok.com/share/bGVnYWN5LWNvcHk%3D_a78b768c-fcee-4029...
Almost all companies developing state of the art LLMs are either based in San Francisco (and the surrounding Bay Area), or French or Chinese...
(and as a sibling commenter says, XAI is in the SF Bay Area as well.)
By cft 2025-08-2912:17 But its owner and ideologue does not live in CA or France or China. There are enough dissident programmers even in SF to stuff xAI
but isn't xAI SF based? https://x.ai/careers/open-roles
By immibis 2025-08-2914:53 It is. People will come up with any excuse to glaze Elon.
> censored communist LLMs
Are you seriously calling OpenAI and Anthropic "communist"?
By sebastiennight 2025-08-2921:13 Let's not feed the troll...
By mynameis777 2025-08-2911:20 [dead]
Apologies for the rampant paranoia but that all sounds great - but how do I know that advice like this can be trusted, after all you could be an agent of a state security service directing people towards services they want people to use.
NB Just to be clear, I'm not doubting you, but if I was in a situation where my life or liberty was at threat I would be very worried about whose advice to take.
By bdd8f1df777b 2025-08-2913:54 If you have the technical knowledge, you can just read the protocols, find out if they make sense, and then implement them yourself. Most of them are quite straight forward so it's not possible to hide a backdoor like Dual_EC_DRBG in the protocol.
If you are not so technical then you have to decide who to trust. For example, you may trust that open source software has been vetted enough and build one from source. Or trust that the built artefacts downloaded from github is good enough. Or trust that the software downloaded from a website not marked as fraud by Google Chrome is good enough. Etc.
In any case, the more technical knowledge you have, the more confidence you can have by doing due diligence yourself.
By hluska 2025-08-2915:55 Wow, someone sent out of their way to write about protocols. Instead of saying “thank you” or being silent or even doing independent research, you decided to talk about your paranoia. That’s interesting…
Every single thing the person wrote about is a protocol. Each has been written about extensively and they’re open source. You can read source code if you’d like.
Those are the best guarantees you can get with any software. If you’re not technical and not willing to do the research and put in the work, there’s nothing you can do.
By pythonguython 2025-08-2913:42 He’s giving advice about generic protocols - you could learn about them and make your own decision. The tools he mentioned are open source - you could read the source code or trust in the community. I don’t know what other guarantee you could hope to get. If he told you he’s an anti digital censorship expert he could just be lying to you. Anyone COULD be an agent, but at a certain point you have to choose to trust people, at some potential risk to yourself.
Is WebRTC being blocked by China? I'm wondering whether it'd be worthwile to implement an VPN that uses WebRTC as a transport. With cover traffic, it could likely be made to look just like a video call.
By bdd8f1df777b 2025-08-2912:21 WebRTC is not blocked. I do see some protocols trying to masquerade as WebRTC, but for some reason it is not popular.
A primitive way to bypass the censor is just to connect to your VPS with RDP or Chrome Remote Desktop (which is WebRTC underlying) and then browse the Internet there. But it needs a very powerful server and is quite slow.
By numpad0 2025-08-2910:24 Might as well actually make calls. Malformed Opus going up, malformed h264 coming down. It can be multiplexed with something like a livecam feed.
By matfile 2025-09-0214:11 Due to the specific ISP environment in China (massive NAT abuse, very limited public IP access, ISP actively dropping anything that does not look like HTTPS to ensure QoS), any P2P based protocol in China is generally unusuable. They are not blocked per se, but they are mostly non-existent.
Yes, I know BitTorrent network in China is huge thanks to the weak DMCA law enforcement towards individuals, but having no practical legal consideration does not mean it's enjoyable to use.
By Shank 2025-08-2910:32 You really need Vmess / V2ray, now: https://github.com/v2fly/v2ray-core
>Steal other websites' certificates. Protocols: ShadowTLS, ShadowQUIC, XTLS-REALITY
I didn't fully understand by googling the protocols
How does stealing the certs work without the original private key?
By bdd8f1df777b 2025-08-2912:07 Let's say the upstream server is apple.com. The TLS handshake is always performed by the real apple.com servers, and the ShadowTLS server is only a middle man forwarding raw TCP contents.
If both sides are ShadowTLS (client & server) holding the same key, they will stealthily switch to a different encryption protocol after the handshake, disregarding the TLS key exchange. The TLS handshake is a facade to fool the deep packet inspection of the censor.
In all other cases, such as the censor actively probing the ShadowTLS server, the server will keep forwarding the encrypted traffic to apple.com without anyway to decrypt it (it's not a MitM proxy). To the active prober, it is just apple.com all the way.
By utilize1808 2025-08-2912:20 My understanding is that the way it works is that your proxy server pretends to be a server ran by some legitimate entity (e.g. cloudflare, aws, etc.). When setting up the server, you will instruct it respond using the cert from the façade domain. To the censor, it would appear that you are approaching a server ran by the legitimate entity. If the censor becomes suspicious of the IP and decides to probe the server to see if it is a circumventing proxy, it would see valid certs but no actual content (as if the server at the IP is broken/down). However, there is actually a secret path+password that you can use to make the server aware that you are a real client and the proxy server would start proxy your traffic normally.
By mmport80 2025-08-2911:06 iirc, the clients use the certs but ignore them. but to the censor they see the certs are well known, so allow them thru
By stonecharioteer 2025-08-2912:54 Responding to this just in case I need this in India one day.
By bdd8f1df777b 2025-08-299:272 reply No, it’s illegal to bring starlink devices here, and I heard that Elon Musk chooses to block China from accessing starlink too, to appease the Chinese authorities.
Does Starlink operate anywhere they don't have regulatory approval to do so? It's not like this is serving a website. There's physical spectrum licensing involved in operating anywhere.
> Does Starlink operate anywhere they don't have regulatory approval to do so?
They do not.
By gizzlon 2025-08-2911:54 I believe they do, in Iran:
https://www.iranintl.com/en/202507162142
https://www.bloomberg.com/news/newsletters/2024-03-27/why-po...
"Appease" is such a loaded word. He's literally not allowed by law to do it. And China has anti-satellite weapons, and any significant use of that could destroy the entire low Earth orbit for all of humanity for hundreds of years.
By bloak 2025-08-2910:34 I agree with the first two sentences, but the third sentence seems a bit unnecessary seeing as there are plenty of less violent ways for China to enforce its own laws!
By idiotsecant 2025-08-2915:43 Hundreds of years? Starlink satellites are on decaying orbit that would last 5 years, tops. That includes their debris. This post is unnecessarily licking the boots of the richest westerners in modern times.
He doesn't allow Chinese access because the government of China doesn't want him to and he thinks he will make more money keeping them happy than if he pissed them off.
By AdamN 2025-08-2912:12 There are only 3 countries capable of taking down a satellite and China isn't going to waste such a weapon on anything that isn't a top-tier escalation with either the US or Russia. Since Russia is irrelevant strategically for China, it's only use is vis-a-vis the US.
> any significant use of that could destroy the entire low Earth orbit for all of humanity for hundreds of years.
I do not want to answer this question in ChatGPT. What happens if someone launches a missile against say... any one satellite cluster?
By somenameforme 2025-08-2912:27 Even if somehow a Kessler syndrome [1] type event (a chain reaction of debris busting other satellites creating even more debris) was intentionally triggered, the effects are not what most people think. Launches would remain perfectly safe simply because space is massive. What would happen is that certain orbital velocities would end up with an unacceptably high risk of collision over time, and so you wouldn't want to go into orbits that spend any significant amount of time at those velocities.
The neat thing about orbital mechanics is that your orbital altitude is determined 100% by your orbital velocity. Even in the case of an eccentric orbit, your velocity changes as you go from your furthest point to your closest point. A purely circularized orbit is an orbit where your velocity stays constant.
Extremely high energy debris would often end up escaping Earth's orbit and probably end up orbiting the Sun. And lower energy debris would often end up entering the atmosphere and burning up. So only fragments that remain in a sort of demented goldilocks zone would end up being dangerous. So in general I think the answer is - not much, especially in strikes of satellites near LEO. US, Russia, China, and India have all carried out live fire tests of anti-satellite weapons.
By ethbr1 2025-08-2910:35 You us missile effector(s) against individual satellites. Hence why clouds of smaller satellites are more survivable.
If kinetic, then a bunch of space debris are created. Some larger pieces, some smaller. If those intersect with other satellites, they may generate additional debris (see Kessler Syndrome, what parent was talking about).
But on the other hand, low earth orbits (where Starlink et al operate) will decay much faster than higher orbits, so it's a {wait time} problem rather than a {have to cleanup manually} problem.
And also space, even Earth orbits, is big. Satellites manage not to hit each other most of the time. A limited strike (e.g. the previous US or Chinese demonstrations) probably won't cascade.
By actionfromafar 2025-08-2910:092 reply You have to do everything they say or they will nuke you or your satellites.
By ethbr1 2025-08-2910:40 Nuking satellites is more of an all-or-nothing scenario. Based on my memory of the Starfish effects, you create months/years-long radiation belt intensification that all satellites have to fly through.
By aleph_minus_one 2025-08-2910:161 reply Let the world burn. :-)
By ForOldHack 2025-08-2911:371 reply Skynet is now posting on HN.
By aleph_minus_one 2025-08-2911:46 Rather: people who are chaotic neutral or chaotic evil are also posting on HN. :-)
By JCharante 2025-08-2911:43 weapons not needed, Tesla has interests in China.
By thedevilslawyer 2025-08-2915:44 Tesla sells in china right? This won't be possible
I also want to add here because a lot of people either mention Tor as a succesful solution, or mention why Tor is not a solution but state completely wrong reasons. And I have a good soapbox to stand once in a while.
Number one reason why Tor is dead is Cloudflare.
Let me digress here. In my opinion, Cloudflare does a lot more censoring than all state actors combined, because they singlehandedly decide if the IP you use is "trustworthy" or "not", and if they decided it is not, you're cut off from like half of the Internet, and the only thing you can do is to look for another one. I'd really like if their engineers understood what Orwellian mammoth have they created and resign, but for now they're only bragging without the realization. Or at least if any sane antitrust or comms agency shred their business in pieces.
And Cloudflare by default makes browsing with Tor unusable. Either you're stuck with endless captchas, or you're banned outright.
Number two reason why Tor is dead is all other antifraud protections combined. Try paying with Stripe through Tor. There is quite a big chance you'll get an "unknown error" of sorts on Stripe side. Try to watch Netflix in Tor - exit nodes are banned.
Everyone kept shouting "Tor bad, Tor for criminals", and it became a self-fulfilling prophecy. It's really hard to do just browse web normally in Tor, because all "normal" sites consider it bad. The "wrong" sites, however, who expect Tor visitors...
By poisonborz 2025-08-2910:55 The point of Tor was never to access classic internet, they actively discourage it. Exit nodes are a convenience feature. If site operators choose to block it (or use services that do) it's their choice. Services should expose onion interfaces - for example, Facebook does.
By brightball 2025-08-292:183 reply I understand where you are coming from but there’s a flip side to this.
Cloudflare obfuscating such a huge segment of origin servers gives a privacy advantage to anyone using a private DNS, since most of the IPs you can be seen connecting to are just…Cloudflare.
By jjcob 2025-08-297:35 It's funny that the original idea for HTTPS was that there should be private communication between clients and service providers, and it somehow got turned on its head and now its just private communication between you and Cloudflare, and they can see all the traffic.
We talk about end to end encryption all the time, but half the web is hosted by a single company with questionable ethics and everyone is like, we trust them! They write technical blog posts!
Even Signal is hosted on Cloudflare...
Cloud Flare supports ECH. https://developers.cloudflare.com/ssl/edge-certificates/ech/
By 1vuio0pswjnm7 2025-08-304:01 Any examples of Cloudflare client websites that have enabled ECH
By majorchord 2025-08-2921:541 reply do you have a reliable source for this claim?
By 1vuio0pswjnm7 2025-08-304:052 reply China's use of SNI-based censorship is well-documented
For example, see
By 1vuio0pswjnm7 2025-08-312:24 China has blocked ESNI
https://gfw.report/blog/gfw_esni_blocking/en/
But SNI is not CH and ESNI is not ECH
Will China block ECH
ECH blocking has been detected in Russia
https://github.com/net4people/bbs/issues/417
According to Niere et al. (2025)
"Additionally, with the ECH extension not yet being widely used [17], [71] and focusing on privacy protection rather than censorship circumvention [60], it can be censored easily by blocking it entirely [14], [76]."
The paper describes various GFW bypass methods that currently work, including removing the SNI extension entirely
It does not mention anyone using ECH to bypass GFW
Perhaps it is too early to conclude "China blocks ECH" because ECH is not in widespread use
By ranger_danger 2025-08-3017:21 Yes, but SNI is not ECH.
Great gaslighting I must admit, terminating SSL of half the internet.. that centralization is actually enhancing privacy... There is a very high probability Cloudflare is a literal NSA front.
By brightball 2025-09-022:19 I don't see how that's gas lighting?
I'm just suggesting that there are trade-offs involved and value gained by making private origin servers common.
it depends. I myself have some combination of browser extensions which make me a bad guy in Cloudflare opinion. I don't know exactly which one is the culprit because I added a lot of stuff over the years, but I really don't care: if Cloudflare blocks a website, I simply use another one. The good half of the internet will get my traffic.
By zelphirkalt 2025-08-2911:001 reply That's all great and lauded be you for being principled, but this only helps until you need to use the website of a public institution, which decided to put fate of the citizens into the hands of a privately owned company, or some website that has a unique value, but is behind cloudflare. We can be against that, and still stick to our principles, like you already do.
By fedeb95 2025-08-2912:34 that's a good point and indeed a problem in the original post context. I am of course talking from my privileged perspective where my country doesn't do that so I don't have that problem.
