Authors: Anonymous
Starting from October 3, 2022 (Beijing Time), more than 100 users reported that at least one of their TLS-based censorship circumvention servers had been blocked. The TLS-based circumvention protocols that are reportedly blocked include trojan, Xray, V2Ray TLS+Websocket, VLESS, and gRPC. We have not, however, received any report of naiveproxy being blocked.
Below is a summary of this blocking event and our conjecture.
The blocking is done by blocking the specific port that the circumvention service listens on. When a user changes the blocked port to a non-blocked port and keeps using the circumvention tool, the entire IP address may get blocked. It is worth noting that the servers' domain names are not added to the GFW's DNS or SNI blacklists.
While most users reported that their port 443 got blocked, a few users reported that a non-443 port on which their circumvention service listens got blocked as well. While most of the blocked servers are in the datacenters of popular VPS providers (for example, bandwagonhost), at least one user reported the blocking of a server in a residential network in Europe.
In a few cases (not all cases), the blocking seems to be dynamic, because a web browser could still access the circumvention ports while the circumvention tools did not work.
All of the observations above strongly indicate that the GFW can indeed accurately identify and block the circumvention services, rather than simply blocking port 443 or blocking the popular VPS providers.
Based on the information collected above, we suspect, without empirical measurement yet, that the blocking is possibly related to the TLS fingerprints of those circumvention tools. Developers may want to look into uTLS. One may also find this paper reading group, this summary, and this post on TLS fingerprinting helpful.
We will investigate whether the GFW indeed uses the TLS fingerprints sent by these clients to identify circumvention protocols. In the meantime, if any of your servers has been blocked, or if you have any evidence that can corroborate or falsify our hypothesis, we encourage you to share your comments publicly or privately. Our private contact information can be found in the footer of GFW Report.
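To make the TLS fingerprint hypothesis above concrete, here is an added example (not code from this report or from any of the tools it names) that shows how two clients connecting to the same server and port can still be told apart by their ClientHello. It computes the JA3 string, a publicly documented fingerprint format whose MD5 is the JA3 hash; using JA3 is an assumption for illustration, since the report does not say which features the GFW inspects. `build_hello` and the two sample ClientHellos are constructed for this example and do not reproduce any real client.

```python
import struct

def is_grease(v):
    # RFC 8701 GREASE values have the form 0x?A?A with both bytes equal.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def u16s(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf) if not is_grease(v)]

def ja3_string(rec):
    """JA3 string for one raw TLS record that holds a complete ClientHello."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:
            raise ValueError("not a ClientHello record")
        version = struct.unpack_from("!H", rec, 9)[0]   # legacy_version
        p = 44 + rec[43]        # past headers, version, random (32), session_id
        n = struct.unpack_from("!H", rec, p)[0]
        ciphers = u16s(rec[p + 2:p + 2 + n])
        p += 2 + n
        p += 1 + rec[p]                                 # compression methods
        exts, groups, formats = [], [], []
        end = p + 2 + struct.unpack_from("!H", rec, p)[0] if p < len(rec) else p
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p)
            data, p = rec[p + 4:p + 4 + elen], p + 4 + elen
            if is_grease(etype):
                continue
            exts.append(etype)
            if etype == 10:                             # supported_groups
                groups = u16s(data[2:])
            elif etype == 11:                           # ec_point_formats
                formats = list(data[1:])
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello")
    return ",".join("-".join(map(str, f)) for f in ([version], ciphers, exts, groups, formats))

def build_hello(ciphers, exts):
    """Constructed sample input: minimal ClientHello record (not a real capture)."""
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    ex = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(ex)) + ex)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SNI, CURVES, FORMATS = (0, b""), (10, b"\x00\x04\x00\x1d\x00\x17"), (11, b"\x01\x00")  # constructed
CLIENT_A = build_hello([0x1A1A, 0x1301, 0x1302, 0xC02F], [(0x2A2A, b""), SNI, CURVES, FORMATS, (16, b"")])
CLIENT_B = build_hello([0xC02F, 0x1301], [SNI, CURVES, FORMATS])
```

Running `ja3_string` on a ClientHello captured from a circumvention client and on one captured from a browser shows whether the two differ in cipher order, extension set, or curves.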