
An unidentifiable mechanism that helps bypass the Great Firewall of China - unlit_spark
https://github.com/trojan-gfw/trojan
======
netsharc
This page has more details than the "executive summary"
[https://github.com/trojan-gfw/trojan/blob/master/docs/protocol.md](https://github.com/trojan-gfw/trojan/blob/master/docs/protocol.md)

As far as I understand it:

1. Client connects to the standard HTTPS port.

2. If it provides a packet with the right (encrypted) password, then the
server acts as a SOCKS5 proxy.

3. If it doesn't provide the right password, the server responds like a
normal HTTP server over the TLS connection.

Seems pretty clever; the hard bit is making sure the passwords don't leak and
the firewall starts bombarding suspect servers with requests (brute-forcing
passwords). Also, if there are timing differences between a genuinely confused
HTTP server and a "Trojan" server faking the confusion, they'd figure that out
too.

Also, things like continuous back-and-forth between the client and a simple
webserver would be suspicious, because usually clients send small requests in
bursts, get the response, and activity would stop (it doesn't apply to
streaming sites, obviously, but there the clients won't be as chatty either).
So things like Skype calls might be easily recognized...
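To make the dispatch described above concrete, here is an added model (not code from the thread or the Trojan project) of the server-side decision: the request layout follows the linked protocol.md (hex SHA224 of the password, CRLF, a SOCKS5-like CONNECT request, CRLF, payload), the password and hostnames are constructed samples, and the password check uses a constant-time compare so that a wrong guess is not distinguishable by timing from a right one, which is the leak discussed above.

```python
import hashlib
import hmac
import struct

# Constructed sample password for the demo; a real deployment has its own secret.
PASSWORD = b"example-password"
PASSWORD_DIGEST = hashlib.sha224(PASSWORD).hexdigest().encode()  # 56 hex chars

def build_trojan_request(password: bytes, host: str, port: int, payload: bytes) -> bytes:
    """Client side: hex(SHA224(password)) CRLF CMD ATYP ADDR PORT CRLF payload."""
    digest = hashlib.sha224(password).hexdigest().encode()
    hostb = host.encode()
    # CMD 0x01 = CONNECT, ATYP 0x03 = domain name, then length-prefixed host and port
    req = bytes([0x01, 0x03, len(hostb)]) + hostb + struct.pack("!H", port)
    return digest + b"\r\n" + req + b"\r\n" + payload

def classify(first_bytes: bytes, expected_digest: bytes = PASSWORD_DIGEST):
    """Server side: ('proxy', host, port, payload) on a valid request, else ('http', raw)."""
    # Constant-time compare: a wrong password costs the same as a right one,
    # so an observer probing the port cannot tell "wrong password" from "not trojan".
    authenticated = hmac.compare_digest(first_bytes[:56], expected_digest)
    if not authenticated or first_bytes[56:58] != b"\r\n":
        return ("http", first_bytes)          # fall through to the ordinary web server
    rest = first_bytes[58:]
    if len(rest) < 2:
        return ("http", first_bytes)
    cmd, atyp = rest[0], rest[1]
    if cmd != 0x01:                           # only CONNECT is modelled here
        return ("http", first_bytes)
    if atyp == 0x01:                          # IPv4: 4 raw bytes
        host, n = ".".join(str(b) for b in rest[2:6]), 6
    elif atyp == 0x03:                        # domain: 1-byte length + name
        n = 3 + rest[2]
        host = rest[3:n].decode()
    else:
        return ("http", first_bytes)
    if len(rest) < n + 4 or rest[n + 2:n + 4] != b"\r\n":
        return ("http", first_bytes)
    port = struct.unpack("!H", rest[n:n + 2])[0]
    return ("proxy", host, port, rest[n + 4:])
```

Anything that is not an authenticated request, including a plain `GET / HTTP/1.1`, is handed to the web server path, which is the "confused HTTP server" behaviour the thread describes.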

~~~
JoachimSchipper
Yes; there is some discussion of attacks in [https://github.com/trojan-gfw/trojan/issues/14](https://github.com/trojan-gfw/trojan/issues/14).

Personally, I'd be _very_ careful telling people to rely on my software for
avoiding the Chinese surveillance - traffic analysis is _terrifyingly_
powerful.

~~~
yorwba
For the people currently using random forks of ShadowsocksR they purchased via
shady backchannels, an alternative that is less likely to get blocked is
probably more important than absolute security guarantees. After all, most
users of censorship circumvention tools aren't secretly plotting revolution,
they just want to watch YouTube.

------
kohtatsu
I think anything looking to serve China should at least avoid hosting on
github pages until encrypted SNI is widely available. When someone visits the
online documentation at trojan-gfw.github.io, the FQDN is sent plaintext as
part of HTTPS.

If the data is plainly on github.com (like the wiki), it would at least
require an MITM to see what you are reading. Of course an MITM might be likely
in China regardless.

It's also worth noting the Tor project has done a lot of work in this area:
[https://2019.www.torproject.org/docs/pluggable-transports.html.en](https://2019.www.torproject.org/docs/pluggable-transports.html.en)

~~~
thisgoodlife
> the FQDN is sent plaintext as part of HTTPS.

Can you please elaborate on that? The domain name is sent after the SSL handshake, no?
Why is it sent in plaintext?

~~~
nneonneo
A given server might be hosting multiple websites, each with a different
certificate (e.g. a CDN endpoint). It needs to know which certificate to
present to the user. Therefore, during the initial TLS handshake, the client
sends the server name (hostname) in _plaintext_ in a field called the Server
Name Indication (SNI). This is mandated by the fact that a certificate
identifies a website, not a server.

This is distinct from the HTTP Host: header, which is sent inside the TLS
session and therefore is encrypted along with the rest of the HTTP request.

~~~
GoblinSlayer
SNI is an optional extension and is legal to be missing. No SNI - no problem.

~~~
lxgr
You won't be able to reach any web server that is sharing more than one
hostname per IP that way.

This includes all sites on a free Cloudflare plan to my knowledge.

~~~
GoblinSlayer
Cloudflare terminates ssl at the edge, no? Then it has the private key and has
no need to care about the site certificate. It just sends a certificate with
all hosts in alt names.

~~~
lxgr
Cloudflare has way more customers/hostnames than what would fit into a single
X.509 certificate. (They actually do seem to do what you describe to support
non-SNI clients, but not on their free tier.)

SNI also allows decoupling TLS and TCP termination, which in turn allows for
shared IP addresses and load balancers without necessarily delegating TLS
termination and exposing certificates to some shared host.

------
exabrial
I don't think it would be very difficult for the Chinese government to demand
a compromised root cert authority be installed on every device sold there.

~~~
zhaoweny
They certainly can try, but major vendors will resist. The Kazakhstan government
has tried this method[1]. They sure can try sneaky ways, but any imported
laptop connecting to hotel Wi-Fi could reveal it.

[1]: [https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/](https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/)

~~~
gruez
> They certainly can try, but major vendors will resist

It's China. Apple/Microsoft aren't going to resist. Google might not resist
because they're already banned there, so they've got nothing to lose.
Regardless, it doesn't really matter because there's a bunch of homegrown
chromium forks that can readily replace Chrome.

------
rvnx
"unidentifiable mechanism" I'm not sure this is actually true.

You can determine that it is a VPN by checking the number of packets exchanged
per interval of time (e.g. if 5 kbps are routinely sent every 30 seconds
for 5 minutes, this is totally abnormal).

Another alternative for the government could be to limit the bandwidth and
time of hosts who have a big standard deviation in the amount of the packets
per second they transmit.

So undetectable? I don't think so, and I believe smarter people here can find
even better ideas.

That being said, it's a very nice tool, certainly useful in corporate
environments as well (except, of course, that it'll be suspicious that one
single host is exchanging so much data and keeping connections open so long).

------
m3kw9
Maybe subscribe to satellite internet

------
fnord77
It took me a few minutes to figure out what "GFW" meant.

~~~
marcus_holmes
I honestly thought Games For Windows

~~~
slantyyz
I was thinking it was either Games for Windows or Git for Windows, and missed
"Great Firewall" on first skim of the Readme.

