Hacker News new | past | comments | ask | show | jobs | submit login

I'll be 40 years old later this year. I've been interested in communications and communications protocols since I was about 12. I've been a software developer with a focus on network communications for over 15 years.

I'm well aware of all that you've said.

My point was, they get TLS interception down, and they capture what they want from a target of interest.

When they look closely at your traffic and decide all these cat gifs have too much or too little entropy in the data that forms their pixels, they simply (if they're courteous) say, "Persuade me that you did not know that this app was helping you hide messages back and forth. Persuade me or we shoot you now." And then they shoot.




I could split hairs and suggest that the browser accept the phony CA and simply use a secondary encryption layer on top of it, but that misses your point. A sufficiently clever evil government will see that you're doing something encryption-like and shoot you.

But, being "sufficiently clever" isn't all that easy. China has done a good job, but they're a very big country with a lot of resources and a lot of very smart people, and let's be honest, even as good as they are, anyone with a will to get that censored information will get it.

It costs a lot to censor people on the Internet. The goal of people like me is not to stop the most determined, intelligent censorship approaches, but rather to make them as expensive as possible to build and maintain.

My ideal is force governments to either accept the Internet without censorship, or almost completely disconnect from the Internet (and simultaneously deny their nations the competitive advantages that come with it). North Korea is a good model. They basically don't have Internet in North Korea. It's sad, but I can live with that; it's better than allowing an oppressive regime to benefit from the Internet while oppressing their citizens.


"Sufficiently clever" has historically been more expensive than difficult.

For example, in order to scale less expensively, the Great Firewall is architected such that it need not actively be in the middle of the entire flow of traffic and need not actively proxy. Historically, they didn't need it to do so in order to achieve their goals.

Now, however, the advancement of a combination of new technologies is finally closing that gap.

In order to maintain historic blocking capability it becomes necessary in the long run to actively MiTM all the connections.

But that can be made to scale and there are nations who can afford it.

How do we know? Because the job is not significantly harder than serving up all that content. (At worst it's a little more than 2x the work.)

And today most content is served up from a handful of privately owned infrastructures. If a corporation can build it, so too can a lot of nation-states.

The incentives to build this have changed.


You're proposing that the penalty for being suspected of subverting the firewall is death. In those cases you're going to want a highly refined system for avoiding detection, and it's also very important that one exist, because regimes that oppressive deserve to be opposed.

Fortunately the more typical case isn't kidnapping and execution but only having your connection blocked, which creates a helpful feedback loop that enables continuous improvement in the ability of secure communications to avoid detection. Which benefits everybody, but especially those in violent authoritarian countries that need it all the more.


No disagreement here. What's being done is despicable.

Rather than death, if we look at the history of oppressive societies, the more likely outcome is a job offer, the kind they won't let you refuse but they'll make it so you don't want to refuse anyway. They find the clever people who are working around the filters and interception and hire them to be the watchers. They get perks like time to spend on a real private connection, etc. Meanwhile they are required to contribute to making the noose ever tighter.


> You're proposing that the penalty for being suspected of subverting the firewall is death.

no, he's being hyperbolic to make the point that in an extreme situation, a default-deny approach could facilitate mass suppression of 'undesirable' traffic without creating an insurmountable backlog of traffic for the 'bad actor state' to review in determining what to process further.


> no, he's being hyperbolic to make the point that in an extreme situation, a default-deny approach could facilitate mass suppression of 'undesirable' traffic without creating an insurmountable backlog of traffic for the 'bad actor state' to review in determining what to process further.

Only it doesn't, because as soon as they allow anything, everything else starts to look enough like whatever is still allowed to make it through, because that's the only way to make it through.

Slashing away more things only increases the resources people will put behind making arbitrary traffic look like allowed traffic. It trades not having to review everything for having to fight everyone instead of only the people they want to block.

Then some people win, everyone copies the winners' methods to get through, and you're back to square one only now everything looks even more like everything else than it did before.


You've elegantly stated my point precisely. Thank you!



In CIS states they prefer the term thermo-rectal cryptanalysis. A soldering iron in one's nether regions does wonders for extracting secrets.


In that case, the old field of steganography might become useful. Embed illegal content within legal content and figure out another means of sharing the decryption scheme.




Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: