
The exact reverse engineered algorithm of the GFW is on page 4. It looks very reasonable (given what they are trying to achieve with it).

The easiest bypass I can think of would be to tunnel your connections via TLS. For example, a SOCKS server tunneled via SSH, which in turn is tunneled via TLS to your gateway.

Or perhaps you can somehow get your SSH client to transmit "GET " at the beginning of the connection, have the server ignore those 4 bytes, then proceed as usual.



This is what I have a question about.

Can China pressure every domestic company to use their certificate authority allowing them to decrypt all TLS traffic, or be blocked? And block all sites outside China?


Kazakhstan had attempted a similar move[1], albeit through PSAs rather than convincing device manufacturers to add certificates to end-user devices.

[1] https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a...


1 - I believe they do it

2 - they obviously do not want to block all traffic, since they can do it any day, but they don't.


If it’s over HTTPS, an outside observer has no way of knowing your stream started with a GET. Unless they’ve tapped SSL certificates, but that would be major news.


They are tapped into SSL certificates, those that are generated in China. Plus wherever the Chinese intelligence managed to install their "plugins".


Are any of those tappable certificates still considered trusted by the wider internet? Which CAs are those? They should be removed from trusted ASAP.



