We begin with a short summary of how we got to where we are today. The Great Firewall of China (GFW) began operation in 2003. Early methods of censorship included Internet Protocol (IP) blocking, Domain Name System (DNS) poisoning, and the malicious insertion of Transmission Control Protocol (TCP) resets. Tor was blocked in 2009, and public obfs4 bridges were blocked a few months after their introduction. OpenVPN was blocked in 2013.
In 2015, the Chinese Communist Party (CCP) expanded its censorship to include personal as well as technical measures. In August 2015, the legendary Clowwindy was invited to drink tea. In July 2017, Breakwa11 was human flesh searched and her Github repositories deleted (though this appears not to have been the result of a CCP initative). In November 2018, Toyo disappeared from the Internet and his Github account was deleted. On March 25, 2019, the state prosecutor in Xinmi, Henan, charged him with facilitating computer crimes. In May of that same year, Teddysun deleted his articles on installation scripts.
There are occasional reports of netizens being charged with administrative offenses simply for possessing GFW circumvention software. On December 28, 2018, a user in Shaoguan, Guangdong, was fined 1,000 yuan for having Lantern (蓝灯) Pro on his phone. Similarly, on March 25, 2019, a user in Pengxi County, Sichuan, was issued a police warning when they found Wujie Yidiantong (无界一点通) on his phone. Physical inspection of phones seems to have been a factor in both cases. Affluent users should consider carrying a burner phone while traveling; everyone should memorize how to quickly do a factory reset of their phones in an emergency.
The battle between netizens and censors is frequently described as a cat-and-mouse game. This is particularly true here, since widespread dissemination of technical information necessarily requires making it public, and public discussions are as visible to the CCP as they are to anyone else.
At one time, open discussions between netizens took place on Google Plus groups. In April 2019, Google shut down Google Plus. Technical discussions continue on Chinese-language blogs, forums, and groups. For obvious reasons, discussions must be hosted outside China, and posters must register under pseudonyms. During 2019 we learned that the CCP can deanonymize Twitter users by maliciously requesting a password reset. When the password reset message is sent to a Chinese phone number, the CCP intercepts the message and identifies the user.
Censorship is notoriously tight during so-called “sensitive” periods. One example would be the two national political meetings (全国两会) during March 2019. June 4, 2019, marks the thirtieth anniversary of the CCP ordering troops to fire on civilians in Tiananmen Square (六四事件). In the weeks approaching this anniversary, Wikipedia was blocked in all languages. Image and keyword blocking intensified, assisted by artificial intelligence. Critics of the CCP disappeared without explanation. One theory why censorship is periodically tightened and loosened is that the CCP is willing to allow a certain amount of airing of grievances, but will clamp down on anything likely to lead to organized protests.
This leaves open the following possibilities for bypassing the GFW of China in 2019:
ShadowsocksR (SSR) is probably still the single most popular method for crossing the wall (翻墙), despite the fact that it is no longer maintained.
The original Shadowsocks (SS) is still maintained. Some users are reporting that the GFW can now detect and block SS servers that do not use some form of obfuscation. One interesting innovation is the Cloak plugin for Shadowsocks-Libev. This aims to disguise the SS server as an HTTPS server.
V2Ray offers more features and is less likely to be blocked than SS, though it is harder to configure. The graphical user interface (GUI) for V2Ray is provided by separate projects such as V2RayN for Windows and BifrostV for Android.
The trojan-gfw/trojan project on Github has been in development since October 2017. It claims to imitate HTTPS so well as to be undetectable. Configuration is slightly more complex than SS/SSR.
The ValdikSS/GoodbyeDPI project on Github claims to be able to bypass deep packet inspection (DPI).
The GreatFire project offers the FreeBrowser.
Lantern and Psiphon still exist. Other possibilities that may work include the VPN Gate extension to SoftEther, Dynamic Internet Technology’s Freegate (自由门), and UltraReach Internet Corporation’s Ultrasurf (无界).
People who travel to Hong Kong can purchase phones with Hong Kong subscriber identification module (SIM) cards.
Users at major universities have freer access to the rest of the world through the China Education and Research Network (中国教育和科研计算机网). IPv6 often works best.
Wireguard may still work, though its protocol could conceivably be detected and blocked by the GFW at some later date.
A few netizens use Tor with the meek-azure pluggable transport, though the Tor Browser is itself difficult to obtain in China.
Since parts of the GFW are regional, and parts are outsourced to the different ISPs, there are isolated reports of success with unexpected methods such as OpenConnect.
A handful of commercial virtual private network (VPN) services obfuscate traffic so that their services still work in China. Sometimes only a limited number of their servers will work. Apple has removed VPN clients from its app store in China; affected users must follow a convoluted process to access the U.S. app store.
SS and SSR servers may be either self-built or rented from micro-businesses that set them up and share them among customers. Because of their icons, SS and SSR are sometimes referred to as paper airplanes (纸飞机). International access points are therefore called airports (机场). The better quality offerings generally connect through China Telecom’s “China Next Network” (CN2 or Autonomous System 4809) to improve performance. The best performance (and the highest prices) come from CN2 Global Internet Access (GIA). At the very top of the market are services who lease an international private leased circuit (IPLC).
For self-built solutions, you must make an informed choice of virtual private server (VPS) provider and location. It may help to choose a provider who allows for changes of IP address at low cost or no cost. It is particularly frustrating to discover that an IP address is already blocked due to the actions of a previous customer. The choice of protocol and obfuscation method also matter. Some obfuscation methods allow the proxy server to be camouflaged as a web server. If this kind of obfuscation is not used, frequent changes of port number and password may help. Slow page load times may be due to limited peering capacity rather than intentional throttling. The Bottleneck Bandwidth and Round-trip (BBR) congestion control algorithm for TCP may help here. Some users also accelerate TCP by tunneling it through kcptun.
没有评论:
发表评论