net4people / bbs

Forum for discussing Internet censorship circumvention

Watch out for hidden mass "downgrade attacks" in SNI whitelisted areas #254

Open RPRX opened 1 year ago

RPRX commented 1 year ago

Original Article: https://t.me/projectXtls/91

Be wary of hidden mass "downgrade attacks" in SNI whitelisted areas

Based on long-term observation and feedback from several group members located in SNI-whitelisted regions, IPv4 TCP in these regions does not block fully random bare protocols such as SS and VMess. This contrasts sharply with the blocking strategy in other regions and is a very abnormal phenomenon.

We know that, for blocking circumvention traffic, an SNI whitelist is an approach with extremely high collateral damage, and we also know that the GFW in other regions easily identifies and blocks fully random bare protocols. So please consider: why do some regions not care about collateral damage and apply a strong filtering strategy like an SNI whitelist to TLS, yet "completely ignore" fully random bare protocols?

There is only one possibility: an opening left on purpose. There is no other reasonable explanation. We know that, compared with TLS, fully random bare protocols amount to having "circumvention" written on your face, which makes them easier to identify and keep track of. They also generally lack advanced security properties of TLS such as "forward secrecy" and are very primitive: whoever obtains the password by some means can decrypt all past and future traffic, which is very convenient for surveillance. So I believe this combined strategy of SNI whitelist + not blocking fully random bare protocols is in effect forcing people to migrate from the relatively secure TLS protocol to the insufficiently secure fully random bare protocols. It is a hidden mass "downgrade attack".

This very abnormal phenomenon in SNI-whitelisted regions also indirectly confirms that the various risks of fully random bare protocols that I have warned about on several occasions really exist; even the GFW clearly wants you to use fully random bare protocols rather than TLS. At present, REALITY can still be used directly in these regions, and it resolves the CA risk for which TLS is criticized. Alternatively, configure REALITY over SS: https://github.com/XTLS/Xray-core/discussions/1811#discussioncomment-5355075
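The forward-secrecy point in the post above, shown as an added example (not part of the thread and not code from Shadowsocks or Xray): the per-connection key follows the Shadowsocks AEAD derivation (EVP_BytesToKey, then HKDF-SHA1 with info "ss-subkey"), so it can be recomputed from a recording plus the password, unlike a key that depends on an ephemeral exchange. The password, salts, helper names and the toy Diffie-Hellman group are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def evp_bytes_to_key(password: bytes, key_len: int = 32) -> bytes:
    """Password -> master key via the MD5 chain used by Shadowsocks."""
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + password).digest()
        out += prev
    return out[:key_len]

def hkdf_sha1(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-1: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha1).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha1).digest()
        okm += block
        counter += 1
    return okm[:length]

def ss_subkey(password: bytes, salt: bytes) -> bytes:
    """Per-connection key: a function of the password and the on-wire salt only."""
    return hkdf_sha1(evp_bytes_to_key(password), salt, b"ss-subkey")

def keys_from_recording(password: bytes, recorded_salts: list) -> list:
    """Session keys recoverable from stored traffic once the password is known."""
    return [ss_subkey(password, salt) for salt in recorded_salts]

# Contrast: toy finite-field Diffie-Hellman (illustrative group, not a vetted one).
P, G = 2**255 - 19, 2

def dh_keypair() -> tuple:
    priv = secrets.randbelow(P - 2) + 1   # ephemeral, discarded after the handshake
    return priv, pow(G, priv, P)

def dh_session_key(own_priv: int, peer_pub: int) -> bytes:
    # Needs a private exponent; the public values on the wire are not enough.
    shared = pow(peer_pub, own_priv, P).to_bytes(32, "big")
    return hkdf_sha1(shared, b"", b"toy-ephemeral")

# Constructed sample: two connections recorded, password disclosed later.
PASSWORD = b"constructed-example-password"
RECORDED_SALTS = [secrets.token_bytes(32) for _ in range(2)]
LIVE_KEYS = [ss_subkey(PASSWORD, s) for s in RECORDED_SALTS]

if __name__ == "__main__":
    print("PSK keys recovered:", keys_from_recording(PASSWORD, RECORDED_SALTS) == LIVE_KEYS)
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    print("DH peers agree:", dh_session_key(a_priv, b_pub) == dh_session_key(b_priv, a_pub))
```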

pnck commented 1 year ago

Watch out for "downgrade attacks" through uncensored community discussions. 🙃

How can you guys seriously talk about "the gfw should not have been able to ..." / "it's not economic for the gfw to ..."?

SekiBetu commented 1 year ago

If this were a technical debate based on data and empirical research, it would be constructive, because it would rest on a falsifiable methodology: the more the debate goes on, the more complete the data and the clearer the facts. If the debate is based on hearsay and pure conjecture, with no strict, reproducible connection to the facts, it will only go around in circles in the realm of the subjective and will not produce any meaningful result. This article has too little evidence and too much conjecture, and the scope of what its conclusion claims far exceeds the strength of the evidence it provides. Of course everyone has the right to put forward their own conjectures, but using one's own unverified conjecture as the basis for advising a broad non-specialist readership, in the form of a security advisory, to take specific actions is FUD by the classic definition.

My goodness, a philosopher has come to the tech forum! "If I define this in philosophical terms, I can get the people who can't follow it to resist him, and that way I can make the whistleblower shut up!" "Speculating about the GFW's behavior is very dangerous! It must be strangled in the cradle; any speculation without evidence is to the GFW's disadvantage and is unfair, and we must treat the GFW fairly."

tec1987 commented 1 year ago

First, one thing must be acknowledged: the blocking phenomena and the situations users report are indeed real, and it is reasonable for us to use them to analyze and infer the purposes and thinking of those who run the GFW. However: until there is truly conclusive evidence, please do not state such inferences in a tone of complete certainty, because at present there is no highly credible "inside" information or related evidence to prove these conjectures, so it is also normal for people to question them.

Some of my personal understanding of the GFW:

  1. Officially, it is about filtering "harmful" information and safeguarding network information security, ultimately elevated to national security.
  2. Its purpose is also obvious: to protect political status and rule, to prevent people from learning about the real world, and to prevent people who understand the truth from being "incited".
  3. Some of the technical means RPRX mentions do exist; the GFW has the ability to handle and monitor circumvention (as for how it handles it, presumably it treats cases differently according to an overall sensitivity level).

As for how the various policies are made and carried out, and the complexity of the interests involved, that is something we outsiders will never be able to figure out...

RPRX commented 1 year ago

Not all "inside information" can be obtained, and some may never be obtainable. For example, if the GFW secretly assigned a team to decrypt traffic offline, how would anyone get hard proof of that? As for stealing passwords, Pinduoduo has that ability after escalating privileges, state-level actors have even more means, and various cloud services openly upload your data to the cloud; would that data not be reviewed?

Some examples were given above: https://github.com/net4people/bbs/issues/254#issuecomment-1565599951 . From them we can catch a glimpse of what kind of adversary we are facing. There are actually some other things, too much of a loss of face, that it is not convenient for me to say.

The "inside information" that has been leaked is, after all, only the tip of the iceberg, like the "insider" two years ago, and like the "insider" at the end of last year who said that the GFW can identify TLS in TLS with 40% padding, an approach that was confirmed this year to be feasible. As for AES in AES, I also find it a bit far-fetched, but he said it has to do with hardware, which is not my specialty.

For the vast majority of things that have happened or are happening, we cannot get hard proof. In that situation, putting protections in place at least does eliminate the risk. After all, if hard proof really does leak one day, would talking then about abandoning encryption without forward secrecy make up for what has already happened? Warning early and eliminating risks early is the responsible approach.

Finally, I think that seeing a situation like "users were getting along fine with TLS, then it was whitelisted, so they started using SS, and surprisingly it still isn't blocked" and thinking of a "downgrade attack" is the most basic sensitivity. Other views are welcome, but they have to hold up; otherwise, on what basis would they shake the existing view? I have already pointed out the problems with the two other views above.

RPRX commented 9 months ago

Some additional information:

  1. As early as May 2022, a netizen's tests found that all three network operators in the main urban area of Quanzhou, Fujian had whitelists on home broadband, 5G, and 4G, and the solutions included "using SS libev"; see https://t.me/xhqcankao/2889 (https://t.me/xhqcankao/2882, which it cites, is wrong in relaying that SS was blocked; the original talks about SSR)
  2. https://www.technologyreview.com/2023/08/21/1078207/sogou-keyboard-app-security-loophole/
  3. Related: App filing series: https://t.me/xhqcankao/5778, https://t.me/xhqcankao/5823, https://t.me/xhqcankao/6122, "Network access service providers, application distribution platforms, and smart terminal manufacturers shall not provide network access, distribution, pre-installation or other services for Apps that have not completed the filing procedures."

woodlyer commented 7 months ago

Is this the latest advertisement to promote your own REALITY?

Before proxy software commonly used TLS, back when even clowwindy said SSL was not suitable for circumvention, wouldn't it have been better for the GFW to simply do nothing and just monitor?

Do you think Linus would send you ads for Linux? "Come to use my kernel." @UjuiUjuMandan
Or would he say "please don't use my kernel, because it doesn't work for 杠精 (people who argue for the sake of arguing)"

briteming commented 2 months ago

@beavailable Brother, this statement, "By the way, my view is that the only goal of an authoritarian regime is to maintain its rule and then use its power for profit; if the rulers really had the people's good at heart, they would not be running an authoritarian system", is so true!

briteming commented 2 months ago

@beavailable, what you said to rprx, "I think you, like most Chinese people, always believe that the current authoritarian regime is still serving the people, and that even the GFW was introduced to block so-called 'undesirable information' without wanting to affect people's work on the economy, scientific research, or writing code. I no longer want to refute this view, because I know that no amount of evidence can change your Ah Q mentality.", is completely right. rprx develops circumvention technology and we should thank him for that, but his Ah Q mentality of "always believing that the current authoritarian regime is still serving the people" is truly painful to see, the same Ah Q attitude as a few years ago, when some programmers (such as the founder of csdn.net) blamed others for using github.com to spread circumvention techniques and thereby getting github.com blocked. Programmers should remember one saying: you may not care about politics, but politics will "care" about you!