Man jailed for over 5 years and fined $76K for selling VPN in southern China (scmp.com)
162 points by Sami_Lehtinen on Dec 22, 2017 | 29 comments


Yeah, and mind you the UK under May and the US would almost certainly love to do this too. Demonize encryption and anything which might allow you to bypass either monitoring, ISP fuckery, or copyright law. There’s probably no technical solution for a government to do this, but as with rubber hose crypto, they don’t actually need one. If we don’t want this in our future, it’s going to take a lot of work.


We need to provide a united voice. And that is probably via some kind of organization outside of our respective monopolistic corporations.


I'm surprised people actually trust their browser encryption. All it takes to decrypt is for a government to ask for your ISP's reverse proxy logs or acquire a bunch of root certificates.


How are "reverse proxy logs" in any way useful for decrypting SSL?

Root certificates aren't useful either unless users install them. On the other hand, private keys of SSL providers can be of use for serving false certificates, but that's only useful if you also MITM.


The problem with root certificates is there are so many of them installed by default with your operating system.

As of writing this message I currently have over 170 root certificates on my macOS. Some of them are from companies who are known to care very little about your privacy. There's even a "Federal Common Policy" certificate which is actually run by the US government [1].

If the government did MITM your traffic, it would still show in the certificate chain. But how many people really check this every time they visit a site?

1. https://security.stackexchange.com/a/71174


1. It is a calculated risk to MitM this way, if someone notices the cert is different than what everyone else sees, there would be pretty major blowback.

2. Regardless, Certificate Transparency means it will almost certainly be noticed.


Reverse proxy is part of the MITM. Every sizeable work place in my country has some sort of root certificate installed on every workstation's browsers. They log your traffic and use those root certificates to decrypt your traffic. -1 all you want.


Which you can assume on some in-flight Wi-Fi... https://arstechnica.com/information-technology/2016/02/why-y...


Most HTTPS connections use Forward Secrecy, so even if a government records an encrypted HTTPS connection and then later gets access to the private keys of the relevant TLS certificates, they still can't decrypt the recorded connection.


It's still possible for the government to apply pressure so that ISPs man in the middle and force weaker ciphers that can be decoded after the fact.


They cannot force weaker ciphers. TLS specifically won’t allow it due to past attacks relying on this.


Everyone would notice if ISPs were man-in-the-middling their TLS connections because none of the TLS connections would work.


You don't understand the web's chain of trust.


That's why browsers pin the certificates of certain sites.


Set up a VPN on cloud VMs for personal usage -> Generally OK, and you may need to stop it if the police know about it... Share it with others -> Maybe OK if not too many people, and you need to stop it if the police know about it... Sell it to others -> Dangerous if you live in China.

The GFW has the ability to detect VPN connections and you will get a connection reset... It’s more and more difficult to use blocked services/sites in China.


You're 100% right. Even Shadowsocks is not enough recently. GFW can sort of detect it with heuristics and just throttle your whole connection -- like you said mostly spamming you with RSTs.

This is also quite different from (some?) Islamic states where sites are generally whitelisted. With GFW everything is allowed until it's blacklisted.


There are no laws against individuals who use VPNs to browse restricted sites, but there are laws (license impossible to get as individuals) to take down those sellers.

VPNs are becoming obsolete; proxies like ShadowsocksR are still usable.


Out of curiosity, where do you host your SSR?

AFAIK AWS, DigitalOcean, GCP are regularly blocked. GigsGigs in HK is throttled.


It's fine on those services, just rotate IP addresses and ports regularly. Don't put too many users on the same proxies at once.


That's a really big hassle when you need to use the tunnel and the IP has been burned. You actually need the same tunnel to manage your servers.

GFW even blacklisted my personal domain because I was running DNS queries against it to establish my SS tunnel. At least it seems like it.


I got annoyed by this too much a couple years ago, also the fact that they seem to be able to detect most if not all tunnel types and randomly inject packets that will break the connection. So I proceeded to quickly hack up a simple tunnel based on the surprisingly simple to use tun devices. The protocol was UDP based, didn't support any kind of connection reset, was not encrypting but just masking via xor, and contained some simple but cool tricks (as far as I'm concerned) to deal with the high packet loss across the GFW you'll experience depending on time of day. Sure, not ideal if you permanently live there or want to spread sensitive information, but all I want is a decent browsing experience when accessing "our" internet. I was happy when 720p videos played without buffering on YouTube.


What? Just ssh elsewhere and manage from there. And don't use DNS for your proxies. Push updates to your crew out of band.


> Taobao is owned by Alibaba, which also owns the South China Morning Post.

Interesting. I am wondering how they update their posts. Because scmp.com is actually being blocked where I am staying. Maybe some state sanctioned services? I have been using aliyun services and never had any issues.. yet..


I've noticed this too, SCMP and a bunch of other Chinese cloud-hosted websites don't load when I have my VPN turned on. The Great Firewall works both ways these days. I would stay far away from Chinese cloud services unless they're to be used by Chinese users only.


What do you mean? As far as I know SCMP writers don't reside in mainland China. At most in Hong Kong.

SCMP is completely inaccessible from China Unicom (mobile) and China Telecom (landline). Most possibly the other options also block it.


My bad. Somehow I was under the wrong impression.


So Amazon and Rackspace can't rent cloud servers to people from southern China? Or is it just low-cost proxies and VPNs that get sellers into prison?


Whoops, I did that too. It was fun tho.


Dude was selling that shit on Alibaba. Brazen.



