This probably needs a good way to cover its tracks, or it'll just get blocked like other VPN-services. As far as I understand, you can make pretty educated guesses at the type of content even with SSL, because e.g. Videos are loaded in bursts. I'm sure web and other traffic has similar characteristics, and it would be easy enough to say that something isn't a normal HTTPS connection because of how the data flow looks. Does this tool defend against that, are the connections being dropped when not in use to mimic browser-behavior?
That's what I was thinking as well, but I guess there's little demand for one-way traffic, and you'd need to make a complicated system to make it two way (i.e. you request something off-channel, a new video gets created and uploaded which also contains your response) via an established platform.
Would be easier to do on a custom platform, but I'm not sure how well that'd work if you stand up a video site that suddenly gets a lot of traffic in $heavilyCensoredArea -- feels like something that'll get attention. For individual users it would probably work though.
The traffic pattern sounds like a remote browser. One way sends the video (and audio) stream (over WSS or WebRTC), the other way sends the UI interactions (clicks, pointer movements, scrolling, typing etc).
Just off my own experience living for a year in Vietnam, which was far less sophisticated at this than China... once your apartment has raised red flags, any suspicious traffic is going to lead to a temporary 15-minute to 1 hour internet shutoff. Any ports or domains you accessed will be blacklisted to trigger longer shutoffs in the future, just in case you didn't get the message the first time. The third or fourth time, someone from the police will politely ask you some questions. (I work for a western corporation that requires a VPN and is considering investment is the correct answer).
Maybe we're at a point now where traffic analysis weighs into the decision-making process, but that would actually mean freedom of information was winning and breaking through if they had to winnow down their target list that way.
In other words, there's no rhyme or reason to one service or IP being blocked and another being left open. It's done completely by fiat with the main intention not being to prevent you from access, but rather to frighten you so you censor yourself and think thrice before trying to connect again.
I'd say this is the wrong reaction. Vietnam is great. The people are incredibly friendly (even to an American who assumed I would be shunned). The culture is ancient, proud and endlessly intricate. It's an amazing place to visit and learn about. They were wildly mistreated by the French and Americans, and still have a confidence and pride that is lacking in most of the 30-odd countries I've visited in the world. Dealing with oppressive governments as a visitor is the rule around the world, not the exception. Not that I'd support stepping foot in or giving a cent to some of the worst (like Burma or Russia). But it would be wrong to say you'd never visit; especially a place like Vietnam which is worthy of a lot of latitude and respect for what they've built out of the ashes of nearly 100 years of anti-colonial warfare.
Steganographic overlays are a thing, and look set for wider use as
vile regimes tighten their grip.
But they are slow - fine for text based reporting, egress of
intelligence, protest coordination, or the dissemination of smaller
videos maybe, but not meeting the expectations of a generation raised
on interactive media.
I've spent the last four years reading a lot of research papers in this area as part of my PhD research, and while I'm all for increasing the available options for censorship circumvention it's not clear that Cloak does anything novel when compared to existing systems.
The real weakness of all such systems is setup and rendezvous: how do clients find friendly servers, and how do you prevent the censoring regime from finding and blocking them? It's not an easy problem to solve.
I always ask my tech cohort people this. They get alot of peer clout from pursuing “original”, when often times their vertical just needs “additional”.
Like an additional grocery store in the area. It doesnt need to innovate.
>it's not clear that Cloak does anything novel when compared to existing systems.
I'm not an expert on the current state of censorship-circumvention utilities but I found this recent comment when browsing the Cloak source repository that may partially answer your question:
>, and how do you prevent the censoring regime from finding and blocking them?
The tools like Cloak try to work on the principle "collateral freedom" which hides censored data inside of "internet services that are too big block" : https://en.wikipedia.org/wiki/Collateral_freedom
And the effectiveness of that strategy depends on the hackability of those internet services as they can sometimes change the rules which close the loopholes of "collateral freedom" : https://en.wikipedia.org/wiki/Domain_fronting#Disabling
Cloak doesn’t appear to be a research project, so novelty may not be a goal. It appears to be extremely simple; that alone may be valuable for some users.
It's always the same problems. Here, it looks like you have to know someone who's running one, and transfer the details through a side channel. Those may be problematic, but also maybe not. Even rot13'd over email will probably work.
Isn't the problem of censorship much more than technical? I mean, censorship doesn't seem like something everybody agrees is bad. Free speech is not absolute at all : there is a demand to regulate, prohibit and prosecute for instance pornography, defamation, so-called "hate speech", "disinformation" and so-on.
Whether we agree with these policies or not, the fact remains that these impediments to free speech can be seen as a form of censorship. At the end of the day, I think what makes censorship acceptable is very much subjective, and tied to political beliefs. I can't help noticing for instance that on this github page, there are a few flags illustrating "censoring regimes", and the Russian one is there, but not the European Union one, even though the European Council blocked RT and Sputnik throughout the whole EU after the Russian special military operations in Ukraine. This blocking, regardless of what one can think of its legitimacy, is hard not to consider as censorship. If it's not, how is it called then?
This. A lot anti-censorship technology assumes a censored space surrounded by a non-censored space. However, we should we thinking about different areas with different blocks, and therefore bi-directional circumvention. Show BBC to Russia, and Russia Today to EU.
Censorship anywhere is bad. Especially when it is purely for political reasons.
Most European nations have very strict Holocaust denial laws. And as much as I personally think people who deny the Holocaust happened are idiots, that's clearly "thoughtcrime" type of censorship. What someone thinks or believes about history is none of the government's (or anyone else's) business.
Free speech is not absolute. Every (almost every?) country have laws against child porn. Does that mean every country is violating humans rights by banning it?
Thanks for reductio ad absurdum baiting. And yes, these "laws" are clearly an abuse. Most of them ends up banning virtually any drawings because its impossible to assert if particular manga really depicts non-minor. Funny thing to see where burden of proof is in this particular case. Even more funny what its been almost 1.5ky after Justinian's statute.
But anyway... Why should I give up my freedoms just because of someone's parenting failures? Irresponsible parents are putting their children in danger, not the ABSOLUTE freedom of speech. Which isn't a subject of quid pro quo, really. And even not because my libertarian views on this matter, but because it simply doesn't work otherwise.
Some child porn laws may be an abuse, but that doesn't mean all child porn laws are.
The exact example I mention doesn't matter. I am just saying free speech absolutism doesn't make sense unless you are anarchist. Free speech doesn't include hiring a hit man, treason, libel, slander, etc.
If you are actually in support of no regulation on speech then do you actually support removing the laws I mentioned above? You don't think somebody hiring a hitman to kill you or a loved one should be punishable?
> Cloak also supports tunneling through an intermediary CDN server such as Amazon Cloudfront. Such services are so widely used, attempts to disrupt traffic to them can lead to very high collateral damage for the censor.
I once blacklisted a bunch of Amazon IPs that I found in some random Gist on Github, and surfed the web, and so much stuff was broken. It's staggering just how entangled AWS is with the web. The dream of the 'decentralized web' would be hard to implement. You would need to root out any dependence on AWS, Google, Cloudflare etc
But if this means we can reliably hide traffic in these centralized networks, then maybe it's a good thing they exist. Sort of like steganography with cloud services.
The problem with the “decentralized web” that everyone dreams of is that there is no way for it to truly work.
Either everyone has a home/office server for everything and then a company makes routers that “automatically” set up a DMZ and firewall rules and whatever, OR
Everything is just on a conglomeration of smaller hosts, which is still not ideal because that means each user pays higher prices and gets less performance, lower bandwidth, higher latency, etc because of the lack of hardware scalability with mom-and-pop server hosts.
Some level of single player (or few large players) is necessary for the modern internet.
I don't think that decentralized web is about not depending on cloud providers. I think it's mostly about having many independently controlled web sites,, as opposed to most content living in a few corporate silos with their own rules of access control, like FB, IG, Youtube, Twitter.
Physically a large chunk of decentralized web could live on one huge server, and still remain acceptably decentralized. OTOH if every home had a separate p2p-networked appliance from Google or Meta, but Google's lawyers and Meta's algorithms running on each node decided what you see on your newsfeed, and what is downplayed or taken down, it would still be centralized, as it is now.
Why is shadowsock needed to go thru cloak? I thought shadowsock did sort of the same thing; to masquerading proxied traffic as normal web browsing activities. What does cloak do that shadowsock does not to not get the traffic censord?
I really like the tool; I use it on my devices when I'm abroad. It worked very well in China (2019) with a Japan based VPS. The peering China-Japan-Europe is much better than China-Europe btw.
First time I could not connect successfully from a public Wifi to my server was Qatar airport this summer... Maybe they work with whitelists for access control.
Looks like a toy for me. Also written in Go which itself means its not serious.
When tampering gubment censorship, one should apply the usual opsec rules and thus stick to mature and proven solutions and refrain from experimenting. This means Tor or reputable commercial VPN provider, not yet-another-tor-killer. And the developers in general should invest more efforts into low-level attacks like GoodbyeDPI instead.
34 comments
[ 3.6 ms ] story [ 85.8 ms ] threadWould be easier to do on a custom platform, but I'm not sure how well that'd work if you stand up a video site that suddenly gets a lot of traffic in $heavilyCensoredArea -- feels like something that'll get attention. For individual users it would probably work though.
Maybe we're at a point now where traffic analysis weighs into the decision-making process, but that would actually mean freedom of information was winning and breaking through if they had to winnow down their target list that way.
In other words, there's no rhyme or reason to one service or IP being blocked and another being left open. It's done completely by fiat with the main intention not being to prevent you from access, but rather to frighten you so you censor yourself and think thrice before trying to connect again.
It may be, but I'm happy to have the choice not to visit such places.
But they are slow - fine for text based reporting, egress of intelligence, protest coordination, or the dissemination of smaller videos maybe, but not meeting the expectations of a generation raised on interactive media.
The real weakness of all such systems is setup and rendezvous: how do clients find friendly servers, and how do you prevent the censoring regime from finding and blocking them? It's not an easy problem to solve.
I always ask my tech cohort people this. They get alot of peer clout from pursuing “original”, when often times their vertical just needs “additional”.
Like an additional grocery store in the area. It doesnt need to innovate.
I'm not an expert on the current state of censorship-circumvention utilities but I found this recent comment when browsing the Cloak source repository that may partially answer your question:
https://github.com/cbeuw/Cloak/issues/169#issuecomment-12574...
>, and how do you prevent the censoring regime from finding and blocking them?
The tools like Cloak try to work on the principle "collateral freedom" which hides censored data inside of "internet services that are too big block" : https://en.wikipedia.org/wiki/Collateral_freedom
And the effectiveness of that strategy depends on the hackability of those internet services as they can sometimes change the rules which close the loopholes of "collateral freedom" : https://en.wikipedia.org/wiki/Domain_fronting#Disabling
Whether we agree with these policies or not, the fact remains that these impediments to free speech can be seen as a form of censorship. At the end of the day, I think what makes censorship acceptable is very much subjective, and tied to political beliefs. I can't help noticing for instance that on this github page, there are a few flags illustrating "censoring regimes", and the Russian one is there, but not the European Union one, even though the European Council blocked RT and Sputnik throughout the whole EU after the Russian special military operations in Ukraine. This blocking, regardless of what one can think of its legitimacy, is hard not to consider as censorship. If it's not, how is it called then?
https://www.openrightsgroup.org/app/uploads/2020/03/Internet...
Most European nations have very strict Holocaust denial laws. And as much as I personally think people who deny the Holocaust happened are idiots, that's clearly "thoughtcrime" type of censorship. What someone thinks or believes about history is none of the government's (or anyone else's) business.
It is a war. There is no demand for this euphemism.
And no, free speech is absolute thing, otherwise it simply doesn't work.
A society that will trade a little liberty for a little order will lose both, and deserve neither.
But anyway... Why should I give up my freedoms just because of someone's parenting failures? Irresponsible parents are putting their children in danger, not the ABSOLUTE freedom of speech. Which isn't a subject of quid pro quo, really. And even not because my libertarian views on this matter, but because it simply doesn't work otherwise.
The exact example I mention doesn't matter. I am just saying free speech absolutism doesn't make sense unless you are anarchist. Free speech doesn't include hiring a hit man, treason, libel, slander, etc.
If you are actually in support of no regulation on speech then do you actually support removing the laws I mentioned above? You don't think somebody hiring a hitman to kill you or a loved one should be punishable?
I once blacklisted a bunch of Amazon IPs that I found in some random Gist on Github, and surfed the web, and so much stuff was broken. It's staggering just how entangled AWS is with the web. The dream of the 'decentralized web' would be hard to implement. You would need to root out any dependence on AWS, Google, Cloudflare etc
But if this means we can reliably hide traffic in these centralized networks, then maybe it's a good thing they exist. Sort of like steganography with cloud services.
Either everyone has a home/office server for everything and then a company makes routers that “automatically” set up a DMZ and firewall rules and whatever, OR
Everything is just on a conglomeration of smaller hosts, which is still not ideal because that means each user pays higher prices and gets less performance, lower bandwidth, higher latency, etc because of the lack of hardware scalability with mom-and-pop server hosts.
Some level of single player (or few large players) is necessary for the modern internet.
Physically a large chunk of decentralized web could live on one huge server, and still remain acceptably decentralized. OTOH if every home had a separate p2p-networked appliance from Google or Meta, but Google's lawyers and Meta's algorithms running on each node decided what you see on your newsfeed, and what is downplayed or taken down, it would still be centralized, as it is now.
First time I could not connect successfully from a public Wifi to my server was Qatar airport this summer... Maybe they work with whitelists for access control.
When tampering gubment censorship, one should apply the usual opsec rules and thus stick to mature and proven solutions and refrain from experimenting. This means Tor or reputable commercial VPN provider, not yet-another-tor-killer. And the developers in general should invest more efforts into low-level attacks like GoodbyeDPI instead.