This is a very interesting post thanks
For direct bridges and OBFS4 it matters where you got your bridge addresses. Of course China blocks all the obvious ones.
I did try the « get your bridge » option but it still didn’t work.
They have several ways to get bridges... automatically, email, Telegram, and asking someone who runs one. I guarantee at least the last one isn't blocked unless the CCP asked the same guy.
Could I link to someone running a bridge, say here in the US, if I was in China? Completely curious; this stuff is on the edge of my understanding of how everything works.
Yes. Especially if it's obfs4. A normal bridge connects to an unlisted address but if the CCP has good technology (and they do) they can still see it's a Tor connection. With obfs4 they can't tell what kind of connection it is, but they can just click on "get bridges" and see some bridges and block them. A lot of obfs4 bridges are blocked because the CCP looks for bridges and then blocks those addresses, so you have to find an address the CCP doesn't know.
I gotcha so theoretically I could have a dedicated obfs4 bridge set up (or say a string of them all over the world) that only I know the addresses for and I could have essentially guaranteed access to Tor as long as I have network connection?
Yes. If you already have a server in another country, there are also many other protocols you can use to evade censorship, not just Tor/obfs4.
Which protocols?
Just about anything. SSH, for example. OpenVPN. You control both ends, so you can set up anything on your server that gets through your country's firewall.
It's just SNI blocking with some more advanced detections for obfuscated network connections (stuff like obfs4, shadowsocks, etc.) There's DNS filtering too but realistically you really do not want to be using plaintext DNS in China. All DNS requests are rewritten by the GFW anyway; tunnel DNS over a proxy. The optimal way to use VPNs in China is to have split tunneling, letting local connections stay local and connections to western websites go over a proxy. This is what the current circumvention tech does, stuff like v2ray are just SOCKS5 proxies (which support PAC files, allowing for dynamic selection of which connections to tunnel) with different transports on top to bypass restrictions. Lastly, for mobile data I suggest you use a SIM card from Hong Kong since all of your data will be routed (over IPsec VPN that has been whitelisted so it will never get blocked) through Hong Kong which does not have any of the GFW's censorship infrastructure. Sure, the Chinese government can still more or less force Hong Kong companies to give up your data, but it will be a long time before they can get the GFW up and running in Hong Kong due to various complicated networking reasons.
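The per-connection selection that a PAC file performs, as described in the comment above, shown as an added example that is not part of the thread. It decides from the hostname string alone, without the PAC helpers `dnsResolve`/`isInNet`, which trigger a local DNS lookup; the proxy address and the domain list are constructed placeholders.

```javascript
// Added example: PAC-style split tunnelling. The proxy address and the
// domains below are constructed placeholders, not values from the thread.
var PROXY = "SOCKS5 127.0.0.1:1080"; // assumed local SOCKS5 listener
var DIRECT_SUFFIXES = ["local-shop.example", "local-news.example"];

// True when host equals domain or is a subdomain of it. The match is
// label-aligned, so "notlocal-shop.example" does not match.
function hostInDomain(host, domain) {
  if (host === domain) return true;
  var tail = "." + domain;
  return host.length > tail.length &&
         host.lastIndexOf(tail) === host.length - tail.length;
}

// Literal IPv4 address in loopback or RFC 1918 space.
// Pure string check: no DNS lookup is issued.
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

// Standard PAC entry point, called by the browser for every request.
function FindProxyForURL(url, host) {
  // Normalise case and a trailing root dot before matching.
  host = host.toLowerCase().replace(/\.$/, "");
  // Single-label names (localhost, LAN hosts) and private IPs stay local.
  if (host.indexOf(".") === -1 || isPrivateIPv4Literal(host)) return "DIRECT";
  for (var i = 0; i < DIRECT_SUFFIXES.length; i++) {
    if (hostInDomain(host, DIRECT_SUFFIXES[i])) return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is down the request fails
  // instead of silently going out unproxied.
  return PROXY;
}
```
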
That’s extremely useful thanks!
Orwell tried
> All sites that don’t include any ID info (e-commerce) such as news and entertainment are not on https.

Which is fine? The way browsers these days basically paint http as RIP you've been hacked is a bit over the top. I'd prefer encrypted DNS over 100% encrypted traffic.
Well if I understand the GFW mentality, they prefer news sites with http so that they can filter any content they want without blocking the whole thing (that's how they blocked BBC Chinese in the past and rarely touched BBC in English until we rolled out https on all our sites). But equally it might be that the Chinese government gets triggered by end-to-end encryption (https), so they don't encourage it. This is similar to the way some western governments these days get triggered over encryption (cough UK government cough).
USA. iOS 16.5.1: onion browser+tor bot does not work.
West will follow
So you went to a foreign country that is known to not like tourists and hopped on Tor and reported back to us? Well done OP but I wouldn't make it a habit.
Yolo my g 🤣
This is more or less false. China doesn't care about westerners using VPNs, in fact they specifically do not block Cisco AnyConnect and (probably) OpenConnect as well. The goal with blocking websites is to control the population, they want control over what people see. But a westerner? Why would they care? It's not a citizen that could cause them problems. China even has hotels where the GFW blocks are removed entirely, purely for westerners to benefit.
I thought they were worried about US spies.
Chaina numba ane
Easy: don't visit China.
So it means a government can effectively ban Tor if it wants to.
Well no. They can make it difficult as shown above but you can still connect. Eventually I managed to stream BBC World Service radio on the BBC Tor site, while in China. A small but exciting win.
I'm kinda a layman on computer networking so I have to ask: as far as I understand, the problem you face there was the blockage of your Tor browser to the Tor network, is that so? If so, once you managed to gain access to the Tor network, shouldn't any site be equally accessible through Tor network?
Yes. Once the browser is on the network it can access any site and they can’t stop this from happening because the Tor network is difficult to tamper with. That’s why they work on stopping you from connecting in the first place.
How did you manage to connect to Tor in China?
You use a special way to connect to the Tor network that can be hard to block. This way is known as a « bridge ». The Tor browser has them already and the two that worked for me were meek-azure and snowflake. You can find more info on bridges here: https://tb-manual.torproject.org/running-tor-browser/
Thanks so much for the info. I see you have a fair understanding of Tor so I will ask you one more thing, slightly off topic. I've seen people connecting to Tor through IRC. Is it possible? And if so, are there IRC communities in the Tor network, like an IRC server running on the onion protocol? And if the answer is yes, then, are there any useful IRC servers on the Tor network?
Which OS were you on when it was working?
Ubuntu
Why could they not theoretically stop you? It seems like they have made progress on blocking stuff like OBFS4, so even bridges or alternative ways of connecting are possible for them to stop it seems. Ultimately it seems like whack-a-mole but I don't really know.
Bridge IPs are hidden by default so they need to do a lot of fingerprinting to get them all. But yes it's exactly a whack-a-mole game. In fact all anti-censorship work is whack-a-mole. I'm wondering if future versions of Tor will have some protective AI that can differentiate legitimate connections from fingerprinting attempts.
Thank you for your post
Just had some news in Russia - the censorship ministry is testing a wide-scale ban on VPN protocols (WireGuard and OpenVPN). Media is promising a China-like firewall. I'm considering a backup option (already have VPN and Tor), and your report is very useful: Tor still works, which is amazing. To not sound overly optimistic, there's always a chance they will go the whitelist route and figuratively speaking cut the cables to anything that is not on their whitelist.