trojan VS ja3

A fellow Aussie currently in China, a Trojan [0] server has been working fine for the last week I've been here. I've got it hosted through a VPS (smaller provider) in LA. While it's a bit of a pain to setup, reliability has been rock solid and definitely useable - my laptop is connected 24/7 and I can access the unfiltered web, including video, just fine. V2ray also supposedly works quite well, but I haven't looked into it.

[0] https://github.com/trojan-gfw/trojan

Normal VPNs that you can see ads all over the place like N*rdVPN won't work, period. The correct way is to rent a few servers from different providers, make sure their ips are not blocked, and build your own V2Ray or Trojan service first. The Chinese gov will not be able to distinguish your Trojan traffic from ordinary https traffic, so the only thing that's sus to them would be the fact that all your traffic goes to one foreign ip, but I've been doing it for a few years without officials knocking on my door so yeah I think it will work for you as well. I don't take responsibility tho, do your research.

(TrojanGFW)[https://github.com/trojan-gfw/trojan] and (V2Ray)[https://github.com/v2fly/v2ray-core]. But you need your own server to do it, and some few tweaks. For first-timer it might be quite confusing to configure, but you will understand how it works in the long run. You could also tunnel your connection to your server which then forward it to protonvpn (which what I'm doing rn).

v2ray or Trojan

This paper is nice, but it goes over some finer technical things.

So, not about the great wall, but there's projects out there, like this one https://github.com/salesforce/ja3 , which talk about how you can fingerprint fully encrypted traffic. Would be surprising if the great wall doesn't do this, when some open source firewall will.

It's sufficient to identify you since there is still all other tracking data any browser supplies as part of the HTTPs connection handshake [1].

It's also not necessary to have Mozilla be the bad actor. Anyone who has access to the information in the future is a possible bad actor as they might be able to cross-reference the allegedly "innocuous" information with some future, more-pervasive data.

---

[1] - https://github.com/salesforce/ja3

You can, sort of, with JA3 hashes https://github.com/salesforce/ja3

ExtensionZ: ...

That becomes a string like "1-C,B,A-X,Y,Z", which gets hashed to a fingerprint like "ae76e4566b036882147de2f7feddad4a". That gives us a totally different unique id, with the same ciphers but in a different order.

(This is pseudocode of course - the actual fingerprints have a few more params and use the number ids for each cipher and extension instead of strings, but it's equivalent)

Here, with 3 ciphers in two different orders, we've seen two different fingerprints already. With those three ciphers alone, there's actually 6 (3 factorial) possible permutations - i.e. a client could order those ciphers any one of 6 different ways, and each ordering has a different fingerprint.

If you have 4 ciphers, there's 24 possible orderings, 6 gives 720, 10 gives 3.6 million, and this goes up very rapidly, so that for a more realistic set of 20 ciphers there's 2 * 10^18 possible orderings, each one of which gives a unique fingerprint, even before we start talking about extension order.

Does that make more sense? The full algorithm is here: https://github.com/salesforce/ja3#how-it-works

Not only that - enterprise bot management protections will run behavioral identification (e.g. how your mouse moves —> AI -> bot yes/no), TCP stack fingerprinting (and other devices if available e.g. gyroscope), TLS ClientHello fingerprinting (e.g. see https://github.com/salesforce/ja3), etc. Lots of very unique info in the Scraping Enthusiasts discord where lots of pro scrapers hang out.