By hostloc:
https://hostloc.com/thread-1083010-1-1.html
Workarounds:
- TLS 1.2/1.3 is inspected; TLS 1.0/1.1 is currently let through
- Self-signed certificate: decrypt on the server side and send the plaintext back, avoiding double TLS
- Use the SM algorithms (China's national commercial ciphers) to turn the Iron Fist's (the authorities') own whitelist against it
Update:
SSLv3, TLS 1.0 and TLS 1.1 have no significant fingerprint.
The new features of TLS 1.2 and 1.3 make them distinctive.
The wide deployment of TLS 1.2/1.3 makes detecting them easier (deep learning needs data volume).
When you use a proxy you cannot change the TLS protocol of the website, unless the website you visit does not use TLS.
Detection happens only while you are transferring.
Many foreign companies in Shenzhen use SSLv3/TLS 1.0 for SSL wall-climbing, so the regulator put them on the whitelist.
Overseas branches of state-owned enterprises use TLS 1.1, TLS 1.2 and SM cipher suites, but they must use domestically made equipment, so they are whitelisted as well.
The vendor's briefing to the government was: SSLv3, TLS 1.0 and TLS 1.1 have no detectable features, so the false positive (collateral blocking) rate would be very high and would damage the Internet, and few people use them now, so they are simply ignored.
Even if you use a TLS 1.0 proxy to get online, the TLS 1.2 traffic you fetch through it can still be recognised (technically detectable).
They do not care which protocol you use; they detect TLS over TLS on a single TCP connection. According to the vendor, they can identify TLS over TLS even with 40% random padding, it just takes a very long time.
(On collateral blocking) The vendor, at the Iron Fist's demand, was to put TLS-over-TLS detection into production at any cost. This is just one instance: the Iron Fist forced the vendor to put it into production before a certain date (a certain once-in-a-century congress). The detection system had previously been used only in a test environment. The vendor hurriedly produced automated traffic sampling and rules for delivery.
However, there are not enough GPUs for production now (exports of Nvidia A100 and H100 to China are affected by the US government). {I think the Iron Fist could recycle mining cards; I wonder what the Commander thinks.}
The finalisation of RFC 8998 (TLS 1.3 with SM4, the national cipher) is being pushed forward rapidly; this cipher suite is whitelisted.
sslv3, tls1.0 and tls1.1 have no significant fingerprint.
new features of tls1.2 and tls1.3 make them very distinctive.
the popularization of tls1.2 and tls1.3 by well-known websites makes detection easier.
you cannot change the tls protocol of the target website when you visit using a proxy, unless the website you visit does not use tls.
only detected when you're transferring.
many large foreign companies in shenzhen need to use legacy ssl wall-climbing. these wall-climbing setups are still using legacy protocols such as sslv3 and tls1.0. they often complain about ssl wall-climbing, so the authorities require us to add these to the whitelist.
state-owned enterprises and their foreign branches usually use ssl wall-climbing to communicate. these enterprises are required by the authorities to use sm cipher suites; they use firewall hardware made in china, using tls1.1, tls1.2 and sm cipher suites, and are also in the whitelist.
instructions provided by the vendor: sslv3, tls1.0 and tls1.1 have no available detection features, the false positive rate is high and may damage the internet, and few people use them, so they can be ignored.
even if your proxy tunnel uses tls1.0, if you access a tls1.2 website through the proxy, this can be detected.
they don't care what proxy protocol you use; they only detect multiple tls interaction characteristics within the same tcp connection. per the vendor's instructions, they can still detect tls in tls with 40% random padding, but the detection takes a very long time.
vendors can apply it to production at any cost if required by the competent authority.
this tls in tls detection is an example. they forced the vendor to apply it to production before a certain date. this detection system was only used in the test environment before. the vendor urgently produced an automated traffic sampling and rule push for production.
but, there are not enough gpus for production now.
RFC8998 TLS1.3_SM4_GCM_SM3 is now rapidly promoted by the authorities as a policy requirement, and as such, it’s in the whitelist.
This person, as a vendor insider, leaked how the Great Wall works and teaches you how to fool it. Does that count as subverting the government and "picking quarrels and provoking trouble"? Damn, a traitor turned up among us. From now on staff must pass political vetting; violators get their nine generations executed, exiled to Ningguta and never employed again. My heart aches for my country: 1.4 billion people not of one mind, unable to twist into a single rope and roll up their sleeves against American imperialism. It seems that to realise the Chinese Dream we must first pacify within before resisting without.
Background: the Great Wall collects accumulated historical data and high-speed flows and sends them to the vendor for analysis, not real-time data, so IP blocking lags behind. It is something like a PCR test: the Wall is not a supercomputer; it is only responsible for blocking, not for identification.
https://github.com/net4people/bbs/issues/129#issuecomment-1272267254
hello, all. i am working for a **ship vendor company. my company is a **ship member of guangzhou international internet exchange. i can confirm that some of the things you mentioned are correct. this tls in tls detection system is not realtime **ship; they automatically collect data connections with high-speed transmission or cumulative traffic greater than a preset value. these pcap packets are sent to different vendors for detection, just like the popular covid-19 pcr test. if the provider informs us that there is proxy data in the pcap, we push a rule to the edge bypass routing facility near the user for bgp flowspec reroute. these images were not sent by firewall operations staff, and it is certain that these vendors violated some confidentiality policies. based on the existing data, these vendors can only detect the fingerprints of tls1.2 and tls1.3. so using a legacy tls protocol like tls1.0 or tls1.1 is a good choice; you can also use the sm algorithm, as these protocols will not be detected. of course, there is only one way to avoid this detection, and that is to abandon e2e and use self-signed certificates to sign these proxy websites after decryption on the server side, then send the plaintext to the client through a single tls; this can ensure that tls in tls is not detected.