from Hacker News

Cloak: Censorship Circumvention Tool

by xanthine on 10/16/22, 5:37 AM with 33 comments

  • by vmoore on 10/16/22, 3:03 PM

    > Cloak also supports tunneling through an intermediary CDN server such as Amazon Cloudfront. Such services are so widely used, attempts to disrupt traffic to them can lead to very high collateral damage for the censor.

    I once blacklisted a bunch of Amazon IPs that I found in some random Gist on Github, and surfed the web, and so much stuff was broken. It's staggering just how entangled AWS is with the web. The dream of the 'decentralized web' would be hard to implement. You would need to root out any dependence on AWS, Google, Cloudflare etc

    But if this means we can reliably hide traffic in these centralized networks, then maybe it's a good thing they exist. Sort of like steganography with cloud services.

  • by jkhdigital on 10/16/22, 10:59 AM

    I've spent the last four years reading a lot of research papers in this area as part of my PhD research, and while I'm all for increasing the available options for censorship circumvention it's not clear that Cloak does anything novel when compared to existing systems.

    The real weakness of all such systems is setup and rendezvous: how do clients find friendly servers, and how do you prevent the censoring regime from finding and blocking them? It's not an easy problem to solve.

  • by Haemm0r on 10/16/22, 6:31 PM

    I really like the tool; I use it on my devices when I'm abroad. It worked very well in China (2019) with a Japan based VPS. The peering China-Japan-Europe is much better than China-Europe btw.

    First time I could not connect successfully from a public Wifi to my server was Qatar airport this summer... Maybe they work with whitelists for access control.

  • by luckylion on 10/16/22, 8:50 AM

    This probably needs a good way to cover its tracks, or it'll just get blocked like other VPN-services. As far as I understand, you can make pretty educated guesses at the type of content even with SSL, because e.g. Videos are loaded in bursts. I'm sure web and other traffic has similar characteristics, and it would be easy enough to say that something isn't a normal HTTPS connection because of how the data flow looks. Does this tool defend against that, are the connections being dropped when not in use to mimic browser-behavior?

  • by netheril96 on 10/16/22, 10:57 AM

    If the goal is to emulate TLS, why not use real TLS? Trojan, V2ray and GOST all do this.

  • by MasterYoda on 10/16/22, 4:22 PM

    Why is shadowsock needed to go thru cloak? I thought shadowsock did sort of the same thing; to masquerading proxied traffic as normal web browsing activities. What does cloak do that shadowsock does not to not get the traffic censord?

  • by grondilu on 10/16/22, 12:01 PM

    Isn't the problem of censorship much more than technical? I mean, censorship doesn't seem like something everybody agrees is bad. Free speech is not absolute at all : there is a demand to regulate, prohibit and prosecute for instance pornography, defamation, so-called "hate speech", "disinformation" and so-on.

    Whether we agree with these policies or not, the fact remains that these impediments to free speech can be seen as a form of censorship. At the end of the day, I think what makes censorship acceptable is very much subjective, and tied to political beliefs. I can't help noticing for instance that on this github page, there are a few flags illustrating "censoring regimes", and the Russian one is there, but not the European Union one, even though the European Council blocked RT and Sputnik throughout the whole EU after the Russian special military operations in Ukraine. This blocking, regardless of what one can think of its legitimacy, is hard not to consider as censorship. If it's not, how is it called then?

  • by RichardCNormos on 10/16/22, 1:55 PM

    The vast majority of censorship today happens server-side, not in the transport layer.

  • by justshowpost on 10/16/22, 6:49 PM

    Looks like a toy for me. Also written in Go which itself means its not serious.

    When tampering gubment censorship, one should apply the usual opsec rules and thus stick to mature and proven solutions and refrain from experimenting. This means Tor or reputable commercial VPN provider, not yet-another-tor-killer. And the developers in general should invest more efforts into low-level attacks like GoodbyeDPI instead.