I don't think that's likely to be an effective strategy. The #1 priority for the CCP is to ensure that it is the sole and uncontested source of power and authority in the entire country. There's nothing anyone could offer that would outweigh that.

> So, maybe the most effective sort of activism right now would be to produce something that the Chinese government wants to exist, which can't exist without VPN traffic.

But isn't this use case—academia—already a very crucial aspect of society that China wants to exist? If this won't convince the CCP it's difficult to imagine what would.

Hypothetically, if you start a VPN business with a large pool of random ipv6 addresses and assign each customer one of those, could that be a start as a work-around?

No as they do DPI and protocol detection so they would shut down your users pretty quickly. There was more about this on 32C3, I think this is the correct link: https://media.ccc.de/v/32c3-7196-how_the_great_firewall_disc...

Sorry for not watching your video. Could you give a ELI5 explanation of why some vpns still work now if they have this tech?

Think of regular internet as postcards, secure web traffic as those window envelopes that are easy to recognize, and most vpn traffic as bubblewrap envelopes.

You read the postcards, and build a list of sender/receivers that communicate stuff you don't approve of.

You can use that list to block window envelopes of encrypted web traffic - you don't know what's in the envelope, but you have a pretty good idea who's talking to whom.

Now, the bubblewrap envelopes - they don't sort quite like other envelopes, they're a bit heavier. Maybe they're going to an unknown recipient, and you think that's odd. They look a bit different. Put those recipients on a list. One gets too high, maybe block them and see if anyone you care about complain.

Now, clearly, people will figure out a way to make their bubblewrap envelopes look like the regular business envelopes with windows. Look like secure web traffic.

But traffic patterns are likely to look different for streaming and peer-to-peer. You might have an idea of who you'd like to enable streaming media from.

In short - you can use pure traffic analysis to make an educated guess about the nature of a data stream. Packet size, frequency, bandwidth, participants (ip addresses).

Some packages says "VPN" clearly on the side. Some pretend to be HTTPS traffic. The latter might get through, some of the time.

(Not an attempt at summarizing the video, just an attempt at an analogy for packet inspection)

What about data stenography? I've heard of people using DNS packets to transmit HTTP data.

Imagine tracking a "raw data sent vs raw data received" for every host your network talks to. What _should_ DNS look like?

Now imagine tunneling all your network traffic over that DNS server, independent of how you encode it, you still need to send the bits to and fro.

How does that change the sent/received profile?

HTTPS VPNs work fine, but they are slow as you have to use TCP

I think the Chinese government can do deep-packet inspection to detect common VPN protocols like IPSec. Even if you use something like TLS-based VPN, the government uses bandwidth statistics to tell normal browsing apart from VPN.

Last time I was there (about two years ago), ssh command line sessions worked fine, but using the SOCKS proxy functionality killed the connection. It's getting quite clever.

What about X forwarding?

I didn't try it, but I'd suspect it would also get blocked.