Can the GFW still do DPI for "new" vanilla Tor?
I heard from a team of researchers that they failed to get their vanilla bridge probed by the GFW, despite connections from several vantage points in China. I set out to test this myself. Here are the results:
- I repeatedly established a vanilla Tor connection from a VPS in China (running 0.3.2.10) to a bridge in the U.S. (running 0.2.9.16, and later 0.4.1.0-alpha-dev).
- All bridge connections bootstrapped to 100%. There was neither active probing nor blocking.
- I then used the tool tcis on the China VPS to simulate a Tor handshake. The tool creates a TLS client hello as sent by a rather old Tor version -- I don't remember how old, exactly.
- After running tcis, I immediately got my bridge probed and blocked.
The above makes me wonder if newer Tor versions changed their TLS handshake in a way that the GFW's DPI rules haven't caught up with yet. It would be interesting to test this hypothesis and, if it's true, to find out what Tor changed in its TLS handshake.
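One way to pursue the comparison suggested above is to parse the ClientHello from each Tor version's handshake and diff the fields that DPI fingerprints typically key on (protocol versions, cipher-suite list, extension order, SNI). The following is an added example, not code from the original post or from Tor or tcis; the two sample hellos it builds are constructed by hand to exercise the parser and are not captures of real Tor client hellos, so the cipher suites and extensions in them are assumptions, not Tor's actual values.

```python
"""Parse TLS ClientHello records and diff the fields DPI rules commonly match on.

Added example, not from the original post. OLD_HELLO and NEW_HELLO below are
constructed by hand to illustrate the parser; they are NOT real Tor handshakes.
"""
import struct


def _u16(buf: bytes, off: int):
    """Read a big-endian uint16 at off; return (value, new_off)."""
    return struct.unpack(">H", buf[off:off + 2])[0], off + 2


def sni_ext(host: str):
    """Build a server_name extension (type 0x0000) carrying one host_name."""
    name = host.encode("ascii")
    # ServerNameList: list length(2) + name_type(1) + host_name length(2) + host_name
    return (0x0000, struct.pack(">HBH", len(name) + 3, 0, len(name)) + name)


def build_client_hello(hs_ver: bytes, ciphers, exts) -> bytes:
    """Assemble a TLS record holding a ClientHello (constructed test input)."""
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in exts)
    body = hs_ver + b"\x11" * 32 + b"\x00"          # fixed random, empty session id
    body += struct.pack(">H", len(ciphers) * 2)
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                               # one compression method: null
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def parse_client_hello(record: bytes) -> dict:
    """Extract the fingerprint-relevant fields of a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, off = _u16(record, 3)
    body = record[off:off + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    p = 0
    hs_ver = hs[p:p + 2]; p += 2
    p += 32                                 # skip client random
    p += 1 + hs[p]                          # skip session id
    cs_len, p = _u16(hs, p)
    ciphers = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    comp_len = hs[p]; p += 1
    comps = list(hs[p:p + comp_len]); p += comp_len
    exts, sni = [], None
    if p < len(hs):                         # extensions block is optional
        ext_len, p = _u16(hs, p)
        end = p + ext_len
        while p < end:
            etype, p = _u16(hs, p)
            elen, p = _u16(hs, p)
            edata = hs[p:p + elen]; p += elen
            exts.append(etype)
            if etype == 0x0000:             # server_name: pull the host_name out
                nlen = struct.unpack(">H", edata[3:5])[0]
                sni = edata[5:5 + nlen].decode("ascii")
    return {
        "record_version": record[1:3].hex(),
        "handshake_version": hs_ver.hex(),
        "cipher_suites": ciphers,
        "compression": comps,
        "extensions": exts,
        "sni": sni,
    }


def diff_hellos(a: bytes, b: bytes) -> dict:
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    pa, pb = parse_client_hello(a), parse_client_hello(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}


# Constructed samples (assumed values, not real Tor handshakes): an "old" style
# hello with a short cipher list, and a "new" style one adding TLS 1.3 suites,
# ALPN and supported_versions, with the extension order changed.
OLD_HELLO = build_client_hello(
    b"\x03\x01", [0xC00A, 0xC014, 0x0039],
    [sni_ext("www.example.com"), (0x000B, b"\x01\x00"), (0x000A, b"\x00\x04\x00\x17\x00\x18")],
)
NEW_HELLO = build_client_hello(
    b"\x03\x03", [0x1301, 0x1302, 0xC02B, 0xC02F, 0xC00A, 0xC014],
    [sni_ext("www.example.com"), (0x000A, b"\x00\x04\x00\x1D\x00\x17"),
     (0x000B, b"\x01\x00"), (0x0010, b"\x00\x03\x02h2"), (0x002B, b"\x02\x03\x04")],
)

if __name__ == "__main__":
    for field, (old, new) in diff_hellos(OLD_HELLO, NEW_HELLO).items():
        print(f"{field}: {old} -> {new}")
```

To apply this to real traffic, feed `parse_client_hello` the first TLS record of a captured bridge connection from each Tor version (for example the payload of the first client-to-bridge segment in a pcap); fields that show up in `diff_hellos` are the candidates for what a version-specific DPI rule might still be matching on.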