opened 08:48AM - 04 Oct 22 UTC
China
Starting from October 3, 2022 (Beijing Time), more than 100 users reported that at least one of their TLS-based censorship circumvention servers had been blocked. The TLS-based circumvention protocols that are reportedly blocked include [trojan](https://github.com/trojan-gfw/trojan), [Xray](https://github.com/XTLS/Xray-core), [V2Ray TLS+Websocket](https://www.v2fly.org/config/transport/websocket.html), [VLESS](https://www.v2fly.org/config/protocols/vless.html), and [gRPC](https://www.v2fly.org/config/transport/grpc.html). We have not received any report of the blocking of [naiveproxy](https://github.com/klzgrad/naiveproxy) though.
Below is a summary of this blocking event and our conjecture.
The blocking is done by blocking the specific port that the circumvention services listen on. When users [change the blocked port](https://gfw.report/blog/ss_tutorial/en/#mitigate-port-blocking-by-having-backup-ports) to a non-blocked port and keep using the circumvention tools, the entire IP address may get blocked. It is worth noting that their domain names are not added to the GFW's DNS or SNI blacklists.
While most users reported that their port 443 got blocked, a few users reported that a *non-443* port on which their circumvention services listen got blocked as well. While most of the blocked servers are in popular VPS providers' datacenters (for example, [bandwagonhost](https://bandwagonhost.com/)), at least one user reported the blocking of a server in a residential network in Europe.
In a few cases (not all cases), the blocking seems to be dynamic, because the web browser could still access their circumvention ports but the circumvention tools did not work.
All of the observations above strongly indicate that the GFW can indeed accurately identify and block the circumvention services, rather than simply blocking port 443 or blocking the popular VPS providers.
Based on the information collected above, we suspect, without empirical measurement yet, that the blocking is possibly related to the [TLS fingerprints](https://tlsfingerprint.io/) of those circumvention tools. Perhaps developers want to look into [uTLS](https://github.com/refraction-networking/utls). One may also find this [paper reading group](https://github.com/net4people/bbs/issues/54), [this summary](https://gfw.report/blog/v2ray_weaknesses/en/#unique-tls-clienthello-fingerprints), and [this post](https://zhufan.net/2022/06/18/tls%E6%8F%A1%E6%89%8B%E6%8C%87%E7%BA%B9%E6%A3%80%E6%B5%8B%E6%81%B6%E6%84%8F%E8%BD%AF%E4%BB%B6%E6%B5%81%E9%87%8F/) on TLS fingerprinting helpful.
We will investigate whether the GFW indeed uses the TLS fingerprints sent by these clients to identify circumvention protocols. At the same time, if you have a server that has been blocked, or if you have any evidence that can corroborate or falsify our hypothesis, we encourage you to share your comments publicly or privately. Our private contact information can be found at the footer of [GFW Report](https://gfw.report).
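To make the TLS fingerprint hypothesis concrete, here is an added example (not part of the original post, and not code from any of the projects named above) that computes a JA3-style fingerprint from a ClientHello. JA3 is one widely used fingerprinting scheme, chosen here as an assumption; the post does not say which ClientHello features the GFW inspects. The sample messages are constructed by the hypothetical helper `build_hello`, and the parser assumes a complete, well-formed handshake message. Three clients send the same SNI and cipher suites, and only the ordering and layout differ.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 reserved values

def u16s(buf):
    return [v for (v,) in struct.iter_unpack("!H", buf)]

def ja3(hello):
    """Return (JA3 string, MD5) for a ClientHello handshake message (no record header)."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello")
    body = hello[4:4 + int.from_bytes(hello[1:4], "big")]
    version = int.from_bytes(body[:2], "big")
    p = 2 + 32                          # legacy_version + random
    p += 1 + body[p]                    # session_id
    n = int.from_bytes(body[p:p + 2], "big")
    ciphers = u16s(body[p + 2:p + 2 + n])
    p += 2 + n
    p += 1 + body[p]                    # compression_methods
    exts, groups, formats = [], [], []
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        exts.append(etype)
        if etype == 10:                 # supported_groups: 2-byte list length, then u16s
            groups = u16s(data[2:])
        elif etype == 11:               # ec_point_formats: 1-byte list length, then u8s
            formats = list(data[1:])
    fields = [[version]] + [[v for v in f if v not in GREASE] for f in (ciphers, exts, groups)] + [formats]
    s = ",".join("-".join(map(str, f)) for f in fields)
    return s, hashlib.md5(s.encode()).hexdigest()

def build_hello(ciphers, extensions):
    """Build a minimal ClientHello (constructed sample input, not captured traffic)."""
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

SNI = (0, b"\x00\x0e\x00\x00\x0bexample.com")
GROUPS = (10, b"\x00\x04\x00\x1d\x00\x17")   # x25519, secp256r1
FORMATS = (11, b"\x01\x00")                  # uncompressed
CLIENT_A = build_hello([0x1A1A, 0x1301, 0x1302, 0xC02B], [(0x2A2A, b""), SNI, GROUPS, FORMATS])
CLIENT_A2 = build_hello([0x3A3A, 0x1301, 0x1302, 0xC02B], [(0x4A4A, b""), SNI, GROUPS, FORMATS])
CLIENT_B = build_hello([0xC02B, 0x1301, 0x1302], [SNI, FORMATS, GROUPS])
```

`CLIENT_A` and `CLIENT_A2` differ only in their GREASE values and hash to the same fingerprint, while `CLIENT_B` reorders the same ciphers and extensions and hashes differently. This is why an observer can tell TLS stacks apart on any port without consulting the SNI.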