Update "Circumventing censorship/filters"

content/knowledge/Commercial VPN Use Cases.md

@@ -56,49 +56,64 @@ A VPN is useful in a variety of scenarios, such as:
 
 ## Circumventing censorship/filters {#circumventing-censorship}
 
-Network filtering can take many forms, from simplistic DNS or IP blocklists to sophisticated deep packet inspection ({{< rawhtml >}}<abbr>DPI</abbr>{{< /rawhtml >}}). A VPN, if not itself blocked, is the most robust method to circumvent filtering, but other methods may also be worth considering:
+<!--
+  This section ("Circumventing censorship/filters") licensed under CC BY 4.0.
+  https://creativecommons.org/licenses/by/4.0/
+  (c) 2022 WfKe9vLwSvv7rN (original author)
+  (c) 2022­­-Present PrivSec.dev
 
-{{< rawhtml >}}
-<dl>
-  <dt>Encrypted DNS</dt><dd><ul>
-    <li>Bypasses unsophisticated DNS blocks only</li>
-    <li>Easily thwarted by unsophisticated IP address or <a href="https://www.cloudflare.com/learning/ssl/what-is-sni/"><abbr title="Server Name Identification">SNI</abbr></a> blocks</li>
-    <li>Increases fingerprintability</li>
-    <li>Free and easy (<a href="https://quad9.net/service/service-addresses-and-features">Quad9</a>, <a href="https://developers.cloudflare.com/1.1.1.1/encryption/">Cloudflare&nbsp;1.1.1.1</a>, <a href="https://developers.google.com/speed/public-dns/docs/secure-transports">Google&nbsp;Public&nbsp;DNS</a>)</li>
-  </ul></dd>
+  **This annotation should be modified appropriately if changes are made to this section**
+-->
 
-  <dt><a href="https://github.com/ValdikSS/GoodbyeDPI">GoodbyeDPI</a> or <a href="https://github.com/krlvm/PowerTunnel">PowerTunnel</a></dt><dd><ul>
-    <li>Works for HTTP(S) traffic only</li>
-    <li>Attempts to work around DPI by exploiting bugs in DPI software</li>
-    <li>May increase fingerprintability</li>
-    <li>Free and does not rely on external servers</li>
-  </ul></dd>
+Network filtering can take many forms, from simplistic DNS or IP blocklists to sophisticated deep packet inspection ({{< abbr "DPI" />}}). A VPN, if not itself blocked, is the most robust method to circumvent filtering, but other methods may also be worth considering:
 
-  <dt>VPN on port tcp/443</dt><dd><ul>
-    <li>Extremely difficult to block without affecting HTTPS traffic</li>
-    <li>Slow due to encapsulation with TCP</li>
-    <li>Cannot use WireGuard (requires UDP)</li>
-    <li>Offered by many commercial VPN providers (<a href="https://www.ivpn.net/knowledgebase/troubleshooting/how-do-i-change-the-port-or-protocol-used-to-connect/">IVPN</a>, <a href="https://mullvad.net/en/help/connection-speed-why-it-so-slow/">Mullvad</a>, <a href="https://protonvpn.com/support/udp-tcp/">Proton&nbsp;VPN</a>)</li>
-  </ul></dd>
+Encrypted DNS
+: - Bypasses unsophisticated DNS blocks only
+  - Easily thwarted by unsophisticated IP address or [{{< abbr "SNI" "Server Name Identification" />}}](https://www.cloudflare.com/learning/ssl/what-is-sni/) blocks
+  - Increases fingerprintability
+  - Free and easy ([Quad9](https://quad9.net/service/service-addresses-and-features), [Cloudflare&nbsp;1.1.1.1](https://developers.cloudflare.com/1.1.1.1/encryption/), [Google&nbsp;Public&nbsp;DNS](https://developers.google.com/speed/public-dns/docs/secure-transports))
 
-  <dt>Obfuscation proxy: <a href="https://shadowsocks.org/">Shadowsocks</a>, <a href="https://gitlab.com/yawning/obfs4">obfs4</a>, or <a href="https://www.v2fly.org/en_US/">V2Ray</a> (VMess)</dt><dd><ul>
-    <li>Specifically designed for obfuscating traffic from DPI</li>
-    <li>Very similar to VPNs, unlike traditional proxy implementations</li>
-    <li>Security implications generally less explored than VPNs</li>
-    <li>Limited or zero commercial availability (requires self&#8209;hosting)</li>
-  </ul></dd>
+[GoodbyeDPI](https://github.com/ValdikSS/GoodbyeDPI) or [PowerTunnel](https://github.com/krlvm/PowerTunnel)
+: - Works for HTTP(S) traffic only
+  - Attempts to work around DPI by exploiting bugs in DPI software
+  - May increase fingerprintability
+  - Free and does not rely on external servers
 
-  <dt>VPN over obfuscation proxy</dt><dd><ul>
-    <li>Increased latency compared to standalone proxy</li>
-    <li>More complex setup for self-hosting</li>
-    <li>Offered by some commercial VPN providers (<a href="https://www.ivpn.net/knowledgebase/troubleshooting/i-cant-connect-from-china-or-vietnam-or-iran-etc-how-do-i-enable-obfsproxy/">IVPN</a>, <a href="https://mullvad.net/en/help/intro-shadowsocks/">Mullvad&nbsp;Bridges</a>)
-  </ul></dd>
+Remote desktop
+: - Requires significant trust in the endpoint
+    - TLS terminates at the endpoint
+    - All browsing and usage data can be easily scraped by the endpoint sysadmin
+  - Limited practicality
+  - High latency and subject to compression artifacts
+  - Greater hardware requirements for the endpoint
+  - Limited commercial availability
 
-  <dt><a href="https://www.torproject.org/">Tor</a></dt><dd><ul>
-    <li>Works for TCP traffic only (UDP tunneling over Tor is <a href="https://www.whonix.org/wiki/Transporting_UDP_Tunnels_over_Tor">complicated, fragile, and counterproductive</a>)</li>
-    <li>Extremely slow</li>
-    <li>Offers DPI-bypassing entrance proxies (<a href="https://tb-manual.torproject.org/circumvention/">Tor&nbsp;bridge pluggable&nbsp;transports</a>)
-    <li>Free and decentralized</li>
-  </ul></dd>
-</dl>
-{{< /rawhtml >}}
+VPN on port tcp/443
+: - Rarely port-blocked (default port for HTTPS), but detectable with DPI
+  - Slow due to encapsulation with TCP
+  - Cannot use WireGuard (requires UDP)
+  - Offered by many commercial VPN providers ([IVPN](https://www.ivpn.net/knowledgebase/troubleshooting/how-do-i-change-the-port-or-protocol-used-to-connect/), [Mullvad](https://mullvad.net/en/help/connection-speed-why-it-so-slow/), [Proton&nbsp;VPN](https://protonvpn.com/support/udp-tcp/))
+
+Obfuscation proxy: [Shadowsocks](https://shadowsocks.org/), [obfs4](https://gitlab.com/yawning/obfs4), [V2Ray](https://www.v2fly.org/en_US/) (VMess), [Xray](https://github.com/XTLS/Xray-core)
+: - Specifically designed for obfuscating traffic from DPI
+  - Functionally very similar to VPNs, including encrypted transport
+  - Security implications generally less explored than VPNs
+  - Limited commercial availability outside of specific regions
+
+VPN over obfuscation proxy
+: - Increased latency compared to standalone proxy
+  - More complex setup for self-hosting
+  - Offered by some commercial VPN providers ([IVPN](https://www.ivpn.net/knowledgebase/troubleshooting/i-cant-connect-from-china-or-vietnam-or-iran-etc-how-do-i-enable-obfsproxy/), [Mullvad&nbsp;Bridges](https://mullvad.net/en/help/intro-shadowsocks/))
+
+Tor [pluggable transports](https://tb-manual.torproject.org/circumvention/)
+: - Works for TCP traffic only (UDP tunneling over Tor is [complicated, fragile, and counterproductive](https://www.whonix.org/wiki/Transporting_UDP_Tunnels_over_Tor))
+  - Slowest option for clearnet access
+  - Free and decentralized
+
+See also [Great Firewall Report](https://gfw.report/)'s highly technical reports on Shadowsocks, V2Ray, and other censorship-related topics.
+
+---
+
+_Note that attempting to circumvent government censorship or network filters may come at significant risk to life and property. It is up to every individual to carefully balance their need for access against the potential implications of being discovered, including by a log&#8209;now-decrypt&#8209;later approach. While the authors and team of PrivSec.dev support open and uncensored internet access for all, we cannot assume any responsibility or liability for consequences that may arise from the pursuit thereof._
+
+<!-- End section "Circumventing censorship/filters" -->