Update "Circumventing censorship/filters"

content/knowledge/Commercial VPN Use Cases.md

@@ -56,49 +56,64 @@ A VPN is useful in a variety of scenarios, such as:
 
 ## Circumventing censorship/filters {#circumventing-censorship}
 
-Network filtering can take many forms, from simplistic DNS or IP blocklists to sophisticated deep packet inspection ({{< rawhtml >}}<abbr>DPI</abbr>{{< /rawhtml >}}). A VPN, if not itself blocked, is the most robust method to circumvent filtering, but other methods may also be worth considering:
+<!--
+  This section ("Circumventing censorship/filters") licensed under CC BY 4.0.
+  https://creativecommons.org/licenses/by/4.0/
+  (c) 2022 WfKe9vLwSvv7rN (original author)
+  (c) 2022­­-Present PrivSec.dev
 
-{{< rawhtml >}}
+  **This annotation should be modified appropriately if changes are made to this section**
-<dl>
+-->
-  <dt>Encrypted DNS</dt><dd><ul>
-    <li>Bypasses unsophisticated DNS blocks only</li>
-    <li>Easily thwarted by unsophisticated IP address or <a href="https://www.cloudflare.com/learning/ssl/what-is-sni/"><abbr title="Server Name Identification">SNI</abbr></a> blocks</li>
-    <li>Increases fingerprintability</li>
-    <li>Free and easy (<a href="https://quad9.net/service/service-addresses-and-features">Quad9</a>, <a href="https://developers.cloudflare.com/1.1.1.1/encryption/">Cloudflare&nbsp;1.1.1.1</a>, <a href="https://developers.google.com/speed/public-dns/docs/secure-transports">Google&nbsp;Public&nbsp;DNS</a>)</li>
-  </ul></dd>
 
-  <dt><a href="https://github.com/ValdikSS/GoodbyeDPI">GoodbyeDPI</a> or <a href="https://github.com/krlvm/PowerTunnel">PowerTunnel</a></dt><dd><ul>
+Network filtering can take many forms, from simplistic DNS or IP blocklists to sophisticated deep packet inspection ({{< abbr "DPI" />}}). A VPN, if not itself blocked, is the most robust method to circumvent filtering, but other methods may also be worth considering:
-    <li>Works for HTTP(S) traffic only</li>
-    <li>Attempts to work around DPI by exploiting bugs in DPI software</li>
-    <li>May increase fingerprintability</li>
-    <li>Free and does not rely on external servers</li>
-  </ul></dd>
 
-  <dt>VPN on port tcp/443</dt><dd><ul>
+Encrypted DNS
-    <li>Extremely difficult to block without affecting HTTPS traffic</li>
+: - Bypasses unsophisticated DNS blocks only
-    <li>Slow due to encapsulation with TCP</li>
+  - Easily thwarted by unsophisticated IP address or [{{< abbr "SNI" "Server Name Identification" />}}](https://www.cloudflare.com/learning/ssl/what-is-sni/) blocks
-    <li>Cannot use WireGuard (requires UDP)</li>
+  - Increases fingerprintability
-    <li>Offered by many commercial VPN providers (<a href="https://www.ivpn.net/knowledgebase/troubleshooting/how-do-i-change-the-port-or-protocol-used-to-connect/">IVPN</a>, <a href="https://mullvad.net/en/help/connection-speed-why-it-so-slow/">Mullvad</a>, <a href="https://protonvpn.com/support/udp-tcp/">Proton&nbsp;VPN</a>)</li>
+  - Free and easy ([Quad9](https://quad9.net/service/service-addresses-and-features), [Cloudflare&nbsp;1.1.1.1](https://developers.cloudflare.com/1.1.1.1/encryption/), [Google&nbsp;Public&nbsp;DNS](https://developers.google.com/speed/public-dns/docs/secure-transports))
-  </ul></dd>
 
-  <dt>Obfuscation proxy: <a href="https://shadowsocks.org/">Shadowsocks</a>, <a href="https://gitlab.com/yawning/obfs4">obfs4</a>, or <a href="https://www.v2fly.org/en_US/">V2Ray</a> (VMess)</dt><dd><ul>
+[GoodbyeDPI](https://github.com/ValdikSS/GoodbyeDPI) or [PowerTunnel](https://github.com/krlvm/PowerTunnel)
-    <li>Specifically designed for obfuscating traffic from DPI</li>
+: - Works for HTTP(S) traffic only
-    <li>Very similar to VPNs, unlike traditional proxy implementations</li>
+  - Attempts to work around DPI by exploiting bugs in DPI software
-    <li>Security implications generally less explored than VPNs</li>
+  - May increase fingerprintability
-    <li>Limited or zero commercial availability (requires self&#8209;hosting)</li>
+  - Free and does not rely on external servers
-  </ul></dd>
 
-  <dt>VPN over obfuscation proxy</dt><dd><ul>
+Remote desktop
-    <li>Increased latency compared to standalone proxy</li>
+: - Requires significant trust in the endpoint
-    <li>More complex setup for self-hosting</li>
+    - TLS terminates at the endpoint
-    <li>Offered by some commercial VPN providers (<a href="https://www.ivpn.net/knowledgebase/troubleshooting/i-cant-connect-from-china-or-vietnam-or-iran-etc-how-do-i-enable-obfsproxy/">IVPN</a>, <a href="https://mullvad.net/en/help/intro-shadowsocks/">Mullvad&nbsp;Bridges</a>)
+    - All browsing and usage data can be easily scraped by the endpoint sysadmin
-  </ul></dd>
+  - Limited practicality
+  - High latency and subject to compression artifacts
+  - Greater hardware requirements for the endpoint
+  - Limited commercial availability
 
-  <dt><a href="https://www.torproject.org/">Tor</a></dt><dd><ul>
+VPN on port tcp/443
-    <li>Works for TCP traffic only (UDP tunneling over Tor is <a href="https://www.whonix.org/wiki/Transporting_UDP_Tunnels_over_Tor">complicated, fragile, and counterproductive</a>)</li>
+: - Rarely port-blocked (default port for HTTPS), but detectable with DPI
-    <li>Extremely slow</li>
+  - Slow due to encapsulation with TCP
-    <li>Offers DPI-bypassing entrance proxies (<a href="https://tb-manual.torproject.org/circumvention/">Tor&nbsp;bridge pluggable&nbsp;transports</a>)
+  - Cannot use WireGuard (requires UDP)
-    <li>Free and decentralized</li>
+  - Offered by many commercial VPN providers ([IVPN](https://www.ivpn.net/knowledgebase/troubleshooting/how-do-i-change-the-port-or-protocol-used-to-connect/), [Mullvad](https://mullvad.net/en/help/connection-speed-why-it-so-slow/), [Proton&nbsp;VPN](https://protonvpn.com/support/udp-tcp/))
-  </ul></dd>
+
-</dl>
+Obfuscation proxy: [Shadowsocks](https://shadowsocks.org/), [obfs4](https://gitlab.com/yawning/obfs4), [V2Ray](https://www.v2fly.org/en_US/) (VMess), [Xray](https://github.com/XTLS/Xray-core)
-{{< /rawhtml >}}
+: - Specifically designed for obfuscating traffic from DPI
+  - Functionally very similar to VPNs, including encrypted transport
+  - Security implications generally less explored than VPNs
+  - Limited commercial availability outside of specific regions
+
+VPN over obfuscation proxy
+: - Increased latency compared to standalone proxy
+  - More complex setup for self-hosting
+  - Offered by some commercial VPN providers ([IVPN](https://www.ivpn.net/knowledgebase/troubleshooting/i-cant-connect-from-china-or-vietnam-or-iran-etc-how-do-i-enable-obfsproxy/), [Mullvad&nbsp;Bridges](https://mullvad.net/en/help/intro-shadowsocks/))
+
+Tor [pluggable transports](https://tb-manual.torproject.org/circumvention/)
+: - Works for TCP traffic only (UDP tunneling over Tor is [complicated, fragile, and counterproductive](https://www.whonix.org/wiki/Transporting_UDP_Tunnels_over_Tor))
+  - Slowest option for clearnet access
+  - Free and decentralized
+
+See also [Great Firewall Report](https://gfw.report/)'s highly technical reports on Shadowsocks, V2Ray, and other censorship-related topics.
+
+---
+
+_Note that attempting to circumvent government censorship or network filters may come at significant risk to life and property. It is up to every individual to carefully balance their need for access against the potential implications of being discovered, including by a log&#8209;now-decrypt&#8209;later approach. While the authors and team of PrivSec.dev support open and uncensored internet access for all, we cannot assume any responsibility or liability for consequences that may arise from the pursuit thereof._
+
+<!-- End section "Circumventing censorship/filters" -->