This page has more details than the "executive summary"
https://github.com/trojan-gfw/trojan/blob/master/docs/protocol.md

As far as I understand it:

1. Client connects to the standard HTTPS port.

2. If it provides a packet with the right (encrypted) password, then the server acts as a SOCKS5 proxy.

3. If it doesn't provide the right password, the server responds like a normal HTTP server over the TLS connection.

Seems pretty clever; the hard bit is making sure the passwords don't leak and the firewall starts bombarding suspect servers with requests (brute-forcing passwords). Also, if there are timing differences between a genuinely confused HTTP server and a "Trojan" server faking the confusion, they'd figure that out too.

Also, things like continuous back-and-forth between the client and a simple webserver would be suspicious, because usually clients send small requests in bursts, get the response, and activity would stop (it doesn't apply to streaming sites, obviously, but there the clients won't be as chatty either). So things like Skype calls might be easily recognized...
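The dispatch step this comment describes, written out as an added example (not code from the thread or from trojan-gfw). It follows the wire layout in the linked protocol doc: the first line is hex(SHA224(password)), then a SOCKS5-style CMD/ATYP/DST.ADDR/DST.PORT request, then a CRLF and the payload. Anything that does not match is handed back untouched for a real web server to answer. TLS is assumed to be already terminated (`data` is the decrypted bytes), the password, hosts and payloads are constructed here, and the actual relaying to a web server or to the destination is left out, so the example models only the decision, not the response timing the comment worries about.

```python
"""Server-side dispatch for the Trojan wire format described in the protocol
doc linked above: hex(SHA224(password)) | CRLF | CMD ATYP DST.ADDR DST.PORT | CRLF | payload.

Added example, not trojan-gfw's code. It assumes TLS has already been
terminated, so `data` is the decrypted bytes the client sent first; real
sockets and the HTTP fallback server are left out and only the decision
(proxy request vs. hand bytes to the web server) is modelled.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Tuple, Union

CRLF = b"\r\n"
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class TrojanRequest:
    cmd: int
    host: str
    port: int
    payload: bytes          # first bytes destined for host:port


@dataclass
class Fallback:
    data: bytes             # untouched bytes to relay to the real web server


def password_hash(password: str) -> bytes:
    """The 56 ASCII hex characters of SHA224(password) that open every request."""
    return hashlib.sha224(password.encode("utf-8")).hexdigest().encode("ascii")


def encode_address(host: str, port: int) -> bytes:
    """ATYP + DST.ADDR + DST.PORT in the SOCKS5 layout Trojan reuses."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host) + struct.pack("!H", port)
        except OSError:
            continue            # not a literal address of this family
    raw = host.encode("ascii")
    return bytes([ATYP_DOMAIN, len(raw)]) + raw + struct.pack("!H", port)


def decode_address(buf: bytes) -> Tuple[str, int, int]:
    """Inverse of encode_address; returns (host, port, bytes consumed)."""
    atyp = buf[0]
    if atyp == ATYP_IPV4:
        host, n = socket.inet_ntop(socket.AF_INET, buf[1:5]), 5
    elif atyp == ATYP_IPV6:
        host, n = socket.inet_ntop(socket.AF_INET6, buf[1:17]), 17
    elif atyp == ATYP_DOMAIN:
        length = buf[1]
        host, n = buf[2:2 + length].decode("ascii"), 2 + length
    else:
        raise ValueError("unknown ATYP")
    return host, struct.unpack("!H", buf[n:n + 2])[0], n + 2


def build_request(password: str, host: str, port: int, payload: bytes) -> bytes:
    """Client side: the first bytes a Trojan client writes after the TLS handshake."""
    return (password_hash(password) + CRLF
            + bytes([CMD_CONNECT]) + encode_address(host, port) + CRLF
            + payload)


def dispatch(data: bytes, expected_hash: bytes) -> Union[TrojanRequest, Fallback]:
    """Decide what the server does with the first decrypted bytes of a connection.

    Anything that is not a well-formed request with the right hash is passed
    through unchanged, so a probing firewall sees ordinary web-server
    behaviour. The hash comparison is constant-time so its duration does not
    depend on how many leading characters matched.
    """
    if len(data) < 58 or data[56:58] != CRLF:
        return Fallback(data)
    if not hmac.compare_digest(data[:56], expected_hash):
        return Fallback(data)
    try:
        body = data[58:]
        cmd = body[0]
        if cmd not in (CMD_CONNECT, CMD_UDP_ASSOCIATE):
            return Fallback(data)
        host, port, n = decode_address(body[1:])
        if body[1 + n:3 + n] != CRLF:
            return Fallback(data)
        return TrojanRequest(cmd, host, port, body[3 + n:])
    except (IndexError, ValueError, OSError, struct.error):
        return Fallback(data)   # truncated or malformed: treat as web traffic


# Constructed sample traffic (not captured from any real deployment).
PASSWORD = "correct horse battery staple"
EXPECTED = password_hash(PASSWORD)
GOOD = build_request(PASSWORD, "example.org", 443, b"\x16\x03\x01\x00\xa5")
WRONG_PASSWORD = build_request("guess1", "example.org", 443, b"")
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("wrong password", WRONG_PASSWORD),
                        ("plain http", PLAIN_HTTP)):
        print(label, "->", dispatch(data, EXPECTED))
```

The constant-time compare only removes leakage from the comparison itself; whether the fallback path answers in the same time as the genuine web server behind it is a property of the deployment, which is the timing difference the comment points at.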
I think anything looking to serve China should at least avoid hosting on GitHub Pages until encrypted SNI is widely available. When someone visits the online documentation at trojan-gfw.github.io, the FQDN is sent in plaintext as part of HTTPS.

If the data is plainly on github.com (like the wiki), it would at least require an MITM to see what you are reading. Of course an MITM might be likely in China regardless.

It's also worth noting the Tor project has done a lot of work in this area: https://2019.www.torproject.org/docs/pluggable-transports.html.en
I don't think it would be very difficult for the Chinese government to demand a compromised root cert authority be installed on every device sold there.
"unidentifiable mechanism"
I'm not sure this is actually true.

You can determine that it is a VPN by checking the number of packets exchanged per interval of time (e.g. if 5 kbps are routinely sent every 30 seconds for 5 minutes, this is totally abnormal).

Another alternative for the government could be to limit the bandwidth and time of hosts that have a big standard deviation in the number of packets per second they transmit.

So, undetectable? I don't think so, and I believe smarter people here can find even better ideas.

That being said, it's a very nice tool, certainly useful in corporate environments as well (except, of course, that it'll be suspicious that one single host is exchanging so much data and keeping such long connections).
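The two traffic-shape signals this comment suggests (a fixed send period, and a large spread in bytes per second on one long-lived connection) run over constructed flow records, as an added example that is not part of the thread or of any real censorship system. The hosts, byte counts and thresholds are all made up here; the point is that the two signals have to be combined, because a steady video stream is also perfectly regular in time but not bursty in rate.

```python
"""Traffic-shape heuristics of the kind the comment above sketches, run over
constructed per-host flow records. Added example, not part of the original
thread or of any real censorship system: RECORDS, the hosts and the
thresholds are all made up here to show the two signals, clockwork burst
timing and a large spread in bytes per second on one long-lived connection.
"""
import statistics
from typing import Dict, List, Tuple

WINDOW = 300  # seconds of traffic analysed (the comment's "for 5 minutes")

# Constructed records: (second since capture start, source host, bytes sent).
RECORDS: List[Tuple[int, str, int]] = (
    # a tunnel keepalive: 18750 bytes every 30 s, i.e. 5 kbit/s averaged
    [(t, "tunnel", 18750) for t in range(0, WINDOW, 30)]
    # a video stream: a steady 100 kB each second
    + [(t, "stream", 100_000) for t in range(1, WINDOW)]
    # ordinary browsing: a few irregular bursts, then silence
    + [(12, "browser", 4000), (13, "browser", 12000), (14, "browser", 800),
       (95, "browser", 20000), (96, "browser", 3000), (201, "browser", 6000)]
)


def bytes_per_second(records, host: str, window: int = WINDOW) -> List[int]:
    """Bucket a host's sent bytes into one slot per second, zeros included."""
    series = [0] * window
    for t, h, n in records:
        if h == host and 0 <= t < window:
            series[t] += n
    return series


def coefficient_of_variation(values: List[float]) -> float:
    """pstdev/mean; 0 means perfectly regular, large means very uneven."""
    if len(values) < 2:
        return float("inf")
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def assess(records, host: str) -> Dict[str, float]:
    """Per-host features: burst count, spread of rate, regularity of timing."""
    series = bytes_per_second(records, host)
    active = [i for i, n in enumerate(series) if n > 0]
    gaps = [b - a for a, b in zip(active, active[1:])]
    return {
        "bursts": len(active),
        # spread of the per-second rate across the whole window (the comment's
        # "big standard deviation in the number of packets per second")
        "rate_cv": coefficient_of_variation(series),
        # regularity of the gaps between active seconds; ~0 is beaconing
        "gap_cv": coefficient_of_variation(gaps),
    }


def is_suspicious(records, host: str, min_bursts: int = 5,
                  gap_cv_max: float = 0.1, rate_cv_min: float = 2.0) -> bool:
    """Flag hosts that both beacon on a fixed period and send in sparse spikes.

    Requiring both keeps the steady stream out: its timing is regular but its
    rate is flat, whereas the tunnel is mostly silent between large spikes.
    Thresholds are illustrative, not tuned against real traffic.
    """
    a = assess(records, host)
    return (a["bursts"] >= min_bursts
            and a["gap_cv"] <= gap_cv_max
            and a["rate_cv"] >= rate_cv_min)


if __name__ == "__main__":
    for host in ("tunnel", "stream", "browser"):
        verdict = "suspicious" if is_suspicious(RECORDS, host) else "ok"
        print(host, assess(RECORDS, host), verdict)
```

With these constructed records only the tunnel host is flagged: its gaps are exactly 30 s (gap_cv 0) and its rate is a few large spikes in an otherwise silent window (rate_cv above 5), while the stream shares the regular timing but has a near-flat rate, and the browser's bursts are irregular.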