Google is using a tool Chinese users developed to bypass the Great Firewall
Shadowsocks was developed in China to jump the Great Firewall, and now companies like Google are adopting it even as some debate its security and longevity
China's ability to control what its population sees online is well known. Facebook, Twitter and YouTube -- among others -- aren't accessible in the country.
Yet amidst a harsh crackdown on circumvention tools that help people in China get access to the global internet, one piece of technology -- developed in China -- has proven remarkably effective. It’s also gaining traction elsewhere in the world.
Like other types of proxies, Shadowsocks forwards web traffic through a foreign IP address, allowing users to circumvent censorship or appear like they’re browsing from another location. And though the idea of Shadowsocks was initially developed in China, the individual components that make up a Shadowsocks proxy aren’t anything new.
Shadowsocks is effectively a SOCKS5 proxy wrapped in encryption of the user’s choice. The innovation was combining open source technologies into something unique that meets the needs of Chinese users.
The result is a highly customizable, encrypted proxy. The customizability of Shadowsocks is perhaps its greatest strength. It can use many different types of encryption, run on servers from any provider anywhere in the world, and the traffic can be obfuscated to look like normal web traffic.
In 2015, though, creator clowwindy said he got a visit from the police and announced that he would no longer work on the project, subsequently deleting the code. But that’s hardly the end of Shadowsocks’ story.
Four years after that fateful police visit, the open source proxy technology is still thriving thanks to other developers. Moreover, it’s been increasingly adopted by overseas VPN companies seeking to help people improve security and circumvent geographical restrictions.
One of these companies is Jigsaw. The Alphabet subsidiary formerly known as Google Ideas created a project called Outline that deploys Shadowsocks on a private server for users.
Jigsaw describes the goal of Outline as making it “easy for news organizations to set up a corporate virtual private network (VPN) on their own server.” In fact, though, it’s a Shadowsocks proxy server, a sometimes subtle but important difference.
Unlike a VPN connection, when you have a proxy set up on a computer, not all internet traffic runs through that proxy by default, potentially revealing unencrypted data or your true IP address. For those who might be government targets, like Chinese dissidents, that can be dangerous.
Jigsaw has worked to make Outline appear similar to a VPN, for example by implementing fixes that prevent potentially dangerous domain name system (DNS) leaks. But it still operates by setting up a proxy on your computer.
Jigsaw representatives wouldn’t comment on why the organization chose Shadowsocks over other VPN protocols, but company product manager Justin Henck said they sought to use the “strongest technology available.”
“Shadowsocks seemed like a great fit as an actively developed, cross-platform open source protocol designed to help protect your internet traffic,” he told Abacus in an email. “We built on what the Shadowsocks team created, and chose state-of-the-art encryption and other secure defaults, and tried to make it accessible not just to technical users, but also to anyone who can use a computer.”
The technology’s increasing popularity outside of China may be owed to its ease of use. Auto-installation scripts like Outline are easy to find on GitHub, the largest repository for open source code. These allow people to buy a virtual private server (VPS) from companies like Digital Ocean or Vultr for as little as US$5 per month and quickly deploy their own proxy.
After installation to the server, users simply have to copy and paste a custom URI link or scan a QR code containing all the necessary proxy settings in a Shadowsocks program or mobile app.
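The settings link described above follows a published format: the project's SIP002 URI scheme, plus an older form in which everything after `ss://` is base64. As an added example (not code from the article or from the Shadowsocks or Outline projects), this parser extracts the settings from either form and flags whether the chosen cipher is one of the AEAD methods named in the Shadowsocks documentation. The sample links, addresses and passwords are constructed.

```python
import base64
from urllib.parse import parse_qs, unquote

# AEAD methods named in the Shadowsocks documentation; any other method is
# treated here as a legacy stream cipher (no ciphertext integrity protection).
AEAD_METHODS = {"aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"}

# Constructed samples: documentation IP ranges, throwaway passwords.
SIP002_SAMPLE = ("ss://YWVzLTEyOC1nY206dGVzdA@192.0.2.1:8888/"
                 "?plugin=obfs-local%3Bobfs%3Dtls#Example")
LEGACY_SAMPLE = "ss://" + base64.b64encode(
    b"rc4-md5:p@ss:word@198.51.100.7:8388").decode()


def _b64(text):
    """Decode base64 or base64url, with or without '=' padding."""
    text = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(text + "=" * (-len(text) % 4)).decode("utf-8")


def parse_ss_uri(uri):
    """Return the proxy settings carried by an ss:// link as a dict."""
    if not uri.startswith("ss://"):
        raise ValueError("not a Shadowsocks URI")
    body, _, tag = uri[5:].partition("#")
    body, _, query = body.partition("?")
    if "@" in body:   # SIP002: base64url(method:password)@host:port
        userinfo, _, hostport = body.rpartition("@")
        userinfo = unquote(userinfo)
        creds = userinfo if ":" in userinfo else _b64(userinfo)
        hostport = hostport.rstrip("/")
    else:             # legacy: base64(method:password@host:port)
        creds, _, hostport = _b64(body).rpartition("@")
    method, _, password = creds.partition(":")
    host, _, port = hostport.rpartition(":")
    if not (method and password and host and port.isdigit()):
        raise ValueError("malformed Shadowsocks URI")
    return {
        "method": method.lower(),
        "password": password,
        "host": host.strip("[]"),          # IPv6 literals arrive bracketed
        "port": int(port),
        "plugin": parse_qs(query).get("plugin", [None])[0],
        "tag": unquote(tag),
        "aead": method.lower() in AEAD_METHODS,
    }


if __name__ == "__main__":
    for link in (SIP002_SAMPLE, LEGACY_SAMPLE):
        cfg = parse_ss_uri(link)
        cfg["password"] = "<redacted>"     # never log the shared secret
        print(cfg)
```

The link carries the shared password alongside the server address, so anyone who sees the URI or QR code holds the full credentials for that proxy.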
This simplicity doesn’t just benefit users. It also makes it easy for an entrepreneur to run a one-man shop, providing proxies to those who can’t be bothered to set up a server themselves. That’s what Daniel Szmulewicz did by starting Caonima.io, a proxy company with a provocative name taken from a vulgar Chinese phrase.
“Caonima grew out of my needs as a frequent China traveler,” Szmulewicz said. “We are small and do not worry about growth too much… Call it a boutique shop, if you will.”
As it gets easier to find and use Shadowsocks proxies, they might be a more appealing option than a VPN for users in China, even though they might not be as secure. Many users are more interested in simply getting access to the internet outside China than they are in securing all their communication.
In recent years, China has gotten increasingly better at blocking VPNs, especially through the use of artificial intelligence. But it’s still not an easy task. Two major means of cracking down on circumvention are identifying VPN connections by recognizing patterns from specific protocols like OpenVPN or just completely blocking IP addresses used by popular VPN services.
This has resulted in a cat-and-mouse game as VPN providers get more creative -- like using the TLS encryption used for web traffic to disguise VPN connections -- and dump IP addresses for new ones whenever they’re attacked. But anyone running their own Shadowsocks proxy can easily jump over to a new server or completely change VPS providers at the cost of mere pennies.
Another benefit of Shadowsocks is that it was designed first-and-foremost to circumvent censorship, according to Szmulewicz. But since it’s a proxy, it’s not as secure as a VPN by design.
“Shadowsocks looked at the problem of censorship in isolation, without preconceptions, and came up with a proxy solution,” Szmulewicz said. “To fool the censorship system, it was crucial to make the traffic look like normal HTTPS traffic. VPNs are ill-suited for that.”
Szmulewicz offers his service free to journalists based in China, but he explicitly says on the website FAQ that the service is not meant to keep journalists safe. In spite of that, he says he was inspired to start Caonima.io while working at a newspaper in Jerusalem, where he gained greater respect for journalists covering dangerous stories.
Shadowsocks does use high-end encryption, though. It offers a variety of choices, some of which you’ll find in VPNs, such as AES-256. This is why Jigsaw touts “strong privacy and security.”
And no VPN matches the simplicity of getting up-and-running on Shadowsocks. VPN protocols like OpenVPN may require sharing public key certificates.
Since Shadowsocks was designed to get around China’s Great Firewall, it was natural for developers to devise something that could be shared simply by scanning a QR code on a friend’s phone. All of a sudden, within seconds, that person is connected to the World Wide Web in all its unbowdlerized splendor.
The plethora of options in setting up Shadowsocks also makes connections hard to detect. The proxies vary in type of encryption, ports used, obfuscation techniques and server providers.
Even amid a fierce crackdown on commercial VPN services in the leadup to the 30th anniversary of the June 4th Tiananmen crackdown, Shadowsocks remained a reliable circumvention tool as Chinese censors played whack-a-mole in blocking IP addresses. Even though some VPS providers saw many of their IP addresses blocked in June, simply copying the proxy settings to a new server from the same provider could be enough to regain access with another IP address.
Detection methods are getting more sophisticated, though. The Great Firewall can recognize and cut off certain types of connections by patterns in data packets or port numbers. With artificial intelligence becoming more sophisticated, some people are also pessimistic about Shadowsocks’ chances of staying ahead of the censors.
That was the conclusion of a detailed report from Comparitech on the methods used by the Great Firewall to block or detect and shut down VPN connections. The sophistication of China’s detection methods led the author to state, “It’s only a matter of time until Shadowsocks is on the chopping block.” The author did note, though, that obfuscation methods like those using TLS encryption offer some hope.
Another person who seems pessimistic about the long-term chances of Shadowsocks is a Chinese developer known as Teddysun. He developed one of the more popular auto-installation scripts for Shadowsocks on GitHub, but he announced in May that he would no longer be developing it. He noted that other tools now met that need and referenced the “bad things” that have happened to past developers, like clowwindy.
“Numerous maintainers have abandoned the maintenance of the project,” Teddysun told Abacus. “It won't last long, and it's a matter of time.”
For now, though, foreign companies seem happy to adopt this piece of free, open source tech that gives their users yet another means of avoiding censorship. VPN services like ibVPN and Surfshark offer Shadowsocks connections within their custom apps. A company called WannFlix offers Shadowsocks proxies to people looking to get around Netflix’s geographic restrictions for certain content.
It might seem ironic that one of the most rapidly adopted pieces of anti-censorship tech today came from China. But there’s no other place in the world with more of an incentive to create such an effective tool.
In the long run, Shadowsocks will live or die based on interest and necessity. But today, it’s very much alive, even if developers from its home country feel compelled to abandon it.