Here’s a summary in English of the Habr article **“How Censorship Works from the Inside: A Look at the Leaked Chinese Firewall (Blocking Tor, VPN, Traffic Analysis)”**:
The article by Femida Search delves into a massive leak (about 500 GB) of internal logs and documents linked to China’s Great Firewall (GFW), revealing how censorship is not just blunt blocking but a sophisticated, dynamic system. (Habr)
Key Technical Mechanisms Exposed:
**TSG-X System**
A central “black box” (TSG-X) is installed at ISPs, controlled by the state. It inspects all user traffic. (Habr)
It supports **remote-updatable filtering rules**. When a new topic becomes sensitive (e.g. a protest or “forbidden” concept), authorities can push a new block rule to all or some providers. (Habr)
The system operates in two modes: *mirrored* (passive mirroring of traffic for analysis) and *in-line* (active filtering and blocking before traffic reaches its destination). (Habr)
**Deep Packet Inspection (DPI)**
TSG-X uses DPI to detect VPN handshakes, Tor connections, and other “anomalous” encrypted traffic based on signature patterns. (Habr)
Even if the system can’t recognize the exact application, it can mark unusually large flows as suspicious and, after enough time, block them automatically. (Habr)
**User Profiling & Reputation Scoring**
The leak includes references to a “reputation score” system that may penalize users for “bad” online behavior. (Habr)
This score could affect access: low-scoring users might lose their internet service, requiring identity verification to restore it. (Habr)
The system tracks VPN usage, classifies it, and can respond aggressively to new or unknown VPN providers. (Habr)
**AppSketch System**
Geedge (the company behind this system) builds signature databases of applications. This lets them block or allow specific apps (e.g. VPNs) via pre-defined “fingerprints.” (Habr)
Their toolset includes both **static and dynamic traffic analysis**, so they analyze real app behavior to generate these fingerprints. (Habr)
**Code Injection**
The censorship hardware (TSG-X) can inject malicious JavaScript or CSS into web pages, as well as malware into binary downloads. (Habr)
This gives the system not just passive visibility but active control over user traffic contents. (Habr)
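A defender-side check for the in-transit modification described above, as an added example (not code from the Habr article or the leak): it compares the scripts and stylesheets in a copy of a page fetched over a trusted path with a copy received over the network under test. The sample pages, the `injected` helper and the `injected.example.invalid` host are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser


class ActiveContent(HTMLParser):
    """Collect elements that can run script or restyle a page."""
    def __init__(self):
        super().__init__()
        self.items = set()   # (kind, value) fingerprints of active content
        self._inline = None  # "script" or "style" while inside an inline block
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.items.add(("script-src", a["src"]))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self.items.add(("css-href", a.get("href") or ""))
        elif tag in ("script", "style"):
            self._inline, self._buf = tag, []

    def handle_data(self, data):
        if self._inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._inline:  # hash inline bodies so the report stays short
            body = "".join(self._buf).strip().encode()
            self.items.add((f"inline-{tag}", hashlib.sha256(body).hexdigest()[:16]))
            self._inline = None


def active_items(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items


def injected(baseline_html, observed_html):
    """Active content in the observed copy that the baseline copy lacks."""
    return sorted(active_items(observed_html) - active_items(baseline_html))


# Constructed sample pages: one document as served, and as received.
BASELINE = ('<html><head><link rel="stylesheet" href="/site.css">'
            '<script src="/app.js"></script><script>init();</script>'
            '</head><body><p>Hello</p></body></html>')
OBSERVED = BASELINE.replace("</head>", '<script src="http://injected.example.invalid'
                            '/x.js"></script><style>p{display:none}</style></head>')
```

Pages that embed per-request inline scripts will show benign differences, so the output is a list of items to inspect rather than a verdict.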
**Network Management & Monitoring**
The system provides a dashboard called **Network Zodiac** (Nezha), akin to Grafana, for real-time network monitoring. (Habr)
Network admins can SSH into nodes, view network health, bandwidth usage, and apply or revert blocking rules. (Habr)
**Tor Blocking**
The leak reveals attempts to block Tor, especially mobile versions. (Habr)
When Tor is detected, the system forces users away from normal Tor tunnels (like default relays) to Snowflake, which is harder to fingerprint. (Habr)
China also maintains a whitelist / blacklist of VPN providers using AppSketch to decide which VPNs are “allowed” and which should be blocked. (Habr)
Bigger Picture & Implications:
The censorship system is **modular and highly dynamic** — new rules and filters can be deployed quickly to respond to emerging threats or sensitive topics. (Habr)
Censorship here isn’t limited to blocking sites: it's about **persistent surveillance**, behavioral scoring, and reactive suppression.
The ability to inject code into traffic means that the system isn’t just filtering — it can **modify content**, which raises serious security and privacy concerns.
The presence of reputation scoring loosely resembles a **social credit system** tied to internet behavior, though the leak doesn’t confirm full deployment at the individual-citizen scale. (Habr)
Because the system is built into ISPs and uses hardware, it is **scalable and exportable** — making this kind of censorship potentially a model for other authoritarian regimes.
**Bibliography / Sources**
Femida Search. *How Censorship Works from the Inside: A Look at the Leaked Chinese Firewall (Blocking Tor, VPN, Traffic Analysis)* — Habr. https://habr.com/ru/companies/femida_search/articles/966980/
Leaked Geedge / TSG-X internal logs and documentation (2024–2025).
Citizen Lab — reports on China’s network interference architecture.
Tor Project — research on global censorship and active probing by GFW.
GreatFire.org — monitoring of China’s censorship infrastructure.
Freedom House — Freedom on the Net: China.
OONI (Open Observatory of Network Interference) — empirical measurements of Tor/VPN blocking in China.