Shadowsocks imposes an extra per-session TCP connection for user/password authentication plus a 10-second keep-alive timeout, causing an average page load time of 3.7 seconds and a sharp PLT inflection when concurrent clients exceed 60. In contrast, ScholarCloud (split-proxy, no per-session auth handshake) achieves 1.3 seconds average PLT with linear scalability up to 180 concurrent clients. Native VPN and OpenVPN also scale linearly; Shadowsocks is the only tested solution with a non-linear degradation point.

Measured packet loss rates under GFW censorship (Feb–Apr 2017, client at Tsinghua University/CERNET): Tor with meek obfuscation suffers 4.4% average PLR; Shadowsocks (AES-256-CFB) suffers 0.77% PLR; native VPN (PPTP/L2TP) and OpenVPN both achieve ~0.21% PLR. For comparison, the same tools accessed from a US vantage point show PLR below 0.1%, confirming the excess loss is GFW-induced. The GFW's DPI and active probing techniques specifically target Tor and Shadowsocks protocol signatures.

§4.3 evaluation

China's Internet censorship ecosystem is bilateral: the GFW handles technical blocking while separate government agencies (MIIT, TCA, MPS, MSS) handle non-technical regulation, and 'these two components do not operate synchronously.' Google Scholar is considered a legal service by Chinese regulators but is incidentally blocked as collateral damage because it falls under the google.com domain, blocked since 2010.

§2 policy

ScholarCloud's 'message blinding' — a non-public byte mapping (f: [0, 2^8) → [0, 2^8)) applied between domestic and remote proxy — successfully evades GFW deep packet inspection with 0.22% average packet loss rate, statistically indistinguishable from native VPN (0.21%). The paper reports that even this simple encoding suffices because the GFW cannot classify the traffic; confidentiality of the algorithm is the operative property, not cryptographic strength. Because the operator controls both proxy endpoints, the blinding scheme can be rotated at any time without requiring client-side updates.

§3 defense

ScholarCloud was launched in January 2016 and by late 2017 served over 2,000 registered users with 700 daily active users. It operates on two commodity VM instances at a daily operational cost of 2.20 USD. Legal operation inside China was achieved by registering the service as an ICP with the TCA (China ICP Reg. #15063437) and restricting the proxy whitelist to verifiably legal but incidentally-blocked domains — a strategy that places the service outside the GFW's aggressive technical blocking while also satisfying regulatory scrutiny from MPS/MSS.

§1, §3 deployment