I don’t know about Cloak, but for Shadowsocks the most important thing is use AEAD ciphers only (chacha20-ietf-poly1305, aes-256-gcm, aes-128-gcm). Many Shadowsocks implementations also support “stream ciphers” (aes-128-ctr, aes-128-cfb, camellia-128-cfb, chacha20, …) and you must not use these. AEAD ciphers are not perfect, but stream ciphers are vulnerable to a number of attacks, including decryption.
- A practical guide to defend against the GFW’s latest active probing
- How to Deploy a Censorship Resistant Shadowsocks-libev Server
- Decryption vulnerability in Shadowsocks stream ciphers
With Tor Browser, you can easily configure an obfs4 bridge, which is similar to Shadowsocks in the way it obfuscates traffic. But obfs4 resists surveillance only if you use a private bridge, ideally one you set up yourself—don’t use the built-in bridges, because their IP addresses are well-known.