Ignoring the "Great Firewall of China"

Richard Clayton is presenting a paper (blog post here) that discusses how to defeat China's national firewall:

...the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection -- and obey. Hence the censorship occurs.

However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall's reset packets, then the connection will proceed unhindered! We've done some real experiments on this -- and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall -- just shut your eyes and walk onto Platform 9¾.

Ignoring resets is trivial to achieve by applying simple firewall rules… and has no significant effect on ordinary working. If you want to be a little more clever you can examine the hop count (TTL) in the reset packets and determine whether the values are consistent with them arriving from the far end, or if the value indicates they have come from the intervening censorship device. We would argue that there is much to commend examining TTL values when considering defences against denial-of-service attacks using reset packets. Having operating system vendors provide this new functionality as standard would also be of practical use because Chinese citizens would not need to run special firewall-busting code (which the authorities might attempt to outlaw) but just off-the-shelf software (which they would necessarily tolerate).
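The TTL check the excerpt describes, worked through as an added example in Python. This is not code from the post or from Clayton's paper; the addresses, ports and TTL values in the trace are constructed for illustration, and the script uses only the standard library. It learns the TTL of genuine packets from each peer on each connection and flags RSTs whose TTL is inconsistent with that baseline, which is what a reset injected by a middlebox closer than the real peer looks like when the middlebox does not copy the TTL. The caveat the paper's author raises further down in the comments still applies: a stateful injector can get the TTL right, so this raises the censor's cost rather than defeating the technique.

```python
# Added example, not code from the paper or from the blog post.  An
# offline classifier for the TTL consistency check described above: for
# each direction of a TCP connection it learns the IP TTL of genuine
# packets from that sender and flags RST packets whose TTL does not match.
# All packet records below are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "PA", "FA", "R", "RA"


def sender_key(pkt: Packet):
    """Key that identifies one direction of one connection."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def classify_resets(packets, tolerance=0):
    """Return [(index, reason)] for RST packets that look injected.

    The baseline TTL for a direction is the TTL of the first non-RST
    packet seen from that sender.  A RST is flagged when no baseline
    exists (a reset for a connection this host never exchanged packets
    on) or when its TTL differs from the baseline by more than
    `tolerance`.  A small tolerance absorbs routine path changes.
    """
    baseline = {}
    flagged = []
    for i, pkt in enumerate(packets):
        key = sender_key(pkt)
        if "R" not in pkt.flags:
            baseline.setdefault(key, pkt.ttl)
            continue
        expected = baseline.get(key)
        if expected is None:
            flagged.append((i, "RST with no prior packet from this sender"))
        elif abs(pkt.ttl - expected) > tolerance:
            flagged.append((i, f"RST TTL {pkt.ttl} differs from baseline {expected}"))
    return flagged


def flagged_indices(packets, tolerance=0):
    return [i for i, _ in classify_resets(packets, tolerance)]


def deliver(packets, tolerance=0):
    """Packets a host keeps after dropping the flagged RSTs: the selective
    version of the 'ignore resets' firewall rule the excerpt mentions."""
    drop = set(flagged_indices(packets, tolerance))
    return [p for i, p in enumerate(packets) if i not in drop]


# Constructed trace as seen at the client's own interface.  The client
# sends with an initial TTL of 64; the real server's packets arrive with
# TTL 51 (13 hops away); the injected RSTs, forged with the server's
# address, arrive with TTL 59 because the middlebox is only 5 hops away.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
SAMPLE_TRACE = [
    Packet(CLIENT, SERVER, 40000, 80, 64, "S"),   # 0 handshake
    Packet(SERVER, CLIENT, 80, 40000, 51, "SA"),  # 1 sets server baseline 51
    Packet(CLIENT, SERVER, 40000, 80, 64, "A"),   # 2
    Packet(CLIENT, SERVER, 40000, 80, 64, "PA"),  # 3 request containing a keyword
    Packet(SERVER, CLIENT, 80, 40000, 59, "R"),   # 4 injected
    Packet(SERVER, CLIENT, 80, 40000, 59, "R"),   # 5 injected
    Packet(SERVER, CLIENT, 80, 40000, 59, "R"),   # 6 injected
    Packet(SERVER, CLIENT, 80, 40000, 51, "PA"),  # 7 genuine response passes through
    Packet(CLIENT, SERVER, 40000, 80, 64, "A"),   # 8
    Packet(SERVER, CLIENT, 80, 40000, 51, "FA"),  # 9 genuine close
    Packet(CLIENT, SERVER, 40000, 80, 64, "FA"),  # 10
    Packet(SERVER, CLIENT, 80, 40000, 51, "R"),   # 11 genuine late RST, kept
    Packet(SERVER, CLIENT, 443, 40001, 59, "R"),  # 12 RST for a connection never seen
]

if __name__ == "__main__":
    for i, reason in classify_resets(SAMPLE_TRACE):
        print(f"packet {i}: {reason}")
```

Run as a script it reports packets 4, 5, 6 and 12. With `tolerance=8` the three TTL-59 resets pass as within range and only packet 12 is flagged, which is the trade-off any deployment of this check has to make between path changes and a nearby injector.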

Posted on June 27, 2006 at 1:13 PM • 96 Comments

Comments

Pat Cahalan • June 27, 2006 1:45 PM

Clever.

"Instead try to realize the truth."

"What truth?"

"There is no wall."

another_bruce • June 27, 2006 1:58 PM

OK. Is there any way the censors can tweak the hop count in their reset packets to make them appear as if they had originated at the far end of the channel?

Tim Vail • June 27, 2006 2:02 PM

Possibly, but would it be efficient? I kind of think that computing hop counts can be quite costly when dealing with a lot of traffic.

Mark Gritter • June 27, 2006 2:28 PM

It's certainly feasible to inject the reset packets with a correct-looking hop count; if you're sniffing the TCP packets going both directions then you already have all the information you need. (i.e., you just need to set the IP TTL field to the same value as in the packets you observed.)

Tim Vail • June 27, 2006 2:45 PM

@Mark

Well, looking for keywords does not really require any "state" information, or any connection tracking. Tracking the TTL fields of packets that you observed requires a bit more state information. And for routers processing a lot of traffic, that can be an overhead.

That is what I'm thinking...unless someone can figure out a way to do it that is more stateless.

Jurgen • June 27, 2006 3:21 PM

So how does the connection terminate when the RST packets are thrown away? With the FIN flag?? And if so, doesn't that mean that the sniping routers just have to send 2 packets: one with a FIN and another with the RST packet?

Jurgen

Nicholas Weaver • June 27, 2006 3:21 PM

You know, they can do a LOT better:

Inject a route for a /32 going to the questioned host. Now route the packets manually through your IDS fully, and start dropping/modifying traffic.

After a little while, revoke the injected route.

Nicholas weaver • June 27, 2006 3:29 PM

Actually, route updates would probably be too slow.

But it's interesting that they are using the same basic trick Bro uses.

casey • June 27, 2006 3:32 PM

This is a very interesting discovery, but I think there is still a limitation to its practicality.

"these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection"

Even if the client-side installs a packet filter, websites would still be inaccessible, unless the web server also ignored the injected RSTs.

Nicholas weaver • June 27, 2006 3:38 PM

More importantly, it requires a presence on BOTH sides of the endpoints (the RSTs undoubtedly are sent in both directions).

As such, if you control BOTH endpoints, you can do a much more subtle job of firewall evasion.

Martin Espinoza • June 27, 2006 3:48 PM

Not only would route updates possibly be too slow, but can you imagine the size of the routing table if you're blocking /32s? No idea how many blocks they perform a day, but the internet-connected population is only growing.

Anonymous • June 27, 2006 3:54 PM

So when do we ALL start to configure web servers to ignore resets from China?

Nicholas Weaver • June 27, 2006 3:56 PM

An interesting followup. The authors hypothesize that the system is stateless, but without proving it.

Someone should do the followup test of fragmenting the request across multiple TCP packets or IP fragments, and see if it triggers the firewall.

If so, you can then evade for arbitrary sending of requests with software only on the sending side.

Nicholas weaver • June 27, 2006 3:57 PM

And you don't want to ignore RSTs. They are critical and important.

Jonathan Louie • June 27, 2006 4:02 PM

Let's not forget that the Chinese government has access to the logs of these sessions. If you're consistently triggering their censors, you might just get a visit from the authorities. An interesting discovery, but a long way to go before truly free speech.

Chris • June 27, 2006 4:13 PM

That ignores the obvious - if standard OSs included methods to defeat the censorship, the government would just choose a different method to censor.

Rogue Shoten • June 27, 2006 4:17 PM

Yes, but you have to keep in mind that nothing ever ends the constant back-and-forth between attacker and defender, which is what this really is. Saying "oh, but they could come up with another way," isn't the point. The point is that, in the realm of attack trees, you've just increased the cost of China's attack on your connectivity. They can do more to counteract what you're doing, but it means more work for them.

Jungsonn • June 27, 2006 4:30 PM

Sorry, but how are they going to filter keywords in TCP packets that are being sent through an SSL connection, on which a user can surf, or simply through a $1.95 shell, by using a remote web server like, say, in the U.S.?

Bypassing this firewall system isn't as complicated as described in the paper; at least, it's trivial to do it like that.

Greyfeld • June 27, 2006 4:38 PM

I am wondering if this will work against products like Websense as well. I know that, with Websense connected to a PIX firewall, the original outbound packet from the web client still gets passed by the firewall and the return packet is allowed. It's just that since the Websense enforcement point is in your local network, it can send you the blocked html page before the return comes back from the outside world. If you block traffic from the Websense enforcement point that sends out the "this page is blocked" html, can you still surf wherever you want? Might have to experiment with this a little. It probably wouldn't work with a proxy server if Websense is running on the proxy, but if not, it might.

oztun • June 27, 2006 4:40 PM

Jungsonn summed up what I was about to say. If you have to control both ends then this isn't necessary since you can simply use encryption. I was thinking people outside China could provide proxies that either drop RSTs or use encryption.

Steve • June 27, 2006 4:49 PM

I was in China about 4-5 years ago. At the time you couldn't get to sites like cnn.com. I found an anonymous proxy 'https' and had no problem bringing up any site I wanted. I realize this only covers web server access but it was a breeze to get around their firewalls and anyone who wanted to was able to do it in less than 5 minutes.

Bill Stewart • June 27, 2006 4:50 PM

So Falun-Gong.com and Free-Tibet.org need to ignore RST packets from China - they're not likely to mind. On the other hand, getting non-China-specific sites to ignore them is tougher.

SSL doesn't protect you from everything - if you're looking at https://censored.example.com/censored.stuff,
the firewall still knows from the headers what site you're looking at and can block it, without having to look at the content.

rather be anonymous :( • June 27, 2006 4:55 PM

I think reset messages may be sent by American ISPs as well, to terminate some p2p file sharing connections.
I witnessed this while connecting with a person who was using a commercial cable ISP in New York state. Resets would happen to appear from his end, inexplicably, for they were not sent by the program being used. Chinese may wish to censor particular web sites. American internet companies censor protocols they detect on their lines.

Romain Wartel • June 27, 2006 4:57 PM

I think it would be trivial, for the router sniffing the traffic/injecting the RST packets, to detect that the RST packets have been ignored and that the TCP session has actually not been stopped, just by looking at the TCP sequence number.

In other words, I tend to think that yes, you can bypass the firewall, but you can expect a visit from the authorities soon after!

Romain.

phessler • June 27, 2006 5:25 PM

I'm surprised this actually works. I would consider this to be a bug that can be exploited at least into a DoS if not higher. The OS should protect against it (similar to packet injection).

Of course, if I misunderstand how RST is supposed to be handled, please ignore the above ;).

Nathan • June 27, 2006 5:27 PM

@Jungson

If you fake the HTTP header saying you want to pull up the page "censored.html", you don't get the page you were trying to view.

It's like giving someone a map and then "faking" the address they're trying to go to -- they'll end up at the wrong place.

AG • June 27, 2006 5:27 PM

Question:
Would an ISP (domestic or otherwise) inserting their own packets "end transmission packets" into your datastream not be illegal?

Reason: They are not closing "their" connection they are affecting your hardware.

Example: It would be legal for them to close the connection on their equipment, but they do not want to do that because you would just open another connection. Instead they close the connection at YOUR hardware... sounds illegal to me.

[Si]dragon • June 27, 2006 5:32 PM

"SSL doesn't protect you from everything - if you're looking at https://censored.example.com/censored.stuff,
the firewall still knows from the headers what site you're looking at and can block it, without having to look at the content."

Incorrect. Secure Socket Layer establishes an encrypted session with the remote system first, then requests resources. This is essential because what data is requested is almost always as sensitive as the data itself. (By the way, this is the reason that web servers cannot offer SSL-enabled named virtual hosts from the same address. Connections are initiated before the HTTP request goes through.)

neo • June 27, 2006 5:39 PM

So you're telling me that I could forge packets for any address that I wanted and send resets to, say, cnn.com, and the person that I am pretending to be would henceforth stop being able to access CNN? That sounds like a DoS waiting to happen.

D • June 27, 2006 5:49 PM

[Si]dragon is correct - this is exactly why you can't put multiple SSL certificates on the same vhost. The initial request is at the IP address, then, after encryption starts, you send your host-specific request.

Of course, they could just censor based on IP address ...

Jungsonn • June 27, 2006 5:52 PM

@nathan,

enlighten me...

It was the indication that it could be done through SSL (tunneling), though I prefer shell access on a foreign server. Both cases beat the system, and do it without being too scientific about it.

People can learn to use these systems (SSL, shells), but to put the TCP packet theory of the presented paper into practice requires a different kind of people and skills.

The people's republic, yeah now we know ;-)

Richard Clayton • June 27, 2006 5:57 PM

I note the comments about lack of "state". It is true (I'm one of the authors of the paper) that we've not proved its absence [that's hard really], but all the evidence points that way.

However, I'd caution against assuming that testing with fragmented packets would prove it one way or the other -- since the devices being used (which come from an IDS environment) are specifically designed to handle these cases.

Bottom line is that a firewall system with "state" would do a much more sophisticated job at blocking! and, for example, could easily get TTL values correct.

We accept that encryption also evades keyword blocking. However, it is also blockable in itself (by assessing the entropy of the packets passing the firewall) so it's not a panacea. We also comment (see the paper) that it could make a difference to the authorities' approach to your case -- since the firewall can log everything -- to ensure that they can see what you're really doing. This may make you less (or maybe more) of a target. There's more than one round to this "game"!

What would make a difference is for vendors to change their TCP/IP stacks so that "out of the box" the firewall's "attacks" fail to work. If the code is "standard" it is hard for the authorities to "make an example" of people who are evading the firewall.

Kile • June 27, 2006 5:59 PM

Re: [Si]dragon
"Incorrect. Secure Socket Layer establishes an encrypted session with the remote system first, then requests resources. This is essential because what data is requested is almost always as sensitive as the data itself. (By the way, this is the reason that web servers cannot offer SSL-enabled named virtual hosts from the same address. Connections are initiated before the HTTP request goes through.)"

Actually, an attacker _can_ know what site you're looking at (though not what document within the site) for precisely this reason. As you said, before the HTTP headers are sent, the SSL connection is negotiated... which includes the server sending the (unencrypted) certificate which identifies it as censored.example.com, for example.

dr2chase • June 27, 2006 6:22 PM

A different question: are there things that we can do with ordinary, not-censored-by-China, internet connections that would make their censorship more expensive for them? For instance, if we were always to send chopped up and out-of-order packets to China, would that hinder their filters? Seems like it would.

Scott Frazer • June 27, 2006 7:47 PM

Kile said, "Actually, an attacker _can_ know what site you're looking at (though not what document within the site) for precisely this reason. As you said, before the HTTP headers are sent, the SSL connection is negotiated... which includes the server sending the (unencrypted) certificate which identifies it as censored.example.com, for example."

But _that_ part can be safely "wrong." The receiving browser would throw a warning (The cert says you are visiting blahblah.com, but you typed in foobar.com. Do you want to continue?) but the traffic would still be encrypted just fine. The only thing the firewall would "know" are the endpoint addresses and ports.

adevadeh • June 27, 2006 9:36 PM

I am living in China, and yes, they block by IP. So https does not help. The Great Firewall is vast and extremely annoying. I have taken to using tor+privoxy when I want to read something from Wikipedia or Blogspot. It works but it is really slow.

badger44 • June 27, 2006 10:14 PM

I find it odd that no one has mentioned the one thing that I'd worry about using this technique for real in China: yes, the blocking sounds like the way Websense works. I wonder if it logs like Websense does?

Sure, you may find what you're looking for outside the firewall --- and then the people who set up the firewall come to find you....

Tony Mobily • June 27, 2006 10:50 PM

Hello,

Am I missing something? How about VPNs?
A little while ago, I created a tunnel between my own computer and a machine I had a shell account on. The tunnel was encrypted. It was seen by my computer as a network interface, and it was my default route.
Result: my computer would always, and only, talk to the other end of the tunnel. I didn't even have to be root!

The Chinese government would know that you have this (encrypted) traffic with this other host. No more.

For more info: http://openvpn.net/

The only problem is that it does take a bit of skill to install/use. How long before it's easy enough so that the firewall dissolves?

Merc.

spacehunt • June 27, 2006 10:59 PM

Actually private VPNs are illegal in China; you have to register your VPNs, together with decryption keys, with the government.

Aminorex • June 28, 2006 12:17 AM

> Actually private VPNs are illegal in China;
> you have to register your VPNs, together
> with decryption keys, with the government.

Actually, that's Great Britain. China is otherwise.

Yes, it has always been trivial to bypass the GFW,
and no, the police do not go looking for people
who use STARTTLS. But most people can't do
trivial things. It's an issue of public safety,
as much as it is an issue of information control,
and trivial measures suffice to keep the vast majority
of users safe from bad information. Like drug laws,
that's considered good enough.

Gordonjcp • June 28, 2006 1:39 AM

>> Actually private VPNs are illegal in China;
>> you have to register your VPNs, together
>> with decryption keys, with the government.

> Actually, that's Great Britain. China is otherwise.

Actually, that's nonsense. We don't need to register VPNs and we don't need to hand over encryption keys in the UK.

Phil Karn • June 28, 2006 3:12 AM

I point out that IPSEC (the basis of VPNs) is specifically designed to handle attacks involving injection of spurious packets and/or corruption or replay of legitimate ones. Sounds like a perfect application to me.

Jesrad • June 28, 2006 4:24 AM

Wouldn't it be easier to not trigger the filter at all ? For example, fragment the packets in the middle of sensitive data (fragment 1 ends with "demo", fragment 2 starts with "cracy").

Web servers would just need to do the same on the way back. I don't think China can actually keep connection sequence for every open connection and check whether successive fragments match the filter.

Jesrad • June 28, 2006 4:45 AM

Additionally, the criterion of the filter can be determined easily by anyone who knows a reliable, accessible host on the other side of the GFW.

In fact the criterion list could be updated in real time by the bypassing software whenever it detects that a connection received bogus RST packets.

roger • June 28, 2006 6:51 AM

@neo:
> So you're telling me that I could forge packets for any address that I wanted and send resets to say cnn.com and the person that I am pretending to be would henceforth stop being able to access cnn?

You need to know their TCP sequence numbers -- easy if you have a sniffer on their local network or route, hard otherwise. Even better, you could reset the client and then spoof it to the server; this is called TCP session hijacking. Once upon a time, when such numbers were easier to guess, this was a relatively common attack. This is the reason properly designed modern OSes generate hard-to-guess sequence numbers.

Richard • June 28, 2006 6:52 AM

Register VPN decryption keys with the government in the UK? I live here, that's bollocks, we are free to privatise as we please... unlike poor China :-(

RonK • June 28, 2006 6:59 AM

@ Richard Clayton

> ... encryption also evades ... also blockable in itself (by assessing the entropy of the packets ...

Wouldn't that also entail blocking all compressed traffic? I can't believe a non-stateful filter will be able to reliably differentiate between them.

Also, you must have heard about steganography, right? I'm pretty sure it's possible to artificially lower the entropy back down to whatever you want in a sophisticated enough way that detection would require more processing power than they can economically wield.


RonK • June 28, 2006 7:07 AM

The "than they can economically wield" part of my last post was probably a bit too optimistic. Especially if (perhaps for other reasons) someone's communications get personal scrutiny.

RIP • June 28, 2006 7:21 AM

> we don't need to hand over encryption keys in the UK.

If the HO gets its way with RIP (cue the current consultation), then we'll have to hand them over at a request.

Without a warrant.

Catherine • June 28, 2006 9:40 AM

The encryption thing is a great idea, but at least as of 18 months ago, the Chinese government did not allow encrypted packets out of the country. I know this, because I worked as a consultant for a company that was providing e-mail for employees in China and we had to disable the encryption requirements in order to allow them access to the systems.

Joachim • June 28, 2006 10:02 AM

Aloha!

One question I have is whether sending RSTs to hosts outside China makes it an offence. This really is a DoS attack (as well as a form of session hijacking).

Blocking the traffic on the border, and messing up the traffic within the PRC, is one thing. But disrupting traffic - which could mean disrupting services delivered by companies in the rest of the world - can't be OK, no?

Keith • June 28, 2006 10:10 AM

Is there a need to register decryption keys with the Chinese government for anyone who wants to access information from within?

cory • June 28, 2006 11:21 AM

Yeah, these basic ideas like SSL and shells and all that just won't work. I was in China 2 months ago, and there was just no way around it; they didn't let any encrypted traffic out. I couldn't do what I needed because my company uses a Remote Desktop Citrix solution and I couldn't even log in.

Mr.G. • June 28, 2006 12:29 PM

I use the following method when I need to use an insecure network, which can also be used to bypass a firewall watching my connections. I connect to my home computer through SSH and forward a VNC port to my remote desktop from my home computer. The connection is compressed and encrypted. Best of all, my connection is always an SSH connection to my home computer; wherever I connect through VNC cannot be monitored by my local network.

Mr.G. • June 28, 2006 12:40 PM

If encrypted packets are not allowed at all, this will not bypass the firewall in China :( An unencrypted VNC connection might work though, since it is only a compressed bitmap transmission.

Lee • June 28, 2006 1:00 PM

@richard @Gordonjcp @RIP
In the UK, the Regulation of Investigatory Powers (2000) http://www.opsi.gov.uk/acts/acts2000/20000023.htm
(Section 51, I think)
gives the authorities the power to demand decryption keys, with a 2 year prison sentence if they are withheld (forgetting is no excuse unless you can prove it). They are also permitted to prevent you from disclosing that you have provided the keys.

At least we don't have to worry, they don't use this often (oh, did I mention that its use can be kept secret).
Bother.

Chode • June 28, 2006 1:34 PM

You can also encapsulate data in etags with base64... just get more people to support embedding such things.

Chode • June 28, 2006 1:46 PM

Oh ... and you can also transfer messages using steganography in html, photos, wav files, etc...

Chode • June 28, 2006 2:02 PM

And let us not forget freenet. 0.7 once more stable should help end the madness.

Then; there is also running SSL on port 80. That may have mixed results.

Oh and data transfers over ICMP, like icmp-shell.

Creating distribution hubs in China would also work. Tunnel the traffic through multiple routes into multiple locations, aggregate it and distribute from within.

Piggy-backing traffic from Chinese government officially accepted sites in the rest of the world with a hash payload to act as a proxy... That would be nifty. Maybe random looking user-agent tags being pointers to sites and etags carrying the payload. I know, requires a special client-server model.

How about reverse proxy? Is SSH/SSL allowed IN to China? Could route with port knocking or something more simple like a web interface...

How about shipping cheap APs to China or convincing some of them to acquire some APs and have them set up rogue access points with SSID disabled and route those over backdoor methods. Then the average person could surf unrestricted. The hard work would be done by Chinese techies. I know.... they will flood China with a satellite or high altitude plane to interrupt the APs...

Last ditch effort would be to infiltrate the Film Actors Guild.... nm

Toobs • June 28, 2006 6:39 PM

It would not be a good move commercially for the Chinese govt to ban or filter VPNs as many many overseas buyers like myself need to be able to connect back to the office when travelling in China.
If VPNs were filtered out, trade would be somewhat restricted.

Jungsonn • June 29, 2006 10:31 AM

@ adevadeh who said:

"I am living in China, and yes, they block by IP. So https does not help. The Great Firewall is vast and extremely annoying. I have taken to using tor+privoxy when I want to read something from Wikipedia or Blogspot. It works but it is really slow."

Blocking IPs? Which? I can't imagine they have blocked all IPs on which SSL is utilized, for the reason that this is globally impossible.

So the easiest way is if you open a shell account on a server in the U.S. or some murky east European country, you can surf through that server.

I'm interested in which keywords they "filter" because then some people could make countermeasures and replace those words in the HTTP stream to China, beating that weird system and messing up their filters, and have a piece of software which decodes back the words that are replaced to bypass the filter.

Seems a good operation freedom 4 all project.

Fulan Peng • July 1, 2006 8:36 PM

I have an https site whose IP is forced to change every hour and whose SSL certificate changes every day. If I have a secret domain name, they can never block it. Is this right, everybody? Actually, all home computers have dynamic IPs; if everybody installs an SSL web server on his home computer then tells some Chinese the domain name privately, I think there is no way for the Communists to block it. We have a complete system to break the CCP's blockage. Please visit our web site https://breakevialaxis.org/mvnforum/mvnforum/index?lang=en

Lawrence Sheed • July 2, 2006 10:34 AM

I live in Shanghai, and have no problem with encrypted traffic. OpenVPN, SSH, HTTPS all work fine (with some exceptions). People can do their banking without issues (except CitiBank - god knows why they're singled out!)

The TCP reset seems to be the theme du jour for this month - it's affecting lots of international traffic, and it's something that they added locally in the weeks coming up to the recent conference in Shanghai.

Usually you'll know when someone important is coming, because the blocking magically disappears for a week, so the visiting journalists don't have yet another article to write about the 'evil' firewall.

At least this reminds me to add this to my firewall rules both ends.

iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

Anyone going to make a list of the naughty routers so we can get more selective about this?


Helophone • July 2, 2006 10:34 PM

And .. quote-of-the-day goes to AG "... sounds illegal to me." ROFL!

Helophone • July 2, 2006 10:46 PM

2nd prize goes to Chode "And let us not forget freenet. 0.7, once more stable..." WEEHEHEHEE!

Helophone • July 2, 2006 10:51 PM

3rd prize for Toobs, "trade would be somewhat restricted". This is the *history* of China! HAHAHA! OH NO BWEAR RABBIT PWEAE DON FWOW ME IN THE BWYAR PATCH!

Helophone • July 2, 2006 10:54 PM

Sorry I meant "PWEASE" like tweety bird says ... not supposed to be mocking of chinese accent ..

ThirdRpckPhoto • July 3, 2006 12:45 PM

This is virtually useless techno-babble to the average web surfer in China. Why can't anyone develop a user-installable, easy to configure application (platform independent would be an added bonus) that will open a hole in the firewall?

Theo • November 4, 2006 2:53 AM

After reading all this, am I right to assume that China does not block 443, 500 and the likes?

livinsider • December 7, 2006 10:13 PM

Hi, I actually live in China and must say I have seldom seen so many stupid remarks.
I'd say like 90% of the ppl telling you how it "works" in China either have little understanding of computer tech or are making up some fantasy.

I *am* living here and can tell you that Lawrence Sheed seems to be the only one who also does.
I can back up his posting 100%.
And thanks to the author for this article. It helps a lot.

PB • December 16, 2006 12:44 AM

I've been able to bypass the firewall with http://www.strongvpn.com, OK, but my problem is the speed of the connection once I'm past. I've asked and checked with strongvpn and the connection is clean, it's just slow with or without the firewall. I've got the fastest connection you can buy. What are the speeds you guys are getting?

bq • January 18, 2007 6:37 AM

PB,

I have the same problem. I am in Dongguan and using China Telecom VNET, which provides a speed of 2M for Chinese sites. Accessing U.S. sites is so slow that it is just ridiculous. Did you have any luck getting the access speed to be any faster? Any tip is very much appreciated. I am so desperate.

mills • June 26, 2007 5:00 AM

This is very clever but I've done better with my granny's computer - 7 MB of memory and 1 MB of RAM. It's shit but better than Bruce's!!!!!

Dr lee • June 26, 2007 5:03 AM

Does anyone know how to get around the school's internet security quickly and easily, as I am not great on a PC. E-mail me millsy340@hotmail.co.uk

Lawrence Sheed • July 16, 2007 9:29 PM

It's happening again this year, sigh.

Always seems to tie in with the government conferences.

We have had discussion with China Telecom contacts, and they claim that there is nothing wrong. Unofficial discussion however says that this is likely to lift after the conference as we expect.



References:
(Chinese)
http://www.qiyeyouxiang.net/node/113
http://www.5dmail.net/bbs/archiver/...

(English Translation)
http://www.google.com/translate?... node%2F113&langpair=zh%7Cen&hl=en&ie=UTF8
http://spacehunt.info/2006/06/09/...
http://webnews.giga.net.tw/article/... .cn.exchangeserver/37002

BJ • November 17, 2007 11:01 AM

This is still happening right now, on a DSL line in Gansu province.

Many connections are RESET, including random resets of SSL connections to my private webmail server (so much so that it's unusable).

SSH tunneling (to the same server) is working, fwiw.

BJ

Connelly Barnes • June 23, 2008 3:33 PM

I find the hypocrisy of most Westerners in condemning China for censorship quite sickening. They condemn censorship and then turn around and support Copyright law, and accuse people of not paying artists when they try to assert their freedom by saying what they want through the Internet. The U.S. censors pretty much everything, I've never considered it a free country at all. It's just another variant of statism: for the greater good, you can't say what you want.

JR • April 26, 2010 2:29 AM

Well, Connelly Barnes, hand in your passport and apply for Chinese citizenship if you would rather live here (or obviously in your case 'there') permanently.

It's people like YOU that make me sick.

People here in China are actually SUFFERING and all you can say is "it happens in America too". Well, it DOESN'T, that's why you can get any Chinese media in the USA but you can get f*ck all in China except pre-approved Beijing-friendly sources.

JR • April 26, 2010 2:36 AM

You'll know when Americans live in the same situation as Chinese, because one of your parties will be exiled to Hawaii, and anyone that sympathises with them and with any kind of free speech will be dead or in jail, AND forget about any kind of labor unions, welfare, or even knowing if the headache tablets you buy are real or fake. Stop complaining about "copyright laws" when people are having their organs harvested because they TRY to exercise the privilege of free speech that is only granted to government officials and not to the mere mortals in society.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..