China Now Blocking Encryption

The "Great Firewall of China" is now able to detect and block encryption:

A number of companies providing "virtual private network" (VPN) services to users in China say the new system is able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems.

China Unicom, one of the biggest telecoms providers in the country, is now killing connections where a VPN is detected, according to one company with a number of users in China.

EDITED TO ADD (1/14): Some interesting blog comments from an American living and working in China.

Posted on December 20, 2012 at 6:32 AM • 52 Comments

Comments

BrettDecember 20, 2012 6:49 AM

Hmmm. I wonder if they are able to tell the difference between a VPN service and a corporate VPN connection back to a home office. If not, going to make for some fun times in the IS departments of many multinational companies doing business in China.

vDecember 20, 2012 6:52 AM

@Dan
however much we expect/fear the death of freedom it doesn't meant an event - even in China - should go uncommented on.
Having said that I'm slightly surprised they blocked rather than broke.

PybeDecember 20, 2012 6:59 AM

@Brett: Recently, our corporate VPN that we're using to communicate with our Chinese partner has been blocked off regularly. We tried changing the port, but it kept on getting blocked off.

So I guess the answer is no, or at least not for the small companies.

Clive RobinsonDecember 20, 2012 7:18 AM

Whilst this has been expected for some time, there are numours solutions that could be used to get around the block as currently described.

However that is perhaps not the main point to consider...

Tthe assumption is that China is doing this to stop it's citizens seeing or communicating with entitiess the Communist Party has issue with.

However there may be a more serious issue from the point of businesses with entities in China. It may be a move designed to perform espionage by trying to force company secrets out into the open. Forcing companies off of VPN's is in the sshort term cause ad-hoc solutions that will in effect open up corporate firewalls thus also aiding in APT type activites.

WinterDecember 20, 2012 7:29 AM

Does this block https too?

I heard somewhere that China will regularly do man in the middle attacks on https connections. But if you can get the certificate, that would show.

Carlo GrazianiDecember 20, 2012 7:29 AM

Are they killing ssh/port 22?

If not, a simple work-around is to set up an encrypted tunnel over ssh. Not distinguishable from a vanilla ssh connection.

jokergirlDecember 20, 2012 7:33 AM

Interestingly, I've been to China last week and my VPN worked fine... so I'm not sure that it is already working.

stvsDecember 20, 2012 8:41 AM

Now it's a game of whack-a-mole. OpenVPN's port 1149 is apparently completely blocked, so VPN companies are recommending UDP on other ports, or even harder to block TCP.

It's trivial to stand up an OpenVPN server on any port with either protocol. If one does certificate-based VPN with TLS authentication, how easy is it to detect the VPN tunnel versus any other kind of encrypted traffic?

indeedDecember 20, 2012 8:50 AM

China has been autodetecting tor bridges and disabling them in the firewall for a year or so thus obfsproxy was written to conceal encrypted traffic

Karlos2x2lDecember 20, 2012 8:55 AM

Does anyone but me see this as an opportunity for the CH govt to start selectively charging companies to allow VPNs in their domain? Long live Capitalism!

StephaneDecember 20, 2012 9:20 AM

"It's trivial to stand up an OpenVPN server on any port with either protocol. If one does certificate-based VPN with TLS authentication, how easy is it to detect the VPN tunnel versus any other kind of encrypted traffic?"

If they are doing deep packet inspection, it's rather easy to detect these types of connections during either initial handshake or later during key renegotiation.

One solution would be to use a port that routinely uses TLS (like 443) but then they can still break it by performing a MITM attack on the channel: they won't get to see your traffic, but they'll still break the VPN.

aikimarkDecember 20, 2012 9:20 AM

I wonder what the reaction of the central government will be if a foreign company stated they will pull their business out of China if they can't communicate securely with their China operations.

StephaneDecember 20, 2012 9:22 AM

"Does anyone but me see this as an opportunity for the CH govt to start selectively charging companies to allow VPNs in their domain"

You mean CN, I suppose: the Swiss government isn't really interested in charging for VPN (and doesn't control Internet, even locally).

Marvin SpatchcokDecember 20, 2012 9:42 AM

There's been an arms race on for years. The GFW occasionally upgrades; the numerous small VPN / workaround providers update pretty fast. There will always be a way.

Peter A.December 20, 2012 9:44 AM

@Stephane: The TLS-like protocols can be easily detected indeed during the initial handshake, esp. the server certificate is sent in the clear.

One possible way would be to use a protocol with pre-shared keys like the OpenVPN 'symmetric' mode - the traffic looks like garbage from the very beginning. But then there's a problem with efficient and secure key distribution, specifically for a user that is resident in China, not coming from abroad for a visit. Moreover, stricter policies may be employed bu the Chinese government - reject anything that is not a 'known good' protocol, for a convenient definition of 'known good'.

stvsDecember 20, 2012 9:46 AM

it's rather easy to detect these types of connections during either initial handshake or later during key renegotiation. … MITM attack on the channel: they won't get to see your traffic, but they'll still break the VPN

According to OpenVPN Security, "an SSL session is established with bidirectional authentication [then] encryption/decryption and HMAC key source material is then randomly generated by OpenSSL's RAND_bytes function and exchanged over the SSL/TLS connection."

Wouldn't OpenVPN with certificate/key exchange look like any other SSL/TLS channel, DPI or not? If so, the only secure way to block OpenVPN is to blindly plug all ports, including port 80, or at least all TLS if DPI is used.

It appears that this is the approach of the GFC -- just block a bunch of ports used for VPN, and VPN "detection" so far isn't actually VPN detection, but simply observation of the use of port UDP 1194 (OVPN) or TCP 1723 (PPTP). It *would* be trivial to detect PPTP (people are still foolishly using it) but it's not necessarily clear that certificate-based OpenVPN is detectable by itself.

Paul SuhlerDecember 20, 2012 10:53 AM

In pre-Internet days I heard a story that the French government required foreign companies doing business in France to hand over the keys for any encrypted telecommunications. Presumably this was for the benefit of French companies.

Is there any truth to that story?

SpellucciDecember 20, 2012 11:34 AM

@aikimark said, "I wonder what the reaction of the central government will be..."

Didn't effectively the same thing already happen with Google? The central government's reaction was, "Don't let the doorknob hit you on the way out."

MapesDecember 20, 2012 1:03 PM

@Winter

Unless they signed it with a China based CA that is already in most browsers selection of CA certs. In which case no invalid cert.

install bsdDecember 20, 2012 1:19 PM

As mentioned before, obfsproxy already solves this problem by obscuring your encrypted tor or vpn traffic into http looking traffic and some people have released obfsproxy+openvpn bundles

http://sourceforge.net/mailarchive/message.php?...

Or, you could make your own obfsproxy tor bridge using a dirt cheap VPS you bought with bitcoins, configure Torrc file to only use 1 hop (your own bridge) and there's your vpn.

Interestingly, redphone encrypted voip traffic isn't affected by this new clampdown (yet) though China has been zapping tor bridge traffic for a while now:
https://blog.torproject.org/blog/knock-knock-knockin-bridges-doors

FigureitoutDecember 20, 2012 1:28 PM

I've got a Chinese ladyfriend who uses I think Sina Weibo, she told me how she criticized the gov't and had that post "mysteriously deleted". She also says she likes living in the U.S. more and the talk about China growing economically is exaggerated; her words not mine. Just odd to think gov'ts feel so threatened w/ open communications; and if they're being used to plan attacks, maybe that should be a hint there's a little anger.

t3zarDecember 20, 2012 2:32 PM

the only way i think DPI can't block is making a VPN based on this scheme : VPN server give client software to user with a shared secret, user request access youtube.com and VPN server fetch youtube.com and encrypt it, then to send data to user server do this : make an HTML page with a random template and translate ciphertext (encrypted youtube.com/index.html) into a code book to make data only shown as letters or numbers that look like all regular web pages. then send this html page to user, client decode the data on this page based on code book into ciphertext then decrypt ciphertext then user have youtube.com/index.html and great firewall can't block it without AI with DPI, if so all internet get down :D

CurmudgeonDecember 20, 2012 3:17 PM

It's surprising that China didn't take a page out of the Canadian ISP playbook and use protocol white listing.

It's not hard to create DPI signatures for known, widely used, cleartext protocols and block everything that doesn't match a known signature.

Most Canadian ISPs use this method to block Bittorrent and degrade VPNs, HTTPS, and all TLS, for home users without business accounts.

China's firewall could very easily use the same method to drop all VPN traffic rather than, as Canada does, inject enough latency into VPN connections to make interactive use impossible.

Harvey MacDonaldDecember 20, 2012 4:05 PM

Early FSB message - apparently a species of spider is aware of how it _looks_, and creates enlarged decoys of itself to avoid predation. Oh, and it ties puppet strings to the different appendages so it can make the fake spider act like a real spider.


No word yet on how long it will take them to overthrow humanity, but it certainly can't be that far off.

http://www.theregister.co.uk/2012/12/20/...

W.B.R.December 21, 2012 2:01 AM

@stvs: OpenVPN's page exagerates: the connection is based on SSL, but is not SSL. sslh for example can tell OpenVPN and SSL apart. That said, add a layer of proxytunnel or corkscrew and you're there.

@Paul: I think France was requiring key escrow for reasons similar to the US preventing export of crypto: plain paranoia of the police not being able to eavesdrop, rather than organised industrial intelligence.

JohnstonDecember 21, 2012 6:36 PM

You always hear how labor & manufacturing are cheaper in China, but I can't recall ever hearing how other costs of doing business in China are increased due to connectivity being regularly sabotaged.

TimboDecember 21, 2012 9:37 PM

I'm the head of IT for an international company. This new block is very easy to defeat... simply as soon as you register a disconnection, get the vpn to reconnect on another port. (ensure your vpn server accepts connections on a large range of ports).

We are configuring each of our openvpn's (one in each office) with 4 random ports. Usually we don't get disconnected at all. It takes hours for the GFOC to kick in and detect it.

If they get faster we will simply have a pool of 5 vpn connections to different computers with 4 idle at each office. If one goes down we will pipe traffic over the others.

Gordon StewartDecember 23, 2012 4:39 AM

I don't know if the blocking is relatively isolated, or even if this is just plain old FUD.

I have no issues using VPN from offices in Beijing, Shanghai, Suzhou, Qingdao and Chongqing, all connecting to the UK.

4 of those are TLS tunnel based VPNs, and one is PPTP.

jrDecember 23, 2012 5:33 AM

I work for a large hosting company that has a datacenter in Hong Kong. We routinely see connectivity problems to mainland China, and sometimes it's just very high latency (>600 ms) and packet loss, which could be caused by poor engineering or rate-limiting, and other times it looks like something is being filtered. We haven't had any problems with VPNs specifically that I know of, although one of our lawyers believes VPNs are illegal in China. Occasionally we can route traffic through a different entry point or change a port number to work around apparent filtering, but for the most part any connection back to the mainland is unsupportable.

LawrenceDecember 27, 2012 10:14 PM

As far as I know, the Guardian post is mostly spurred by the VPN provider Astrill getting blocked yet again by the government here in China.

For a few years now, the government has been playing whack a mole with each providers setup. Usually they concentrate on the provider specific servers.

The government uses a grab bag of different techniques for blocking. Each region/area has different equipment installed, and different techniques in place. So what gets reported as being in place for Beijing doesn't apply to Shanghai, etc.
You'll find in practice that the major centres will have more up to date blocking, as you go to 2nd and 3rd tier cities, there is less in place.


For commercial use, VPN is legal, although not for web traffic (unless its to a corporate net or similar). Eg Business use is fine.
We have no problems for point to point VPN at clients using China Telecom over business level equipment - eg Checkpoint hardware, or even Cisco PIX (at the low end).


OpenVPN on the other hand is widely used by home users to illegally* bypass government blocks, so is targeted heavily. Current blocking appears to be using DPI to detect openvpn connections, although its not implemented that thoroughly yet (as people have noted above, you can connect on another port after initial setup).

Each providers backbone will also have different restrictions in place.
You'll usually find that the second and third tier providers have more restrictions in place. Eg China Unicom is more heavily restricted than Telecom is.
This is mainly due to governmental restrictions - essentially - if you aren't a state entity, you have to be more careful.

Western 5 star hotels may also have less restrictions in place due to hardware infrastructures - although the monitoring is generally ramped up at the telco side.


China works on a things roll downhill mechanism.
Each provider is responsible for their users.

So if something happens at a user level, their ISP is responsible, for the ISP their provider is responsible, for the provider then their carrier is responsible etc.

This structuring makes sure that each segment takes care that their customers do things the way that the government wants. No-one wants to get in trouble, and no-one wants to be fined, or lose their business licences.

At the moment user VPN is more of a nuisance thing than a bit deal, so its more a matter of following orders from above to restrict it. If there was a serious face losing incident, then that would change.

Given the limited amount of legitimate vpn's here, i wouldn't be suprised if at some stage they just block everything, then only registered users will be able to use them., or they restrict vpn to business level connections only.

---

*I'm not going to talk about whether its a good or a bad thing. Its illegal to bypass the firewall to view blocked sites here. If you break the law, thats your business.

Philip G. CollierDecember 28, 2012 9:10 AM

As an American working and living in Xiamen, China, I can confirm that the GFW has been much more aggressive in suppressing VPNs. Their detection and blocking system is limited in speed, requiring 8 to 10 hours to detect and block my OpenVPN connections.

First, the connection slows, as though my traffic is being segregated. Then they block the port and IP. I have a cheap Amazon EC2 server running as a VPN, and it is a trivial matter to change the IP and stay connected to the outside world. My colleagues are having a hard time with email, banking, and other internet tasks, and we do our best to get these private servers (with OpenVPN) dancing in fresh IPs.

As foreigners here, we try to stay under the radar, but the rich, corrupt punks running China have yet to understand that a regime being widely criticized in the press and social media must have real flaws. Be that as it may, port and IP rotation keeps us online longer than we're off. Next, the GFW will have to sever all lines to the outside, and that knife cuts both ways.

Hang Tough.
Truth and cryptography will set you free.

Philip C

TwofishDecember 28, 2012 10:34 AM

What the Chinese government is doing is an incredibly clever bit of social engineering.

Rather than blocking all VPN's which indeed would cause Western businesses to consider leaving, they appear to be leaving the VPN systems which large businesses use (IPSec) open. Also, the Chinese government also can figure out what IP addresses are used by large companies, and specifically not block those. However, not blocking corporate networks is not going to help "personal" users, because most large corporations have usage policies that prevent users from using their networks for personal purposes, and while a large corporation is going to complain loudly if their VPN's are cut off for business reasons, most companies have policies that prevent their networks from being used for "political" purposes (i.e. try sending out a campaign flyer from a work account and see how fast you get a nasty call from HR).

The problem with "cryptography will get you free" is that cryptography is focused on the wrong problem. This isn't a cryptography problem. It's a traffic analysis/stenography/social engineering problem. The openvpn protocol is designed for preventing a hostile user from reading a message, but it obviously is not designed for preventing a hostile user from knowing that a message has been sent, and from cutting the connection completely. Even worse, the fact that large companies and individuals use different protocols (IPSec versus openvpn), allows the Chinese government from blocking individual users without blocking large companies.

One other thing that I've noticed is that the increasing use of broadband makes it harder to to stegnography. One thing that I've noticed is that the GFW is less aggressive at blocking text than it is at blocking video streams. Sending one e-mail and you can hide in the chatter. Sending a youtube video and its much harder to hide. Furthermore, broadband media is easier to block. If you want to send a 5kb e-mail, this is hard to block, but sending a 10GB video and you can degrade the service to the point that it is unusable.

twofishDecember 28, 2012 10:50 AM

* Tthe assumption is that China is doing this to stop it's citizens seeing or communicating with entitiess the Communist Party has issue with.

It's actually not....

The point of the GFW is two-fold

1) It's to prevent people from mass organizing. In general the GFW doesn't block people in China from communicating with each other in ways that the Party cannot control. One thing about the GFW is that it's never been able nor has it ever been able to block all news sources from the West. But it has been used to block things like facebook in which people can use to organize.

2) It's also to create "self-censorship." The thing about the GFW is that the more trouble you have to do to bypass it, the more you are internally aware that you are doing something unsanctioned, and the more likely you are to self-censor. If I have to spend five hours setting something up to read the New York Times, then when I write an e-mail on gmail (which isn't blocked), there is this voice in the back of my head saying that maybe I ought be a little reserved about how I actually feel about the experience.

3) Finally it's a convenience thing. If you have to spend hours and hours trying to connect to youtube, then after a while you feel like just giving up and viewing and posting on the censored alternatives.

The important thing to realize is that the purpose of the GFW is not to make communication *impossible* but merely to make it *inconvenient*. If you know that you are being watched then you end up merely passively reading rather than organizing.

Something that I think that people just have to accept is that the "technological utopianism" just will not work, and that the Chinese government has in fact successfully tamed the internet, and they've done so by focusing on *social factors* in addition to technological ones. Yes, people can and should think of countermeasures, but I think that these countermeasures need to take into account the *social context* of the GFW. Otherwise, people are just solving the wrong problems.

TwofishDecember 28, 2012 11:13 AM

Question: I wonder what the reaction of the central government will be if a foreign company stated they will pull their business out of China if they can't communicate securely with their China operations.

Most likely they'll unblock the ports for that company, and as long as the company uses the ports for internal corporate communications, no problem...... Now if that company starts using that network for non-corporate communications, they'll be asked to stop, and if they don't stop, they'll be kicked out. But it's a clever piece of social engineering, since most corporations frown on using corporate networks for personal use anyway.

One reason that I think this is what is going on is that corporations in China are allowed to connect directly with servers outside of China thereby completely bypassing the GFW in the first place. What corporations are *not* allowed to do is to set up shop as a telecommunications operator. I.e. if a company wants to bypass the GFW for its own internal use, it can do that, but if it starts selling or letting people outside the company use those services then it becomes an unlicensed telecom operator and it gets shut down.

This is the problem with VPN's. A large enough company can (and many companies do) create a *non-virtual* private network, and as long as the physical private network is not shared, the Chinese government doesn't block those.

TwofishDecember 28, 2012 11:29 AM

quote: *I'm not going to talk about whether its a good or a bad thing. Its illegal to bypass the firewall to view blocked sites here. If you break the law, thats your business.

One curious thing is that under Chinese law, it *isn't* illegal to bypass the firewall. There is no Chinese legal regulation that prevents a person from bypassing the GFW, and no person that I am aware of has ever been sanctioned for attempting to bypass the GFW or for passively *reading* content.

It is a violation of Chinese law:

1) to operate an unlicensed telecommunications company that allows other people to bypass the GFW. However curiously enough it's not a criminal violation to do so. It's a massive civil violation in which the government can go in and just shut you down and fine your company into bankruptcy.

2) under several laws (i.e. state subversion), it is a violation to *write* content that is considered subversive, and there have been many prosecutions for *writing* literature. Organizing people gets you into even worse trouble.

One reason that it's not a violation of Chinese law to *read* or to *personally bypass* the GFW is that if it were, the public outcry would be so large that the government would have to back down. One part of the reason that the Chinese government has been rather successful at taming the internet, is that rather than making everything illegal and blocking everything, they've selectively figured out what to make illegal and to block.

TwofishDecember 28, 2012 12:22 PM

Apologies for posting so much.

Part of the reason I'm doing this is that I've been really annoyed at the difficulty that the GFW has been causing me, so I'd like to provide as much information as possible so that people can figure out countermeasures.

A few observations:

1) Not everything is blocked. What gets blocked changes from day to day, but New York Times is blocked. Washington Post is not. Most Google searches are not blocked and Google maps are not blocked. Gmail is not blocked, but youtube and google chat is.

There seems to be an intentional effort to make the block "leaky." I'm really annoyed and maybe a little angry about it, but I'm not so annoyed and angry that I'm going to join a street protest or leave China.

2) One thing that alarmed me before all of this happened was how easily people are willing to give you security for convenience. One thing that the Chinese government did a few months back was to encourage Chinese service providers to promote single sign on. The way that it works is that if you want to register for a new web service, you just type in your Chinese cell phone number and you are automatically registered. Once you are registered for one site, you can automatically transfer your registration to any other Chinese internet service.

The interesting thing from a social engineering point of view is that no one protests against this regulation, because in fact it does make the Chinese internet more convenient. Instead of spending ten minutes to register for a new website, you just type in a number, and you are done.

However, the security issue should be obvious. Not only can the Chinese government track down anyone to their mobile phone, but they can effectively prevent someone overseas from posting to a Chinese website. The only way you can post to a Chinese board is if you have an account linked to someone with a mobile phone in China.

3) Speaking of mobile phones. Smart phones are cool.... Find restaurants!!! Never get lost!!! Makes you want to carry your phone around where ever you go. But.....

Now, because every Chinese web service is now linked to a mobile phone, if someone posts something the Chinese government finds objectionable, they can now link that post to a mobile number. Once they have a mobile number, they can then figure out where that person has been in the last month, and everyone they have talked to.

4) Boycotts from Western companies will not work. The thing about boycotts from Western companies is that Chinese domestic companies just love them. Less competition. Every Western internet service has a Chinese equivalent. Many of them are less polished and less functional than the Western equivalent, but you can access them without gashing your teeth.

5) A lot of the technology that the Chinese government is using is based on corporate environments. What the Chinese government is doing is creating a giant intranet, so all of the technology that can be used to create corporate intranets can be deployed at a national scale. Also a lot of the "mental know how" that the Chinese government is using comes from the corporate world.

6) The internet was supposed to be impossible to control because it was supposedly decentralized. The problem is that once we got out of the "frontier era", it turned out that centralization meant convenience. I remember the "good old days" when I had to run my own mail servers and I had my own http server. However, I use an ISP for that now. However, convenience means centralization, and centralization means choke points.

This is true even when the centralization happens in the West. It would be much hard for the Chinese government to block facebook or google if there were a thousand facebooks, twitters or googles. But because there is one facebook, one twitter, and one google, it makes it easier for the Chinese government to target a block against that one target, and to develop local equivalents to them. One reason it has been surprisingly easy for the Chinese government to target VPN providers is that there are only a few dozen of them, and they are running pretty similar technology.

I apologize for posting so much, but I figure that the more information i provide, the more people can figure out how to develop effective countermeasures.


Philip G. CollierDecember 29, 2012 1:46 AM

What we have in the making, as described by Twofish is a form of internet apartheid. Large corporations will have security and connectivity while small businesses and individuals will not. Rich, squeaky wheels will be able to encrypt their meetings and transactions, while individuals will not. Their network activity is legitimate, while an individual's is not... Well, that makes people easier to control, doesn't it?

That will enrage any Westerner who expects to have the same security and connectivity privileges as a travel agent as Wal-Mart gets as a fortune 500 company.

For sure, OpenVPN (in its various forms) has a detectable footprint that the Chinese can exploit. What we need next is something hard to distinguish from "noise to a thousand IPs on a thousand ports" that is also strong. I'm not at all sure that's possible with the network we have. And what will happen if the Chinese stop trusting IPSEC? Presently, the trend is toward less trust, so even the big shots may start to suffer financially from reduced connectivity.

And, yes, the censorship is selective. Google searches are VERY slow these days, without a VPN. Gmail and Yahoo mail are choked off as well, but not 100% of the time. Individual news about China is subject to filtering, as usual.

Being restricted to connecting in the clear, from a Chinese IP is not acceptable, as some foreign sites block Chinese IPs. Access to our home government sites, certain technical forums, and too many mere blogs are blocked, so there is indeed demand for effective circumvention tools. Then, the Chinese can see unplugging the internet as a final solution.

Cheers,
Phil C

TwofishDecember 29, 2012 1:05 PM

It's not so much apartheid as "indirect control." The Chinese government allows corporate networks to bypass the GFW, because most corporations already have internal network policies that control traffic that is not business related.

Also, once you realize that what the Chinese government is doing with OpenVPN. It's not hard for someone with some network knowledge think of some easy countermeasures. The problem with countermeasures is not that they won't work, but they are hard to publicize. I can write a quick two page summarize of how to bypass the current measures. The trouble is that if any substantial number of people start using them, then it will get a lot of hits on google, and then the Chinese government will see it and then block those. It's pretty easy to come up with some "home brew" ways of getting around the current blocks (look for foot covering that rhymes with blocks).

The problem is that I don't see a way of publicizing that information.

What the Chinese government did in recent weeks was not to ban all encryption. What they basically did was to do a google search of "bypass Chinese firewall" and then put in a new system that targeted the top hits, and it's gotten a lot of press because people were using the top methods for circumventing the GFW.

Anything that requires a requirements document and years of design is not going to work for me.

I suspect google searches are intentionally slow. The government doesn't want to ban google, because if it bans google people will stop using it. What I think they've been doing is "degrading" the search so that video and audio becomes unusable. I also suspect that the reason they do this is that text is more easily filterable whereas video streams are not. Also, I think that the government really doesn't want to drive political activity underground. If it starts using harsh measures and makes searches impossible, then people will start using TOR and strong encryption. That's not want the Chinese government wants because if that happens, everything will go underground. So it makes gmail painful to use, but not so painful that people would want to install TOR.

The other thing is that I think people get the threat model wrong. For example, for something for be useful for me, I *don't* need anonymity. I'm pretty sure that the Chinese government can track me down it they want to, and I don't do anything on the network that would give them a reason to do this. Something that is useful for a political dissident would not be useful for someone that just wants to read the NYT, and vice versa.

One other thing is that a lot of "nice ideas" don't work. For example, you might think that it would be good to have a lot of open proxy servers outside of China to let people bypass the GFW. The trouble with that is that if you have an open proxy server, you'll find that almost no traffic consists of Chinese political dissidents.

Also, I don't think that the Chinese government wants to "unplug the internet". The thing that the Chinese government is concerned about is less to prevent information from getting in, than having people self-censor themselves. Again, there is a copy from the corporate world. I'm *not* going to send an e-mail about what I feel about the CEO from my corporate account. I don't have any problem doing this from my gmail account, since I know that my boss doesn't have access to my gmail account. In censoring the NYT, the goal of the Chinese government is not to prevent me from reading the NYT, its to just put in a psychological block so that I know "someone is watching" and I think about posting someone in public, and that prevents the internet from being used to search of "like minded individuals."

One other thing is that I think that there is a reason why the blocks have gotten more effective over the last year. The Chinese bureaucracy works on a "conveyor belt" system. The top people retire, and then everyone below gets promoted. What I think happened in the last year are two things. The first is that some technically capable people just got promoted into being in charge of the GFW. The other is that there has been a generational shift in technology people in China. The people that graduated from CS departments in 1990 tended to be rather anti-government. However, since 1990, students in elite Chinese colleges have tended to consist of people that have benefited from the current system (often the kids of top party members). Whereas a network engineer in 1995 wouldn't think of helping the government censor the internet, the Party has no shortage of very technically adept people working for them today, and that's starting to show up.

Collier: And what will happen if the Chinese stop trusting IPSEC? Presently, the trend is toward less trust, so even the big shots may start to suffer financially from reduced connectivity.

I don't think they will. Early on in the 1990's, the Chinese government tried to ban all encryption and gave up because the backlash from business was too large, but if found that it didn't need to do this. The Chinese government can "trust" businesses with encryption, because large businesses are for-profit entities and not political dissidents. Even the most free-speech oriented company is not going to let random people on their internal networks.

yonJanuary 2, 2013 1:50 PM

The network blocked is the most serious during the Communist meetings,Blocking all sensitive use of network.Now blocked the degree mitigate.Now monitor your network data at any time, if it is found on any of the prohibited keyword,Your network will be interrupted.So at least need to do is to encrypt your network data before you send.
I have no use VPN. I am use other ways.

phone switchingJanuary 8, 2013 3:33 AM

Time to start a massive smartphone-exchange scheme.
Choose a cheap smartphone with microSD card reader.

Create an Android app with a peer-to-peer capability over bluetooth.

When two smartphones with this app pair over bluetooth, this app ask both
persons to meet and exchange their phone (but not the SD-card).

This app then informs a specific server maintaining yellow pages, then make a factory reset.

This server is out of reach of LEO.

It would be more secure but less convenient without SD-cards.

It would be more secure to replace the Android app by javascript hosted on the server.

It would be more secure when used massively.

AlexanderMarch 12, 2013 10:36 AM

Hi all,

since recently it has been difficult to get a direct vpn connection.. would SSL VPN work? it should be creating an HTTPS tunnel, always keeping in mind of mitm attacks

Alex

ElfApril 24, 2013 4:16 AM

Seems China has finally eased on the VPN blocking, hooray! You can follow this blog to keep up to date on the Great Firewall situation.

RZNovember 23, 2013 9:25 AM

I have a simple solution.... If their policies are hindering business they should know. If they don't allow businesses to use technologies they have already invested in.... pull out your offices. Shut them down.

FailpointDecember 19, 2013 5:46 PM

file under: US analog to China's wall
//A cost-effective Solution: where did SOPA go?
- not a magic bullet but...
- OpenDNS founder is an idiot that threatens splinternet: David Ulevitch
Nobody told Dave there are scores of DNS access points. He wants his socialist version of freedom of speech, but his company provides a non-useful DNS content filter snap-in for consumer routers. The contradiction is funny, and that type of filter doesn't even work.

People crying about China's gate...but it halfway works:

Sorry for the media theft crowd, but after the FBI downs darknet and bitcoin, they will probably finish torrent by attacking DNS farms for fronting the trackers. It's called aiding and abetting.
Do you want the hidden cost of intel offense, or do you want cost-effective infrastructure defense? You could re-task 50% of what Raven Rock does.
Hell, do you want entertainment media to exist? Broadcasted uploads and downloads is not "private sharing". There is no freedom of speech in what torrent does. The government downed SOPA because some people need to keep their lackeys in intel. Everybody chimed in for the wrong reasons, and now everyone is complaining about privacy invasion. That is the lesson to be learned. Choices.

From highschool boys to Japanese businessmen are going to cry when the flow of Hentai gets choked. Only a matter of time before the lawyers are properly briefed on the loss of tax revenue from media theft. The number must be staggering. The question is: do you think media theft actually increases interest in media as an advertising mechanism, that which Youtube proports, or is that just an immeasurable crime/excuse?

Download fast, perverts. It's all coming to a head.

Doing business with China? Any business is not good business. Get burned. I actually applaud China for checking the front door. Cry. Beat around the bush. You just want your downloads. Otherwise, why care? What, is this failed bicameral joke any better? I can't tell now.

NateDecember 27, 2013 5:30 AM

Failpoint • December 19, 2013 5:46 PM

You think you know way too much about what you talk about... bitcoin, torrents, porn, hentai.

I applaud you for not doing business with China. China is not ready for people like you... they would not understand your way of thinking and hence you would fail to get their business leaving you feeling burned.

Also... You should get into poetry... Your writing is so expressive... cry... beat around the bush... uhuh... well said.

Gabriel RüeckMarch 14, 2014 4:04 AM

That was to be expected as there is research on that in China. See OpenVPN Traffic Identification Using Traffic Fingerprints and Statistical Characteristics for a paper on how to discover openvpn connections.
But right now (fortunately), openvpn still does work most of the times from landlines, but it has become really difficult from mobile networks.
Also, the VPN connection typically seems to break when the key is re-negotiated. Some of the major VPN providers however seem to have developed counter-measures already. That is the good news.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..