How the great firewall of China detects and blocks fully encrypted traffic [pdf]

gfw.report

380 points by mngnt 2 years ago · 288 comments

WinstonSmith84 2 years ago

I was wondering about simply using VPNs, which is not mentioned in the article at all, but checking GFW on Wikipedia, it tells:

> The use of VPNs in China can provide individuals access to the international internet, but in China, it can be a potential legal risk. In 2017, the Chinese government declared all unauthorized VPN services to be illegal.[94] An example of the use of this punishment is Vera Zhou, a student at the University of Washington, who, when visiting her Hui parents in Xinjiang, China, used a VPN to access her school homework. She was arrested and sent to a Xinjiang internment camp from October 2017 until March 2018, followed by house arrest after her release. She was not able to return to the US until September 2019.[95][96]

  • guessmyname 2 years ago

    More context about this Wikipedia excerpt:

    https://www.chinafile.com/extensive-surveillance-china

    https://www.rfa.org/cantonese/news/student-01272020075256.ht...

    It looks like 周月明 (Vera Yueming Zhou) was sent to a Chinese concentration camp mostly because she was part of a religious minority and not necessarily for using a VPN to access the University of Washington’s website.

    > Vera was living in her hometown of Kuytun (Kuitun) in Ili Prefecture, an area directly north of the Tian Shan mountains that borders Kazakhstan. She had been trapped there since 2017, when—in the middle of her junior year at the University of Washington, where I was an instructor—she had taken a spur-of-the-moment trip back home to see her boyfriend, a former elementary school classmate. Using digital surveillance tools, the Kuytun police had noticed that Vera had used a Virtual Private Network in order to access websites such as her university Gmail account. Given her status as a member of a Muslim minority group, this could be deemed a “sign of religious extremism.”

    • kjs3 2 years ago

      That's the thing about "illegal but everyone does it"...it's nothing to worry about until the government decides it's convenient to enforce (against an individual or group), and then it's definitely something to worry about and it becomes a low barrier pretext for all sorts of oppression.

      • sowbug 2 years ago

        Remember this next time you're driving above the speed limit on the highway. Especially if you live in the US and are white.

        • kjs3 2 years ago

          WTF are you talking about. Being white means it's a non-issue. Being not-white is potentially fatal.

    • esaym 2 years ago

      Encamped for your beliefs and not for breaking the law, that makes it much better!

    • nonethewiser 2 years ago

      Just tragic. Hard to imagine living in such a backwards place

    • stevofolife 2 years ago

      Thanks for this elaboration. Upon reading the original comment, it felt very strange that she was "encamped" for using a VPN to access her school homework. Immediately I knew there was more than meets the eye.

    • pessimizer 2 years ago

      Exactly. This is the period when Muslim ethnic groups like the Uyghurs were being rounded up on any pretense to be reeducated into not wanting to be separatists anymore (often with no indication that they had anything to do with separatism other than their ethnicity.) Seeing the VPN pop up was more than enough of an excuse. Calling it a "genocide" is 99% propaganda, but it was obviously a sinofication meant to get rid of separatist identities and cultures, and a horrible injustice. In the beginning, they were inspired and immunized by the US's anti-Muslim fervor during the GWB invasions (we were not only not criticizing, but probably even sharing intelligence with China.)

      • l3mure 2 years ago

        > In the beginning, they were inspired and immunized by the US's anti-Muslim fervor during the GWB invasions (we were not only not criticizing, but probably even sharing intelligence with China.)

        Yeah, seems to be overlooked quite a lot since it's convenient for the US narrative lately.

        > Starting in 2002, the American government detained 22 Uyghurs in the Guantanamo Bay detainment camp. The last 3 Uyghur detainees, Yusef Abbas, Hajiakbar Abdulghupur and Saidullah Khalik, were released from Guantanamo on December 29, 2013, and later transferred to Slovakia.

        > None of the Uyghurs wanted to be returned to China. The United States declined to grant the Uyghurs political asylum, or to allow them parole, or even freedom on the Naval Base.

        > A May 2008 report by the Inspector General of the United States Department of Justice claimed that American military interrogators appeared to have collaborated with visiting Chinese officials at Guantánamo Bay to enact sleep deprivation of the Uyghur detainees.

        https://en.wikipedia.org/wiki/Uyghur_detainees_at_Guantanamo...

      • matchapples 2 years ago

        Why do you say it's 99% propaganda?

        "sinofication" sounds a lot like "eliminating the existing culture" which sounds a lot like genocide. Genocide is more than just murdering everyone like in some of the most well known cases like the Holocaust -- it includes elimination of an ethnic group by any means possible, including "nativification"

        • ineptech 2 years ago

          I understand where you're coming from, but -cide implies killing.

          • ImPostingOnHN 2 years ago

            the "cide" in genocide refers to destroying

            for example, a cultural genocide refers to destroying culture, e.g. Uighur or Muslim culture

            • woooooo 2 years ago

              Would you say the choice of the word "genocide" here is because it's the most accurate description of what's going on?

              Or is it chosen for rhetorical/propaganda effect without too much concern for accuracy?

              • mayormcmatt 2 years ago

                Not the person you're responding to, but it is an accurate description of genocide under its current meaning as defined by the UN (probably the most authoritative body on this kind of matter).

                https://www.un.org/en/genocideprevention/genocide.shtml

                What the Chinese are doing there is covered under Article II, c.

                If you are being pedantic by holding fast to the literal Greek translation of "geno" and "cide" then, well, this is simply not the complete modern meaning of the term.

                • ineptech 2 years ago

                  There is no authoritative body on the definitions of words. More generally, if genocide can mean "not killing, but very bad" then it is not much use except as an epithet - a negatively-loaded bomb to be lobbed in partisan debates at people who you think are doing something very bad. Virtually every controversial policy could be described as, "Causing serious bodily or mental harm to" some group.

                  • ImPostingOnHN 2 years ago

                    > There is no authoritative body on the definitions of words.

                    false: there are a few. They aren't always correct, but they're more correct than you personally

                    > More generally, if genocide can mean...

                    there is no question what it means, you simply personally disagree with it

                    and since you definitely aren't an authoritative body on the definition of words, your personal pedantic insistence that the word mean only what the strict etymological roots imply, rather than how people actually use it, is irrelevant

                    > a negatively-loaded bomb to be lobbed in partisan debates

                    it's quite telling that you seem to view usage of the term "cultural genocide" to refer to cultural genocide as a bigger issue than actual cultural genocide

                    don't like people using the correct term to refer to the action? maybe get those perpetrating the action to stop, instead of telling everyone we're using the wrong words to describe it.

                  • dirtyid 2 years ago

                    The definition US propaganda under Pompeo as head of State tried (and failed) to meet was the UN's convention on genocide, which would trigger legal responses in member states. The TLDR is Pompeo laundered very tortured legal analysis through Zenz and some Gulanist Saudi think tank (IIRC) to try to insinuate PRC met the definition, when most credible international lawyers saw through the bullshit, but noted PRC actions were closer to cultural genocide, which does NOT have a definition at the UN, and hence is not prosecutable. The result is PRC actions merely labelled as potential human rights abuses at the UN, aka business as usual, and a bunch of useful idiots who ate Pompeo's bait thinking PRC actually met the definition of genocide when it manifestly did not. And by business as usual, of human rights abuses / cultural genocide, it puts PRC XJ actions in league with behaviours of the west. Hence you don't hear much about the XJ campaign anymore from western propaganda, because the propaganda was mostly useful if the genocide label stuck at the UN, and made PRC actions more nefarious, not equal to the west. Now it's mostly used by the US to justify XJ sanctions and to try to get partners onboard to cripple XJ industry like solar, cotton, agriculture.

                • woooooo 2 years ago

                  That article IIc pivots on the key phrase "physical destruction".

                  Look, internment isn't good either, why dig in your heels on the most loaded possible word?

                  • ImPostingOnHN 2 years ago

                    physical destruction, internment, cultural genocide, they are all happening

                    why not focus on that, rather than your personal, individual dislike of a term?

                    why dig your heels in on the semantics of the thing, rather than the substance?

                • dirtyid 2 years ago

                  It's absolutely not. There's a reason US propaganda under Pompeo had to manufacture and launder reports with tortured legal interpretation to try to get the genocide label to stick but couldn't: because there's no intent to destroy, hence useful idiots trying to be pedantic and argue how enforcing family planning reflects intention even though that applied to the Han majority, or mass (temporary) internment / inflicting "pain" is somehow equivalent to physical destruction while the population continues to grow.

                  The modern definition of genocide at the UN explicitly wouldn't categorize what PRC is doing in XJ - cultural genocide - because members, especially the west, went out of their way to ensure cultural genocide would have little legal ramifications, otherwise Canada would have been sanctioned to death for self-professed cultural genocide a few years ago. Incidentally the entire reason Pompeo tried to propagandize the genocide label was because it would trigger diplomatic ramifications at the UN. What the PRC is doing in XJ is cultural genocide, and bluntly that’s permissible thanks to lobbying from the west.

                  The entire manufactured genocide narrative is so retarded because if PRC wanted to, they could just... commit genocide. At PRC scale they can wipe out the 12M Uyghurs in a few weekends on the cheap instead of wasting trillions of RMB trying to sinicize them.

              • ImPostingOnHN 2 years ago

                Would you say the common, accurate usage of the term "cultural genocide" to refer to what the term refers to, is a bigger or smaller problem than the actual cultural genocide itself?

            • DiogenesKynikos 2 years ago

              "-cide" is a suffix that means "to kill," as in:

                * suicide
                * regicide
                * fratricide
                * insecticide
                * pesticide
              
              It comes from the Latin word "caedo," which means "to kill." The phrase "cultural genocide" is not the same as "genocide," and indeed the legal definition of "genocide" explicitly says that destruction of a culture is not genocide.

              Using the word "genocide" to refer to something other than mass murder - and then falling back to the claim that "genocide" doesn't mean mass murder - is just playing rhetorical games.

          • KptMarchewa 2 years ago

            Of a nation or ethnic group.

        • mistermann 2 years ago

          > Why do you say it's 99% propaganda?

          I suspect because of propaganda.

  • noduerme 2 years ago

    Just a small personal anecdote from another country with tight restrictions:

    When I rented a furnished apartment in Saigon back in 2008, there was an ethernet cable on the table and a piece of paper in English that said "Do not visit websites of anti-government propaganda, or pornography, or news such as the New York Times."

    Naturally, as the police held my passport for the entire year I was in Vietnam, I was cautious. But after a few days, I just went ahead and openly browsed the NYT for a few minutes. My internet was shut off for about 3 hours. The next time I did it, it was shut off for 24 hours, and then I knew it wasn't a glitch. It wasn't exactly immediate, either; it took a few minutes. I was pretty sure there was a semi-dedicated person assigned to watch my traffic.

    That wasn't over a VPN. I wanted them to see my traffic. But I knew running over a VPN would just raise suspicion. When I opened up VPNs to check email after that, I did it from cafes, and I did it in short spurts.

    • hinkley 2 years ago

      > In fact, the US Department of State recommends that all US citizens have a photocopy of their passport with them, when traveling abroad.

      Supposedly you get in shorter lines at the consulate if you have at least a photocopy of your passport available. You should be able to petition the consulate of your home country to issue you a new passport.

      I think it may be illegal, but I've heard from people who travel to places where it's sketchy for Americans to travel, that they report their passport as destroyed, get a second copy issued, then keep the first one.

      The reasoning is that certain immigration departments see red flags if they see visa stamps from certain other countries, and you may get grief for having visited them. Cuba and the US used to be one, but cross-border rivalries are another. Knowing who hates who and presenting the right passport to receive the stamp would save you grief. Also if you encounter corruption/extortion you can schedule the next flight out and run.

      With the electronic ones now I don't know how many places that still works.

      • reaperman 2 years ago

        USA will issue “anyone” 2-3 valid passports at the same time. This is designed for two reasons:

        1) you travel a lot and sometimes may need to mail your passport off to get a pre-travel visa from some consulate, while you are still outside the USA. This way you can send off one passport to get the visa for your next country, while keeping a valid passport with you while you’re abroad.

        2) You need to travel between Israel and countries which have laws against visiting Israel (Historically, GCC countries). This way you can always present whichever passport doesn’t have Israel’s entry and exit stamps on it.

        I’ve had two valid US passports at the same time, and I’m just a random nobody American.

        • pawelos 2 years ago

          Israel no longer gives you any visa stamps in passport.

          https://www.touristisrael.com/the-israeli-passport-stamp/974...

          • LorenPechtel 2 years ago

            But your passport is still tainted if you use any Israeli land crossing--they see the stamp from the other country and infer you were in Israel. Unlike what we saw in the 80s in Africa--so long as "South Africa" didn't appear you were ok. The border stamps into/out of South Africa didn't cause problems. The possession of a fair quantity of supplies with packaging in English/Afrikaans didn't matter--but the first day across the border the organizer had us stop and very carefully go over everything with a sharpie looking for labels that said "product of South Africa"--those had to be totally blotted out.

            And to show how stupid things were--he also had a stamp he had made up to make forged entries on our yellow books. At that time your average joe certainly did not have an up-to-date smallpox shot--but at multiple border crossings they would hit you up for a bribe if you didn't have an up-to-date smallpox shot. Hence fake them. (Even around 2000 which was the last time I had occasion to have anything added to my yellow book there still was no anti-counterfeit protection.)

            • noduerme 2 years ago

              "Tainted" is an odd word. Any country that would reject a Jew from entering for having an Israeli stamp in their passport is a country I would never want to step foot in, whatever my views on Israeli politics.

          • 0xffff2 2 years ago

            I visited Israel circa 2012 and this was true even then.

            • disgruntledphd2 2 years ago

              > I visited Israel circa 2012 and this was true even then.

              It used to depend on where you were coming from. When travelling to Israel for work a few years back, my passport (Irish citizen) was not stamped, but my colleague's (at the time, a Turkish citizen) was.

              • hinkley 2 years ago

                That’s… were they fucking with him?

                • disgruntledphd2 2 years ago

                  No idea, Israeli border security are weird. Like, for the first few times I went there, they treated me like a terrorist (i am concerned that someone may have placed bombs in your bag etc). The last two times, OTOH, it's just been like a normal airport.

                  No idea why.

              • workfromspace 2 years ago

                Sad to hear this, but not surprised as much. According to Wikipedia, Turkey is one of the few countries/regions Israel requires a visa from, along with India, Pakistan and Arab countries.

      • noduerme 2 years ago

        Anyone that says you should keep your passport on you when you're in a foreign country has never traveled. I never keep my passport on my person when I'm walking around outside the US. I lock it away as securely as I can wherever I'm staying, and carry a color copy of it in my pocket.

        Part of this is simply because American passports are extremely valuable. Another part is that anyone who wants to fuck with you in some semi-official capacity now has to choose whether to go back to your hotel or arrest you on the spot, which puts them in a better mind to give up or take a bribe.

        • reaperducer 2 years ago

          Another part is that anyone who wants to fuck with you in some semi-official capacity now has to choose whether to go back to your hotel or arrest you on the spot, which puts them in a better mind to give up or take a bribe.

          Happened to me at an airport in Thailand. Some airside police officer demanded to inspect my passport, then wouldn't give it back to me until I walked him to an ATM so I could pay him a "tax" in cash.

          I never went back to Thailand.

          • qingcharles 2 years ago

            Had this in Hungary about 2004. Had no money at all at the time. They handed me a notice in 15 languages which said I was now permanently excluded from ever entering Hungary again ^_^

        • qingcharles 2 years ago

          But please don't keep it in a room safe at a hotel. If I had a dollar for the people I know who put valuables in the room safe and lost them...

        • LorenPechtel 2 years ago

          The most secure place to keep it is on your person *under* your clothing. Waterproof protection would be a good idea if you're in a warm climate.

          It most certainly can be done--I wore mine basically 24/7 for a year. The only time it wasn't under my clothing was for border crossing or bathing--and in the latter case it almost always was under a traveling companion's clothing. No close calls--but someone else in the group wasn't so cautious and hers was snatched. Fortunately, the thief wasn't sophisticated, kept the cash and dumped everything else quickly.

        • nerdbert 2 years ago

          Yep, laminated color copy is the way to go.

      • lbschenkel 2 years ago

        Reporting the passport lost or stolen is generally not a good idea. Legality issues aside, when a passport is reported lost or stolen then it is marked in the system as invalid. Depending on the country it will be reported to Interpol's STLD database [1] which can be checked by immigration authorities in other countries.

        In the end you'll have two passports but one of them is now useless and it will be flagged the moment you actually use it for traveling. It may not be pleasant when you're abroad and the authorities catch you using an invalid travel document.

        I guess it makes more sense if you never intend to use the old passport again for crossing borders?

        [1] https://www.interpol.int/en/How-we-work/Databases/SLTD-datab...

      • vidarh 2 years ago

        Some countries will issue second passports legally exactly for the reasons you list, but you typically need to apply for permission. Replacing your passport early without needing to pretend it's lost because it has stamps from a "problematic" country tends to be easier most places, but of course a hassle if you travel to these countries more than once.

    • pdntspa 2 years ago

      Wait, the police held your passport? Why?

      • noduerme 2 years ago

        If you're an American and you rent an apartment, the local police keep your passport until you leave. You keep a xerox. That's how it was at the time. I don't know if that's still the case.

        I didn't feel good about it when I found out (actually, the moment I signed the lease), but there was nothing I could do about it.

        My exit from Vietnam was almost humorous. I had about 50 DVDs in my suitcase, mostly encrypted backups and burned movies, and every single one was inspected by sight, holding it up to the light (to see how far the burn went?), then left on the floor of the airport for me to pick up. Upon re-entering the US, the customs officers did almost the same thing, and then just confiscated all my discs.

        Weirdly, no one on either side checked my laptop.

        • evilos 2 years ago

          They took your DVDs? On what pretext? Did you get them back?

          • noduerme 2 years ago

            The pretext was piracy, since some of them were labeled with the names of movies. I protested they should just keep those ones, but they took them all and said I was lucky they weren't going to prosecute me. I didn't even try to get them back.

        • pdntspa 2 years ago

          So how do you travel outside the country then, if the police are holding your passport?

          • noduerme 2 years ago

            You need to request it from the police for travel. In my experience, I did it via my landlord, and it took about a day.

  • FaultBit 2 years ago

    A lot of people actually use VPNs in China (since 2010 even), and some of them call it "加速器" which basically means "booster" (for your internet). Some use it for lower latencies when playing foreign games. The issue is that VPN connections get easily blocked. We aren't really worried about legal issues.

    Except for that one time when police (of a certain district, not everywhere in China) knocked on people's doors to inspect their phones for VPNs during the "white paper protest" I believe.

    • seanmcdirmid 2 years ago

      Surely Xinjiang has stricter rules and more aggressive enforcement than the other provinces/regions? They always put a hardliner in as party head.

      • mushbino 2 years ago

        Probably, but there's a real history of many terrorist attacks in China being planned online. It's why Facebook is blocked. Look at what the US did to Muslims after 9/11

      • LorenPechtel 2 years ago

        This. I don't worry about generating illicit traffic in China--but there's no way I'm going to Xinjiang. If I had to go there I would stay off the internet entirely.

    • mushbino 2 years ago

      Sure, but you're ruining the yellow peril narrative we need for our cold war with China.

  • helen___keller 2 years ago

    When I was in China in 2019, the VPN built into google fi actually got me around the GFW with zero effort. I didn’t even realize it until I caught myself checking American social media unhindered.

    My experience is most younger and tech savvy people have a VPN. It’s common / casual, like speeding your car by 10mph on the highway.

    Most people are not persecuted for using a VPN, I assume that’s reserved for people who the government already wanted to persecute and just need to give an excuse for why they detained their target.

    • ehhthing 2 years ago

      Assuming what you mean is over mobile data (and not over wifi), mobile data works differently than typical internet. You can think of it like when you connect to a mobile network what you're actually doing is making an IPsec connection to your carrier, with all data flowing over that IPsec connection. As such any carrier with a roaming agreement in China will bypass the GFW entirely -- and this is by design, Chinese carriers have to whitelist the APNs of western companies they do business with.

    • pantalaimon 2 years ago

      I think China doesn’t care if foreigners use a VPN, it’s their own people they want to keep under control.

      • balder1991 2 years ago

        I keep contact with a girl in China and from her reports using VPNs is kinda common for young people with college education. She would do it sometimes to access YouTube, and would laugh it off when I would say she should be careful doing such things.

        I suppose for the government, as long as it isn’t the majority of people doing something that would cause trouble, it isn’t worth tracking down all things, as expected.

        • mrguyorama 2 years ago

          This is intentional; "Oh it's not authoritarian/bad, people use VPNs all the time and get away with it".

          Except for that muslim chick another commenter pointed out, or anyone else the party decides is undesirable.

      • mannerheim 2 years ago

        Just be prepared to spend a year or two in prison if relations between your country and China worsen and they need a hostage.

        • mushbino 2 years ago

          Like the executive from Huawei who was imprisoned in Canada

          • LorenPechtel 2 years ago

            s/Huawei/Chinese State Security/

            She was a spy--look at how intense their reaction was.

            Unfortunately, they tend to grab innocents to exchange for captured spies. However, they're going to go for big fish, not little ones. As an average joe I'm not concerned about being held for a spy swap, but if I were a highly placed executive there's no way I would set foot in China.

            • dirtyid 2 years ago

              Meng was PRC royalty - the daughter of Huawei's president, imagine a literal billionaire being a spy. She was taken hostage under Pence's China Initiative for Iranian sanctions shenanigans that historically were dealt with via fines. The initiative explicitly called for targeting PRC nationals.

              Hence the intense reaction. The 2 Canadian Michaels on the other hand were textbook spies with NGO covers. Western propaganda likes to insinuate PRC would capture innocent westerners when state security has massive state surveillance capability that completely dismantled CIA networks a few years prior. Like literally a friend of Michael hinted he was in "intelligence" and CSIS (Canadian CIA) publicly celebrated on twitter upon their return. The Michaels weren't executives. The TLDR, while in PRC: don't traffic drugs, don't be a spy/do anti-state activities, don't get involved in expensive legal proceedings - the latter is what actually gets (white) westerners in trouble via exit bans.

            • mannerheim 2 years ago

              It's time for the West to stop playing around and allowing this sort of hostage taking. If China and Russia want to play dirty, play dirty back. They take a hostage, start taking their nationals hostage and plant large quantities of fentanyl on them.

            • mushbino 2 years ago

              Do you have any proof she was a spy? She absolutely was not. An extremely high ranking executive of one of the largest technology companies on earth would be literally the worst possible choice for a spy.

    • synergy20 2 years ago

      That's because the GFW allowed it, GFW has no problems to block any VPN at will.

      GFW is sophisticated beyond imagination; one way to detect VPN traffic (or SSL, or SSH) is to observe its patterns and where the traffic is going. It's not too hard to have a blacklist of all VPN vendors too.

      shadowsocks was designed to bypass it (to make traffic look random). I recall its developers were visited by cops and warned to stop doing that.

      It's said China built the largest LAN on earth, the government is just too scared by its people to get educated, it's a true parallel universe.
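The first-packet heuristics synergy20 is alluding to, as the linked gfw.report paper describes them, written out as an added example (this is neither the paper's own artifact code nor any commenter's code): the detector looks at the first client-to-server payload of a TCP connection and lets the connection through if any of five exemptions fires (average popcount per byte outside 3.4..4.6, first six bytes printable, more than half of the bytes printable, a run of more than 20 printable bytes, or a known TLS/HTTP prefix); anything else is treated as "fully encrypted" and blocked. The prefix table and the sample packets below are constructed for the example, and the stand-in for a shadowsocks first packet is a fixed byte pattern chosen to land in the blocked band, not real shadowsocks output.

```python
# Added example: a reimplementation of the five exemption rules the gfw.report
# paper attributes to the GFW's fully-encrypted-traffic detector, run over
# constructed packets. Thresholds follow the paper; the real system has further
# conditions (it only inspects the first client data packet of a connection,
# and only enforces on part of the IP space) that are not modelled here.

from typing import Tuple

PRINTABLE = frozenset(range(0x20, 0x7F))        # ASCII 0x20..0x7E

# Ex5: prefixes of protocols the censor does not want to break.
# Assumption: this list is illustrative, not the censor's exact table.
KNOWN_PREFIXES = (
    b"\x16\x03\x01", b"\x16\x03\x02", b"\x16\x03\x03",   # TLS record, handshake
    b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/",       # HTTP plaintext
)


def popcount_per_byte(data: bytes) -> float:
    """Average number of set bits per byte; about 4.0 for uniformly random data."""
    if not data:
        return 0.0
    return sum(bin(b).count("1") for b in data) / len(data)


def printable_fraction(data: bytes) -> float:
    """Share of bytes in the printable ASCII range."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def longest_printable_run(data: bytes) -> int:
    """Length of the longest contiguous run of printable bytes."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b in PRINTABLE else 0
        best = max(best, cur)
    return best


def classify_first_packet(data: bytes) -> Tuple[str, str]:
    """Decide whether the first client->server payload looks 'fully encrypted'.

    Returns (verdict, reason). Rules are applied in the paper's order; the
    first exemption that fires lets the connection through. A payload that
    trips none of them is treated as random bytes and blocked.
    """
    pc = popcount_per_byte(data)
    if pc <= 3.4 or pc >= 4.6:
        return "allow", "Ex1: popcount/len outside [3.4, 4.6]"
    if len(data) >= 6 and all(b in PRINTABLE for b in data[:6]):
        return "allow", "Ex2: first six bytes printable"
    if printable_fraction(data) > 0.5:
        return "allow", "Ex3: more than half printable"
    if longest_printable_run(data) > 20:
        return "allow", "Ex4: run of more than 20 printable bytes"
    if data.startswith(KNOWN_PREFIXES):
        return "allow", "Ex5: known protocol prefix"
    return "block", "no exemption matched: looks like random bytes"


# Constructed stand-in for a shadowsocks-style first packet: every byte has
# exactly four bits set and two of every six bytes are printable, which puts
# it squarely in the band the detector treats as 'encrypted'. A genuinely
# uniform random payload of this length lands in the same band with
# overwhelming probability.
HIGH_ENTROPY_STANDIN = bytes([0x0F, 0xF0, 0x33, 0xCC, 0x55, 0xAA]) * 33


def demo() -> dict:
    """Classify a handful of constructed first packets; returns name -> (verdict, reason)."""
    samples = {
        "all_ones": b"\xff" * 64,
        "http_get": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
        # TLS record header in front of a random-looking body reaches Ex5.
        "tls_header_plus_random_body": b"\x16\x03\x01" + HIGH_ENTROPY_STANDIN,
        "random_like": HIGH_ENTROPY_STANDIN,
        # Six leading printable bytes are enough to flip the verdict (Ex2).
        "random_like_with_printable_prefix": b"      " + HIGH_ENTROPY_STANDIN,
    }
    return {name: classify_first_packet(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:36s} {verdict:5s} {reason}")
```

Running it prints one line per sample. The last sample shows how thin the margin is: six leading printable bytes satisfy Ex2 and flip the verdict of an otherwise identical payload, which is why a client that shapes its first packet can slip past a detector built on these rules; conversely, a payload classified "block" here is not guaranteed to be dropped by the real GFW, which only enforces on part of the address space.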

    • chanind 2 years ago

      The reverse is true as well. I traveled in India with a friend from China who used their Chinese sim card in India, and their data was censored through the firewall. Really annoying to be outside China and not able to use Google maps.

    • computerfriend 2 years ago

      That's roaming, not a VPN.

    • qingcharles 2 years ago

      This is the same in Qatar, and probably in other Middle-East countries. Most of the residents use a VPN to get around the firewall, but I don't think anyone would be prosecuted for it unless the police wanted a nice easy reason to get you into custody.

  • thaumasiotes 2 years ago

    > The use of VPNs in China can provide individuals access to the international internet, but in China, it can be a potential legal risk. In 2017, the Chinese government declared all unauthorized VPN services to be illegal. An example of the use of this punishment is Vera Zhou, a student at the University of Washington, who, when visiting her Hui parents in Xinjiang, China, used a VPN to access her school homework. She was arrested and sent to a Xinjiang internment camp from October 2017 until March 2018, followed by house arrest after her release. She was not able to return to the US until September 2019.

    Use of VPNs is... universal... among middle-to-upper-class Chinese. This is obviously not an example of legal risk associated with using a VPN. Rather, it's an example of a punishment coming down on someone who was targeted for other reasons.

    An immediate implication is that, if you repealed all the laws against VPNs, nothing about anything would change.

  • Arn_Thor 2 years ago

    And for those who don’t feel in legal jeopardy many VPNs are still being blocked and reconfigured in an endless arms race between the provider and the GFW

__sy__ 2 years ago

I’ve done so much experimentation with the GFW pre-pandemic while staying in China for extended periods of time. I was always amazed at how quickly they would catch up on my shadowsocks, random ssh tunnels…etc. 48 hours tops before I had to rotate IPs. This report seems to indicate this is now instant?

Fwiw my most reliable trick ended up piggy-backing off of a physical line going into Hong Kong from Shenzhen, and when roaming around China, using a vpn to get to that Shenzhen gateway. As far as I can recall, that always worked. This led me to believe that most of the vpn traffic analysis (and blocking) was done at the edge of the GFW and not inside of it. Again, this could be outdated by now.

  • apatheticonion 2 years ago

    I tried to set up a shadowsocks server to bypass the GFW about 2 weeks ago. Server was hosted on my local network in Australia (with public IP), client was connecting from China (using the server IP).

    It was blocked immediately and the client could not connect. I had several unknown IPs try to connect prior to the attempted connection.

    I was stunned at how watertight the GFW is, it's really unfortunate as I would love to work/travel through China but cannot due to needing an active internet connection.

    • __sy__ 2 years ago

      Yeah pdf of report says that blocking is instant as of 2021. Also completely agree with the need for an active connection to do work. A lot of the software/hacker devs I knew have left China altogether in the last 3-4 years. Inability to look up stuff reliably (even on working VPN providers) was one of the reasons cited by a few.

    • throw_19cn1k3 2 years ago

      A fellow Aussie currently in China, a Trojan [0] server has been working fine for the last week I've been here. I've got it hosted through a VPS (smaller provider) in LA. While it's a bit of a pain to set up, reliability has been pretty decent (with occasional? short breaks) and definitely usable - my laptop is connected 24/7 and I can access the unfiltered web, including video, just fine. V2ray also supposedly works quite well, but I haven't looked into it.

      [0] https://github.com/trojan-gfw/trojan

    • fundatus 2 years ago

      Last time I went to China (2018) you could simply get a China Unicom Hong Kong SIM card and then use that to roam in mainland China. With that you'd get the Hong Kong censorship level, which is much much less restrictive. No VPN or anything needed apart from the SIM card itself.

      • hutzlibu 2 years ago

        "you'd get the Hong Kong censorship level, which is much much less restrictive."

        Didn’t that change since 2018?

        • emaro 2 years ago

          I'm in China right now with a Mainland/Macao/HK eSIM. My Chinese friend has to use a VPN to access Instagram as did I when I was connected via WiFi in mainland China. Using the eSIM connection I could access Instagram and YouTube without any issues, likewise here in Hongkong (with WiFi).

          I didn't investigate how large the difference is, but Hongkong traffic is still treated more liberally.

        • monetus 2 years ago

          It was really sad seeing all the bookstores close.

    • m-p-3 2 years ago

      I run https://snowflake.torproject.org/ in my browser as my way to help.

    • Grimburger 2 years ago

      That's a massive shame because shadowsocks has been the only real reliable method for a long time.

      I used it successfully when I was in mainland China while VPNs, even the ones boasting they could get through the GFW, were all hit or miss.

  • gruez 2 years ago

    There's a more straightforward way: roam with a foreign sim card. Roaming traffic is tunneled to your home telco and for whatever reason the tunnel isn't inspected at all. With the advent of esims you can buy a roaming sim and use it on your phone within minutes.

    • Roark66 2 years ago

      Can you activate it while abroad though? After I moved away from the UK I still had to have a UK mobile phone for various things. My UK sim would stop working after about a year away. When buying a new one I had to get someone in UK to put it in their phone to let it at least once connect to the home network. Without it the card would be useless. Is using foreign sim cards now easier?

      • kotaKat 2 years ago

        eSIMs just need a data connection back to the SM-DP server and that can be done over Wi-Fi. I don't think that protocol is blocked that they talk to it, and the SM-DP vendors on the market are typically "global" providers that work with multiple operators.

        EDIT: I checked myself to be sure. It's "RAM over HTTP(s)" -- "Remote Application Management" of the eSIM. GFW doesn't block HTTPS, so you should be able to get provisioned to any carrier worldwide while inside the firewall.

        https://www.sharetechnote.com/html/Handbook_LTE_eSIM.html

      • gruez 2 years ago

        There are esims explicitly targeted to travelers. Those are the ones you want. In my experience they don't have any activation restrictions like the ones you describe.

  • ehhthing 2 years ago

    GFW only looks at connections with destination IPs outside of China, the private fibre line bypasses it entirely.

    • traceroute66 2 years ago

      > the private fibre line bypasses it entirely

      Well, I'm sure the Chinese are tapping it. ;-)

      It's more that they are just not actively acting on the content.

      • ethbr0 2 years ago

        Not much use tapping encrypted packets, which is why it terminates connections when able.

  • narism 2 years ago

    MS and other vendors recommend doing something similar (connecting via Hong Kong): https://learn.microsoft.com/en-us/azure/virtual-wan/intercon...

    • jiggawatts 2 years ago

      Meanwhile Microsoft refuses to implement TLS 1.3 in their CDNs so that HTTPS-VPNs can’t be blended in with other Microsoft traffic.

      “You should…” from any large corporation translates in my mind to “…because we certainly won’t.”

  • gaoshan 2 years ago

    Many years back I was running a socks proxy for access while in China and I found that it worked great in Shanghai but was rapidly blocked (or degraded in some fashion) in Hangzhou. That seemed internal and not edge but I do not really know how they were interfering with it. Given Hangzhou's tech expertise it just may be the ISP there was more capable and up to date?

    • kccqzy 2 years ago

      Was there an international event in Shanghai at that time? If they expected a large number of foreigners in a particular region they would relax the censorship in that particular region. They could even do it per hotel room where hotel rooms booked by foreigners automatically have lesser interference between GFW.

      • gaoshan 2 years ago

        That might be it. I was there every year for about a 15-year period but this may have been around the time of the 2010 Expo. Though I was not in hotels, I was in apartments (ones owned and lived in by Chinese, not foreigners).

  • jszymborski 2 years ago

    I wonder if the whole tor obfs4 and snowflake business works with the GFW.

    • rfoo 2 years ago

      Yes but they are unfortunately targeted more than other censorship circumvention tools. Since everyone knows Tor/Obfs4/Snowflake it's easier to get your research published if you work on detecting that.

  • EGreg 2 years ago

    Why don’t they just detect and block all VPNs? In Dubai, that’s what seemed to be happening

    • physicles 2 years ago

      They certainly could, but I assume there’s an understanding among officials that to do so would cripple certain sectors of the economy. Certain kinds of work would grind to a halt. I’d wager that a majority of non-Chinese residents would leave the country.

Renaud 2 years ago

I remember having to deal with the early GFW about 20 years ago when I was working for a company that had some employees on a site in Shanghai.

Every morning, our colleagues in China would open their mail client and it would connect to our server abroad.

The first person would usually be OK, but for everyone else, the connection would fail.

At the time, almost nothing was known of the GFW and it wasn't as clever as it is now. I found out that the POP connection was quickly blocked after a few minutes, probably triggering some slow firewall rules along the way (it seemed a bit random, so I assumed the firewall setup wasn't unified).

Moving to POPS/SMTPS seemed to improve things for a while, but the connection would still be randomly blocked.

What worked in the end was to use a bunch of random ports instead of the well known ones to accept POP/SMTP connections on the server, and we never had any issues after that, at least until we changed systems a couple of years later.

  • dizhn 2 years ago

    We have a satellite office in Dubai. I know their static IP. When they connect to our imap/smtp server they are coming in from another IP. I never looked into it deeply but assumed their connection is being diverted for inspection. (If true, they would probably not be below performing industrial espionage with the data they are accessing)

    • f4c39012 2 years ago

      I've debugged connection issues with someone in China. The same person, using the same browser and at the same time, showed up in the logs of two cloud apps with different IP addresses. The applications were adjacent in the cloud, same network config and everything. We figured there was always redirection, and we were never seeing their "true" IP address.

      A simpler test is to search "what is my IP" and compare the values returned by different services.

      • aeyes 2 years ago

        The IP space in China is wild, multiple ISPs use the same IP ranges and some even use foreign IP space but they don't route them outside of China. I wouldn't be at all surprised seeing proxy setups at ISPs trying to "fix" some of this.

        Even when we had physical machines in Chinese data centers it didn't mean that our service was reachable from all ISPs. In 2010 we gave up on that and just started using Akamai China CDN with our servers in Europe.

    • proto_lambda 2 years ago

      At that level, there is no reason to proxy it through a different IP address. If you control the network, you can just make the packets come from the original, real address.

      • H8crilA 2 years ago

        It was probably written by junior devs, like most other software around the world.

        • slt2021 2 years ago

          GFW that can inspect petabytes of traffic per second for 1.4 bln population cannot be written by juniors

      • dizhn 2 years ago

        It might be something government mandated where all ISPs direct mail traffic to a central location. (The largest ISP is the government by the way)

    • occamrazor 2 years ago

      Is the IMAP/SMTP connection not encrypted?

    • EGreg 2 years ago

      Speaking of satellites, the ones in geosynchronous orbit, how can Chinese block those?

      • ec109685 2 years ago

        “We will shoot your satellite if you don’t block access while over China”.

        • EGreg 2 years ago

          In orbit? Good luck

          Lasers maybe?

          • ImPostingOnHN 2 years ago

            the US has done so with a missile so basic that it's named "standard missile 3"

            most satellites will just be following an uninterrupted, predictable path for most of their time

NamTaf 2 years ago

Interesting that it's cracking down on Shadowsocks with obfuscation plugins. SS w/ v2ray was more or less the gold standard when I was going there from 2017 to 2019.

Back then, certain times (early June, big government meetings) would see a crackdown on VPNs where, so far as I could tell, they just threw down crude blanket blocks on anything they sorta-kinda knew was a VPN but couldn't procedurally target-block. It would (usually) still connect but be rate-limited to essentially nothingness.

I always got the vibe that they sort of informally tolerated VPNs above a certain threshold of sophistication, figuring that they were more interested in blocking the low-hanging fruit that the unwashed masses could easily use, rather than something more sophisticated that only a few techno-nerds could utilise. As other posters have said, they'd know who was doing it and preferred to come knocking with a rubber hose if those people caused too much in the way of issues.

mensetmanusman 2 years ago

China doesn't realize how much they are being held back by meaningless investments of time and expertise on this. They spend almost the same %GDP as the US does on the US military as on their internal suppression forces.

Maybe it's good for the world that they burn so much talent and wealth on adding inefficiency to their internal information exchange.

  • jcarrano 2 years ago

    It is not the goal of the CCP to advance China as it is to keep themselves in power.

    • H8crilA 2 years ago

      I would disagree. The leading organization is much more aligned with the needs of the nation than the likes of Iran or Russia, which probably wouldn't mind bombing the shit out of their own city if it was necessary to stay in power.

      For example they actually bow to American pressure and try to avoid sanctions or other trade problems. As of today their navy could be completely destroyed with like 30% of the US Navy, so any naval blockade is probably unbreakable for them. Iran's junta would (and did) just say "whatever" and continued tanking the GDP.

      Another example - the Chinese intelligence helps domestic industries, even those that are far from the defense business.

      • throwaway290 2 years ago

        I didn't downvote you but if a government

        - offers no way of replacing itself democratically

        - extends own term indefinitely

        - blocks free exchange of information

        - censors specific speech that shows its failures or desire of people to replace it

        - suppresses internal protests with murders and disappearances of people (1989 Tiananmen, 2019+ Hong Kong, blank paper movement, ...)

        etc then it's super clear its primary goal is maintaining power.

        Sure, it cannot maintain power without at least seeming to be "aligned with nation". But it takes second place to maintaining power.

        • pessimizer 2 years ago

          There's probably more disagreement within the Chinese government than between the two dominant parties of each of the western powers.

          • red-iron-pine 2 years ago

            Perhaps, but you wouldn't know it, and the results sure aren't felt domestically or internationally.

            • throwaway290 2 years ago

              Everyone knows when people disappear or get "nicely escorted" from party meetings. /s

              I am guessing the comment above somehow meant that more infighting within a gang of literal criminals who put themselves in power and clearly struggle to maintain it means the gang is somehow better than a democratic government? But I cannot see the logic

          • throwaway290 2 years ago

            Yes of course. Because those disagreements are about how to stay in power really, and something else for looks.

      • pdntspa 2 years ago

        You have to keep the people happy enough, not even China could withstand the full force of their own people rising up against them.

        So, on the surface, you appear aligned with growth and advancement and all that.

        But under the surface, the system is about control, and only control.

      • nonethewiser 2 years ago

        > which probably wouldn't mind bombing the shit out of their own city if it was necessary to stay in power

        See the Tiananmen Square Massacre.

  • dirtyid 2 years ago

    PRC centralized narrative setting apparatus is more efficient than constant misinformation shitshow on western platforms. Not to mention the entire reason why PRC has domestic info ecosystem is because they were prescient in filtering external content. The system already paid for itself many times over.

    >They spend almost the same %GDP as the US does on the US military as on their internal suppression forces.

    It's almost as if PRC doesn't spend that much %GDP on military. The waste is PRC spending as much as US on domestic policing, which is not great considering how militarized US policing is. Meanwhile PRC simply doesn't spend that much on defense <2% vs US ~3.5%, if you include guesstimates of shadow budgets, 3% vs 6%.

  • bitwize 2 years ago

    Get used to it; we will soon be a part of China's "community of common destiny".

    • nonethewiser 2 years ago

      I wouldn’t say that. But Western countries would absolutely replicate the surveillance and censorship if they could. And they do in some ways, but there are many structural things stopping them.

  • Herring 2 years ago

    I wouldn't be so sure that it's a bad idea. Look how social media has damaged democracy around the world. US democracy is stuck in a bit of a death spiral - https://www.theatlantic.com/ideas/archive/2021/04/how-stop-m.... I hate repression, but they've been at it for thousands of years and I'm no longer super confident we have something better (see citizens united, roe v wade, affirmative action). China's life expectancy just beat the US.

    • nirimda 2 years ago

      The US doesn't have a minority rule death spiral because of social media, it has a minority rule cycle because the constitution literally entrenches minority rule via mechanisms like senatorial malapportionment, supermajorities, the electoral college and judicial review of policy (see citizens united, roe v wade, affirmative action) rather than merely procedure. It has experienced this before, sometimes devolving into outright civil war, without actually reaching death.

      The technologies for resolving America's problems are well understood - majority decision making, parliamentarism, representation and participation of electoral minorities rather than inhibiting the work of the majority, a narrower scope of judicial review and/or a more flexible constitution. But as long as people say, as you do, "it isn't the thing that caused the problem that is the problem, it is some fancy gadget that is the problem", then you will be unable to solve the problems.

      • pessimizer 2 years ago

        > It has experienced this before, sometimes devolving into outright civil war, without actually reaching death.

        That's not really enough to establish a pattern, though. People in China have furniture older than the United States.

        > But as long as people say, as you do, "it isn't the thing that caused the problem that is the problem, it is some fancy gadget that is the problem", then you will be unable to solve the problems

        This is victim blaming. US citizens get no say in governance:

        "Testing Theories of American Politics: Elites, Interest Groups, and Average Citizens"

        https://www.cambridge.org/core/journals/perspectives-on-poli...

    • ed25519FUUU 2 years ago

      Free speech causing problems for the USA yet again?

      • Herring 2 years ago

        I'd say the issue is "factionalism" as the US founding fathers identified it. Some group (elites, landlords, corporations, white people, etc) is looking out only for themselves at the expense of society in general. East Asian countries love enforcing their conformity and harmony.

mdhb 2 years ago

Limited use cases but for moving info in and out of a system like this you should be able to use this https://en.m.wikipedia.org/wiki/Chaffing_and_winnowing

law_enforcement 2 years ago

The comments from people obviously never having been into a restricted country are hilarious. There are a few, most likely shadow approved, VPN providers that work. I refuse to believe they are just smarter than the GFW. I am convinced they are sanctioned and monitored. Which is fine if you never have any beef with the government. Which you never know you do until you do.

Stuff like socks5/shadowsocks and wireguard have long been useless. Imagine being in your house, and you want to go out, without anyone seeing you. No matter how well you try, just the attempt itself reveals you are trying - thus you are caught. Same for escaping GFW. A sanctioned VPN or RDP that stays alive without metering, is your best option.

  • rfoo 2 years ago

    Your comment is equally hilarious from the point of view of a native who lives in China now.

    idk if i'm smarter than the GFW but every time I rolled my own censorship-circumvention tool it worked well, even the most lazy way worked. I've never used any VPN provider. And FYI even unchanged WireGuard still works, though there seems to be some offline traffic analysis looking for that, so once a week you'd wake up to your VPN connection broken and had to change ListenPort on the server.

    The only annoying thing for me is: f- you AWS, egress too damn expensive!

  • bilkow 2 years ago

    Can't you use a "sanctioned" VPN to tunnel your connection to a "real" VPN or any wireguard endpoint? They could still be able to find out you're using a VPN, but not monitor your traffic.

    • law_enforcement 2 years ago

      Yes, you can. But you have to wonder what the sanctioned VPN is doing on/to your machine. There is a lot of trust going into any VPN solution.

      • ImPostingOnHN 2 years ago

        are you talking about the VPN endpoint exploiting a 0day vulnerability in the VPN client stack of the OS?

maldev 2 years ago

This paper is nice, but it goes over some finer technical things. So, not about the great wall, but there's projects out there, like this one https://github.com/salesforce/ja3 , which talk about how you can fingerprint fully encrypted traffic (TLS/HTTPS). There's a great section in the Readme "How it works" that goes over it. Would be surprising if the great wall doesn't do this, when some open source firewall will.

JPLeRouzic 2 years ago

The algorithm found seems so unintuitive that I wonder if it was not found by the AI.

"Allow a connection to continue if the first TCP payload (pkt) sent by the client satisfies any of the following exemptions:

Ex1: popcount(pkt) / len(pkt) ≤ 3.4 or popcount(pkt) / len(pkt) ≥ 4.6.

Ex2: The first six (or more) bytes of pkt are ∈ [0x20,0x7e].

Ex3: More than 50% of pkt’s bytes are ∈ [0x20,0x7e].

Ex4: More than 20 contiguous bytes of pkt are ∈ [0x20,0x7e].

Ex5: It matches the protocol fingerprint for TLS or HTTP.

Block if none of the above hold."
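The five exemptions quoted above, implemented as a first-payload classifier that reports which rules a sample trips, so the "about 4 bits per byte" reasoning in the replies can be checked against concrete payloads. This is an added example, not code from the paper or from gfw.report; the TLS/HTTP fingerprints used for Ex5 (a TLS record header or an HTTP request line at offset 0) are a simplified assumption, and every sample payload is constructed.

```python
"""Classifier for the five GFW exemption rules (Ex1-Ex5) as quoted from the paper.

Added example, not the paper's code. The Ex5 protocol fingerprints below are a
simplified assumption (the paper's actual fingerprints are not reproduced here).
"""

# Constructed sample payloads (first TCP payload sent by a client).
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SMTP_SAMPLE = b"EHLO mail.example.com\r\n"
# Prefix shaped like a TLS record header + ClientHello handshake header.
TLS_SAMPLE = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03\x03"
# Binary protocol with mostly zero bytes: very few bits set per byte.
LOW_ENTROPY = b"\x00" * 14 + b"\x01\x02"
# Constructed stand-in for a ciphertext-like first packet: a 16-byte pattern
# with 65 set bits (4.0625 per byte), only 3 printable bytes, no printable run,
# repeated four times to 64 bytes.
CIPHERTEXT_LIKE = bytes([
    0x8A, 0xC5, 0x17, 0xE2, 0x9B, 0x3C, 0xF0, 0x0D,
    0xA7, 0x5E, 0x81, 0xD3, 0x1F, 0xB8, 0x66, 0xC9,
]) * 4

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def popcount_per_byte(pkt: bytes) -> float:
    """Average number of 1 bits per byte: the Ex1 statistic popcount(pkt) / len(pkt)."""
    if not pkt:
        raise ValueError("empty payload")
    return sum(bin(b).count("1") for b in pkt) / len(pkt)


def _is_printable(b: int) -> bool:
    """True if the byte lies in the printable ASCII range [0x20, 0x7e]."""
    return 0x20 <= b <= 0x7E


def longest_printable_run(pkt: bytes) -> int:
    """Length of the longest run of contiguous printable bytes (Ex4 statistic)."""
    best = cur = 0
    for b in pkt:
        cur = cur + 1 if _is_printable(b) else 0
        best = max(best, cur)
    return best


def matches_tls_or_http(pkt: bytes) -> bool:
    """Ex5 stand-in (assumption): TLS record type 0x16 with version 0x03 0x0X,
    or an HTTP request line starting with a known method."""
    if len(pkt) >= 3 and pkt[0] == 0x16 and pkt[1] == 0x03 and pkt[2] <= 0x04:
        return True
    return pkt.startswith(HTTP_METHODS)


def exemptions(pkt: bytes) -> list[str]:
    """Return the names of every exemption the first payload satisfies, in order."""
    hits = []
    ratio = popcount_per_byte(pkt)
    if ratio <= 3.4 or ratio >= 4.6:          # Ex1: not "about 4 bits per byte"
        hits.append("Ex1")
    if len(pkt) >= 6 and all(_is_printable(b) for b in pkt[:6]):
        hits.append("Ex2")                    # Ex2: first six bytes printable
    printable = sum(1 for b in pkt if _is_printable(b))
    if printable * 2 > len(pkt):              # Ex3: more than 50% printable
        hits.append("Ex3")
    if longest_printable_run(pkt) > 20:       # Ex4: >20 contiguous printable bytes
        hits.append("Ex4")
    if matches_tls_or_http(pkt):              # Ex5: protocol fingerprint
        hits.append("Ex5")
    return hits


def verdict(pkt: bytes) -> str:
    """'allow' if any exemption holds, otherwise 'block' (the quoted rule)."""
    return "allow" if exemptions(pkt) else "block"


if __name__ == "__main__":
    for name, pkt in [("HTTP", HTTP_SAMPLE), ("SMTP", SMTP_SAMPLE),
                      ("TLS", TLS_SAMPLE), ("low-entropy", LOW_ENTROPY),
                      ("ciphertext-like", CIPHERTEXT_LIKE)]:
        print(f"{name:16s} bits/byte={popcount_per_byte(pkt):.3f} "
              f"exemptions={exemptions(pkt)} -> {verdict(pkt)}")
```

Running it shows that only the ciphertext-like sample is blocked: its popcount sits in the 3.4 to 4.6 window and it trips none of the printable-byte or fingerprint exemptions.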

  • H8crilA 2 years ago

    It's extremely intuitive. You're trying to filter unusual, encrypted traffic.

    First rule exploits the IND-CPA property of most encryption. You want to kill traffic that has about 4 bits set to 1 per byte, i.e. traffic that "looks random".

    The following rules are exemptions for permissible encrypted or compressed traffic (note that compression, while not IND-CPA, results in high entropy and thus will trigger the first rule).

    This could work very well, which is confirmed by the researchers in this paper.

  • reaperman 2 years ago

    > I wonder if it was not found by the AI.

    Do you mean "found" by the CCP, or "found" by the researchers? In the case of the CCP it was likely generated through basic statistical analysis, and tuned to minimize side effects and collateral damage below some threshold of acceptability (~0.6% of global traffic unintentionally blocked). In the case of the researchers, the paper details the basic statistical analysis used to discover these rules.

  • colanderman 2 years ago

    Ex1 is just excepting low-entropy packets (distribution of 1s and 0s tends toward the mean for high-entropy data). Encrypted data presents as high-entropy. This is a crude method (errs on the side of not excepting) but is very efficient for embedded hardware to compute.

    Ex2-4 are just excepting ASCII text, which is used by many unencrypted protocols (e.g. IMAP), but which are high enough entropy that they statistically will fail the first test often.

    Ex5 is necessary because TLS is high-entropy (by nature of being encrypted). HTTP is also excepted presumably so e.g. compressed uploads (e.g. images/video) aren't flagged.

    That "low entropy" is the key to bypassing the GFW isn't surprising at all -- high entropy is all but a necessary feature of most cryptography schemes. (I say "all but" because -- encryption isn't adding information, so unless you compress before you encrypt, it's possible for a (hypothetical) encryption scheme to preserve entropy, according to several objective metrics. I don't know of any that do this, beside the meta scheme of compression before encrypting, followed by steganographically padding the encrypted data afterward. This of course leaks some information through the encryption -- equal to the negentropy of the message -- but it would typically be information that can't be gleaned from context, e.g. that the message is HTML+text.)

    So... base64-encode your TLS?

  • tgv 2 years ago

    Looks more like it was found using random forests.

    • H8crilA 2 years ago

      Lol you guys never worked with real data :D

      There's at least 1'000 such algorithms at each google-like company.

  • delfinom 2 years ago

    That looks hilariously easy to defeat though it will require introducing "0x20,0x7e" padding to protocols heh.

  • vbezhenar 2 years ago

    This is just some experimentation results, it's not an algorithm.

    • amrocha 2 years ago

      An algorithm is just a bunch of rules to follow to perform an operation, so this looks like an algorithm to me.

      • netheril96 2 years ago

        You misunderstood your parent comment. What he/she meant is that the "algorithm" is only a guess from reverse engineering. The actual algorithm deployed at GFW can look significantly different.

jiggywiggy 2 years ago

Yeah, this was already clear 10-12 years ago.

My university vpn only worked for a few days while studying in China.

But there is this tiny little vpn software being spread around. Not sure if it's true but I remember it's falun gong teaming up with the CIA. Which at the time was able to go undetected, I think they keep rotating the IPs or something.

Was interesting how fast that tool spread "offline" between international students. Also Chinese have it but it's less known among them.

Not sure if it still works: https://en.m.wikipedia.org/wiki/Freegate

[Edit] Here is an old hn comment saying it doesn't work anymore and other options that are also hard;

https://news.ycombinator.com/item?id=10101965

password4321 2 years ago

https://en.wikipedia.org/wiki/Domain_fronting was a workaround for a while.

https://signal.org/blog/looking-back-on-the-front/ (2018) https://news.ycombinator.com/item?id=16970199

H8crilA 2 years ago

The exact reverse engineered algorithm of the GFW is on page 4. It looks very reasonable (given what they are trying to achieve with it).

The easiest bypass I can think of would be to tunnel your connections via TLS. For example socks server tunneled via SSH which in turn is tunneled via TLS to your gateway.

Or perhaps you can somehow get your SSH client to transmit "GET " at the beginning of the connection, have the server ignore those 4 bytes, then proceed as usual.

  • EGreg 2 years ago

    This is what I have a question about.

    Can China pressure every domestic company to use their certificate authority allowing them to decrypt all TLS traffic, or be blocked? And block all sites outside China?

  • nikanj 2 years ago

    If it’s over https, an outside observer has no way of knowing your stream started with a GET. Unless they’ve tapped ssl certificates, but that would be major news

    • H8crilA 2 years ago

      They are tapped into SSL certificates, those that are generated in China. Plus wherever the Chinese intelligence managed to install their "plugins".

      • throwaway290 2 years ago

        Are any of those tappable certificates still considered trusted by wider internet? Which CAs are those? They should be removed from trusted ASAP.

olodus 2 years ago

I am a total obfuscation noob. How far does their DPI go? I am guessing Tor and stuff have tried hiding it inside lots of different protocols and file types (I think I read something about that at some point). Is it to the point of hiding it as part of an HTML doc (like under a specific tag or something)? At what point do we move towards having executable JavaScript generate the encrypted text which then is decrypted?

nyolfen 2 years ago

i recall a chinese guy telling me he got around it on his PC by setting up a streaming webtop on a VPS on a foreign network that he didn't have issues accessing https://docs.linuxserver.io/images/docker-webtop

FredPret 2 years ago

This is such an own goal by China. All this useless work done suppressing the human spirit.

cynicalsecurity 2 years ago

Can you bring a Starlink and then just don't really care?

  • hughesjj 2 years ago

    Nope. Starlink shuts down over china on the satellite side. Tesla has a huge presence there and they also threatened to shoot the satellites down (which they've done before) if starlink provided internet access there

    • reaperman 2 years ago

      To clarify for readers: China has never shot down someone else's satellite. They've only destroyed one satellite ever and it was their own.

  • RocketMan9999 2 years ago

    Maybe you can, but the Chinese "VPN law" used some wording like "unauthorized communication channels" without further definition. They can just call Starlinks "unauthorized" and start confiscating them, just like what they did to the satellite dishes for receiving foreign TV signals.

Ballas 2 years ago

Seems like UDP is completely exempt, which would allow UDP-based VPNs, like Wireguard through.

SSH is also exempt...

  • Hikikomori 2 years ago

    Went to china some years ago and my pptp vpn got blocked after a day. Switched to ssh and after a day it was rate limited to basically nothing, but I could avoid that by switching port every morning.

  • sysstemlord 2 years ago

    I'd go for ssh if I was trying to bypass it. At least legally I can claim that I'm just sshing to my aws server and not be jailed for using vpn.

    • yorwba 2 years ago

      Trying to get off the hook on a technicality isn't going to work. Lots of people use VPNs completely in the open without getting jailed, because they're not otherwise of interest, but if you are being targeted, nobody is going to care about your "sshing to aws" excuse. And ssh tunneling web traffic looks quite different from normal ssh usage anyways.

      • 6LLvveMx2koXfwn 2 years ago

        > And ssh tunneling web traffic looks quite different from normal ssh usage anyways.

        Could you explain this further, this seems counter to my understanding of encrypted traffic!

        • praash 2 years ago

          I assume the timing patterns and amounts of data would likely be distinct between SSH and web. "Normal" SSH usage would mostly consist of much lighter packets, such as user keystrokes and terminal screenfuls of text. Typing tiny commands and getting a few kilobytes of output. SSH file transfers happen occasionally, sometimes with a large bulk of data.

          Active web browsing requires downloading a crapton of files with wildly different sizes and sporadic timings between them. Add normal user interaction, API requests, ad cycles, long video streams that won't max out all bandwidth, all happening at once across multiple tabs. The client also sends much more data with each TLS handshake and all those HTTP headers.

          This could probably be masked by deliberately filling idle periods with garbage data just to appear as a stable data stream both ways.

          • mcpackieh 2 years ago

            Forget using a real web browser over an SSH proxy. What about using elinks on a remote host with ssh? I bet somebody using elinks across ssh is virtually indistinguishable from somebody using a text editor.

            Not much good for images or video, but you could easily read https://text.npr.org/

        • yorwba 2 years ago

          SSH encryption only hides the content, not how much is being sent and when. When your browser fires off a bunch of requests to load a webpage, the timing is different from running typical commands on a server and receiving the output.

        • justsomehnguy 2 years ago

          Open network tools in your browser and go to Reddit, count total traffic. Now compare it with a typical SSH session, even with 'tail -f' some logs.

    • josephcsible 2 years ago

      > At least legally I can claim that I'm just sshing to my aws server and not be jailed for using vpn.

      Your mistake is assuming that China has rule of law. If you're in China and you upset Xi enough, you get jailed/disappeared even if you technically didn't break any laws on the books.

    • beardog 2 years ago

      I suspect TCP tunneling your traffic looks different than SFTP-ing some files around.

    • blablablub 2 years ago

      Using ssh for proxying is getting blocked within the first minute.

      • lsllc 2 years ago

        Could be a use case for X-Windows with ssh -X [0]? (so your web browser is actually running outside the GFW, it's just the window updates that are coming over the SSH tunnel).

        [0] https://unix.stackexchange.com/questions/12755/how-to-forwar...

        • blablablub 2 years ago

          Any ssh traffic that does not look like ssh traffic (few bytes sent to the server, some more bytes returned) gets either terminated or slowed down to a crawl.

      • speedgoose 2 years ago

        Does this mean that in addition to the classic fail2ban, geoip firewall, or forever super slow login banners, we could also have a honeypot sending a lot of data with a traffic pattern similar to web browsing?

  • blablablub 2 years ago

    Wireguard is detected within the first minute of usage and blocked. The ping is a dead giveaway.

    • Ballas 2 years ago

      Interesting. I was just going on my limited scan through the linked PDF, which evidently was not thorough enough.

  • jongjong 2 years ago

    I was told that SOCKS proxies (which let you tunnel over SSH) are popular in China. It's super easy to setup and you don't need to install anything. You just need to SSH into any Linux EC2 instance outside of your network with ssh -D $port_number $username@$hostname and change a simple setting in your browser to proxy through that node using SOCKS5. It's nice because you still control the remote host (no need to trust some third party VPN) and the traffic is encrypted between your remote host and your local host (where it counts)... Anyone snooping would just think that you're SSHing into your EC2 instance for work purposes and not realize you're using it to browse the net.

    • netheril96 2 years ago

      You were told wrong. If you use SSH as a proxy, the connection will be slowed down to a crawl very soon. GFW distinguishes this from SSH command typing by looking at the traffic. This has been in place for at least a decade.

  • WinstonSmith84 2 years ago

    that's mentioned at the end of Page 17. The author tells it's a short term solution: "This is merely a stopgap measure, as the censor can enable their censorship for UDP."

    It doesn't seem that there is any (long-term) solution to bypass the rules ...

    • reaperman 2 years ago

      It does seem like this GFW scheme can be tuned to severely degrade the reliability of any unapproved high entropy traffic. However, this single scheme doesn't cover many other types of circumvention traffic, several of which are noted in the beginning of the paper. This scheme primarily applies to "fully encrypted" traffic - not SSL/TLS, etc.

      So for now, circumvention can live on, but this explains to everyone using fully encrypted protocols exactly why their connections would have been degraded over the past couple years. In the long term, steganography will probably work well as long as users are able to endure much higher costs for traffic (low ratio of true data to apparent data) and as long as the steganographic systems are effective at hiding any statistical fingerprints (very difficult). Protocol mimicry is another strategy, but a paper cited in this work details why successful protocol mimicry is very difficult.[0]

      Attempts to disguise circumvention traffic as typical traffic are very difficult, because a lot of fingerprinting information can be gleaned from handshakes and headers. The draw of fully encrypted traffic is that it provides very little variation which can be used to fingerprint and classify different types of usage. However, it's also easy to detect and block en masse -- that much is obvious, but this paper does a great job of showing how China does it, and inferences can be made from that to provide a view into China's priorities (how much cost they're willing to incur, what rates of false positives they feel are acceptable). Overall, China's blocking currently appears to be fairly conservative here, with relatively low rates of false positives.

      In wider context, China is constantly updating their detection schemes, they're quite competent at it, and anything which doesn't match typical traffic is at risk.

      0: https://people.cs.umass.edu/~amir/papers/parrot.pdf

      • blablablub 2 years ago

        All https traffic to servers outside of china gets slowed down to a crawl after the first MB of sent data.
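What "unapproved high entropy traffic" and "not SSL/TLS" in reaperman's comment mean in practice, as an added example that is neither the paper's code nor anything the GFW runs. It computes the kind of features a censor can get from the first client packet of a TCP flow: a cheap entropy proxy (average set bits per byte), printable-byte structure, and known plaintext protocol prefixes. Every threshold below is an assumption for this example, not a value quoted on this page, and all sample packets are constructed:

```python
"""First-packet heuristics for 'fully encrypted' (random-looking) traffic.

Added example; not the paper's code and not the GFW's. It computes the kind of
features a censor can get from the first client packet of a TCP flow: a cheap
entropy proxy (average set bits per byte), printable-byte structure, and known
plaintext protocol prefixes. All thresholds are ASSUMPTIONS for this example,
not values quoted on this page, and the sample packets are CONSTRUCTED.
"""
from typing import Dict, List

POPCOUNT_LOW, POPCOUNT_HIGH = 3.4, 4.6   # assumed window for "looks like ciphertext"
PRINTABLE_FRACTION = 0.5                 # assumed
PRINTABLE_RUN = 20                       # assumed
PRINTABLE_PREFIX = 6                     # assumed
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def avg_popcount(data: bytes) -> float:
    """Set bits per byte: ciphertext sits near 4.0, text and padding do not."""
    return sum(bin(b).count("1") for b in data) / len(data)


def longest_printable_run(data: bytes) -> int:
    best = run = 0
    for b in data:
        run = run + 1 if is_printable(b) else 0
        best = max(best, run)
    return best


def known_prefix(data: bytes) -> str:
    # TLS record: content type 0x16 (handshake), version 0x03 0x00..0x03
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        return "tls"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return ""


def exemptions(first_packet: bytes) -> List[str]:
    """Reasons this packet would be left alone; an empty list means 'suspect'."""
    if not first_packet:
        return ["empty"]
    reasons = []
    if not (POPCOUNT_LOW <= avg_popcount(first_packet) <= POPCOUNT_HIGH):
        reasons.append("popcount-outside-window")
    if len(first_packet) >= PRINTABLE_PREFIX and all(map(is_printable, first_packet[:PRINTABLE_PREFIX])):
        reasons.append("printable-prefix")
    if sum(map(is_printable, first_packet)) / len(first_packet) > PRINTABLE_FRACTION:
        reasons.append("mostly-printable")
    if longest_printable_run(first_packet) > PRINTABLE_RUN:
        reasons.append("long-printable-run")
    proto = known_prefix(first_packet)
    if proto:
        reasons.append("known-prefix:" + proto)
    return reasons


def verdict(first_packet: bytes) -> str:
    return "allow" if exemptions(first_packet) else "suspect-fully-encrypted"


# Constructed samples. CIPHERTEXT is hand-built to have ciphertext-like bit density
# (average popcount 129/32 ~= 4.03) with no plaintext structure; it is not the
# output of any real cipher.
CIPHERTEXT = bytes.fromhex(
    "879e07c3d5914be33383f46a1f0b2d89ae561371b6c14b8f19339e07a5d5c36a")
SAMPLES: Dict[str, bytes] = {
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "tls": bytes.fromhex("160301008c010000880303") + CIPHERTEXT,   # ClientHello header + 'random'
    "ssh_banner": b"SSH-2.0-OpenSSH_9.3\r\n",
    "ciphertext": CIPHERTEXT,
    "zeros": bytes(32),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} popcount={avg_popcount(pkt):.2f} -> {verdict(pkt)} {exemptions(pkt)}")
```

Note two outcomes. The SSH banner passes, because the first packet of an SSH connection is printable plaintext; that is consistent with the thread, where SSH itself is not what gets blocked and tunnelling over it is caught by traffic-shape analysis instead. And the all-zero packet passes too: a filter tuned to random-looking bytes is one-sided, which is exactly the gap that mimicry and steganography try to live in, and also why the same filter has few false positives on ordinary protocols.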

    • throwawayadvsec 2 years ago

      steganography?

      • Ballas 2 years ago

        Hiding the encrypted messages so that it looks like other normal traffic. Like encoding your encrypted message (subtly) in the pixels of an image (like noise).

  • lordnacho 2 years ago

    Why would they let that happen? Doesn't seem to make any sense to me if it's how you describe it.

    • Ballas 2 years ago

      Yes, that is why I also found it interesting. As to their motives - I cannot comment.

kurtoid 2 years ago

They say UDP is never blocked, so would Wireguard work?

seanmcdirmid 2 years ago

I mentioned this a few years ago (maybe 7-8 years ago) on HN when I was told everyone just uses a VPN. Even back then, the cat and mouse game was annoying. You would purchase a VPN (plenty offered), pay a year subscription, and then it would go dark a couple of weeks later (sort of like a membership at a gym that closes down a week after you renew a year subscription). I gave up quickly on outside access, though we had a line out at work so it wasn’t that bad.

cookiengineer 2 years ago

But does the paper imply that something like chunked encoding smuggled HTTP requests with an encrypted payload after the second chunk would work?

That is, assuming entry nodes are available as e.g. nginx proxies inside the Chinese ASNs and are allowed to operate serving websites to ASNs from foreign countries.

I'm mentioning nginx because there were some related bypass vulnerabilities in the past, and one could argue that they just missed updating them.

  • blablablub 2 years ago

    Tried that... done that... blocked. The last rule of the GFW is: If you don't know what this traffic is or it looks suspicious, block it.

euix 2 years ago

I always wondered where the talent and technical expertise inside China for manning and refining the GFW comes from and how many people it feeds - it seems at this point like family planning, an agency so big it exists simply to perpetuate and provide livelihood to a host of people. Also how much truth is there to the statement that Cisco helped setup the GFW for China in the 90's?

ballenf 2 years ago

Would a steganographic hiding of payloads be possible and usably efficient inside permissible content/protocols? Has it been tried?

  • gruez 2 years ago

    That would require mimicking an existing protocol, and as per the paper that's non-trivial

    >Houmansadr et al. [39] conclude that mimicking a protocol is fundamentally flawed and suggest that tunneling through allowed protocols be a more censorship-resistant approach. Frolov and Wustrow [35] demonstrate that even when a tunneling approach is used, it still requires effort to perfectly align protocol fingerprints with popular implementations, in order to avoid blocking by protocol fingerprints. For instance, in 2012, China and Ethiopia deployed deep packet inspection to detect Tor traffic by its uncommon ciphersuites [44, 55, 67]. Censorship middlebox vendors have previously identified and blocked meek [29] traffic based on its TLS fingerprint and SNI value [28].

apatheticonion 2 years ago

Given HTTPS traffic is mostly permitted, could one obfuscate VPN traffic over http/3 (which I believe is UDP)?

  • netheril96 2 years ago

    Indeed a whole class of GFW bypassing tools are now based on masquerading as HTTPS. Trojan (TCP only), Vision (TCP only), Hysteria (UDP), just for some examples.

  • trallnag 2 years ago

    Could China implement a MitM proxy for HTTPS traffic like many companies do?

    • nikanj 2 years ago

      No.

      Companies get around ssl issues by minting their own root CAs and configuring their workstations to trust them. China has no (technical) way of forcing you to trust their root CA

      • gruez 2 years ago

        >China has no (technical) way of forcing you to trust their root CA

        That might be true, but "install our root CA or you can't access websites" would get most people to do it.

GartzenDeHaes 2 years ago

> 1 security vendor flagged this URL as malicious

https://www.virustotal.com/gui/url/f530591ff939e09c1cf8bc534...

beebmam 2 years ago

Deeply unethical stuff. Why are Chinese people not currently trying to overthrow this garbage?

  • mrguyorama 2 years ago

    Because "Everybody does it and gets away with it", as seen in this very comment section, so it doesn't actually put much pressure on the public as far as they are concerned.

    Also, "it's done for social harmony"; Very few places are as dogmatically hostile towards social good as the US, and are willing to make individual liberty sacrifices so that everyone may be better off. Arguably this is the same rhetoric or philosophy as the "Thin blue line" American cops love.

    Also, your average chinese person just doesn't care to see english language media that much. They have diverse (to them) opinions and culture on their homegrown social media systems, and don't feel a need to leave the walled garden of Chinese internet much in the same way most westerners do not feel the need to join Russia's social media apps.

    Also, the CCP "brought millions out of poverty" within living memory. Many people there feel that justifies a hell of a lot of vaguely "bad" actions, or makes it way easier to rationalize things.

  • gruez 2 years ago

    The threat of you and your family members getting sent to a labor camp is a good incentive.

  • edvards 2 years ago

    Pragmatism, I suppose. The country does well enough economically for people to accept it, not to mention they're used to it all already.

metajs 2 years ago

GFW has always been a big issue: first with github, where you can only clone a repo at ~20kb/s; then apt, yum, homebrew, some ultra slow, some just blocked. Nowadays I have already put a lot of effort into how to bypass it.

userbinator 2 years ago

As a result of such blocking, I suspect steganographic techniques are only going to become more popular over time.

anovikov 2 years ago

I wonder what can be done about detecting data hidden within video streams in a steganographic way.

JoeAltmaier 2 years ago

So now we have to embed encrypted traffic in innocuous plaintext envelopes?

It's like the cold war.

j-a-a-p 2 years ago

With Youtube blocked, the Chinese are not being bombarded with VPN advertisements

DeathArrow 2 years ago

What kind of websites does China block?

ck2 2 years ago

How long do you figure until the first public execution for using starlink?

And yet we can never cut them off because it would be economic suicide.

dylanzhangdev 2 years ago

https://news.ycombinator.com/ needs a VPN; https://hckrnews.com/ does not need a VPN. I use a VPN to write this comment. My VPN is $90/year, paid with USDT. It is good; watching Netflix/YouTube is fast.

baybal2 2 years ago

On the other hand, this shows GFW authors are more and more considerate of the collateral damage, which is a surprise. It seems GFW has indeed become good enough to frustrate casual users to trigger uproar when windows update, or AWS ip ranges go belly up, or something.

VPN authors should choose the maximum collateral damage strategy to frustrate GFW authors, make China as close as possible to completely cutting off outside internet. No need to completely evade fingerprinting, instead, do the complete opposite, and try to mimic common protocols, and critical applications as much as possible.

  • ixwt 2 years ago

    From my understanding, this is what TOR did for some time. They tried to make it look as close as possible to HTTPS.
