China's Great Firewall to crack down on unofficial VPNs – state-approved net connections only The Chinese government has started an 18-month crackdown that will require all VPN providers to seek government approval for their activities if they want to stay in business. The news, announced by the Ministry of Industry and Information Technology on Sunday, says that the market for services that bypass the content filters …
Expect Theresa May to take this line too.
Fortunately for us in the UK, the government famously identified VoIP as being the technology used to bypass ISP blocking etc, so until they get that right, we are pretty safe...
https://www.theregister.co.uk/2015/01/27/how_peers_failed_to_sneak_snoopers_charter_into_terror_bill/?page=2
Lord Blair said:
"All the different apps for phones mentioned by the noble Lord, Lord King, along with all the other services, are increasingly being used across the internet via something I now know more about than I ever wanted to – a system known as VoIP, the Voice over Internet protocol.
This makes all those transmissions untraceable. I will not specify them, but they are being used in methodologies that members of this House will be using most days."
"They will also have to demonstrate to the Institute of Computing Technology of the Chinese Academy of Sciences that they have hardened up the security of their services to deal with current internet threats."
Where only IPSEC vpns will work on the mainland since SSL vpns are too hard to crack and inspect packets and therefore dropped.
I ain't calling out the regime on hypocrisy. Wait, looks as if i am.
It's okay. I have that issue too, but work around it like this: my country spies on me and other people without their consent in the name of the NSA and I do not approve nor condone this. Same thing with The Great Firewall, I do not approve of it, yet I cannot do anything about it. At least in the US I can join a group of dissenters and work against the over-reaching access of the NSA, and other orgs, in the open without fear of being hunted down and threatened with military action for doing so. Not so in China. Even our backwards dislike for people who legitimately "blow the whistle" on questionable activities by orgs that think themselves above the law is better than a totalitarian regime hell-bent on making it look like a democracy to outsiders.
I'm sure we Americans look weak and silly to a nation of people so completely enslaved by their government they cannot even think about alternatives, let alone see pictures and read text about such abominations. The real weakness is being complacent about the dirty tricks being played on you and every other citizen that turns a blind eye to Big Brother. Whatever nation he hails from.
I'm sure we Americans look weak and silly to a nation of people so completely enslaved by their government they cannot even think about alternatives, let alone see pictures and read text about such abominations.
I wouldn't be too confident - we are already at the point where pissing of the wrong person can lead to IRS or other trouble.
We are mostly free to protest at this point, but those rights are being steadily eroded.
You have an SSL VPN that works inside China?! :O
Seriously, it's a machine learning firewall. It's documented that several years ago you could open an SSH tunnel on a random port, pad all that packets to be at least 1200 bytes (removes some fingerprinting functionality), and the damn thing would crack down within 24 hours and block further connections.
If you have a VPN that actually works over there, I'd love to hear about it. You might also be interested in a bridge I own in Brooklyn...
for a while, the Kindle/paperwhite/Voyage 3G using perma-licensed Amazon "whispernet" & experimental-mode browsing could get 50 megs of data a month through the GFW. I'm sure the regime was aware, but recognised it as a limited 'foreign-devil' type problem therefore not that serious.
This map shows it is fairly localised 'free 3G' http://client0.cellmaps.com/tabs.html#cellmaps_intl_tab
not much coverage in Uyghur areas, probably not many Amazon Prime accounts there either. . .
"Genuinely curious as to what is stopping someone renting a VPS with an SSL VPN on it that's hosted outside Middle Kingdom? How would it be any different than a visitor from abroad using their corporate Juniper SSL VPN or DirectAccess tunnel?"
One difference might be that someone living in China could find they start facing problems when attempting to pay for or use a "banned" service provided from outside China. In practice the authorities only need to hint that using external "unauthorised" VPNs could get you into serious trouble for it to deter those who might otherwise be politically active. And this is probably one of the main goals.
The GFW performs Deep Packet Inspection (DPI) on all connections. Tor Project has some detail https://blog.torproject.org/category/tags/gfw but basically a HTTPS/TLS handshake looks slightly different to an SSL handshake used for VPNs, and that difference is enough for the connection to be noticed, and dropped.
Cisco's IPSec is allowed through the GFW though. The development of Open Source Cisco IPSec equivalents might cause this to change in the future though.
VPN providers need to obfuscate the initial connection handshake as well as everything afterwards. Some can do that, other's fail. I found I needed to pay for 2-3 providers, as they would randomly be knocked offline, and then brought back with different IPs and strategies to defeat the DPI.
To be honest, it's only really an issue for expats now. The GFW is so effective, and the Chinese alternatives to western web services are better in most cases for local Chinese people, that most locals don't care about the GFW; they're perfectly happy with the Chinese Internet.
I honestly this was the policy, official or otherwise, for a while now. It's been well known for some time that there are only 3 major VPN providers that work inside China. And there's nothing special about their configs, technically, so it would not be a surprise to learn that they've been sharing data with the Chinese security apparatus, wittingly or not.
Since they're already doing this (de facto poicy), and they've already announced this in 2015... there doesn't seem to be anything to this at all, except an attempt at raising awareness.
...without pesky internet users getting information from the outside world.
Like the fact that the Tiananmen Massacre was a Western media scam according to Chinese search engine Baidu.
“Until they became conscious they will never rebel, and until after they have rebelled they cannot become conscious.”
George Orwell, 1984
WIth the Protonmail story last week, I said it'll end up (in the UK at least) that VPN's would be barred by the ISP unless you could produce a certificate to use the service like you would do with a gun license.
I am very, very sorry that I suggested this could happen, because it's obvious the Chinese Government read the comments section on these articles on El Reg.
I really, really am sorry x
consider that in Sweden in the 1950's the (forerunner to) Försvarets radioanstalt had wired up a surprisingly large percentage of homes to a centralised morse code click detection system. They were looking for HF transmissions, heading eastwards. This was sort-of a great RF Firewall. Nowadays achieved by a few SDRs e.g. http://hackgreensdr.org:8901/
What is the budget for the creation of your stegano compared to the budget that will be deployed against you?
"consider that in Sweden in the 1950's the (forerunner to) Försvarets radioanstalt had wired up a surprisingly large percentage of homes to a centralised morse code click detection system. They were looking for HF transmissions, heading eastwards. This was sort-of a great RF Firewall. Nowadays achieved by a few SDRs e.g. http://hackgreensdr.org:8901/"
And what's that got to do with the price of tea in...ahem, China, given steganography is meant to disguise one type of traffic as less suspicious traffic?
His point is that your solution is unlikely to be able to keep up with the resources of the Chinese state machinery employed to prevent VPN connectivity.
This post should be of interest to you: http://blog.zorinaq.com/my-experience-with-the-great-firewall-of-china/
Padding packets over an SSH tunnel on a random port worked in early 2016... for a day or so at a time.
So they're eventually getting down to a full-fat ban on all unsanctioned encryption (VPN, SSH, whatever), and all sanctioned encryption can be backdoored or is in key escrow. What the blog says is pretty soon they'll just whitelist all external connections, and it'll be pretty hard to defeat it since it's hard to obfuscate all tells.
We must get a tighter grip on availability of information to the peasants.
If they knew what they don't know, the world might break out in peace and tranquility.
How can we maintain power over the masses if they are educated in the ways of the world, what doom shall fall on the privileged heirs of Empires Wealth and Lineage.
If all else fails we must tear down this Internet of decent to protect ourselves.
<end inside voice of wannabe gods in China>
"If they knew what they don't know, the world might break out in peace and tranquility."
Whatever medium carries factual news - then it will also be able to carry biased propaganda.
It is human nature for people to believe what they want to believe - it is not usual for most people to seek out a balanced opinion. It is apparently a sign of intelligence to be able to entertain two opposing views in your mind at the same time. Most people prefer to ignore the inconvenient one - it is then Someone Else's Problem.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
