China upgrades Great Firewall to defeat censor-beating TLS tools
Just in time to ensure nobody can disagree that giving Xi five more years as president is the best idea ever
China appears to have upgraded its Great Firewall, the instrument of pervasive real-time censorship it uses to ensure that ideas its government doesn’t like don’t reach China’s citizens.
Great Firewall Report (GFW), an organization that monitors and reports on China’s censorship efforts, has this week posted a pair of assessments indicating a crackdown on TLS encryption-based tools used to evade the Firewall.
The group’s latest post opens with the observation that starting on October 3, “more than 100 users reported that at least one of their TLS-based censorship circumvention servers had been blocked. The TLS-based circumvention protocols that are reportedly blocked include trojan, Xray, V2Ray TLS+Websocket, VLESS, and gRPC.”
Trojan is a tool that promises it can leap over the Great Firewall using TLS encryption. Xray, V2Ray and VLESS are VPN-like internet tunneling and privacy tools. It’s unclear what the reference to gRPC describes – but it is probably a reference to using the gRPC Remote Procedure Call (RPC) framework to authenticate client connections to VPN servers.
GFW’s analysis of this incident is that “blocking is done by blocking the specific port that the circumvention services listen on. When the user changes the blocked port to a non-blocked port and keep using the circumvention tools, the entire IP addresses may get blocked.”
Interestingly, domain names used with these tools are not added to the Great Firewall’s DNS or SNI blacklists, and blocking seems to be automatic and dynamic.
“Based on the information collected above, we suspect, without empirical measurement yet, that the blocking is possibly related to the TLS fingerprints of those circumvention tools,” the organisation asserts.
An alternative circumvention tool, naiveproxy, appears not to be impacted by these changes.
Earlier in the week, Great Firewall Report also posted analysis asserting China has barred google.com and all of its subdomains.
Which is an odd thing to say given that China started blocking Google in 2010 and Greatfire.org, another service that monitors China’s internet censorship, says Google and its online services, including YouTube and Google.com, are 100 percent blocked in China, and have been blocked for ages. Google.cn redirects to Google.com.hk in Hong Kong, but even that .hk domain is blocked these days in mainland China along with the .com.
It’s also hard to reconcile Great Firewall Report’s assertion and Google’s decision from earlier this week to discontinue availability of its online translation service in China due to Beijing's censorship.
Inconsistencies aside, Great Firewall Report asserts it has spotted a new effort to suppress access to Google.
“The censors,” we’re told, “first started Server Name Indication (SNI)-based censorship on google.com and *.google.com on Thursday, September 22, 2022, sometime between 6:23 AM and 7:33 PM Beijing Time (UTC+8). Specifically, the censor looks for SNI values in Transport Layer Security (TLS) ClientHello messages, and when a SNI value matches the blacklist rules, the censor sends forged TCP RST packets to tear down the connections.”
Eight days later, domain name system filtering kicked in to block queries and hamper access to any Google domain. Great Firewall Report believes 1,147 google.com domains are now blocked in China – even though they were probably blocked already in some way or another. This may be another or updated filtering mechanism deployed by Beijing.
SNI, for what it's worth, is used by browsers connecting to a web server using TLS (HTTPS) to specify the domain of the website the user wishes to visit. A server can handle multiple sites from one IP address, and SNI is used to select the site the person wants. SNI is typically sent non-encrypted, prior to the establishment of encryption between the browser and server, so it's ripe for government snoops to detect and use to censor unwanted connections.
It’s not hard to guess why China might have chosen this moment to upgrade the Great Firewall: the 20th National Congress of the Chinese Communist Party kicks off next week. The event is a five-yearly set piece at which Xi Jinping is set to be granted an unprecedented third five-year term as president of China.
The Congress takes place amid a slowing economy, and strict zero-COVID policies that have frustrated China’s citizenry. While dissent has been limited to occasional online rumblings, China will not want its internet to carry anything other than good – no, brilliant! – news of the Congress to its people. ®