VPN ban makes for nervy times behind Great Firewall

Multinationals and foreign web users based in China started to get jittery on Wednesday after pictures began circulating on the internet which suggested a new clampdown on the use of virtual private networks (VPNs). While VPNs in the Western world are more commonly used to enhance security, for netizens-in-the-know living in the People’s …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    SSL VPN through Port 443

    ... and they're going to block that how exactly?

    1. The BigYin

      Re: SSL VPN through Port 443

      Or a reverse SSH proxy on the same port. Or TOR or some-new-thing-I-have-not-heard-of-yet.

      How China expects remote workers to operate without VPN is a mystery to me. Do they expect corporate LANs to be publicly accessible or something?

      1. Ben Tasker

        Re: SSL VPN through Port 443

        Or a reverse SSH proxy on the same port. Or TOR or some-new-thing-I-have-not-heard-of-yet.

        Kind of what I was thinking, block VPN and something else will get used instead. Based on comments further down it looks like the previous 'VPN Block' was simply a case of blocking the IPs of the popular VPN providers rather than based on any kind of protocol, so getting hold of a VPS in another country and running OpenVPN or somesuch would have got around that...

      2. PM.

        Re: SSL VPN through Port 443

        Yes, please open your LANs. No need to be afraid of anything.

        Signed: People's Liberation Army

        1. Danny 14

          Re: SSL VPN through Port 443

          I imagine they will simply block the protocols (IKE, L2TP, GRE, etc.); simply blocking port 500 etc. will be fruitless, as people will simply change the port (80? 443?)

          1. GettinSadda
            Unhappy

            Re: SSL VPN through Port 443

            Virtually impossible to block - but easy to ban.

            There are unlimited ways to sneak a VPN through disguised as allowed traffic, but if the punishment for getting caught doing so is high enough, few will take the risk.

            This is a really dangerous situation and I wish western politicians would do something to prevent it - unfortunately I actually expect they are taking notes on how to do similar over here!

      3. Anonymous Coward

        Re: SSL VPN through Port 443

        TOR would be great, but China had been blocking the public access nodes. They've recently started blocking the not-so-public ones too though.

        Apparently.

        So I've been told.

        /anon because etc etc

    2. JimC
      FAIL

      Re: SSL VPN through Port 443

      They don't need to block it. They just send a man round if they find you using it. Try bypassing any security structure from a room with steel bars for windows.

    3. Androgynous Crackwhore
      Paris Hilton

      Re: SSL VPN through Port 443

      Why is the consensus that this would be difficult/impossible to filter?

      Just block all international SSL/TLS traffic and port 443. No?

      No doubt dear party officials could be whitelisted, should they need to use Paypal or to pass CC details securely to some pr0nsite.

      No doubt the next step in the privacy/censorship race would be base64enc ciphertext over plain http on port 80 - which could be a tad more tricky to filter? Deep packet inspection & heuristics at least?

      Or am I having a Parisian episode? (Has been known)

      1. Ken Hagan Gold badge

        Re: SSL VPN through Port 443

        "Why is the consensus that this would be difficult/impossible to filter?"

        Probably because this is a tech site, populated by people who know that simply blocking as you describe would (a) fail to prevent VPNs using any other method, and (b) succeed in knocking out vast chunks of the web.

        You, however, appear to be one of the few who realise that the Chinese authorities are *not* tech experts and therefore, knowing neither of these things, will quite happily do just this and not care about who is inconvenienced.

        At least, until the effects on the Chinese economy become clear. Perhaps by then it will be too late. If China makes itself unsafe or unsuitable for business, there are plenty of other countries who will happily step into the gap. The world is not short of poor countries. This doesn't have to be the Chinese Century. It could instead be yet another century in which China screws over its own people and achieves bog all of historical note.

        1. Anonymous Coward

          Re: SSL VPN through Port 443

          Do you really think the Chinese politicians go about blocking the internet without consulting their own expertise, i.e. the likes of Huawei?

          Trust me, they know what they are doing. If the attempts to block seem lame it's because the intention is to instill fear rather than actual blocks that would hurt the Chinese economy.

        2. Yet Another Anonymous coward Silver badge

          Re: SSL VPN through Port 443

          Or the solution to doing business is simply to have a Chinese government person on your board as a non-exec "advisor" and then your company's traffic isn't a problem.

          Just like you need ex-ministers on your board here to "advise you" on how to get govt IT contracts.

          1. Charles 9

            Re: SSL VPN through Port 443

            Just curious, because I would think if China really REALLY wanted to see everything, they would simply block all encrypted and obfuscated traffic except from whitelisted (as in known government) addresses, which would be verified through the GFW. Then you knock out most of the possible avenues right off the top including TOR, Freenet, and VPNs. And any attempt to stego would probably stick out like a sore thumb in the age of raw binary transmissions, most of which has SOME formatting which can then allow it to be DPId, unless of course it's encrypted which would automatically make it suspect (even program code is formatted, so that's not an excuse).

            1. Eddy Ito

              Re: SSL VPN through Port 443

              "And any attempt to stego would probably stick out like a sore thumb in the age of raw binary transmissions"

              I think considering how much constant traffic there is in gaming and video streaming, like PPS or QQLive, that it wouldn't be too hard to establish a hidden vpn amongst the "peers" including machines across the wall. Transferring multiple concurrent streams would even allow one time pads for a tweaked video codec that plays fine otherwise and the poor net watchers would probably vomit after watching a few hundred hours of kittens playing and stupid pet/human tricks.

    4. Anonymous Coward

      Re: SSL VPN through Port 443

      Firewalls can inspect traffic and while the port used is used for HTTPS, the characteristics of the traffic are not. They could also do SSL offloading and thus the encryption is between you and the great firewall proxy. Then the traffic is clear text for their inspection.
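
The point in the comment above, that traffic on port 443 can be told apart from HTTPS by its characteristics, shown as an added example (not part of the original thread): a Python check an egress monitor could run on the first client payload of each TCP/443 flow. The function names and sample payloads are constructed for illustration.

```python
import struct

# OpenVPN opcode 7 (P_CONTROL_HARD_RESET_CLIENT_V2) << 3, key id 0
OPENVPN_HARD_RESET_V2 = 0x38
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"CONNECT")


def classify_first_bytes(payload: bytes) -> str:
    """Label the first client-to-server payload of a TCP/443 flow."""
    if len(payload) < 6:
        return "too-short"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte record length; a new session starts with handshake type 0x01.
    if payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        (record_len,) = struct.unpack("!H", payload[3:5])
        if 0 < record_len <= 16384 and payload[5] == 0x01:
            return "tls-client-hello"
        return "tls-malformed"
    if payload.startswith(b"SSH-"):
        return "ssh-banner"
    # OpenVPN over TCP prefixes each packet with a 2-byte length.
    (pkt_len,) = struct.unpack("!H", payload[:2])
    if payload[2] == OPENVPN_HARD_RESET_V2 and pkt_len == len(payload) - 2:
        return "openvpn-tcp"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "plain-http"
    return "unknown"


def non_tls_flows(flows):
    """Return (flow_id, label) for every flow that is not a TLS ClientHello."""
    labelled = [(fid, classify_first_bytes(data)) for fid, data in flows]
    return [(fid, label) for fid, label in labelled if label != "tls-client-hello"]


# Constructed sample payloads (not captured traffic), all addressed to port 443.
SAMPLE_FLOWS = [
    ("flow-1", bytes.fromhex("16030100050100000100")),          # truncated ClientHello
    ("flow-2", b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("flow-3", bytes.fromhex("000e38") + bytes(8) + bytes(5)),  # OpenVPN hard reset
    ("flow-4", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for fid, label in non_tls_flows(SAMPLE_FLOWS):
        print(fid, label)
```

A flow that completes a genuine TLS handshake passes this check whatever it carries afterwards, which is why the comment also mentions terminating the TLS session at the proxy.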

  2. Anonymous Coward

    Hello from the Other Side of the GFW

    This was a notice at one particular business centre, so there's no indication that there's a trend of it happening. Certainly not in my workplace (tech company in a big office complex)... yet.

    Internet access got pretty bad (crappy ping times, mega-variable DL speeds) during the party conference, with much internet traffic being routed through Beijing (according to business owner colleagues of mine in another city, where all of his visitors were coming from Beijing for that week).

    And a completely unscientific poll of expat drinking buddies shows that some of us have had VPN troubles since the party conference too, with some of the foreign IPs simply becoming no longer available.

    Required viewing - http://www.ted.com/talks/michael_anti_behind_the_great_firewall_of_china.html

    /anon for obvious reasons

    /message sent encrypted via Hong Kong

    1. Anonymous Coward

      Re: So presumably.....

      Publicly available, expat type VPN services were unavailable while corporate VPN continued to work? If China ultimately wants to be both open to business and largely closed to VPN, the only way I can see for them to achieve this would be to allow companies to register their "legitimate" VPN services.

      1. Anonymous Coward

        Re: So presumably.....

        Companies' VPNs are, apparently, working still. They're well aware of what people do here. And they know full well that some Chinese have FB accounts.

        Come to think of it, the Chinese gov aren't so bothered about foreigners accessing their foreign stuff: it's more about the locals getting foreign stuff. So in cities like Beijing, Shanghai, and Shenzhen where there are lots of foreigners, you get locals who have FB accounts so they can be online friends with their foreign coworkers. Something the gov really doesn't like at all!

        /anon because etc etc

    2. Nol
      Black Helicopters

      Re: Hello from the Other Side of the GFW

      "there's no indication that there's a trend of it happening"

      Well not exactly like that but I was unable to use my VPN service and got this message:

      "Dear Clients,

      Recently, China had blocked VPN Ports and it had affected almost all the VPN providers but our Services were working fine until yesterday. "

      Luckily they were onto it and within a day I had downloaded updated configuration files and everything is back to normal.

      The Chinese government is determined to play whack-a-mole with the VPN services but as some posters have pointed out if they come knocking at my door then my days of unrestricted web access are over. If they successfully shutter the internet here then it's only a matter of time before a freedom loving government near you decides to follow suit.

      We don't just live in interesting times - we live in dangerous times too.

  3. This post has been deleted by its author

  4. Anonymous Coward

    Good 'ole China!

    I don't think I'd be sane living in a country that is so restrictive. I thought the nutters in the UK were bad enough! Not that our government is any better. I live in a world of the mentally ill!

    1. Anonymous Coward

      'ole

      I'm curious as to what letter(s) you have removed from that word to require an apostrophe at the front?

      Usually 'ole = hole..

      Sole? Dole? Pole? Surely not...?

    2. Anonymous Coward

      "Not that our government is any better"

      Really? Really??? Just stop and think for a minute. Christ on a stick, UK citizens have more freedoms than they know what to do with.

  5. Anonymous Coward

    Guilty

    After joining our Beijing office to the corporate VPN mesh the first thing I told the local IT guys was the IP and port of the corporate proxy servers in UK and US datacenters. Obviously just so they could access the corporate intranet.. cough!, cough!

    It's perfectly possible to encapsulate VPN traffic within ICMP packets, if they aren't doing any type and content checking on the ICMP protocol.

    1. Charles 9

      Re: Guilty

      Don't put it outside possibility they're tracking or throttling ICMP. After all, there's little legitimate use for high-bandwidth ICMP, is there?
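
The kind of ICMP tracking this reply refers to, as an added example (not part of the original thread): a Python pass over echo request/reply records that flags host pairs whose ICMP traffic looks like bulk data rather than reachability tests. The thresholds, record layout and sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

ECHO_TYPES = {0, 8}  # ICMP echo reply / echo request


def flag_icmp_pairs(packets, window_s=60, max_bytes_per_window=20_000,
                    normal_payload=64, max_oversize_ratio=0.5):
    """Return {(host_a, host_b): [reasons]} for suspicious echo traffic.

    packets: iterable of (timestamp_s, src, dst, icmp_type, payload_len).
    Thresholds are illustrative; common ping tools send 32 or 56 byte payloads.
    """
    window_bytes = defaultdict(int)        # (pair, window index) -> payload bytes
    counts = defaultdict(lambda: [0, 0])   # pair -> [echo packets, oversized packets]
    for ts, src, dst, icmp_type, plen in packets:
        if icmp_type not in ECHO_TYPES:
            continue
        pair = tuple(sorted((src, dst)))   # both directions count as one pair
        window_bytes[(pair, int(ts // window_s))] += plen
        counts[pair][0] += 1
        counts[pair][1] += int(plen > normal_payload)

    flagged = {}
    for (pair, _window), total in window_bytes.items():
        if total > max_bytes_per_window:
            reasons = flagged.setdefault(pair, [])
            if "volume" not in reasons:
                reasons.append("volume")
    for pair, (seen, oversized) in counts.items():
        if oversized / seen > max_oversize_ratio:
            flagged.setdefault(pair, []).append("oversized-payloads")
    return flagged


def sample_packets():
    """Constructed records: one ordinary ping exchange, one bulk echo stream."""
    pkts = []
    for i in range(4):                     # 4 pings with 56-byte payloads
        pkts.append((i, "10.0.0.5", "192.0.2.10", 8, 56))
        pkts.append((i + 0.02, "192.0.2.10", "10.0.0.5", 0, 56))
    for i in range(40):                    # 40 KB of echo payload in 20 seconds
        pkts.append((i * 0.5, "10.0.0.7", "198.51.100.20", 8, 1000))
    pkts.append((5, "10.0.0.5", "192.0.2.10", 3, 500))  # unreachable: ignored
    return pkts


if __name__ == "__main__":
    print(flag_icmp_pairs(sample_packets()))
```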

  6. Charles 9
    Stop

    I'm surprised they haven't just banned all use of encryption already, with stiff penalties for its use and that of steganography. The firewall would probably filter out plaintext stego by scrubbing HTML and plaintext (enforce single whitespacing) and sniff binaries to make sure they're not hiding things within.

    1. Marvin the Martian
      Stop

      Why would stego be in HTML or whitespace?

      Play a video, and hide in each cell bits of your message. Perfectly viewable with little image degradation, if you don't overdo the stego-vs-overall content ratio.

      1. Charles 9

        That's the next step. Re-encode and alter any videos and images submitted through the firewall, to possibly mangle any stegos hidden within. The ones robust enough to withstand the alterations are probably more likely to be picked up with statistical analysis or image manipulation.

  7. Justicesays
    Headmaster

    Precipitous, I do not think that means what you think it means...

    "the precipitous nature of doing business in China"

    Should this be "precarious" by any chance.

    Unless doing business in China was a sudden and dramatic turn for the worse of course.

    1. Anonymous Coward

      ?

      Hi. I'm the friendly question mark. I do not think you know what I am for.

      1. Anonymous Coward

        Re: ?

        Not needed if rhetorical.

        1. Anonymous Coward

          Re: Rhetorical

          I don't agree, but in any case that wasn't a rhetorical question.

  8. kyza

    Orwellian sounding “Jinan City Internet Monitoring Team”

    Hmm. Orwellian would be something like:

    'Jinan City Ministry for Digital Freedom'

  9. Maikol

    Consider this

    Consider this, VPN to your corporate concentrator, RDP or VNC to a VM, launch browser on remote machine, visit any site you want.

    How would they go about blocking that besides blocking the actual protocols? I don't know if they would go to the lengths of deep inspection of RDP/VNC traffic and then extracting HTML tags from that.

  10. JaitcH
    Go

    What's the problem with a Sat Data Terminal?

    There are a plethora of satellite data terminals, portable and fixed, which can be hand carried in to China - you can claim they are engineering samples to get quotations for production - using all manner of carriers.

    The only precautions you need to take: Make sure any dish antennae are small and split into pizza slices (even the dumbest China Customs guys can spot an uncollapsed dish); and make sure the antenna is mounted discreetly on a balcony or window ledge.

    Broadband speeds are easily achievable.

  11. Anonymous Coward

    How does this work for corporates

    I don't live in China and am just asking as I'm sure someone on here will know the answer. What happens if your company has VPNs between regional offices and China and just happens that the internet traffic is broken out in the UK or US?

  12. Anonymous Coward

    ?????????????????????????????????????????????????

    ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    Trying to make up for the massive deficit of this punctuation mark in el Reg forums.

    1. keith_w

      Re: ?????????????????????????????????????????????????

      why

      1. C Yates
        Headmaster

        Re: ?????????????????????????????????????????????????

        See icon :)

  13. boner

    i live in China, and all vpns are down now, and have been for the past month and a half. all the dumbasses that paid for a vpn lost their money. to say that a vpn is essential in China is like saying that baidu is essential in britain. i went through decades of my life without google, and i think i can go decades more without it. just like british law does not cater to Chinese nationals, i don't see why Chinese laws ought to cater to british nationals. it's hilarious to hear about these shills smuggling satellite dishes into China. if you want to use facebook that badly, why don't you just stay in britain instead?

    1. James 100

      Baidu might be adequate for you, but I get the impression quite a few of your compatriots feel differently - otherwise, they wouldn't be paying for VPNs and other measures to bypass the restrictions, would they?

      I find UK restrictions chafing enough (people being prosecuted for wearing a T-shirt the government doesn't approve of?!) - I'm not at all surprised it's popular to circumvent the PRC's too. Depressing to see anyone saying they're happy to be under such a jackboot, though!

    2. Anonymous Coward

      boner....

      'all vpns are down and have been for the past month' - wrong and wrong: not all and not for a month.

      'vpn users have lost their money' - also wrong, my VPN was fixed within 6 hours.

      OK not essential but if you want to use youtube, blogger, wordpress, blogspot, vimeo, facebook, twitter, google plus, google earth then a vpn is essential.

      What are you going to spend your wu mao on for that post?

      Finally, if you like censorship and restrictions that much why don't you go the whole hog and move to North Korea?
