SSL VPN through Port 443
... and they're going to block that how exactly?
Multinationals and foreign web users based in China began to get jittery on Wednesday after pictures began circling the internet which suggested a new clamp down on the use of virtual private networks (VPNs). While VPNs in the Western world are more commonly used to enhance security, for netizens-in-the-know living in the People’s …
Or a reverse SSH proxy on the same port. Or TOR or some-new-thing-I-have-not-heard-of-yet.
Kind of what I was thinking, block VPN and something else will get used instead. Based on comments further down it looks like the previous 'VPN Block' was simply a case of blocking the IPs of the popular VPN providers rather than based on any kind of protocol, so getting hold of a VPS in another country and running OpenVPN or somesuch would have got around that...
Virtually impossible to block - but easy to ban.
There are unlimited ways to sneak a VPN through disguised as allowed traffic, but if the punishment for getting caught doing so is high enough, few will take the risk.
This is a really dangerous situation and I wish western politicians would do something to prevent it - unfortunately I actually expect they are taking notes on how to do similar over here!
Why is the consensus that this would be difficult/impossible to filter?
Just block all international SSL/TLS traffic and port 443. No?
No doubt dear party officials could be whitelisted, should they need to use Paypal or to pass CC details securely to some pr0nsite.
No doubt the next step in the privacy/censorship race would be base64enc ciphertext over plain http on port 80 - which could be a tad more tricky to filter? Deep packet inspection & heuristics at least?
Or am I having a Parisian episode? (Has been known)
"Why is the consensus that this would be difficult/impossible to filter?"
Probably because this is a tech site, populated by people who know that simply blocking as you describe would (a) fail to prevent VPNs using any other method, and (b) succeed in knocking out vast chunks of the web.
You, however, appear to be one of the few who realise that the Chinese authorities are *not* tech experts and therefore, knowing neither of these things, will quite happily do just this and not care about who is inconvenienced.
At least, until the effects on the Chinese economy become clear. Perhaps by then it will be too late. If China makes itself unsafe or unsuitable for business, there are plenty of other countries who will happily step into the gap. The world is not short of poor countries. This doesn't have to be the Chinese Century. It could instead be yet another century in which China screws over its own people and achieves bog all of historical note.
Do you really think the Chinese politicians go about blocking the internet without consulting their own expertise, i.e. the likes of Huawei?
Trust me, they know what they are doing. If the attempts to block seem lame it's because the intention is to instill fear rather than actual blocks that would hurt the Chinese economy.
Just curious, because I would think if China really REALLY wanted to see everything, they would simply block all encrypted and obfuscated traffic except from whitelisted (as in known government) addresses, which would be verified through the GFW. Then you knock out most of the possible avenues right off the top including TOR, Freenet, and VPNs. And any attempt to stego would probably stick out like a sore thumb in the age of raw binary transmissions, most of which has SOME formatting which can then allow it to be DPId, unless of course it's encrypted which would automatically make it suspect (even program code is formatted, so that's not an excuse).
"And any attempt to stego would probably stick out like a sore thumb in the age of raw binary transmissions"
I think considering how much constant traffic there is in gaming and video streaming, like PPS or QQLive, that it wouldn't be too hard to establish a hidden vpn amongst the "peers" including machines across the wall. Transferring multiple concurrent streams would even allow one time pads for a tweaked video codec that plays fine otherwise and the poor net watchers would probably vomit after watching a few hundred hours of kittens playing and stupid pet/human tricks.
Firewalls can inspect traffic and while the port used is the one used for HTTPS, the characteristics of the traffic are not. They could also do SSL offloading and thus the encryption is between you and the great firewall proxy. Then the traffic is clear text for their inspection.
This was a notice at one particular business centre, so there's no indication that there's a trend of it happening. Certainly not in my workplace (tech company in a big office complex)... yet.
Internet access got pretty bad (crappy ping times, mega-variable DL speeds) during the party conference, with much internet traffic being routed through Beijing (according to business owner colleagues of mine in another city, where all of his visitors were coming from Beijing for that week).
And a completely unscientific poll of expat drinking buddies shows that some of us have had VPN troubles since the party conference too, with some of the foreign IPs simply becoming no longer available.
Required viewing - http://www.ted.com/talks/michael_anti_behind_the_great_firewall_of_china.html
/anon for obvious reasons
/message sent encrypted via Hong Kong
Publicly available, expat type VPN services were unavailable while corporate VPN continued to work? If China ultimately wants to be both open to business and largely closed to VPN, the only way I can see for them to achieve this would be to allow companies to register their "legitimate" VPN services.
Companies' VPNs are, apparently, working still. They're well aware of what people do here. And they know full well that some Chinese have FB accounts.
Come to think of it, the Chinese gov aren't so bothered about foreigners accessing their foreign stuff: it's more about the locals getting foreign stuff. So in cities like Beijing, Shanghai, and Shenzhen where there are lots of foreigners, you get locals who have FB accounts so they can be online friends with their foreign coworkers. Something the gov really doesn't like at all!
/anon because etc etc
"there's no indication that there's a trend of it happening"
Well not exactly like that but I was unable to use my VPN service and got this message:
"Dear Clients,
Recently, China had blocked VPN Ports and it had affected almost all the VPN providers but our Services were working fine until yesterday. "
Luckily they were onto it and within a day I had downloaded updated configuration files and everything is back to normal.
The Chinese government is determined to play whack-a-mole with the VPN services but, as some posters have pointed out, if they come knocking at my door then my days of unrestricted web access are over. If they successfully shutter the internet here then it's only a matter of time before a freedom loving government near you decides to follow suit.
We don't just live in interesting times - we live in dangerous times too.
After joining our Beijing office to the corporate VPN mesh the first thing I told the local IT guys was the IP and port of the corporate proxy servers in UK and US datacenters. Obviously just so they could access the corporate intranet.. cough!, cough!
It's perfectly possible to encapsulate VPN traffic within ICMP packets, if they aren't doing any type and content checking on the ICMP protocol.
I'm surprised they haven't just banned all use of encryption already, with stiff penalties for its use and that of steganography. The firewall would probably filter out plaintext stego by scrubbing HTML and plaintext (enforce single whitespacing) and sniff binaries to make sure they're not hiding things within.
Consider this, VPN to your corporate concentrator, RDP or VNC to a VM, launch browser on remote machine, visit any site you want.
How would they go about blocking that besides blocking the actual protocols? I don't know if they would go to the lengths of deep inspection of RDP/VNC traffic and then extracting HTML tags from that.
There are a plethora of satellite data terminals, portable and fixed, which can be hand carried in to China - you can claim they are engineering samples to get quotations for production - using all manner of carriers.
The only precautions you need to take: Make sure any dish antennae are small and split into pizza slices (even the dumbest China Customs guys can spot an uncollapsed dish); and make sure the antenna is mounted discreetly on a balcony or window ledge.
Broadband speeds are easily achievable.
?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
Trying to make up for the massive deficit of this punctuation mark in el Reg forums.
I live in China, and all VPNs are down now, and have been for the past month and a half. All the dumbasses that paid for a VPN lost their money. To say that a VPN is essential in China is like saying that Baidu is essential in Britain. I went through decades of my life without Google, and I think I can go decades more without it. Just like British law does not cater to Chinese nationals, I don't see why Chinese laws ought to cater to British nationals. It's hilarious to hear about these shills smuggling satellite dishes into China. If you want to use Facebook that badly, why don't you just stay in Britain instead?
Baidu might be adequate for you, but I get the impression quite a few of your compatriots feel differently - otherwise, they wouldn't be paying for VPNs and other measures to bypass the restrictions, would they?
I find UK restrictions chafing enough (people being prosecuted for wearing a T-shirt the government doesn't approve of?!) - I'm not at all surprised it's popular to circumvent the PRC's too. Depressing to see anyone saying they're happy to be under such a jackboot, though!
boner....
'all vpns are down and have been for the past month' - wrong and wrong: not all and not for a month.
'vpn users have lost their money' - also wrong, my VPN was fixed within 6 hours.
OK not essential but if you want to use youtube, blogger, wordpress, blogspot, vimeo, facebook, twitter, google plus, google earth then a vpn is essential.
What are you going to spend your wu mao on for that post?
Finally, if you like censorship and restrictions that much why don't you go the whole hog and move to North Korea?