China 'enhances' Great Firewall, teaches it to choke off VPNs

China has tightened the screws on its infamous web-filtering system, according to virtual private network providers. The Great Firewall of China has been enhanced to "learn, discover and block" encrypted VPN protocols. Machine learning algorithms have been applied to carry out encrypted traffic analysis, something advocated by …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    and they want to do business with the rest of the world?!

    I can't see how China expects to do serious business with the rest of the world by blocking or attempting to block VPN connections.

    The organisation I work for has presence in China and VPN is key to secure comms back to the UK, without this our clients just won't be interested in that market full stop.

    1. Mike Brown

      Re: and they want to do business with the rest of the world?!

      It's not really China that needs us though, our decadent Western way needs the Chinese. This won't effect any business deals.

      1. Bumpy Cat

        Re: and they want to do business with the rest of the world?!

        Affect! Affect!! Using effect in this context means "this will not conclude any business deals", which actually results in you saying the opposite of what you meant!

      2. Adam 1

        Re: and they want to do business with the rest of the world?!

        China and the west may not NEED each other but trade benefits both sides immensely.

        Not being able to securely communicate between regional offices is a major impediment to business. If the sovereign risk is too high then business will move elsewhere.

      3. RICHTO

        Re: and they want to do business with the rest of the world?!

        But it will. No international company will want to open an office in China without secure communications back to HQ....And staff that visit won't be able to access their remote desktops / email / phone systems either. Big old mess....

      4. Anonymous Coward

        Re: and they want to do business with the rest of the world?!

        And you know that how?

        If a visiting businessman can't get his porn, it is affecting business.

        I'm done with you,

      5. Anonymous Coward

        Re: and they want to do business with the rest of the world?!

        Europe GDP 14 TRILLION DOLLARS, U.S. 14 TRILLION DOLLARS, AND CHINA 5 TRILLION DOLLARS. We need them do we? Hahahaha. Don't think so buddy. Try the other way around.

        By the way I live in China as an expat and the VPN embargo will probably see me leave sooner. I'm sick of the ignorance of the ruling elite here. They need to go back to common sense school. They are afraid, very afraid, and rightly so. Decisions like this will see their demise hastened and yet they feel they have so much power they could avoid it with draconian measures. History tells different stories. For instance, that new Chinese carrier, dead carrier floating if you ask me. It would be at the bottom of the sea before the western generals or Japanese generals could mutter "war".

    2. Electric Panda

      Re: and they want to do business with the rest of the world?!

      They really should look at a two-tiered system. Official businesses should be allowed heavily monitored access for large sums, end-users none at all.

      If China want to exercise serious censorship while allowing business operations to run unfettered, this is something they should look at.

    3. Volker Hett

      Re: and they want to do business with the rest of the world?!

      This does not effect businesses, you'll get your VPN from your premises.

      1. Volker Hett

        Re: and they want to do business with the rest of the world?!

        s/effect/affect

        just learned the difference :)

    4. gollux

      Re: and they want to do business with the rest of the world?!

      It works in their interest to transparently proxy your VPN communications for a reason. You only thing you have free access through. They have your lunch.

  2. Anonymous Coward

    I can confirm this.

    Freegate does not seem to be able to pass through the GFWOC (which, in my opinion, is not so great at all!)

    Oh, now it works!

    Eh... now it doesn't...

    Now I can Facebook...

    And now I can't! AAAAGGGHHH!!!

    There seem to be Angels fighting Demons as we speak!

  3. Christian Berger

    One should note...

    The technology they are using down there is not home grown. It was sold to them by western countries. Often even specifically for those purposes.

    Large scale DPI is not a dual-use technology. You don't need to look at multiple saturated 10gig links to monitor your network, you only need that to monitor your people.

  4. K

    Aside from the Scale

    There is absolutely nothing impressive about this!

    All "Next Generation" firewalls have the ability to analyse packets... but all they will achieve by this is people moving from PPTP and IPSec based firewalls to SSL VPNs using port 443.

    1. Anonymous Coward

      Re: Aside from the Scale

      Actually, we use SSL VPN (OpenVPN based). For a couple of months now, depending on the region in China, users there can't connect anymore. The FW on our side doesn't even see a connection attempt. There are workarounds of course.

  5. Anonymous Coward

    Why block facebook?

    It shows how the capitalists failed to monetise properly and what shite they think is worth billions.

    A good way to promote communism if you ask me

    1. geejayoh

      Re: Why block facebook?

      Because they have a clone site for every single western "innovation"

      ren ren wang = facebook

      sina weibo = twitter

      lashousifang = foursquare

      tuangou = groupon (admittedly probably copied from China)

      amongst others. They block it for two reasons:

      - Free sharing of information with westerners

      - All that advertising revenue would go to an american company, not to the state (which has fingers in most of the pies).

      Once the Chinese ones are big enough, that they know they won't lose market share....

      This is why I keep saying it's a fallacy for people to refer to China as a market. For Chinese companies it's a market. But a market by different rules. A market of face, relationships and how many cartons of cigarettes you can buy the politicians with.

      Interestingly, I can confirm anecdotally that China Unicom have started cutting VPNs as soon as they're detected. I quite enjoyed having Facebook access on my smart phone over mobile (China Unicom are the only provider that supports proper 3G and HSPA), but recently, I've been unable to connect, even using "stealth" IPs from my VPN provider. Here in Guangzhou (canton) at least.

      1. Chris 3

        Re: Why block facebook?

        Get this man to write an article.

  6. Anonymous Coward

    Not exactly business-friendly, is it?

    Does Beijing expect multinational business people to use an unsecured network connection when trying to get back onto their corporate networks? That's not going to work.

    1. BigFire

      Re: Not exactly business-friendly, is it?

      Rule #1 for dictators in running a country: Preserve Your Own Power by any means necessary.

      There really aren't any other rules. So if it messes up people's ability to actually do business, so be it.

    2. h3

      Re: Not exactly business-friendly, is it?

      Probably they would expect anyone important to meet in Hong Kong. (Which is still completely unrestricted.)

      1. Anonymous Coward

        Re: Not exactly business-friendly, is it?

        Unfortunately, the PRC likes to position Shanghai as a major global business hub, and probably Guangzhou, Beijing and other areas. Since China has a pretty poor reputation for protection of IP, I would think that the international business community would be incredibly hesitant to send network traffic "in the clear". They wouldn't do that in any Western nation, much less one with China's rep.

    3. dssf

      Re: Not exactly business-friendly, is it?

      Imagine pre-quarterly reports by big companies having to go out by briefcase.

      A response market, however, might involve the use of optical signaling. Microwave would require a local or national permit. Light signaling might not affect anyone, but the distance, and attempts to reach a satellite would be prohibitive. Even if feasible to transceive, the payload would probably be astonishingly low.

      During the summer, I was in Shanghai, and I could not without a VPN reach fb. I was, however, able to set up a google plus account, but it was spotty, laggy, and seemed as if someone was screwing around with it, delaying my posts for hours if not days.

      Countries expecting to be considered Tier One should not be allowed in the club if they behave this way.

      I was recently considering sublicensing to Chinese nationals for manufacture some product ideas I had. After experiencing inability to see WordPress, Facebook, Wikipedia, and a slew of other sites I could outside of China, I decided to remove China from my list of business planning. So long as they act this way, I will NOT return to that country even if it is an all-expenses-paid trip.

      They can spy on and inhibit their OWN people all they want, but, block me from getting useful info or distractive entertainment that is on the wrong side of their firewall.... Well, you do NOT deserve my money.

      Grow up, China. End the corruption. Either jail or execute the most corrupt. Replace them with the "untested", but show them the execution or early-retirement vids. Allow foreigners WHO AGREE TO BE ON THEIR BEST BEHAVIOR to go about surfing as usual. Spy on them if you must. But, only go after individual violators.

      One coup for China is that businesses that cannot dare send financial or competitive or HR or privacy info via plain traffic will simply pack up and leave, leaving China with a little more than infrastructure-- it will get nearly full ownership of left-behind assets. Carrier pigeons cannot carry cases of papers nor relay optical traffic, and optical messaging just won't carry the bandwidth. The WTO and WIPO should slam China for these and a handful of reasons alone. It is oppressive, anti-competitive, and tantamount to government-sanctioned data theft beyond crime reduction.

      Sigh. Maybe the world SHOULD have ended...

    4. Anonymous Coward

      Re: Not exactly business-friendly, is it?

      In typical fascist fashion, business users will have to register with the government.

      Or they'll motivate (by randomly dropping packets destined to TCP/22 and 1194, etc) people to use Government-approved VPN providers who can intercept their traffic.

      The scum.

      1. MacGyver

        Re: Not exactly business-friendly, is it?

        Yep, they'll connect securely to Big Brother, and then Big Brother will secure them to their approved business destination. All the while allowing Big Brother to monitor the in-between. It sure is a good thing that all those Chinese have their government there to protect them from themselves, not like the rest of the world where adults have to make their own choices (well some of the rest of the world).

  7. Kevin McMurtrie

    Only spam works at China Unicom

    There hasn't been even a slight glitch in port scans, spam, and intrusion attempts coming from China Unicom to my firewall. The official contact "abuse@cnc-noc.net" still doesn't work. It's a surprise that outgoing packet rejection still needs to be done on China's side.

  8. Anonymous Coward

    HTTPS anyone ?

    It's possible to tunnel anything over pretty much anything. HTTPS used for a secure website isn't going to look much different from HTTPS used to tunnel some other VPN protocol. I don't think they are going to switch off HTTPS somehow.

    I used HTTPTUNNEL for this job once a long time ago, when an employer I won't name blocked SSH, but having 2 TCP layers fight each other isn't a smooth experience. Pretty jerky and a bit slow, but it worked well enough.

  9. Anonymous Coward

    This is already impacting our fledgling Chinese branch office in Shenzhen.

    All calls are made over a Cisco CUCM system, connected via a VPN. We can't make internal calls anymore, and their phones can't report back to the main base unit, so they're offline. The staff there are stuck using their personal mobile phones.

    Also, the branch email system runs over the VPN too. Staff in China currently can't use that either.

    I'm not in a mood to create technical workarounds. I've told the Directors that it is impossible to fix, and they should rethink the idea of having a Chinese branch office. They are now considering other options, such as establishing an office in Hong Kong and working with partners in the mainland from there. They've spent a pretty big sum on the Shenzhen office, and getting local partners, but the current situation is pretty much untenable. The VPN is up and down like a yo-yo.

    1. Ammaross Danan

      try this

      My corp firewall does SSLVPN. Should try using it sometime. Might just fix your problem. Unless you deployed a substandard device....

      1. Anonymous Coward

        Re: try this

        It's not just PPTP and L2TP VPNs experiencing these issues. We use IPSec via a mix of Cisco devices and strongSwan, and are having issues.

        In fact, the problems are even more widespread than that. I'm having trouble SSH-ing into our Internet-facing Linux server in China right now. The connection just keeps dropping out and we're getting errors with key-based authentication regularly.

        It's like the Government there basically decided that anything other than plaintext is banned.

        1. Charles 9

          Re: try this

          Surprised they haven't forbidden all encryption already and used DPI to make sure other formats/protocols aren't being used for steganography.

        2. Anonymous Coward

          Re: try this

          Yessir, that's what I just said above, that's what's already happening.

          By 2020 the EU fascists will have the same rules and "best practices".

    2. Volker Hett

      Up to yesterday a VPN to a facility in Shanghai did work, have to check on Monday.

    3. RICHTO

      Switch to Lync - no VPN is required for secure internet access (plus a much better end user experience)

  10. Long Fei

    Yah

    I'm with Astrill, and they keep sending me update notices on this.

    *Currently* OpenWeb works still, for websites, but Astrill's OpenVPN fails nine times out of ten. Ah well, I generally only use my VPN for surfing the net to get to blocked sites, but if that goes under it will be a *major* pain.

  11. Robert E A Harvey

    Company security

    That's an end to company email whilst in China, then. More opportunity to break $MEGACORP rules by using gmail.

  12. Cheshire Cat

    Tunnelling over 443 won't work...

    They most likely kill tcp/443 connections after a few seconds, on the grounds that anything generating a large amount of data on that port is most likely a VPN. Similarly, all other SSL service ports can also be limited. Known VPN ports blocked, other ports checked for VPN protocols in the initial packets on connection. As long as you have the resources available to you that the PRC do then this would be feasible...

    Actually, I had wondered how long it would take for them to start blocking VPNs.
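The three rules in the post above (known ports blocked, initial packets checked for VPN protocols, heavy tcp/443 flows killed) as a toy flow classifier in Python. This is an added illustration, not code from the post or from The Register; the port list, the thresholds and the sample flow records are constructed assumptions, while the byte patterns are public protocol facts.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule 1: "known VPN ports blocked". Assumed list of the usual control ports.
KNOWN_VPN_PORTS = {("tcp", 1723), ("tcp", 1194), ("udp", 1194),
                   ("udp", 500), ("udp", 4500), ("udp", 1701)}

# Rule 3: "kill tcp/443 after a few seconds" of heavy traffic. Thresholds
# are assumptions; the post gives no numbers.
TLS_PORTS = {443, 8443}
MAX_TLS_SECONDS = 5.0
MAX_TLS_BYTES = 5 * 1024 * 1024

@dataclass
class Flow:
    proto: str          # "tcp" or "udp"
    dst_port: int
    duration_s: float
    total_bytes: int
    first_bytes: bytes  # payload bytes seen at the start of the connection

def fingerprint(first_bytes: bytes) -> Optional[str]:
    """Rule 2: spot a tunnel protocol from the initial packet, on any port."""
    if first_bytes.startswith(b"SSH-2.0-"):
        return "ssh"
    # OpenVPN over TCP: 2-byte length, then opcode byte; 0x38 is
    # P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7, key_id 0), the normal first
    # packet. A one-byte check like this will also misfire on other traffic.
    if len(first_bytes) >= 3 and first_bytes[2] == 0x38:
        return "openvpn"
    # PPTP control header: length(2), message type(2), magic cookie 0x1A2B3C4D.
    if first_bytes[4:8] == b"\x1a\x2b\x3c\x4d":
        return "pptp"
    return None

def classify(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is block, kill or allow."""
    if (flow.proto, flow.dst_port) in KNOWN_VPN_PORTS:
        return "block", "known VPN port"
    proto = fingerprint(flow.first_bytes)
    if proto is not None:
        return "block", f"{proto} handshake on port {flow.dst_port}"
    if (flow.proto == "tcp" and flow.dst_port in TLS_PORTS
            and flow.duration_s > MAX_TLS_SECONDS
            and flow.total_bytes > MAX_TLS_BYTES):
        return "kill", "long-lived, high-volume TLS flow"
    return "allow", "no heuristic matched"

# Constructed sample flows: OpenVPN moved to 8443, a short HTTPS page load,
# a long bulk TLS transfer, and a PPTP control connection.
SAMPLE_FLOWS: List[Flow] = [
    Flow("tcp", 8443, 0.4, 2_100, b"\x00\x0e\x38" + b"\x00" * 13),
    Flow("tcp", 443, 1.2, 48_000, b"\x16\x03\x01\x00\xc4\x01\x00"),
    Flow("tcp", 443, 40.0, 20 * 1024 * 1024, b"\x16\x03\x01\x00\xc4\x01\x00"),
    Flow("tcp", 1723, 0.1, 156, b"\x00\x9c\x00\x01\x1a\x2b\x3c\x4d\x00\x01"),
]

def run_samples() -> List[str]:
    return [classify(f)[0] for f in SAMPLE_FLOWS]
```

The second and third sample flows differ only in duration and volume, which is the point: a volume heuristic cannot separate a VPN from a large HTTPS download, so it kills both.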

    1. Jamie Jones

      Re: Tunnelling over 443 won't work...

      Feel free to call me an idiot..... But why won't this work?

      Firstly, VPN to a non-standard port on your own non-China-based server. Use some standard VPN encryption algorithm, but enclose it in something simple - like an XOR using a pre-agreed value on each byte.

      Lots of simple wrappers could be used, e.g. XOR 8 minus 15 etc.

      Wouldn't this be enough to stop the DPI recognising a known VPN protocol? Would it have to get to the stage where the only way to stop VPN is simply to block all traffic the DPI doesn't recognise?

      1. Charles 9

        Re: Tunnelling over 443 won't work...

        Like I said, I'm surprised it hasn't reached that point already. Even stego has limitations against a determined adversary with enough DPI tools to recognize potential carrier streams. They could alter those streams while still presenting acceptable non-secret data: random loss of bits of data, resizing, quality reduction, etc. With these techniques, you could reduce the potential stego flow to impractical levels.

  13. Flashy Red

    Steganography

    Don't know how, bound to be slow, but gotta be possible.

    1. silent_count

      Re: Steganography

      You want something which is hard for them to filter easily (ie. using software) but painful to block outright.

      So send videos back and forth by email. A few hundred megs a pop, who cares what they are: corporate promo material, safety or training videos, staff doing touristy things, whatever. Replace the video data, for a few seconds in each video file with the encrypted file(s) you actually want to send.

      The idea being that to selectively filter videos, they'd have to employ real people to watch them which, even in China, is more expensive than software filtering. And outright blocking any video sent to/from China would hurt their tourism industry.

      Not as convenient as, for example HTTPS which is all but invisible to the end user, but I imagine it'd work.

      1. Charles 9

        Re: Steganography

        If I were China and I had a good enough nest of computers, I'd intercept graphic and video transmissions and mangle them just a bit: resize them some, alter their brightnesses and so on, IOW find a way to mangle steganography in various ways while still presenting pictures and videos of acceptable quality. If they're not robust, this mangling will ruin the stego, making it useless. If they're robust, they're more likely to be detected through some signal analysis.
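The mangling argument above, as an added Python illustration that is not from any commenter: a payload hidden in the least significant bits of a constructed grey-scale "image" is recovered intact until a 3% brightness scaling, which moves no pixel by more than 8 levels out of 256 yet scrambles a large share of the hidden bits. The image, the payload and the LSB scheme are assumptions constructed for the demonstration.

```python
from typing import List

def make_image(n_pixels: int) -> List[int]:
    """Constructed, deterministic 8-bit grey values standing in for a picture."""
    return [(i * 37 + 11) % 256 for i in range(n_pixels)]

def lsb_embed(pixels: List[int], payload: bytes) -> List[int]:
    """Fragile stego: one payload bit in the least significant bit of each pixel."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload larger than LSB capacity")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def lsb_extract(pixels: List[int], n_bytes: int) -> bytes:
    """Read the LSBs back and pack them into bytes."""
    bits = [p & 1 for p in pixels[: n_bytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))

def adjust_brightness(pixels: List[int], factor: float) -> List[int]:
    """The 'mangling' step: a mild scaling a viewer would not notice."""
    return [min(255, round(p * factor)) for p in pixels]

def bit_error_rate(a: bytes, b: bytes) -> float:
    """Fraction of payload bits that no longer match."""
    diff = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return diff / (8 * len(a))

PAYLOAD = b"constructed secret note"  # constructed sample payload

def demo() -> dict:
    """Embed, mangle by 3% brightness, and measure what the receiver gets."""
    cover = make_image(512)
    stego = lsb_embed(cover, PAYLOAD)
    mangled = adjust_brightness(stego, 0.97)
    recovered = lsb_extract(mangled, len(PAYLOAD))
    return {
        "intact_before_mangle": lsb_extract(stego, len(PAYLOAD)) == PAYLOAD,
        "recovered_after_mangle": recovered,
        "bit_error_rate": bit_error_rate(PAYLOAD, recovered),
        "max_pixel_change": max(abs(s - m) for s, m in zip(stego, mangled)),
    }
```

The pixel change is bounded by the scaling factor, so the picture still looks fine, while the bit error rate shows the hidden channel is destroyed; making the channel robust enough to survive this means spreading it over many pixels, which is exactly what statistical detection then picks up.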

  14. Anonymous Coward

    Dictatorships in information control shocker

    If you want to do business with corrupt regimes, like China, Israel and the US, then you get all you do deserve

    1. Anonymous Coward

      Re: Dictatorships in information control shocker

      Which regime is not corrupt?

      And where is the EU on that list?

  15. This post has been deleted by its author

  16. Nifty

    The pressure vessel will explode

    Many repressive systems continue for a long time ONLY because a pressure relief valve does exist for those that really value it.

    If China really closed down all VPNs this is going to head into a really interesting phase.

  17. dssf

    Hmmm... I wonder what enterprising hack groups

    Will expose the non-indigenous companies selling the code and switches to China are these days. Hurt their investor relations a bit, and they might cut off or reduce support of such a regime. But, we know that that has not crimped Cisco enough.

    But, imagine the government in cahoots with spammers.... Yikes!
