back to article China's Great Firewall to crack down on unofficial VPNs – state-approved net connections only

The Chinese government has started an 18-month crackdown that will require all VPN providers to seek government approval for their activities if they want to stay in business. The news, announced by the Ministry of Industry and Information Technology on Sunday, says that the market for services that bypass the content filters …

  1. Anonymous Coward
    Anonymous Coward

    Expect Theresa May to take this line too. She is proving more of a control freak than either Thatcher or Blair.

    1. John Brown (no body) Silver badge

      Based on her time as Home Sec, it really doesn't surprise me.

    2. Alister
      Facepalm

      Expect Theresa May to take this line too.

      Fortunately for us in the UK, the government famously identified VoIP as being the technology used to bypass ISP blocking etc, so until they get that right, we are pretty safe...

      https://www.theregister.co.uk/2015/01/27/how_peers_failed_to_sneak_snoopers_charter_into_terror_bill/?page=2

      Lord Blair said:

      "All the different apps for phones mentioned by the noble Lord, Lord King, along with all the other services, are increasingly being used across the internet via something I now know more about than I ever wanted to – a system known as VoIP, the Voice over Internet protocol.

      This makes all those transmissions untraceable. I will not specify them, but they are being used in methodologies that members of this House will be using most days."

      1. John H Woods

        "I now know more about than I ever wanted to – a system known as VoIP, the Voice over Internet protocol." --- Lord Blair

        It's amazing people can't die of shame --- I nearly passed out just reading that nonsense.

        1. Anonymous Coward
          Anonymous Coward

          "Lord Blair"

          Presumably this was his previous career - $deity$ help us:

          "Commissioner of Police of the Metropolis from 2005 to 2008 and was the highest-ranking officer within the Metropolitan Police Service"

  2. mr. deadlift

    "They will also have to demonstrate to the Institute of Computing Technology of the Chinese Academy of Sciences that they have hardened up the security of their services to deal with current internet threats."

    Where only IPSEC vpns will work on the mainland since SSL vpns are too hard to crack and inspect packets and therefore dropped.

    I ain't calling out the regime on hypocrisy. Wait, looks as if i am.

    1. Anonymous Coward
      Anonymous Coward

      It's okay. I have that issue too, but work around it like this: my country spies on me and other people without their consent in the name of the NSA and I do not approve nor condone this. Same thing with The Great Firewall, I do not approve of it, yet I cannot do anything about it. At least in the US I can join a group of dissenters and work against the over-reaching access of the NSA, and other orgs, in the open without fear of being hunted down and threatened with military action for doing so. Not so in China. Even our backwards dislike for people who legitimately "blow the whistle" on questionable activities by orgs that think themselves above the law is better than a totalitarian regime hell-bent on making it look like a democracy to outsiders.

      I'm sure we Americans look weak and silly to a nation of people so completely enslaved by their government they cannot even think about alternatives, let alone see pictures and read text about such abominations. The real weakness is being complacent about the dirty tricks being played on you and every other citizen that turns a blind eye to Big Brother. Whatever nation he hails from.

      1. Anonymous Coward
        Anonymous Coward

        I'm sure we Americans look weak and silly to a nation of people so completely enslaved by their government they cannot even think about alternatives, let alone see pictures and read text about such abominations.

        I wouldn't be too confident - we are already at the point where pissing of the wrong person can lead to IRS or other trouble.

        We are mostly free to protest at this point, but those rights are being steadily eroded.

  3. The Original Steve

    SSL

    Genuinely curious as to what is stopping someone renting a VPS with an SSL VPN on it that's hosted outside Middle Kingdom? How would it be any different than a visitor from abroad using their corporate Juniper SSL VPN or DirectAccess tunnel?

    1. Anonymous Coward
      Anonymous Coward

      Re: SSL

      What's probably going to happen is that China will configure the Great Firewall to block all illegal unlicensed VPNs. I.e. the firewll will drop any VPN traffic that's not on the official approved VPNs list.

      So your VPN to your VPS won't work from inside China.

      1. jamesb2147

        Re: SSL

        You have an SSL VPN that works inside China?! :O

        Seriously, it's a machine learning firewall. It's documented that several years ago you could open an SSH tunnel on a random port, pad all that packets to be at least 1200 bytes (removes some fingerprinting functionality), and the damn thing would crack down within 24 hours and block further connections.

        If you have a VPN that actually works over there, I'd love to hear about it. You might also be interested in a bridge I own in Brooklyn...

        1. Anonymous Coward
          Anonymous Coward

          Re: SSL

          we do quite a bit of work over in China and our users SSL VPN doesn't work. They always moan about it too ;o)

        2. David Shaw

          Re: SSL

          for a while, the Kindle/paperwhite/Voyage 3G using perma-licensed Amazon "whispernet" & experimental-mode browsing could get 50 megs of data a month through the GFW. I'm sure the regime was aware, but recognised it as a limited 'foreign-devil' type problem therefore not that serious.

          This map shows it is fairly localised 'free 3G' http://client0.cellmaps.com/tabs.html#cellmaps_intl_tab

          not much coverage in Uyghur areas, probably not many Amazon Prime accounts there either. . .

      2. paulnick2

        Re: SSL

        My brother is in China & he is using PureVPN .... Is he doing anything illegal ? Doesn't he has the right to access restricted channels in China?

        1. Anonymous Coward
          Anonymous Coward

          Re: SSL

          Right? WHAT right?

    2. Chris Fox

      Re: SSL

      "Genuinely curious as to what is stopping someone renting a VPS with an SSL VPN on it that's hosted outside Middle Kingdom? How would it be any different than a visitor from abroad using their corporate Juniper SSL VPN or DirectAccess tunnel?"

      One difference might be that someone living in China could find they start facing problems when attempting to pay for or use a "banned" service provided from outside China. In practice the authorities only need to hint that using external "unauthorised" VPNs could get you into serious trouble for it to deter those who might otherwise be politically active. And this is probably one of the main goals.

    3. trammel

      Re: SSL

      The GFW performs Deep Packet Inspection (DPI) on all connections. Tor Project has some detail https://blog.torproject.org/category/tags/gfw but basically a HTTPS/TLS handshake looks slightly different to an SSL handshake used for VPNs, and that difference is enough for the connection to be noticed, and dropped.

      Cisco's IPSec is allowed through the GFW though. The development of Open Source Cisco IPSec equivalents might cause this to change in the future though.

      VPN providers need to obfuscate the initial connection handshake as well as everything afterwards. Some can do that, other's fail. I found I needed to pay for 2-3 providers, as they would randomly be knocked offline, and then brought back with different IPs and strategies to defeat the DPI.

      To be honest, it's only really an issue for expats now. The GFW is so effective, and the Chinese alternatives to western web services are better in most cases for local Chinese people, that most locals don't care about the GFW; they're perfectly happy with the Chinese Internet.

      1. Anonymous Coward
        Anonymous Coward

        Re: SSL

        ...that most locals don't care about the GFW; they're perfectly happy with the Chinese Internet.

        And that, in a nutshell, was the true goal of the Great Firewall.

  4. jamesb2147

    Is this new?

    I honestly this was the policy, official or otherwise, for a while now. It's been well known for some time that there are only 3 major VPN providers that work inside China. And there's nothing special about their configs, technically, so it would not be a surprise to learn that they've been sharing data with the Chinese security apparatus, wittingly or not.

    Since they're already doing this (de facto poicy), and they've already announced this in 2015... there doesn't seem to be anything to this at all, except an attempt at raising awareness.

  5. Captain DaFt

    Sub heading?

    Babelfish choked on it and spit this out:

    Liang, ephedra distachya l tasting

    I think something was lost in the mis-translation.

    1. VeganVegan

      Re: Sub heading?

      good medicine tastes bitter

      1. Captain DaFt

        Re: Sub heading?

        Thank you

    2. Anonymous Coward Silver badge
      Paris Hilton

      Re: Sub heading?

      Is babelfish still around? (I'm guessing the web service; the actual ear fish is obviously still around somewhere, but I've misplaced her)

      Google translate brings it up as "Good medicine bitter", which I think is probably close enough.

  6. Kernel

    Hardly unusual

    Well, the Chinese government wouldn't be the only government that doesn't (or alternatively, does) want any 'alternate facts' getting circulated to the citizenry, would they?

  7. Magani
    Big Brother

    Life Reflects Art

    ...without pesky internet users getting information from the outside world.

    Like the fact that the Tiananmen Massacre was a Western media scam according to Chinese search engine Baidu.

    “Until they became conscious they will never rebel, and until after they have rebelled they cannot become conscious.”

    George Orwell, 1984

  8. wolfetone Silver badge

    WIth the Protonmail story last week, I said it'll end up (in the UK at least) that VPN's would be barred by the ISP unless you could produce a certificate to use the service like you would do with a gun license.

    I am very, very sorry that I suggested this could happen, because it's obvious the Chinese Government read the comments section on these articles on El Reg.

    I really, really am sorry x

    1. Charles 9

      Just to toss the other side of the coin, just how far could one get with a steganographed VPN before they caught on?

      1. David Shaw

        how far?

        consider that in Sweden in the 1950's the (forerunner to) Försvarets radioanstalt had wired up a surprisingly large percentage of homes to a centralised morse code click detection system. They were looking for HF transmissions, heading eastwards. This was sort-of a great RF Firewall. Nowadays achieved by a few SDRs e.g. http://hackgreensdr.org:8901/

        What is the budget for the creation of your stegano compared to the budget that will be deployed against you?

        1. Charles 9

          Re: how far?

          "consider that in Sweden in the 1950's the (forerunner to) Försvarets radioanstalt had wired up a surprisingly large percentage of homes to a centralised morse code click detection system. They were looking for HF transmissions, heading eastwards. This was sort-of a great RF Firewall. Nowadays achieved by a few SDRs e.g. http://hackgreensdr.org:8901/"

          And what's that got to do with the price of tea in...ahem, China, given steganography is meant to disguise one type of traffic as less suspicious traffic?

          1. jamesb2147

            Re: how far?

            His point is that your solution is unlikely to be able to keep up with the resources of the Chinese state machinery employed to prevent VPN connectivity.

            This post should be of interest to you: http://blog.zorinaq.com/my-experience-with-the-great-firewall-of-china/

            Padding packets over an SSH tunnel on a random port worked in early 2016... for a day or so at a time.

            1. Charles 9

              Re: how far?

              So they're eventually getting down to a full-fat ban on all unsanctioned encryption (VPN, SSH, whatever), and all sanctioned encryption can be backdoored or is in key escrow. What the blog says is pretty soon they'll just whitelist all external connections, and it'll be pretty hard to defeat it since it's hard to obfuscate all tells.

  9. Mahhn

    For the protection of our society

    We must get a tighter grip on availability of information to the peasants.

    If they knew what they don't know, the world might break out in peace and tranquility.

    How can we maintain power over the masses if they are educated in the ways of the world, what doom shall fall on the privileged heirs of Empires Wealth and Lineage.

    If all else fails we must tear down this Internet of decent to protect ourselves.

    <end inside voice of wannabe gods in China>

    1. Anonymous Coward
      Anonymous Coward

      Re: For the protection of our society

      "If they knew what they don't know, the world might break out in peace and tranquility."

      Whatever medium carries factual news - then it will also be able to carry biased propaganda.

      It is human nature for people to believe what they want to believe - it is not usual for most people to seek out a balanced opinion. It is apparently a sign of intelligence to be able to entertain two opposing views in your mind at the same time. Most people prefer to ignore the inconvenient one - it is then Someone Else's Problem.

  10. Anonymous Coward
    Joke

    Routers

    "They will also have to demonstrate to the Institute of Computing Technology of the Chinese Academy of Sciences that they have hardened up the security of their services to deal with current internet threats."

    So they won't be using Huawei routers then?

  11. JackieTrade

    Damn, it's lame, web neutrality for China is gone for real

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like