China now blocking ESNI-enabled TLS 1.3 connections, say Great-Firewall-watchers

China is now blocking encrypted HTTPS traffic that uses TLS 1.3 with ESNI enabled, according to observers at the Great Firewall Report (GFR). TLS is the foundation of secure online communication and hides content users wish to access or have generated so it can pass over the internet without being observed by unrelated parties …

  1. Anonymous Coward

    Satellite broadband?

    Just curious what China plans to do as satellite broadband becomes more readily available?

    1. TinTinTeroo

      Re: Satellite broadband?

      Build a space cannon

    2. RAMChYLD

      Re: Satellite broadband?

      What other countries with an asshole government already do: outright ban dishes that do not bear the logo of authorized satellite providers in their country and ban dishes beyond a certain size (for example, dishes can be no bigger than two feet in diameter). The Malaysian government is doing this.

      1. This post has been deleted by its author

    3. stiine Silver badge
      Devil

      Re: Satellite broadband?

      A very large aluminium umbrella?

    4. Charlie Clark Silver badge

      Re: Satellite broadband?

      Take out the satellites? Or at least their transmitters…

      Anyway, anyone offering the services will presumably want to bill for the service and blocking payments will be pretty easy.

      1. Anonymous Coward

        Re: Satellite broadband?

        Well, satellite operators are still commercial enterprises, not charities.

        I have yet to find an organisation clocking serious cash that didn't love money a lot more than "freedom" (IMHO, the "freedom" banner is usually only waved around to get around pesky laws or politics that stand in the way of ever more profit), so I suspect a bit of sponsorship may go a long way to adjust the broadcast envelope. No doubt they will try to get a bidding war going.

        Your choice if you deem that cynical or realistic.

      2. JCitizen
        Go

        Re: Satellite broadband?

        Some satellites transmit and receive in regular RF, and can be easily used by freeloaders, because they are not encrypted. I don't know if you could upload encrypted data to them or not. I forgot the details, but it was in either an article here on the Reg or ZDNet, and I was surprised to hear any unencrypted traffic was on satellite any more. The article didn't say if it was C band or Ku band, and that used to make a big difference in the past.

        If your antenna was directional enough, detecting the upload signal might just be difficult enough to avoid CCP police; and the Great Firewall of China cannot control all Pacific Rim traffic like that. Coverage over most of the coastal Chinese state should be pretty evident. The article wasn't clear how much of this "hacking" is totally free - of course all of the download side is. The equipment was amazingly cheap and easy to find amongst junk electronics enthusiasts. It wouldn't surprise me if jammers are set up by the PRC government though; just like the Russians used to attempt when Radio Free Europe was in operation.

    5. Jon 37

      Re: Satellite broadband?

      There are lots of things that China can do:

      * Make it illegal to own an unlicensed satellite transmitter, with serious punishments.

      * Direction-finding equipment to track down unlicensed satellite transmitters.

      * Require satellite operators that provide broadband in China to use a Chinese downlink so China can monitor, filter, and identify who sent what traffic.

      * Threats to satellite operators that provide broadband in China without co-operating with the Chinese government.

      * If the satellite operator has other businesses (e.g. Facebook), block those other businesses if the satellite operator does not comply with Chinese law.

      * Jamming satellite communications frequencies used by the satellite broadband providers that are not co-operating with the Chinese government.

      * Anti-satellite missiles.

      Note: Not saying I approve, but I'm a pragmatist and think mainstream satellite broadband is something China will be able to mostly control. Won't be perfect, but will be good enough for them. They are worried about mass protests growing into revolution, they're not worried about a few campaigners who can be thrown in prison. Sadly there is no technical fix for the Chinese censorship, it needs political change... which the current leaders are trying to block with censorship and other tools.

      1. Anonymous Coward

        Re: Satellite broadband?

        "[...] which the current leaders are trying to block with censorship and other tools."

        which the autocratic-tendency leaders of several supposedly democratic countries are trying to block with censorship and other tools.

        FTFY

  2. RM Myers
    Unhappy

    1984

    Orwell may have gotten the date wrong, but the rest of the novel seems to be a fairly accurate description of where China is going (or maybe already there?). This is definitely scary when you consider China has 18% of the world population and the second largest economy by GDP.

    1. Kabukiwookie

      Re: 1984

      What China seems to be doing here is pretty bad, but if you think that they're the only ones who think that 1984 was an instruction manual, you're sadly mistaken.

      We're already having the push for Newspeak here in 'the west' along with perpetual war (if you're living in the US).

      1. Wade Burchette

        Re: 1984

        In China, they had a campaign against the Four Olds: old customs, old ideas, old habits, old culture. This seems very similar to what antifa has been doing, tearing down statues and other monuments. You also have some politicians actively calling for an end of history classes.

        1. Anonymous Coward

          Re: 1984

          Antifa?

          LOL.

        2. Anonymous Coward

          Re: 1984

          Wait wait wait. I thought your kind of people thought history can only be learned by looking at statues. Now you also care about actual classes? How odd.

      2. Anonymous Coward

        Re: 1984

        There's one thing that people who keep banging the "1984" drum always forget: in the book, there is no good side. All sides use the exact same techniques, and whatever they call their ideology is explicitly irrelevant. They're only different labels affixed to the same oppression tools.

        1. Anonymous Coward

          Re: 1984

          In the real world there also isn't 'a good side'.

          It's called humanity.

          1. Psmo

            Re: 1984

            Wait. We're the good guys now? Since when?

      3. RM Myers
        FAIL

        Re: 1984

        Yes, I've noticed the great firewall around the UK which blocks access to subversive websites, like El Reg. Plus the number of cartoonists getting put into jail for doing caricatures of Johnson/Trump/Merkel/other western leader is truly terrifying. Winnie the Pooh would definitely approve.

        1. Anonymous Coward

          Re: 1984

          Not so long ago people would have been jailed for treason or murdered by the state for drawing unflattering caricatures or criticising a monarch.

          https://www.bbc.co.uk/news/uk-politics-20462098

          1. Mike 16

            Re: 1984

            I'm sure those killed in the little dust-up between Cromwell and the Crown were thinking "Well, at least we are not targeted for political cartoons". Note how the BBC article carefully starts counting at the 18th century.

        2. TheMeerkat

          Re: 1984

          You remember those French cartoonists killed?

          And everyone else too afraid to republish them?

          And no El Reg is not a subversive site - it toes the official propaganda line, like good old Pravda.

        3. Anonymous Coward

          Re: 1984

          "Yes, I've noticed the great firewall around the UK which blocks access to subversive websites [...]"

          The current Westminster government is intent on removing the established checks and balances that limit their grab for authoritarian powers. When this government fails to deliver the milk and honey promised to their supporters - then the same voters will offer an unapologetic tyrant unfettered power.

          Any open-ended provisions for use by the government need to be evaluated not against the scruples of the current politicians - but how those powers could be abused in the future.

    2. Anonymous Coward

      Re: 1984

      China

      Australia

      America

      UK

      ..

      They all want to monitor communications and limit Internet activity.

      1. Anonymous Coward

        Re: 1984

        You forgot Russia on that headline list. Yes, there may be other countries wanting to do this but Russia definitely deserves a call-out on this post.

        1. Anonymous Coward

          Re: 1984

          In China it's used for population management

          in Aussie land it's to look like they have control

          in the US it's used for insider trading

          in the UK it's used to look like they are trying.

    3. iron Silver badge

      Re: 1984

      Orwell may have gotten the date wrong, but the rest of the novel seems to be a fairly accurate description of where UK + USA are going (or maybe already there?).

      FTFY

  3. tip pc Silver badge

    I’m surprised China don’t just use a massive transparent proxy and just MITM everything, permitting TLS 1.3 and everyone with nothing to hide being none the wiser.

    It’s probably the easiest closest comparison to what currently happens in the west.

    At least China are open about their snooping. Most people in the west don’t know they are being snooped on.

    1. Phil NZ

      How do you know what cert CN/subject alternate name to forge when SNI is encrypted? How do you get your client to not break the connection if they don’t trust your root cert?

      I hope TLS 1.3 is very widely adopted very quickly

      1. tip pc Silver badge

        "How do you know what cert CN/subject alternate name to forge when SNI is encrypted? How do you get your client to not break the connection if they don’t trust your root cert?"

        Not disagreeing with you, but Zscaler claim to have that sussed; I suspect their solution requires a trusted root installed on all hosts, but China could do that.

        https://www.zscaler.com/blogs/corporate/tls-13-busting-myths-and-debunking-fear-uncertainty-doubt

        "The Zscaler advantage

        Zscaler is a true inline SSL proxy. It terminates the SSL connection established by the client and establishes a new SSL connection to the server; from a client’s perspective, Zscaler becomes the server and from the original SSL server’s perspective, Zscaler becomes the client. Considering that Zscaler is not just inspecting the SSL traffic on the wire, but terminating the connections, Zscaler has full visibility to the CN (Common Name), and other certificate parameters typically not visible to passive SSL inspection devices."

        1. Anonymous Coward
          Boffin

          Zscaler mention that they will be releasing another blog about the effect of ESNI on their system.

          It will be interesting to see what they say.

      2. Jon 37

        The SNI is encrypted ... with a key that the client got from DNS. So all you have to do is MITM the DNS traffic to replace that key with one you know.

        Browsers do DNS-over-HTTPS to try to stop that, but they can't use ESNI for the connection to the DNS server (there's a chicken-and-egg problem), so you can intercept and forge that initial connection to the DNS server. (Assuming you have subverted a CA or have installed your own CA root certificate on all devices - but that's necessary for all TLS interception).
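The comment above turns on what an on-path box can and cannot read out of a ClientHello. The following is an added example, not code from the commenter, The Register, or any vendor named on the page: it builds three constructed ClientHello records (plaintext SNI, draft-ESNI extension with an opaque placeholder payload, no SNI at all) and classifies what a passive observer learns from each. The codepoints for ESNI (0xffce) and its ECH successor (0xfe0d) are the draft-ietf-tls-esni values and are an assumption here, not a final IANA assignment. The defensive point it makes: with ESNI the hostname is hidden, but the extension's presence is itself visible, which is exactly what lets a censor block the connection without ever learning the name.

```python
import struct

# TLS extension codepoints. 0 is server_name (RFC 6066). The ESNI and ECH values are the
# draft-ietf-tls-esni codepoints (assumption: draft values, not a final IANA assignment).
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002b
EXT_ESNI_DRAFT = 0xffce
EXT_ECH_DRAFT = 0xfe0d


def sni_extension(hostname):
    """Encode a plaintext server_name extension for hostname (name_type 0 = host_name)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions):
    """Build a minimal TLS ClientHello record (constructed sample, not a real capture)."""
    body = b"\x03\x03" + b"\x11" * 32              # legacy_version + fixed client random
    body += b"\x00"                                  # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"       # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                              # compression_methods: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the extension types present and the plaintext SNI (or None) of a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                             # skip legacy_version and random
    pos += 1 + body[pos]                                     # skip legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # skip cipher_suites
    pos += 1 + body[pos]                                     # skip compression_methods
    total_ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + total_ext_len
    types, sni = [], None
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        types.append(ext_type)
        if ext_type == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    sni = data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
    return {"extensions": types, "sni": sni}


def what_an_observer_sees(record):
    """Classify what an on-path device can learn about the destination from this ClientHello."""
    info = parse_client_hello(record)
    if EXT_ESNI_DRAFT in info["extensions"] or EXT_ECH_DRAFT in info["extensions"]:
        return "encrypted-sni"   # hostname hidden, but the extension itself is visible and fingerprintable
    if info["sni"] is not None:
        return "plaintext-sni"   # hostname readable; this is what classic SNI-based filtering keys on
    return "no-sni"


# Constructed samples: the ESNI payload here is an opaque placeholder, not a real encrypted SNI.
SAMPLE_PLAIN = build_client_hello([sni_extension("example.com"), (EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")])
SAMPLE_ESNI = build_client_hello([(EXT_ESNI_DRAFT, b"\x00" * 16), (EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")])
SAMPLE_NONE = build_client_hello([(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")])

if __name__ == "__main__":
    for label, rec in [("plain", SAMPLE_PLAIN), ("esni", SAMPLE_ESNI), ("none", SAMPLE_NONE)]:
        print(label, parse_client_hello(rec)["sni"], what_an_observer_sees(rec))
```

Feeding a real capture into `parse_client_hello` (the first handshake record of a connection, as pulled from a pcap) tells you whether your own clients are sending ESNI, and therefore whether they would be caught by a block like the one the article describes.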

    2. Anonymous Coward

      Sorry? In the "west" our TLS traffic is already being intercepted on an industrial scale?

      Can you:

      a) explain just how that works

      b) explain why, if that's the case, our so-called Governments are still demanding protocol backdoors, in their ongoing denial of mathematics?

      1. Anonymous Coward

        a - traffic is routed via the US. Of course, that's always "accidental", but it happens. Especially the big ones use one and the same cert for TLS/SSL, so getting the private key to that communication is not hard.

        b - governments have been known to keep pretending they need something to hide the fact that they have access to technological advances. If you want any evidence of that, read what the UK let happen during WW II to prevent the Germans discovering that their Enigma encryption had been cracked. There's no reason to assume that has changed.

        1. Kabukiwookie

          You're probably right.

          The only reason the US wouldn't do the same as China is if they can already capture your traffic at the end points.

          Remember that according to the Snowden revelations, Microsoft was one of the first ones to cooperate with US agencies. That started back in 2007 if I remember correctly.

          1. Anonymous Coward

            There's a reason they were instrumental in getting the Cloud Act established - I suspect that ensured legal cover for what they were doing all along.

      2. tip pc Silver badge

        “Sorry? In the "west" our TLS traffic is already being intercepted on an industrial scale?”

        That’s not what I wrote.........

        I wrote.....

        “I’m surprised China don’t just use a massive transparent proxy and just MITM everything, permitting TLS 1.3 and everyone with nothing to hide being none the wiser.”

        Anyway, some research links for you

        https://www.gov.uk/government/news/uk-to-introduce-world-first-online-safety-laws

        https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/504192/Operational_Case_for_the_Retention_of_Internet_Connection_Records_-_IP_Bill_introduction.pdf

        https://www.theverge.com/2016/11/23/13718768/uk-surveillance-laws-explained-investigatory-powers-bill

        Spot any similarities in my suggestion and my links?

        ...............

    3. rg287

      TLS1.3 isn't just about mathematically more secure ciphers or ESNI.

      TLS1.3 also mandates cipher suites with Forward Secrecy. This breaks MITM boxes because you can't just siphon off a data stream and decrypt it at will using your private/internal Certificate (as plenty of banks & corps do using a private Certificate Authority). Cipher Suites with Forward Secrecy generate a new - ephemeral - secret key for every session.

      Also, as noted - ESNI complicates the process of knowing what domain the user is requesting and presenting the user with an appropriate spoofed certificate.

      This is all by design, and has created many headaches in corps with regulatory requirements to monitor everything going across their networks. It is telling that China have just thrown in the towel and banned it outright.
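The forward-secrecy point above is easy to state and worth seeing run. What follows is an added example, not the commenter's code or anything from the page: a toy model of two key exchanges over the same Diffie-Hellman group. In the first, the client's share is combined with the server's long-term key (the non-forward-secret pattern that a recording MITM box relies on); in the second, both sides use fresh ephemeral shares and the long-term key never enters key derivation, as in TLS 1.3. A passive recorder that later obtains the server's long-term private key recovers the first session and gets garbage from the second. The group (a 127-bit prime, generator 5), the SHA-256 key schedule and the XOR record protection are all toy constructions for illustration; real TLS uses X25519 or large FFDHE groups, HKDF and AEAD.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: a 127-bit Mersenne prime and a small generator, constructed
# for illustration only. Real TLS uses X25519 or 2048-bit+ FFDHE groups.
P = (1 << 127) - 1
G = 5


def keypair():
    """Generate a DH private exponent and the matching public share."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_session_key(shared_secret):
    """Stand-in for the TLS key schedule: hash the DH shared secret into a 32-byte key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """Toy record protection: SHA-256 keystream XOR (illustration only, not AEAD)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Server:
    """A server whose long-term (certificate) key sits on disk or in an HSM for years."""
    def __init__(self):
        self.static_priv, self.static_pub = keypair()


def session_static_dh(server, plaintext):
    """Non-forward-secret exchange (static DH stands in for TLS 1.2 RSA key transport):
    the client's fresh share meets the server's long-term key.
    Returns what goes over the wire and the key both endpoints hold."""
    c_priv, c_pub = keypair()
    key = derive_session_key(pow(server.static_pub, c_priv, P))
    wire = {"client_share": c_pub, "ciphertext": xor_stream(key, plaintext)}
    return wire, key


def session_ephemeral_dh(server, plaintext):
    """TLS 1.3-style exchange: both sides use fresh shares. The long-term key would only sign
    the handshake transcript (signature omitted here) and never enters key derivation."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    key = derive_session_key(pow(s_pub, c_priv, P))
    wire = {"client_share": c_pub, "server_share": s_pub, "ciphertext": xor_stream(key, plaintext)}
    del s_priv, c_priv   # ephemeral exponents are discarded once the handshake completes
    return wire, key


def recorder_with_stolen_static_key(wire, static_priv):
    """A passive recorder that kept the wire bytes and later obtained the server's long-term key.
    Combining the client's share with that key is exactly the legitimate derivation in the
    static case, and a meaningless value in the ephemeral case."""
    key = derive_session_key(pow(wire["client_share"], static_priv, P))
    return xor_stream(key, wire["ciphertext"])


if __name__ == "__main__":
    srv = Server()
    msg = b"GET /account/balance HTTP/1.1"   # constructed plaintext
    wire, _ = session_static_dh(srv, msg)
    print("static DH, key stolen later:   ", recorder_with_stolen_static_key(wire, srv.static_priv))
    wire, _ = session_ephemeral_dh(srv, msg)
    print("ephemeral DH, key stolen later:", recorder_with_stolen_static_key(wire, srv.static_priv))
```

The recorder does the same arithmetic in both runs; the only difference is whether the key it stole was ever part of the session's secret. That is the property a "decrypt later with the corporate CA key" box loses under TLS 1.3, and why such boxes must terminate connections inline instead.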

    4. Anonymous Coward

      China is not interested in snooping - it's interested in outright blocking anything it deems dangerous for the Party. They don't even need much snooping, they will just arrest you and "extract" all the information they need - just look at the recent arrests in Hong-Kong.

      Most people don't understand how much worse the Chinese situation is.

      1. Hubert Cumberdale Silver badge
      2. Kabukiwookie

        just look at the recent arrests in Hong-Kong

        I'd rather be treated like the protesters in Hong Kong, where even the 'horrible actions' of the police there seem rather mild compared to what the police in the US do to peaceful protesters

  4. Ken Hagan Gold badge

    Own goal?

    So what happens if Windows Update decides to insist on using TLS 1.3 to grab patches? Is that every Windows box in China knocked off the updates bandwagon, with new exploits being revealed each month?

    1. Blazde Silver badge

      Re: Own goal?

      That's a bit like asking what happens if Huawei insist all 5G equipment sold in the West has to be Great Firewall enabled. The own goal would be by Microsoft.

    2. Alister

      Re: Own goal?

      I shouldn't worry about that for a while, Microsoft hasn't caught up with TLS 1.3 yet for their operating systems.

      1. keith_w

        Re: Own goal?

        Yes it has.

        TLS 1.3 is supported in all versions of Chromium-based Edge (and will be supported on all platforms). The Chromium-based Edge just went GA so this should be good to go. Chrome and Firefox and other Chromium-based browsers support TLS 1.3.

        https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/

        1. Lee D Silver badge

          Re: Own goal?

          To my knowledge, Windows Update does not use a web browser to load its updates.

          It's the internal Windows crypto APIs connecting to a specific service - there's no way that they're using TLS1.3, or any installed web browser - especially ChromiEdge, which isn't on most machines - for that.

          It's not even BITS any more, it's some peer-to-peer-supporting thing.

          1. Ken Hagan Gold badge

            Re: Own goal?

            There's no technical reason to use *any* encryption, since the update files are signed, but that's not my point. MS *could* gratuitously use a transport that they know is blocked by some users with the intention of being awkward. They might even try to justify it on privacy grounds, since the updates that you query for, request and retrieve, give away information about your system.

            Why would they be awkward? Well, there is a Chinese version of pretty much every major western player in technology (search, tat bazaars, social media, ...). Sooner or later, there will be a Chinese "Windows-compatible" OS as well. (They must surely have the source code. It's just waiting for Winnie-the-Pooh to give it his sign-off.) Once that happens, there is no money for MS in China and they might as well close the door behind them.

            1. TheMeerkat

              Re: Own goal?

              They still use TLS.

            2. Anonymous Coward

              Re: Own goal?

              "Once that happens, there is no money for MS in China and they might as well close the door behind them."

              If MS buy the US arm of Tik Tok - then any business they already do in China becomes a hostage.

          2. TheMeerkat

            Re: Own goal?

            Windows is still using TLS to encrypt its Windows Update traffic.

        2. Alister

          Re: Own goal?

          @keith_w

          Which bit of "operating systems." don't you understand?

          Yes I know the browsers support it. But the OS doesn't. Not even Server 2019.

    3. IGotOut Silver badge

      Re: Own goal?

      "Is that every Windows box in China knocked off the updates bandwagon, with new exploits being revealed each month?"

      Yes that would be brilliant, several million more bots on the net.

  5. Bronek Kozicki
    Go

    Huh

    So, new censorship strategies circumvented by genetic algorithms - in other words, a very specific application of AI.

    That's probably the first time I've seen AI being actually useful.

    1. Lee D Silver badge

      Re: Huh

      AI = brute force and cross your fingers for luck.

      All they did was fuzz the API until they hit some kind of success, that's all the AI can (ever) do.

    2. RM Myers

      Re: Huh

      AI, well machine learning, has been used for many useful tasks, particularly where the underlying problem is simple pattern matching, or in this case, randomly generating potential solutions and then testing them. The problem is people trying to use it for complex tasks (e.g., autonomous driving) and the absolute blitz of BS concerning its capabilities.

  6. Anonymous Coward

    Anyone in China found with Geneva on their PC

    Would go straight to jail.

    Presumably in the same category as Tor software.
