China Tries To Block Encrypted Traffic
from the collapsing-the-tunnels dept
During the SOPA fight, at one point, we brought up the fact that increases in encryption were going to make most of the bill meaningless and ineffective in the long run, someone closely involved in trying to make SOPA a reality said that this wasn’t a problem because the next bill he was working on is one that would ban encryption. This, of course, was pure bluster and hyperbole from someone who was apparently both unfamiliar with the history of fights over encryption in the US, the value and importance of encryption for all sorts of important internet activities (hello online banking!), as well as the simple fact that “banning” encryption isn’t quite as easy as you might think. Still, for a guide on one attempt, that individual might want to take a look over at China, where VPN usage has become quite common to get around the Great Firewall. In response, it appears that some ISPs are now looking to block traffic that they believe is going through encrypted means.
A number of companies providing “virtual private network” (VPN) services to users in China say the new system is able to “learn, discover and block” the encrypted communications methods used by a number of different VPN systems.
China Unicom, one of the biggest telecoms providers in the country, is now killing connections where a VPN is detected, according to one company with a number of users in China.
Of course, there are countless ways to encrypt traffic, so all this really does is spur a cat and mouse game — and the best that can be done is having the system block any traffic that it can’t understand. Of course, once you go that far, you’re in for a lot of trouble, because there’s just a ton of legitimate content you’re going to block, pissing off a lot of people. Also, as this game goes on, it’ll just spur people to encrypt traffic in a matter that looks identifiable, but which really is not identifiable. Fighting against encryption is a game that can’t be won in the long term.
Filed Under: china, encryption, free speech, vpns
Comments on “China Tries To Block Encrypted Traffic”
Business users
They’re going to have a problem from their business users, especially foreign companies with reps there. If those companies are unable to secure their communications, they are going to be much less willing to do business there.
Re: Business users
If they haven’t maintained a reliable 24/7 guard on their premises and equipment, it is probable that they are already compromised. Reliable as in no untrusted person allowed to touch any piece of equipment.
Re: Business users
My ex-boss told me that business users can obtain approval through police and a number of departments to get exemption to the VPN block.
Just that the “a number of departments” list is long and the application procedure is complicated.
…ISPs are not looking to…
Is this a typo? Do you really mean now?
Ultimately, this isn’t surprising about China. Soon the copyright industries will try to follow suit.
Re: Re:
Is this a typo? Do you really mean now?
Oops. Yes. Fixed. Thanks.
Cue some copyright maximilist saying in a press release about the next copyright bill that blocking encryption is a good idea because China does it…
Re: Re:
Oh it wouldn’t be ‘Because China is doing it’, it would be ‘Because other countries area already doing it’.
For some strange reason they never seem to want to actually name the countries they are talking about when using them as an example of why stuff like this should be implemented. Can’t imagine why…
Re: Re:
Do you really believe that the copyright marximilists are going to force the US government and US companies to give up the use of sending email and documents etc by encryption over the internet all for the sake of a new law of banning encryption on the internet in order to combat piracy. Yep you guessed it they will and in doing so will make it very easy for hackers and terrorists to read the US governments unencrypted email and documents being sent over the internet.
Re: Re: Re:
the government doesn’t have to follow that law of course, laws are for lesser people.
Re: Re: Re:
I think there as a bit of reducing to the absurd there but honestly I wouldn’t put it past them to try with “exceptions for legitimate use”. It’s increasingly clear they are simply ready to burn everything down around them rather than give up what they have or try to change. It’s just sad that something that is a relatively minor part of the economy has powerful enough lobbies that it’s already screwing up other sectors on the back of this.
Re: Re:
Then you just ignore the law and use your encryption anway.
Wot!?
The chinese now are easy prey for 4chan.
Perhaps this is all a ploy by a bunch of old timers to force the world back to the pre-internet era because they are angry that technology such as online banking didn’t exist when they were younger.
Compromising encryption would be a disaster for every business on the planet.
What potential customer will do business with a company who cannot secure their payment data?
China are digging their own grave here. In their efforts to control what their citizens do online, they are making the country look like a terrible place to do business.
Re: Re:
They did THAT years ago. Hasn’t stopped idiots from buying from them.
Re: Re: Re:
I know. I mean, we still see food products from China on the grocery shelves. How? After all the horror stories of just deplorable practices performed by the Chinese food industries (including dead dogs from chew strips), how is it that markets keep buying from them?
Re: Re: Re: Re:
The answer is noodle bowls. That is why I keep buying from them.
It’s a good thing that holding general elections every few years prevents politicians trying to pass this sort of legislation.
confusing typo
I believe you meant “are now looking”
> In response, it appears that some ISPs are not looking to block traffic that they believe is going through encrypted means.
Does this mean we can start stealing Chinese peoples credit card information, not the other way around?
During the SOPA fight, at one point, we brought up the fact that increases in encryption were going to make most of the bill meaningless and ineffective in the long run, someone closely involved in trying to make SOPA a reality said that this wasn’t a problem because the next bill he was working on is one that would ban encryption.
I believe it was not banning, but regulating encryption. Sort of like concealed carry. You have to demonstrate a need. Nation security, terrorism, ya know.
Re: Re:
You have to demonstrate a need. Nation[al] security, terrorism, ya know.
According to the US gov intellegence, “communication” itself is a “national security, terrorism, ya know” issue, so for once, the government’s interpretation of law may work in our favor.
Maybe we can make them look as foolish as the MPAA in a can’t have it both ways trap?
Re: Re:
I have a need.
How about, don’t snoop on my network communications?
Re: Re: Re:
I doubt that would be a compelling argument. I wouldn’t be the least bit surprised to see some sort of license required for using encrypted transmissions. And I’ll bet national security is the justification.
Re: Re:
Like I said, just ignore the law and use your encryption WITHOUT the required licence
Chinese Encryption
The next thing you know, they are going to be putting tiny messages in their cookies.
I don't see how it could work...
Banning encryption or making it hard/impossible to use proxies/VPN is possible ONLY if a new standard is implemented globally where no person can be allowed to be administrator on their own computer.
Even trying is highly likely to remove every business relying on VPN’s, cloud services and proxies from the market IMO. Https has to go as well so say fare-thee-well to any service using encrypted login. Banks, amazon, online franchises, personal cloud storage and so on.
LOLCATS
I imagine it won’t be long before someone designs a system that encodes hidden steganographic traffic in cat images…
Funny I was just wondering if it is possible to hide a VPN or bittorrent inside fake internet use. ISP or govt gets innocuous traffic info…
Re: possible to hide a VPN or bittorrent
Actually, I was thinking that since I never had any trouble downloading torrents while I was living in China, I suggest that VPN people could change their protocols to make the traffic look like torrent traffic. This would bypass the blockage and as a bigger bonus, those accused of piracy by the MPAA and other criminal organisations could just smile sweetly and say “sorry, you must be mistaken I was simply connected to the secure tunnel to my place of work – your detection software must be broken”.
Perhaps it had to come to this...
This is the culmination of at least 35 years of official concern about the effects of personal computers.
I’m old enough to remember. As soon as computers became affordable to individuals in the late 1970s there was talk about “licensing” computer users. Talking Heads even wrote a song about it (Life During Wartime).
The good guys won, the bad guys lost.
Then, even before the Web, we had the Clipper chip. The EFF was created in response. And again the good guys won.
Then we had the CDA, and then CDA2. And again, the bad guys lost and the lovers of liberty won.
In the West, the war is mostly over (yet eternal vigilance remains the price of liberty).
Not so in the rest of the world, as last week’s ITU conference in Dubai demonstrated.
I say – let them try it. Let them lock down all the VPNs, shut off all the traffic they can’t parse. Let’s have the knock-down, drag-out fight between the hackers and the suits.
Stuart Brand was right. Information wants to be free. I know math. I know about stenography. I know about economics.
I know who will win.
Google reptilians have been resisted, but for how long?
of course foreign devil mike would oppose glorious china’s attempt to wrestle with the evil influence which threatens to disrupt cultural harmony. no doubt tehse google sponsored attacks on the PRC whcih spew from mike’s mouth fail to notice the sheer amount of cultural evil which spreads from the internet to the public mind
for shame mike google for shame.
Re: Google reptilians have been resisted, but for how long?
You remind me of a numbers station
Re: Re: Google reptilians have been resisted, but for how long?
Number stations make far more sense.
Re: Google reptilians have been resisted, but for how long?
… How is it that you’re still here?
Simple solution
Use an https/SSL tunnel. Virtual impossible to distinguish from actual HTML pages and almost impossible to block.
You can do this with openVPN by running over port 443 – http://en.wikipedia.org/wiki/OpenVPN
Setup your VPN service on AWS and you run it for peanuts (e.g. $20/month or less) and get an IP that’s not likely to be blocked.
Beyond that, there are new peer to peer VPN systems. N2N is one of them – http://en.wikipedia.org/wiki/N2n
Re: Simple solution
No. They’re just disconnecting any encrypted channel that connects for over 10-15 minutes (varies), plus a 5-10 minutes (varies again) block to the same host.
This plus the rule that there can be only 1 ISP exist per building in China makes trouble for most VPN users. (My ex-boss have to rent a flat on an adjacent building that use a different ISP just to workaround that. A wireless router bridging two networks + router that able to form VPN by multiple IP endpoint makes the network mostly work…)
Re: Re: Simple solution
it would be pretty hard to stop N2N as it would just re-route traffic through a different node….
It was only a matter of time before VPNs came under fire. If I was in the VPN business, I’d start getting ready for the idiot brigade.
They’re trying to make ISPs legally responsible, they’re trying to make search engines legally responsible, they’ll try to make VPNs legally responsible. Third party, fourth party, fifth party, doesn’t matter to idiots: the more people they can sue, the better!
>Fighting against encryption is a game that can’t be won in the long term.
Although I’d certainly like this to be true, I’m not convinced it really is. Certainly the cat-and-mouse game seems likely to continue indefinitely, but it seems to me that simple nature will always favor the people trying to discover and decrypt information, and not the people trying to keep information hidden and secret.
Re: Re:
It comes down to sheer numbers though. There will always be drastically more people concerned with protecting their privacy, than there will be those for whom ‘privacy’ is a term they consider to only apply to their own actions.
On a one-to-one basis, the anti-privacy people do tend to severely outgun the pro-privacy people, true, but when you consider the pro group tends to outnumber the anti group by 1000-1, 10,000-1, 100,000-1… then the odds start swinging the other way.
On a related note, anyone know of a free vpn that currently works in china? I was using freegate but they shut that down earlier this year…
Steganography
You send “normal” stuff, but that is just a digital envelope. Inside the envelope is real data, that has been encrypted as well, so even if someone detects that there is a payload hidden there, it will still be difficult or impossible to decode without the appropriate keys. Done correctly, steganography is very difficult to detect. You could send a home video that has some “noise” in it… 🙂
Re: Steganography
What percentage of current infringers do you think would resort to such measures? I believe that the biggest factors are how easy it is to do and how remote any serious consequences are.
Re: Re: Steganography
This isn’t about infringers. It would also be pretty easy to make a tool to accomplish this that is simple enough to use that literally everyone can use it without even noticing.
Re: Re: Steganography
The very definition of “Stuck in the present”.
If it ever becomes an issue where it is needed to “hide” encrypted data in a manner like this, the nature of the internet makes this certain:
Within months at the outside there will be 4 dozen apps, 2 dozen of which will be freeware, that present a handy, idiot-proof GUI to do exactly this.
There’s already many to “hide” encrypted data in other encrypted data if you want to and you can even do it for free using nice user-friendly step-by-step instructions if you want. What makes you think it would be any harder to do for Steganography? Right now no-one cares to write a mainstream one, change the law on encryption and that will change.
China isn’t the only country. Other countries are using “deep packet inspection”, DPI, to block encryption protocols. Ethiopia is one such country amount several.
‘Fighting against encryption is a game that can’t be won in the long term.’
the same thing has always been said about ‘file sharing’ but the entertainment industries have ignored it and are still trying to stop. add to that that a proxie was stopped from giving access to TPB in The Netherlands and a similar court case is on the cards between the BPI and The Pirate Party in the UK, the USA bitch country. i have said for a long time that eventually the can of worms opened by the US entertainment industries over their stupidity and selfishness would have farther reaching effects than they realised. the dangers of stopping encryption traffic are huge, but as long as those industries can stop their music and movies being shared is the main thing. the fact that, for example, banking could easily be drastically affected is irrelevant to them
Allowing only traffic you understand
> the best that can be done is having the system
> block any traffic that it can’t understand.
Ah, but maybe I can construct traffic that you think you understand, yet it conceals a deeper meaning.
I send you pages full of Html and statistically valid text, even made up of real dictionary words.
You send me more Http requests with get/post parameters or path name elements.
This is just one example. We might conceal a two-way conversation as your connection to my SMTP server sending a single email.
The only real trick is the balance of how well concealed the real content is versus how efficient it is.
Then this technology could be used to avoid repressive regimes such as the RIAA / MPAA.
Re: Allowing only traffic you understand
Yes, this. Or embed it into valid and playable audio or video files (where you can achieve a greater density of encrypted traffic without being detected.) People send home movies all the time.
The tighter your grip the more star systems will slip through.
The tighter your grip the more star systems will slip through.