Using Content Delivery Networks To Circumvent The Great Firewall Of China
from the digital-cat-and-mouse dept
Techdirt has written many times about the online cat-and-mouse game being played out in China, whereby people adopt various technical approaches to get around official censorship, the authorities find ways to block them, forcing Internet users to find new methods, and so on. According to a recent report in The New York Times, the Chinese government is adopting even more severe measures against those who try to circumvent the Great Firewall:
The Chinese government is shutting down the mobile service of residents in Xinjiang who use software that lets them circumvent Internet filters, escalating an already aggressive electronic surveillance strategy in the country’s fractious western territory.
The problem here is that it’s pretty obvious when people are using things like VPNs, and so it’s easy to punish them as China is now apparently starting to do. A clever new approach, discussed in the MIT Technology Review, avoids that shortcoming by using a key aspect of the modern Internet’s infrastructure: content delivery networks (CDNs). As the post explains:
when you visit a popular website, your computer is usually directed to download it from the servers of a content delivery network, a company such as Akamai that website operators pay to store copies of their data on many servers around the world so people can access it faster. Use of content delivery networks is very common among major sites and growing; Cisco expects a majority of all Internet traffic to pass through them within a few years.
A new plug-in called CacheBrowser, available for Chrome currently and Firefox soon, takes advantage of this fact. When someone in China requests a site that makes use of CDNs to deliver its content, the plug-in sends the request directly to the CDN hosting that site, without calling on a DNS server. Taking this approach makes the request immune to so-called “DNS interference” by the authorities, which is the most common way China blocks access to forbidden sites. Even if all traffic is intercepted and analysed, there is no way for the Chinese authorities to find out which site on the CDN is being accessed, provided an encrypted connection is used — yet another reason to move all Internet connections to HTTPS.
For encrypted requests, the government censors must either allow the traffic to connect to the site mirrored on the CDN, or block access to the CDN itself, and thus to every site using that CDN. Since so many popular and important sites now make use of CDNs, blocking them would have a major impact on Chinese business and research, as well as on the general public. Provided the perceived cost of that damage outweighs the adverse effects of allowing unfettered access to banned sites, the Chinese government is unlikely to block these encrypted connections to major CDNs.
A paper by the two creators of CacheBrowser (pdf) gives more details of exactly how it works, and ways in which it might be attacked. One possible attack they don’t mention appeared in an earlier Techdirt post about China’s struggle to reconcile the needs of its citizens to access useful and important information online with the government’s desire to block material it deems harmful. The approach employed there was to use a “man-in-the-middle” attack against Google to allow state censors to check what was being searched for. Maybe something similar would work against CacheBrowser. If the idea of using CDNs to bypass the Great Firewall starts to catch on, we will doubtless find out.