Using Content Delivery Networks To Circumvent The Great Firewall Of China

Techdirt has written many times about the online cat-and-mouse game being played out in China, whereby people adopt various technical approaches to get around official censorship, the authorities find ways to block them, forcing Internet users to find new methods, and so on. According to a recent report in The New York Times, the Chinese government is adopting even more severe measures against those who try to circumvent the Great Firewall:

The Chinese government is shutting down the mobile service of residents in Xinjiang who use software that lets them circumvent Internet filters, escalating an already aggressive electronic surveillance strategy in the country’s fractious western territory.

The problem here is that it’s pretty obvious when people are using things like VPNs, and so it’s easy to punish them as China is now apparently starting to do. A clever new approach, discussed in the MIT Technology Review, avoids that shortcoming by using a key aspect of the modern Internet’s infrastructure: content delivery networks (CDNs). As the post explains:

when you visit a popular website, your computer is usually directed to download it from the servers of a content delivery network, a company such as Akamai that website operators pay to store copies of their data on many servers around the world so people can access it faster. Use of content delivery networks is very common among major sites and growing; Cisco expects a majority of all Internet traffic to pass through them within a few years.

A new plug-in called CacheBrowser, available for Chrome currently and Firefox soon, takes advantage of this fact. When someone in China requests a site that makes use of CDNs to deliver its content, the plug-in routes it directly to the CDN hosting it, without calling on a DNS server. Taking this approach makes the request immune to so-called “DNS interference” by the authorities, which is the most common way China blocks access to forbidden sites. Even if all traffic is intercepted and analysed, there is no way for the Chinese authorities to find out which site on the CDN is being accessed, provided an encrypted connection is used — yet another reason to move all Internet connections to HTTPS.

For encrypted requests, the government censors must either allow the traffic to connect to the site mirrored on the CDN, or block access to the CDN itself, and thus to every site using that CDN. Since so many popular and important sites now make use of CDNs, blocking them would have a major impact on Chinese business and research, as well as on the general public. Provided the perceived cost of that damage outweighs the adverse effects of allowing unfettered access to banned sites, the Chinese government is unlikely to block these encrypted connections to major CDNs.
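The trade-off described in the two paragraphs above, as a small constructed model added here (not code from CacheBrowser or its paper). Site names, addresses and the `Censor` and `reachable` helpers are hypothetical, and the observer is assumed to see only the destination address of an encrypted flow.

```python
from dataclasses import dataclass, field

# Constructed data: which CDN edge address serves which sites.
EDGE_HOSTING = {
    "192.0.2.10": {"banned.example", "shop.example", "university.example"},
    "192.0.2.20": {"news.example", "bank.example"},
}
# Correct DNS answers, derived from the hosting table.
TRUE_DNS = {site: ip for ip, sites in EDGE_HOSTING.items() for site in sites}
BOGUS_IP = "203.0.113.1"  # constructed address returned by tampered DNS


@dataclass
class Censor:
    dns_tampered: set = field(default_factory=set)  # names given bogus answers
    blocked_ips: set = field(default_factory=set)   # addresses dropped on-path

    def resolve(self, name):
        """DNS answer as seen from inside the filtered network."""
        return BOGUS_IP if name in self.dns_tampered else TRUE_DNS[name]

    def candidates(self, dst_ip):
        """Sites an encrypted flow to dst_ip could belong to (assumption:
        only the destination address is visible to the observer)."""
        return set(EDGE_HOSTING.get(dst_ip, set()))

    def collateral(self, target):
        """Other sites lost if every edge serving target is IP-blocked."""
        lost = set()
        for sites in EDGE_HOSTING.values():
            if target in sites:
                lost |= sites
        return lost - {target}


def reachable(censor, site, pinned_edge=None):
    """True if site loads; pinned_edge models skipping the DNS lookup."""
    ip = pinned_edge or censor.resolve(site)
    if ip in censor.blocked_ips:
        return False
    return site in EDGE_HOSTING.get(ip, set())


if __name__ == "__main__":
    c = Censor(dns_tampered={"banned.example"})
    print(reachable(c, "banned.example"))                # DNS path
    print(reachable(c, "banned.example", "192.0.2.10"))  # direct to edge
    print(sorted(c.collateral("banned.example")))        # cost of an IP block
```

In this model, DNS tampering alone stops only the lookup path, while blocking the edge address also removes every other site hosted on it.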

A paper by the two creators of CacheBrowser (pdf) gives more details of exactly how it works, and ways in which it might be attacked. One they don’t mention appeared in an earlier Techdirt post about China’s struggle to reconcile the needs of its citizens to access useful and important information online with the government’s desire to block material it deems harmful. The approach employed there was to use a “man-in-the-middle” attack against Google to allow state censors to check what was being searched for. Maybe something similar would work against CacheBrowser. If the idea of using CDNs to bypass the Great Firewall starts to catch on, we will doubtless find out.

Anonymous Coward says:

OT: not just China -- what about the Great American Firewall?

Two weeks ago, the recording industry put out an album that was expected to be a blockbuster, so I decided to investigate the methods they were using to fight file-sharing. (In short, the record company was hitting Google and a few popular torrent sites fast and hard but completely ignoring most everything else.)

It surprised me to discover that I was blocked out of many “pirate” websites, which were accessible through some proxy sites but not directly accessible. (Even many “normal” proxy sites were encountering these blocks.) Changing to an alternative DNS server (such as Google’s and a few others) made no difference. So I tried two free dialup ISPs, and the problems remained: TPB and other torrent sites were inaccessible — as were a large number of proxy sites whose URLs were suggestive of file sharing in some way.

I already knew that for several years many European countries were actively blocking so-called “pirate” websites, but it was a rude awakening to learn that here in the good ol’ USA — supposedly the land of the free — internet censorship is rife.

I’m curious to know just how many websites (file-sharing-related or otherwise) are blocked in the USA, and which ISPs are the worst censors?

M. Alan Thomas II (profile) says:

I’d expect to see a push from the Chinese government for home-grown CDNs that don’t host (or will internally block) blacklisted content. The most likely route to make that work would be for the government to use a combination of incentives and selective blocking (e.g., slowly rolling out blocks on encrypted connections) to make most major sites transition at least their encrypted content to those CDNs.

Whatever (profile) says:

Nice but....

It’s a nice idea and all, but most certainly not an advisable long-term strategy. We have all seen in the past where China is more than willing to take out very large sites to resolve what it sees as a problem. It wouldn’t be hard for them to take out Akamai or others for an extended period of time, rendering the whole circumvention moot.

Moreover, it would just encourage the Chinese government to do more IP based blocking, which would potentially create huge amounts of collateral damage. It’s a needless escalation in the battle of the great firewall.

That One Guy (profile) says:

Re: Nice but....

As opposed to… what exactly? The thin-skinned fools running the Chinese government aren’t going to stop so long as someone’s willing to defy them; likely the best that can be hoped for is that each way tried will work to bypass their attempts at censorship for long enough for the next way to develop.

Whatever (profile) says:

Re: Re: Nice but....

For me the problem is collateral damage. In order to stop it, sites that are currently available to the Chinese people may get blocked. Moreover, citizens not realizing they are circumventing the Government blocks may find themselves in trouble with authorities.

The concept of bypassing the Chinese government censorship is admirable. The realities of trying to do so may end up costing more than it’s worth, especially if it is just another mole to whack.

That One Guy (profile) says:

Re: Re: Re: Nice but....

The possibility for collateral damage exists for any effective attempt to bypass the censorship imposed by the Chinese government, so unless you’re suggesting that those trying to do so just stop trying, ‘collateral damage’ is going to happen, and the ones responsible for the damage are not the ones trying to bypass the censorship, it’s the government who’s implemented the censorship in the first place.

Anonymous Coward says:


Provided the perceived cost of that damage outweighs the adverse effects of allowing unfettered access to banned sites, the Chinese government is unlikely to block these encrypted connections to major CDNs.

That’s a big “provided” caveat. You naively and greatly underestimate the Chinese government.

