China Tries To Block Encrypted Traffic

from the collapsing-the-tunnels dept

During the SOPA fight, when at one point we brought up the fact that increases in encryption were going to make most of the bill meaningless and ineffective in the long run, someone closely involved in trying to make SOPA a reality said that this wasn't a problem because the next bill he was working on is one that would ban encryption. This, of course, was pure bluster and hyperbole from someone who was apparently unfamiliar with the history of fights over encryption in the US, with the value and importance of encryption for all sorts of important internet activities (hello online banking!), and with the simple fact that "banning" encryption isn't quite as easy as you might think. Still, for a guide on one attempt, that individual might want to take a look over at China, where VPN usage has become quite common to get around the Great Firewall. In response, it appears that some ISPs are now looking to block traffic that they believe is going through encrypted means.
> A number of companies providing "virtual private network" (VPN) services to users in China say the new system is able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems.
>
> China Unicom, one of the biggest telecoms providers in the country, is now killing connections where a VPN is detected, according to one company with a number of users in China.

Of course, there are countless ways to encrypt traffic, so all this really does is spur a cat and mouse game -- and the best that can be done is having the system block any traffic that it can't understand. Of course, once you go that far, you're in for a lot of trouble, because there's just a ton of legitimate content you're going to block, pissing off a lot of people. Also, as this game goes on, it'll just spur people to encrypt traffic in a manner that looks identifiable, but which really is not identifiable. Fighting against encryption is a game that can't be won in the long term.
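
The over-blocking problem described above shows up as soon as "traffic it can't understand" is approximated with a byte-entropy test, a common heuristic for spotting encrypted payloads. The following is an added example, not code from the article or from any real filtering system; the 7.5 bits-per-byte threshold, the function names and all three payloads are constructed for illustration.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

# Hypothetical cut-off for this example: payloads at or above it are
# treated as "not understandable" and dropped.
ENTROPY_THRESHOLD = 7.5  # bits per byte


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def classify(payload: bytes, threshold: float = ENTROPY_THRESHOLD) -> str:
    """Return 'block' when the payload is statistically close to random noise."""
    return "block" if shannon_entropy(payload) >= threshold else "pass"


def build_samples() -> dict:
    """Constructed payloads; nothing here is captured traffic."""
    rng = random.Random(2012)  # fixed seed so the samples are reproducible
    words = ["tunnel", "packet", "router", "banking", "update", "photo",
             "invoice", "report", "server", "window", "monday", "coffee",
             "garden", "ticket", "letter", "market", "school", "train",
             "river", "music", "video", "paper", "bridge", "street"]
    text = " ".join(rng.choice(words) for _ in range(20000))
    page = ("<p>" + text + "</p>").encode("ascii")
    # Stand-in for ciphertext: SHA-256 over a counter yields uniform-looking bytes.
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(512))
    return {
        "plain HTML page": page,
        # Legitimate content: the same page as a compressed download.
        "same page, zlib-compressed": zlib.compress(page, 9),
        "ciphertext stand-in": noise,
    }


def evaluate() -> dict:
    """Map each sample name to (entropy rounded to 2 places, verdict)."""
    return {name: (round(shannon_entropy(p), 2), classify(p))
            for name, p in build_samples().items()}


if __name__ == "__main__":
    for name, (bits, verdict) in evaluate().items():
        print(f"{name:28s} {bits:5.2f} bits/byte -> {verdict}")
```

The compressed copy of an ordinary page gets the same verdict as the ciphertext stand-in, which is the collateral damage the article predicts: compressed downloads, media and software updates all look like noise to this kind of filter.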


Reader Comments

  •  
    Josh in CharlotteNC (profile), Dec 17th, 2012 @ 1:20pm

    Business users

    They're going to have a problem from their business users, especially foreign companies with reps there. If those companies are unable to secure their communications, they are going to be much less willing to do business there.

     

    •  
      Anonymous Coward, Dec 17th, 2012 @ 3:20pm

      Re: Business users

      If they haven't maintained a reliable 24/7 guard on their premises and equipment, it is probable that they are already compromised. Reliable as in no untrusted person allowed to touch any piece of equipment.

       

    •  
      Anonymous Coward, Dec 17th, 2012 @ 7:49pm

      Re: Business users

      My ex-boss told me that business users can obtain approval through police and a number of departments to get an exemption to the VPN block.

      Just that the "a number of departments" list is long and the application procedure is complicated.

       

  •  
    Anonymous Coward, Dec 17th, 2012 @ 3:06pm

    ...ISPs are not looking to...

    Is this a typo? Do you really mean now?

    Ultimately, this isn't surprising about China. Soon the copyright industries will try to follow suit.

     

  •  
    Rikuo (profile), Dec 17th, 2012 @ 3:13pm

    Cue some copyright maximalist saying in a press release about the next copyright bill that blocking encryption is a good idea because China does it...

     

    •  
      That One Guy (profile), Dec 17th, 2012 @ 3:31pm

      Re:

      Oh it wouldn't be 'Because China is doing it', it would be 'Because other countries are already doing it'.

      For some strange reason they never seem to want to actually name the countries they are talking about when using them as an example of why stuff like this should be implemented. Can't imagine why...

       

    •  
      Anonymous Coward, Dec 17th, 2012 @ 3:33pm

      Re:

      Do you really believe that the copyright marximilists are going to force the US government and US companies to give up the use of sending email and documents etc by encryption over the internet all for the sake of a new law of banning encryption on the internet in order to combat piracy? Yep, you guessed it, they will, and in doing so will make it very easy for hackers and terrorists to read the US government's unencrypted email and documents being sent over the internet.

       

      •  
        Anonymous Coward, Dec 17th, 2012 @ 6:15pm

        Re: Re:

        the government doesn't have to follow that law of course, laws are for lesser people.

         

      •  
        Tim Griffiths (profile), Dec 18th, 2012 @ 2:27am

        Re: Re:

        I think there was a bit of reducing to the absurd there but honestly I wouldn't put it past them to try with "exceptions for legitimate use". It's increasingly clear they are simply ready to burn everything down around them rather than give up what they have or try to change. It's just sad that something that is a relatively minor part of the economy has powerful enough lobbies that it's already screwing up other sectors on the back of this.

         

    •  
      Anonymous Coward, Dec 18th, 2012 @ 12:38am

      Re:

      Then you just ignore the law and use your encryption anyway.

       

  •  
    Anonymous Coward, Dec 17th, 2012 @ 3:25pm

    Wot!?

    The Chinese now are easy prey for 4chan.

     

  •  
    Anonymous Coward, Dec 17th, 2012 @ 3:28pm

    Perhaps this is all a ploy by a bunch of old timers to force the world back to the pre-internet era because they are angry that technology such as online banking didn't exist when they were younger.

     

  •  
    Zakida Paul (profile), Dec 17th, 2012 @ 3:34pm

    Compromising encryption would be a disaster for every business on the planet.

    What potential customer will do business with a company who cannot secure their payment data?

    China are digging their own grave here. In their efforts to control what their citizens do online, they are making the country look like a terrible place to do business.

     

    •  
      Anonymous Coward, Dec 17th, 2012 @ 3:36pm

      Re:

      They did THAT years ago. Hasn't stopped idiots from buying from them.

       

      •  
        PRMan, Dec 17th, 2012 @ 4:33pm

        Re: Re:

        I know. I mean, we still see food products from China on the grocery shelves. How? After all the horror stories of just deplorable practices performed by the Chinese food industries (including dead dogs from chew strips), how is it that markets keep buying from them?

         

  •  
    Anonymous Coward, Dec 17th, 2012 @ 3:36pm

    It's a good thing that holding general elections every few years prevents politicians trying to pass this sort of legislation.

     

  •  
    Tim, Dec 17th, 2012 @ 3:36pm

    confusing typo

    I believe you meant "are now looking"

    > In response, it appears that some ISPs are not looking to block traffic that they believe is going through encrypted means.

     

  •  
    Anonymous Coward, Dec 17th, 2012 @ 3:54pm

    Does this mean we can start stealing Chinese people's credit card information, not the other way around?

     

  •  
    Anonymous Coward, Dec 17th, 2012 @ 3:55pm

    > During the SOPA fight, at one point, we brought up the fact that increases in encryption were going to make most of the bill meaningless and ineffective in the long run, someone closely involved in trying to make SOPA a reality said that this wasn't a problem because the next bill he was working on is one that would ban encryption.

    I believe it was not banning, but regulating encryption. Sort of like concealed carry. You have to demonstrate a need. Nation security, terrorism, ya know.

     

    •  
      Anonymous Coward, Dec 17th, 2012 @ 4:00pm

      Re:

      > You have to demonstrate a need. Nation[al] security, terrorism, ya know.

      According to the US gov intelligence, "communication" itself is a "national security, terrorism, ya know" issue, so for once, the government's interpretation of law may work in our favor.


      Maybe we can make them look as foolish as the MPAA in a can't have it both ways trap?

       

    •  
      JWW (profile), Dec 17th, 2012 @ 8:08pm

      Re:

      I have a need.

      How about, don't snoop on my network communications?

       

      •  
        Anonymous Coward, Dec 17th, 2012 @ 10:18pm

        Re: Re:

        I doubt that would be a compelling argument. I wouldn't be the least bit surprised to see some sort of license required for using encrypted transmissions. And I'll bet national security is the justification.

         

    •  
      Anonymous Coward, Dec 18th, 2012 @ 12:42am

      Re:

      Like I said, just ignore the law and use your encryption WITHOUT the required licence

       

  •  
    Michael, Dec 17th, 2012 @ 4:00pm

    Chinese Encryption

    The next thing you know, they are going to be putting tiny messages in their cookies.

     

  •  
    Anonymous Coward, Dec 17th, 2012 @ 4:15pm

    I don't see how it could work...

    Banning encryption or making it hard/impossible to use proxies/VPN is possible ONLY if a new standard is implemented globally where no person can be allowed to be administrator on their own computer.

    Even trying is highly likely to remove every business relying on VPN's, cloud services and proxies from the market IMO. Https has to go as well so say fare-thee-well to any service using encrypted login. Banks, amazon, online franchises, personal cloud storage and so on.

     

  •  
    Anonymous Coward, Dec 17th, 2012 @ 4:16pm

    LOLCATS

    I imagine it won't be long before someone designs a system that encodes hidden steganographic traffic in cat images...

     

  •  
    Anonymous Coward, Dec 17th, 2012 @ 4:34pm

    Funny I was just wondering if it is possible to hide a VPN or bittorrent inside fake internet use. ISP or govt gets innocuous traffic info...

     

    •  
      Colin (profile), Dec 17th, 2012 @ 4:48pm

      Re: possible to hide a VPN or bittorrent

      Actually, I was thinking that since I never had any trouble downloading torrents while I was living in China, I suggest that VPN people could change their protocols to make the traffic look like torrent traffic. This would bypass the blockage and as a bigger bonus, those accused of piracy by the MPAA and other criminal organisations could just smile sweetly and say "sorry, you must be mistaken I was simply connected to the secure tunnel to my place of work - your detection software must be broken".

       

  •  
    OldMugwump (profile), Dec 17th, 2012 @ 4:44pm

    Perhaps it had to come to this...

    This is the culmination of at least 35 years of official concern about the effects of personal computers.

    I'm old enough to remember. As soon as computers became affordable to individuals in the late 1970s there was talk about "licensing" computer users. Talking Heads even wrote a song about it (Life During Wartime).

    The good guys won, the bad guys lost.

    Then, even before the Web, we had the Clipper chip. The EFF was created in response. And again the good guys won.

    Then we had the CDA, and then CDA2. And again, the bad guys lost and the lovers of liberty won.

    In the West, the war is mostly over (yet eternal vigilance remains the price of liberty).

    Not so in the rest of the world, as last week's ITU conference in Dubai demonstrated.

    I say - let them try it. Let them lock down all the VPNs, shut off all the traffic they can't parse. Let's have the knock-down, drag-out fight between the hackers and the suits.

    Stewart Brand was right. Information wants to be free. I know math. I know about stenography. I know about economics.

    I know who will win.

     

  •  
    out_of_the_bob, Dec 17th, 2012 @ 6:12pm

    Google reptilians have been resisted, but for how long?

    of course foreign devil mike would oppose glorious china's attempt to wrestle with the evil influence which threatens to disrupt cultural harmony. no doubt these google sponsored attacks on the PRC which spew from mike's mouth fail to notice the sheer amount of cultural evil which spreads from the internet to the public mind

    for shame mike google for shame.

     

  •  
    Chris Maresca, Dec 17th, 2012 @ 6:30pm

    Simple solution

    Use an https/SSL tunnel. Virtually impossible to distinguish from actual HTML pages and almost impossible to block.

    You can do this with openVPN by running over port 443 - http://en.wikipedia.org/wiki/OpenVPN

    Set up your VPN service on AWS and you run it for peanuts (e.g. $20/month or less) and get an IP that's not likely to be blocked.

    Beyond that, there are new peer to peer VPN systems. N2N is one of them - http://en.wikipedia.org/wiki/N2n

     

    •  
      Anonymous Coward, Dec 17th, 2012 @ 7:57pm

      Re: Simple solution

      No. They're just disconnecting any encrypted channel that connects for over 10-15 minutes (varies), plus a 5-10 minute (varies again) block to the same host.

      This, plus the rule that only 1 ISP can exist per building in China, makes trouble for most VPN users. (My ex-boss has to rent a flat in an adjacent building that uses a different ISP just to work around that. A wireless router bridging two networks + a router that is able to form a VPN over multiple IP endpoints makes the network mostly work...)

       

      •  
        Anonymous Coward, Dec 18th, 2012 @ 10:05am

        Re: Re: Simple solution

        it would be pretty hard to stop N2N as it would just re-route traffic through a different node....

         

  •  
    Anonymous Coward, Dec 17th, 2012 @ 6:40pm

    It was only a matter of time before VPNs came under fire. If I was in the VPN business, I'd start getting ready for the idiot brigade.
    They're trying to make ISPs legally responsible, they're trying to make search engines legally responsible, they'll try to make VPNs legally responsible. Third party, fourth party, fifth party, doesn't matter to idiots: the more people they can sue, the better!

     

  •  
    Lorpius Prime (profile), Dec 17th, 2012 @ 7:34pm

    >Fighting against encryption is a game that can't be won in the long term.

    Although I'd certainly like this to be true, I'm not convinced it really is. Certainly the cat-and-mouse game seems likely to continue indefinitely, but it seems to me that simple nature will always favor the people trying to discover and decrypt information, and not the people trying to keep information hidden and secret.

     

    •  
      That One Guy (profile), Dec 17th, 2012 @ 11:38pm

      Re:

      It comes down to sheer numbers though. There will always be drastically more people concerned with protecting their privacy, than there will be those for whom 'privacy' is a term they consider to only apply to their own actions.

      On a one-to-one basis, the anti-privacy people do tend to severely outgun the pro-privacy people, true, but when you consider the pro group tends to outnumber the anti group by 1000-1, 10,000-1, 100,000-1... then the odds start swinging the other way.

       

  •  
    Drew, Dec 17th, 2012 @ 7:40pm

    On a related note, anyone know of a free vpn that currently works in China? I was using freegate but they shut that down earlier this year...

     

  •  
    Spaceman Spiff (profile), Dec 17th, 2012 @ 8:10pm

    Steganography

    You send "normal" stuff, but that is just a digital envelope. Inside the envelope is real data, that has been encrypted as well, so even if someone detects that there is a payload hidden there, it will still be difficult or impossible to decode without the appropriate keys. Done correctly, steganography is very difficult to detect. You could send a home video that has some "noise" in it... :-)

     

    •  
      Anonymous Coward, Dec 17th, 2012 @ 10:13pm

      Re: Steganography

      What percentage of current infringers do you think would resort to such measures? I believe that the biggest factors are how easy it is to do and how remote any serious consequences are.

       

      •  
        John Fenderson (profile), Dec 18th, 2012 @ 10:27am

        Re: Re: Steganography

        This isn't about infringers. It would also be pretty easy to make a tool to accomplish this that is simple enough to use that literally everyone can use it without even noticing.

         

      •  
        Not an Electronic Rodent (profile), Dec 18th, 2012 @ 12:38pm

        Re: Re: Steganography

        > I believe that the biggest factors are how easy it is to do and how remote any serious consequences are.

        The very definition of "Stuck in the present".
        If it ever becomes an issue where it is needed to "hide" encrypted data in a manner like this, the nature of the internet makes this certain:
        Within months at the outside there will be 4 dozen apps, 2 dozen of which will be freeware, that present a handy, idiot-proof GUI to do exactly this.

        There are already many to "hide" encrypted data in other encrypted data if you want to and you can even do it for free using nice user-friendly step-by-step instructions if you want. What makes you think it would be any harder to do for Steganography? Right now no-one cares to write a mainstream one; change the law on encryption and that will change.

         

  •  
    Anonymous Coward, Dec 18th, 2012 @ 1:18am

    China isn't the only country. Other countries are using "deep packet inspection", DPI, to block encryption protocols. Ethiopia is one such country among several.

     

  •  
    Anonymous Coward, Dec 18th, 2012 @ 2:12am

    'Fighting against encryption is a game that can't be won in the long term.'

    the same thing has always been said about 'file sharing' but the entertainment industries have ignored it and are still trying to stop. add to that that a proxy was stopped from giving access to TPB in The Netherlands and a similar court case is on the cards between the BPI and The Pirate Party in the UK, the USA bitch country. i have said for a long time that eventually the can of worms opened by the US entertainment industries over their stupidity and selfishness would have farther reaching effects than they realised. the dangers of stopping encryption traffic are huge, but as long as those industries can stop their music and movies being shared is the main thing. the fact that, for example, banking could easily be drastically affected is irrelevant to them

     

  •  
    DannyB (profile), Dec 18th, 2012 @ 5:30am

    Allowing only traffic you understand

    > the best that can be done is having the system
    > block any traffic that it can't understand.

    Ah, but maybe I can construct traffic that you think you understand, yet it conceals a deeper meaning.

    I send you pages full of Html and statistically valid text, even made up of real dictionary words.

    You send me more Http requests with get/post parameters or path name elements.

    This is just one example. We might conceal a two-way conversation as your connection to my SMTP server sending a single email.

    The only real trick is the balance of how well concealed the real content is versus how efficient it is.

    Then this technology could be used to avoid repressive regimes such as the RIAA / MPAA.

     

    •  
      John Fenderson (profile), Dec 18th, 2012 @ 10:28am

      Re: Allowing only traffic you understand

      Yes, this. Or embed it into valid and playable audio or video files (where you can achieve a greater density of encrypted traffic without being detected.) People send home movies all the time.

       

  •  
    Anonymous Coward, Dec 18th, 2012 @ 6:46am

    The tighter your grip the more star systems will slip through.

     
