Using Content Delivery Networks To Circumvent The Great Firewall Of China

from the digital-cat-and-mouse dept

Techdirt has written many times about the online cat-and-mouse game being played out in China, whereby people adopt various technical approaches to get around official censorship, the authorities find ways to block them, forcing Internet users to find new methods, and so on. According to a recent report in The New York Times, the Chinese government is adopting even more severe measures against those who try to circumvent the Great Firewall:

The Chinese government is shutting down the mobile service of residents in Xinjiang who use software that lets them circumvent Internet filters, escalating an already aggressive electronic surveillance strategy in the country's fractious western territory.

The problem here is that it's pretty obvious when people are using things like VPNs, and so it's easy to punish them as China is now apparently starting to do. A clever new approach, discussed in the MIT Technology Review, avoids that shortcoming by using a key aspect of the modern Internet's infrastructure: content delivery networks (CDNs). As the post explains:

when you visit a popular website, your computer is usually directed to download it from the servers of a content delivery network, a company such as Akamai that website operators pay to store copies of their data on many servers around the world so people can access it faster. Use of content delivery networks is very common among major sites and growing; Cisco expects a majority of all Internet traffic to pass through them within a few years.

A new plug-in called CacheBrowser, available for Chrome currently and Firefox soon, takes advantage of this fact. When someone in China requests a site that makes use of CDNs to deliver its content, the plug-in routes it directly to the CDN hosting it, without calling on a DNS server. Taking this approach makes the request immune to so-called "DNS interference" by the authorities, which is the most common way China blocks access to forbidden sites. Even if all traffic is intercepted and analysed, there is no way for the Chinese authorities to find out which site on the CDN is being accessed, provided an encrypted connection is used -- yet another reason to move all Internet connections to HTTPS.

For encrypted requests, the government censors must either allow the traffic to connect to the site mirrored on the CDN, or block access to the CDN itself, and thus to every site using that CDN. Since so many popular and important sites now make use of CDNs, blocking them would have a major impact on Chinese business and research, as well as on the general public. Provided the perceived cost of that damage outweighs the adverse effects of allowing unfettered access to banned sites, the Chinese government is unlikely to block these encrypted connections to major CDNs.

A paper by the two creators of CacheBrowser (pdf) gives more details of exactly how it works, and ways in which it might be attacked. One they don't mention appeared in an earlier Techdirt post about China's struggle to reconcile the needs of its citizens to access useful and important information online with the government's desire to block material it deems harmful. The approach employed there was to use a "man-in-the-middle" attack against Google to allow state censors to check what was being searched for. Maybe something similar would work against CacheBrowser. If the idea of using CDNs to by-pass the Great Firewall starts to catch on, we will doubtless find out.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: cdns, china, content delivery networks, free speech, great firewall, privacy


Reader Comments

  • Anonymous Coward, 4 Dec 2015 @ 12:30am

    OT: not just China -- what about the Great American Firewall?

    Two weeks ago, the recording industry put out an album that was expected to be a blockbuster, so I decided to investigate the methods they were using to fight file-sharing. (In short, the record company was hitting Google and a few popular torrent sites fast and hard but completely ignoring most everything else)

    It surprised me to discover that I was blocked out of many "pirate" websites, which were accessible through some proxy sites but not directly accessible. (Even many "normal" proxy sites were encountering these blocks.) Changing to an alternative DNS server (such as Google's 8.8.8.8 and a few others) made no difference. So I tried two free dialup ISPs, and the problems remained: TPB and other torrent sites were inaccessible -- as were a large number of proxy sites whose URLs were suggestive of file sharing in some way.

    I already knew that for several years many European countries were actively blocking so-called "pirate" websites, but it was a rude awakening to learn that here in the good ol' USA -- supposedly the land of the free -- that internet censorship is rife.

    I'm curious to know just how many websites (file-sharing-related or otherwise) are blocked in the USA, and which ISPs are the worst censors?

  • orbitalinsertion, 4 Dec 2015 @ 12:42am

    Since so many popular and important sites now make use of CDNs, blocking them would have a major impact on Chinese business and research, as well as on the general public.


    They said that about VPNs 5-7 years ago.

  • M. Alan Thomas II, 4 Dec 2015 @ 2:11am

    I'd expect to see a push from the Chinese government for home-grown CDNs that don't host (or will internally block) blacklisted content. The most likely route to make that work would be for the government to use a combination of incentives and selective blocking (e.g., slowly rolling out blocks on encrypted connections) to make most major sites transition at least their encrypted content to those CDNs.

  • Anonymous Coward, 4 Dec 2015 @ 3:55am

    Cut the line and be done with it. Only then can we start dealing with the other hackers, the GCHQ and the NSA.

  • Whatever, 4 Dec 2015 @ 5:20am

    Nice but....

    It's a nice idea and all, but most certainly not an advisable long term strategy. We have all seen in the past where China is more than willing to take out very large sites to resolve what it sees as a problem. It wouldn't be hard for them to take out Akamai or others for an extended period of time, rendering the whole circumvention moot.

    Moreover, it would just encourage the Chinese government to do more IP based blocking, which would potentially create huge amounts of collateral damage. It's a needless escalation in the battle of the great firewall.

    • That One Guy, 4 Dec 2015 @ 5:43am

      Re: Nice but....

      As opposed to... what exactly? The thin-skinned fools running the Chinese government aren't going to stop so long as someone's willing to defy them, likely the best that can be hoped for is that each way tried will work to bypass their attempts at censorship for long enough for the next way to develop.

      • Whatever, 4 Dec 2015 @ 6:22am

        Re: Re: Nice but....

        For me the problem is collateral damage. In order to stop it sites that are currently available to the Chinese people may get blocked. Moreover, citizens not realizing they are circumventing the Government blocks may find themselves in trouble with authorities.

        The concept of bypassing the Chinese government censorship is admirable. The realities of trying to do so may end up costing more than it's worth, especially if it is just another mole to whack.

        • Anonymous Coward, 4 Dec 2015 @ 6:43am

          Re: Re: Re: Nice but....

          Compliance with the rules of a tyranny that will allow no criticism of itself only enables that tyranny to become even more tyrannical.

          • Whatever, 4 Dec 2015 @ 6:53am

            Re: Re: Re: Re: Nice but....

            Nice sentiment. Perhaps you can take a Tiananmen Square massacre video and go set it up on a main street somewhere in China and explain it carefully to the people. I am sure you have absolutely no problem going to stand up against tyranny, right?

        • That One Guy, 4 Dec 2015 @ 7:20am

          Re: Re: Re: Nice but....

          The possibility for collateral damage exists for any effective attempt to bypass the censorship imposed by the Chinese government, so unless you're suggesting that those trying to do so just stop trying, 'collateral damage' is going to happen, and the ones responsible for the damage are not the ones trying to bypass the censorship, it's the government who's implemented the censorship in the first place.

  • Anonymous Coward, 4 Dec 2015 @ 5:53am

    Provided...

    Provided the perceived cost of that damage outweighs the adverse effects of allowing unfettered access to banned sites, the Chinese government is unlikely to block these encrypted connections to major CDNs.

    That's a big "provided" caveat. You naively and greatly underestimate the Chinese government.

  • Anon, 4 Dec 2015 @ 7:41am

    Of course...

    Wouldn't an HTTPS connection to Google and browsing their cached data have the same immunity? Except, they block "Raw Google" (TM?); it's only a matter of time before they block other web caches.

  • toyotabedzrock, 5 Dec 2015 @ 7:55pm

    China has access to your root certificates. Almost every Android device trusts more than one nation state's root certificate, including China's.
