China takes censorship seriously and has been enforcing programs to control various forms of online content. The most widely known example of this is China’s program to block websites they deem inappropriate known as the Great Firewall or “The Golden Sheild Project” (learn more HERE). Some examples of popular western websites blocked are Facebook, Google, Twitter and Youtube.
You can test if a website is blocked in China by going to http://www.greatfirewallofchina.org/ . The next screenshot shows Facebook is blocked however my website is permitted (as of now … who knows after this post).
The latest steps to enforce Internet censorship in China is preventing how people are bypassing the Great Firewall. I have friends in China that post on Facebook so people are doing it. Usually people use either proxies or VPN to get around China’s filtering. Proxies work until the proxy’s website is added to a blacklist. This means people have to adapt as their trusted proxies are blocked. VPN works as long as the technology is permitted since the traffic is encrypted as it passes through the Great Firewall.
Recently, there has been a few articles covering how China is increasing security measures to block VPN technology. Here is an interesting article posted in the Internal Times. Here is one from techcrunch. Apparently there has been a upgrade to what applications and content is being blocked by China’s firewall policies including ports and protocols needed to permit VPN services. This turns China’s censorship concerns into business problems for users requiring VPN access to international resources.
How is China doing this? Most firewall vendors have jumped on the “next generation security” bandwagon by extending capabilities from stateful firewalling to application controls, content filtering, intrusion prevention, traffic behavior monitoring and anything else they can fit into a single appliance. This means monitoring all ports and protocols rather than just general traffic. An example is identifying a user’s system is windows 8 running a specific version of Firefox browser accessing Farmsville on Facebook. You can learn more about some example offerings from Cisco that can do all of this HERE (Sourcefire) and HERE (Web Security Appliance WSA). Most vendors selling content filters and application layer firewalls offer basic forms of these features.
Controls for these types of solutions can be as granular as permitting Facebook but blocking posting, chat, playing games and so on. Controls can also be one way meaning permitting Dropbox to download however denying the ability to upload to Dropbox. Other controls can be in place such as throttling specific types of traffic, capturing and analyzing specific file types (IE block but analyze any ZIP files), decrypting SSL traffic (too see encrypted Google, Banking traffic, etc.), monitoring behavior such as port scanning and so on. So it is very likely China is not only enhancing its ability to block but also improving the ability eavesdrop on citizens using the Internet. This shouldn’t be shocking after all the noise behind what the NSA has been doing for years according to the Snowden Reports. Most likely most major governments have trending programs in place to identify threats and better understand how citizens feel towards different subjects.
Various vendors reaction to these China’s new controls over VPN are warnings that services may be interrupted for a unspecified time. This is a sticky situation as vendors are not responsible for “hacking” around a government’s desire to deny services while customers are demanding services to work. So technically speaking, vendors are suppose to share how to permit and block services. It is up to the service provider to open required ports and protocols for the technology to work. Most vendors will have to honor a request to deny their technology meaning customers experiencing VPN outages may not see a “fix” until China changes its policy, which probably won’t happen anytime soon.