===Active filtering===
One function of the Chinese firewall is to selectively prevent content from being accessed. It is built mostly from Cisco, Huawei, and Semptian hardware.<ref>{{cite web|url=https://www.forbes.com/sites/arthurherman/2018/12/10/huaweis-and-chinas-dangerous-high-tech-game/|title=Huawei's (And China's) Dangerous High-Tech Game|last=Herman|first=Arthur|website=Forbes|language=en|access-date=8 October 2019|archive-url=https://web.archive.org/web/20190515103447/https://www.forbes.com/sites/arthurherman/2018/12/10/huaweis-and-chinas-dangerous-high-tech-game/|archive-date=15 May 2019|url-status=live}}</ref><ref>{{cite web|url=https://c5is.com/cisco-huawei-and-semptian-a-look-behind-the-great-firewall-of-china/|title=Cisco, Huawei and Semptian: A Look Behind the Great Firewall of China|date=15 December 2014|website=C5IS|language=en-US|access-date=8 October 2019|archive-url=https://web.archive.org/web/20190714193154/https://c5is.com/cisco-huawei-and-semptian-a-look-behind-the-great-firewall-of-china/|archive-date=14 July 2019|url-status=live}}</ref> Not all sensitive content is blocked; in 2007, scholar Jedidiah R. Crandall and others argued that the main purpose is not to block 100%, but rather to flag and to warn, in order to encourage self-censorship.<ref>{{cite book |author1=Oliver Farnan |author2=Alexander Darer |author3=Joss Wright |title=Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society - WPES'16 |chapter=Poisoning the Well |year=2016 |pages=95–98 |doi=10.1145/2994620.2994636 |isbn=9781450345699 |s2cid=7275132 }}</ref>

An illustrative but incomplete list of tactics includes:
{| class="wikitable"
|-
!Method
!Description
|-
|IP range ban using [[Black hole (networking)|black holes]]
|The Chinese firewall maintains a list of [[IP address|IP ranges]] that are automatically dropped ([[Black hole (networking)|network black-holing]]).<ref>{{Cite web |title=Forbidden: China Geo-Blocking Americans from Accessing Supreme People's Court Website and Published Decisions|url=https://www.chinaiplawupdate.com/2022/11/forbidden-china-geo-blocking-americans-from-accessing-supreme-peoples-court-website-and-published-decisions/ |access-date=2025-01-17 |website=www.chinaiplawupdate.com}}</ref> Because of the complexity involved in maintaining a large, up-to-date banned network list with dynamic IPs (and because this method has proven incompatible with services using [[content delivery network]]s, where one address serves many unrelated sites), it is usually used as a last resort, with other blocking methods preferred (such as filtering based on [[Quality of service|QoS]]).
|-
|[[DNS spoofing]], filtering and redirection
|One part of the Chinese firewall consists of lying DNS servers and [[DNS hijacking|DNS hijackers]] that return incorrect IP addresses.<ref>{{cite web |url=http://pcwizardpro.com/how-to-unblock-websites-in-china/ |title=how to unblock websites in China |date=26 January 2018 |publisher=pcwizardpro.com |access-date=27 January 2018 |archive-url=https://web.archive.org/web/20180127084214/http://pcwizardpro.com/how-to-unblock-websites-in-china/ |archive-date=27 January 2018 |url-status=live }}</ref> Studies indicate that this censorship is keyword-based.<ref name=":0">{{cite web|url=https://www.usenix.org/system/files/conference/foci14/foci14-anonymous.pdf|title=The Great DNS Wall of China - Analysis of the DNS infrastructure|access-date=2019-06-01|archive-url=https://web.archive.org/web/20190403121058/https://www.usenix.org/system/files/conference/foci14/foci14-anonymous.pdf|archive-date=2019-04-03|url-status=live}}</ref> Contrary to popular belief,<ref>{{cite web|url=https://news.ycombinator.com/item?id=16772035|title=8.8.8.8 goes pretty well in the Chinese market. (8 being a popular number.) I th... {{!}} Hacker News|website=news.ycombinator.com|access-date=31 May 2019|archive-url=https://web.archive.org/web/20200326175426/https://news.ycombinator.com/item?id=16772035|archive-date=26 March 2020|url-status=live}}</ref> foreign DNS resolvers such as [[Google Public DNS]] at 8.8.8.8 are reported to work inside the country; however, queries to these resolvers are also subject to hijacking because they are not encrypted: the query does reach the resolver, but if it matches a banned keyword the firewall injects a forged DNS reply that arrives before the legitimate one, and the client accepts whichever matching answer arrives first. The vast majority of these forged responses contain public IP addresses of U.S. companies, including Facebook, Twitter, and Dropbox.<ref>{{Cite arXiv |last1=Hoang |first1=Nguyen Phong |last2=Niaki |first2=Arian Akhavan |last3=Dalek |first3=Jakub |last4=Knockel |first4=Jeffrey |last5=Lin |first5=Pellaeon |last6=Marczak |first6=Bill |last7=Crete-Nishihata |first7=Masashi |last8=Gill |first8=Phillipa |last9=Polychronakis |first9=Michalis |date=2021-06-03 |title=How Great is the Great Firewall? Measuring China's DNS Censorship |class=cs.CR |eprint=2106.02167 }}</ref> Typical circumvention methods include modifying the [[Hosts file]], typing the IP address instead of the domain name in a [[Web browser]], or using [[DNS over TLS]]/[[DNS over HTTPS|HTTPS]], which denies the injector both the keyword and the chance to race the reply.<ref>{{Cite arXiv |last1=Hoang |first1=Nguyen Phong |last2=Polychronakis |first2=Michalis |last3=Gill |first3=Phillipa |date=2022-02-01 |title=Measuring the Accessibility of Domain Name Encryption and Its Impact on Internet Filtering |class=cs.NI |eprint=2202.00663 }}</ref>
|-
|[[Uniform Resource Locator|URL]] filtering using transparent proxies
|The Chinese firewall includes [[Transparent proxy|transparent proxies]] that filter web traffic. These proxies scan the requested [[Uniform Resource Identifier|URI]], the "Host" header and the content of the web page (for HTTP requests), or the [[Server Name Indication]] (for HTTPS requests) for target keywords.<ref>{{cite web |url=https://blog.xeovo.com/what-is-the-great-firewall-of-china-and-why-you-should-care/ |title=What is the Great Firewall of China and why you should care |date=30 December 2021 |publisher=xeovo.com |access-date=2 January 2024 |archive-date=8 August 2024 |archive-url=https://web.archive.org/web/20240808050047/https://blog.xeovo.com/what-is-the-great-firewall-of-china-and-why-you-should-care/ |url-status=live }}</ref> As with DNS filtering, this method is keyword-based. Encrypting the Server Name Indication (Encrypted Client Hello, ECH) can be used to bypass this method of filtering, because the only hostname left in cleartext is the cover name of the client-facing server. ECH is currently in development at the [[Internet Engineering Task Force|IETF]],<ref>{{cite news|url=https://datatracker.ietf.org/doc/draft-ietf-tls-esni/|title=draft-ietf-tls-esni-03 - Encrypted Server Name Indication for TLS 1.3|newspaper=Ietf Datatracker|access-date=13 June 2019|archive-url=https://web.archive.org/web/20190606041824/https://datatracker.ietf.org/doc/draft-ietf-tls-esni/|archive-date=6 June 2019|url-status=live}}</ref> and is enabled by default for supported websites in [[Firefox]] and [[Chromium (web browser)|Chromium]] ([[Google Chrome]], [[Microsoft Edge]], [[Samsung Internet]], and [[Opera (web browser)|Opera]]).<ref>{{cite web|url=https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/|title=Encrypted SNI Comes to Firefox Nightly|website=Mozilla Security Blog|date=18 October 2018 |access-date=2020-02-11|archive-url=https://web.archive.org/web/20200324233735/https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/|archive-date=2020-03-24|url-status=live}}</ref><ref>{{cite web|url=https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/|title=Encrypt that SNI: Firefox edition|date=October 18, 2018|website=The Cloudflare Blog|access-date=February 11, 2020|archive-url=https://web.archive.org/web/20200214223249/https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/|archive-date=February 14, 2020|url-status=live}}</ref><ref>{{cite web |url=https://chasersystems.com/blog/disabling-encrypted-clienthello-in-google-chrome-and-why/ |title=How to disable TLS Encrypted ClientHello in Google Chrome using PowerShell |author=<!--Not stated--> |date=9 October 2023 |website= |publisher=Chaser Systems Ltd |access-date= |quote= |archive-date=21 February 2024 |archive-url=https://web.archive.org/web/20240221182758/https://chasersystems.com/blog/disabling-encrypted-clienthello-in-google-chrome-and-why/ |url-status=live }}</ref><ref>{{cite web |url=https://chromestatus.com/feature/6196703843581952 |title=Feature: TLS Encrypted Client Hello (ECH) |author=<!--Not stated--> |date=12 December 2023 |website=Chrome Platform Status |publisher=[[Google]] |access-date=21 February 2024 |quote= |archive-date=22 January 2024 |archive-url=https://web.archive.org/web/20240122130352/https://chromestatus.com/feature/6196703843581952 |url-status=live }}</ref> However, in July 2020, [[iYouPort]], the [[The University of Maryland|University of Maryland]], and the [[Great Firewall Report]] reported that the GFW blocks TLS connections that carry the encrypted SNI (ESNI) extension, the earlier draft of ECH; the presence of the extension is itself treated as a signal, so hiding the name does not by itself hide the attempt to hide it.
|-
|[[Quality of service]] filtering
|Since 2012, the GFW has been able to "learn, filter, and block" users based on traffic behavior, using [[deep packet inspection]].<ref name="guardvpn2">{{cite news|url=https://www.theguardian.com/technology/2012/dec/14/china-tightens-great-firewall-internet-control|title=China tightens 'Great Firewall' internet control with new technology|last=Arthur|first=Charles|date=14 December 2012|work=guardian.co.uk|access-date=8 March 2013|publisher=The Guardian|location=London|archive-url=https://web.archive.org/web/20130910001533/http://www.theguardian.com/technology/2012/dec/14/china-tightens-great-firewall-internet-control|archive-date=10 September 2013|url-status=live}}</ref> This method was originally developed for blocking VPNs and has since been extended into part of the standard filtering system of the GFW. It works by mirroring all traffic (using a [[network tap]]) to a dedicated analytics unit, which assigns each destination IP a score based on how suspicious the connection is deemed to be. The score is then used to set a [[Packet loss|packet loss rate]] that the routers of the Chinese firewall enforce, resulting in a slowed connection on the client side. The aim is to slow traffic down to the point where requests time out on the client side, which blocks the service in practice without ever dropping it outright. The analytics system is believed to use [[Side-channel attack|side-channels]] (such as handshake headers and packet sizes) to estimate how suspicious a connection is.<ref>{{cite web|url=http://blog.zorinaq.com/my-experience-with-the-great-firewall-of-china/|title=My Experience With the Great Firewall of China|website=blog.zorinaq.com|language=en|access-date=1 June 2019|archive-url=https://web.archive.org/web/20160701195829/http://blog.zorinaq.com/my-experience-with-the-great-firewall-of-china/|archive-date=1 July 2016|url-status=live}}{{Self-published source|date=October 2020}}</ref> It is able to detect traffic protocols (such as SSH tunneling, [[Virtual private network|VPN]] or [[Tor (anonymity network)|Tor]] protocols), and can measure the [[Entropy (information theory)|entropy]] of packets to detect encrypted-over-encrypted traffic (such as HTTPS over an SSL tunnel). This can be resisted by using a pluggable transport that mimics 'innocent' traffic, and by never connecting to 'suspicious' IPs: keeping the circumvention software permanently on, not proxying content that is not blocked, and never having the software connect directly to a central server.<ref>{{cite web|url=https://www.usenix.org/system/files/conference/foci12/foci12-final2.pdf|title=How the Great Firewall of China is blocking Tor|access-date=2022-01-27|archive-url=https://web.archive.org/web/20220127204429/https://www.usenix.org/system/files/conference/foci12/foci12-final2.pdf|archive-date=2022-01-27|url-status=live}}</ref>
|-
|Packet forging and [[TCP reset attack]]s
|The Chinese firewall may arbitrarily terminate TCP connections using [[Packet injection|packet forging]]. The blocking is performed with a TCP reset attack: the firewall does not drop the TCP request or the reply, but sends a forged TCP RST packet to the sender, simulating the end of the connection. Side-channel analysis suggests that the TCP resets originate from infrastructure co-located with, or shared with, the QoS filtering routers.<ref>{{cite web|url=https://www.cl.cam.ac.uk/~rnc1/ignoring.pdf|title=Ignoring TCP RST send by the firewall|access-date=2019-06-01|archive-url=https://web.archive.org/web/20190611203524/https://www.cl.cam.ac.uk/~rnc1/ignoring.pdf|archive-date=2019-06-11|url-status=live}}</ref> This infrastructure appears to feed the scoring system: if a previous TCP connection is blocked by the filter, future connection attempts from both sides may also be blocked for short periods of time (up to a few hours). An efficient circumvention method is to ignore the reset packets sent by the firewall, since neither genuine endpoint sent them.<ref>{{cite web|url=http://www.zdnetasia.com/news/security/0,39044215,39372326,00.htm|title=zdnetasia.com|publisher=zdnetasia.com|access-date=13 June 2011|archive-url=https://web.archive.org/web/20091008214629/http://www.zdnetasia.com/news/security/0,39044215,39372326,00.htm|archive-date=8 October 2009|url-status=live}}</ref> A patch for FreeBSD has been developed for this purpose.<ref>{{cite web|url=https://www.cl.cam.ac.uk/~rnw24/patches/20060607-tcp-ttl.diff|title=FreeBSD patch - ignore TCP RST|access-date=2019-06-01|archive-url=https://web.archive.org/web/20080629073234/http://www.cl.cam.ac.uk/~rnw24/patches/20060607-tcp-ttl.diff|archive-date=2008-06-29|url-status=live}}</ref>
|-
|[[Man-in-the-middle attack]] with TLS
|The [[National Intelligence Law of the People's Republic of China]] theoretically allows the Chinese government to request and use the root certificate of any Chinese certificate authority,<ref>{{cite web|url=https://www.dezshira.com/library/legal/cyber-security-law-china-8013.html|title=Cyber-security Law of the People's Republic of China|website=www.dezshira.com|date=11 January 2018 |language=en|access-date=1 June 2019|archive-url=https://web.archive.org/web/20190601010621/https://www.dezshira.com/library/legal/cyber-security-law-china-8013.html|archive-date=1 June 2019|url-status=live}}</ref> such as [[CNNIC]], to mount MITM attacks with browser-trusted certificates. Multiple TLS incidents occurred in the decade before the law was enacted. On 26 January 2013, the [[GitHub]] SSL certificate was replaced with a self-signed certificate in China.<ref>{{cite web|url=http://news.ycombinator.com/item?id=5124784|title=GitHub SSL replaced by self-signed certificate in China {{!}} Hacker News|publisher=News.ycombinator.com|access-date=15 June 2013|archive-url=https://web.archive.org/web/20140705135606/https://news.ycombinator.com/item?id=5124784|archive-date=5 July 2014|url-status=live}}</ref> On 20 October 2014, the iCloud SSL certificate was replaced with a self-signed certificate in China.<ref>{{cite web|url=https://www.netresec.com/?page=Blog&month=2014-10&post=Chinese-MITM-Attack-on-iCloud|title=Chinese MITM Attack on iCloud - NETRESEC Blog|website=Netresec|date=20 October 2014|access-date=2019-06-10|archive-url=https://web.archive.org/web/20200329044228/https://www.netresec.com/?page=Blog&month=2014-10&post=Chinese-MITM-Attack-on-iCloud|archive-date=2020-03-29|url-status=live}}</ref> It is believed that the Chinese government had discovered a vulnerability in Apple devices and was exploiting it.<ref>{{CVE|2014-4449}}</ref> On 20 March 2015, Google detected valid certificates for Google domains that had been issued in Egypt by an intermediate CA chaining to the CNNIC root. In response to this event, and after a deeper investigation, the CNNIC root certificate was removed by some browsers.<ref>{{cite web|url=https://nakedsecurity.sophos.com/2015/04/14/tls-certificate-blunder-revisited-whither-china-internet-network-information-center/|title=TLS certificate blunder revisited – whither China Internet Network Information Center?|publisher=nakedsecurity.sophos.com|access-date=18 October 2018|date=2015-04-14|archive-url=https://web.archive.org/web/20181021232209/https://nakedsecurity.sophos.com/2015/04/14/tls-certificate-blunder-revisited-whither-china-internet-network-information-center/|archive-date=21 October 2018|url-status=live}}</ref> Because the removal was based on proof rather than suspicion, no other Chinese certificate authority has been removed from web browsers, and some have been added since.<ref>{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=1128392|title=1128392 - Add GDCA Root Certificate|website=bugzilla.mozilla.org|language=en|access-date=1 June 2019|archive-url=https://web.archive.org/web/20200324235853/https://bugzilla.mozilla.org/show_bug.cgi?id=1128392|archive-date=24 March 2020|url-status=live}}</ref> This type of attack can be made detectable by websites implementing [[Certificate Transparency]] and [[OCSP stapling]], or by browser extensions that warn when a site's certificate changes unexpectedly.<ref>{{cite web|url=http://patrol.psyced.org/|title=Certificate Patrol - a psyced Firefox/Mozilla add-on|website=patrol.psyced.org|access-date=7 July 2019|archive-url=https://web.archive.org/web/20190613113932/http://patrol.psyced.org/|archive-date=13 June 2019|url-status=live}}</ref>
|}
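The DNS row above describes a race: the query reaches the resolver, but a forged reply arrives first and a stub resolver keeps whichever matching answer it sees first. The following Python, added here as an illustration and not taken from the article or from any of the cited measurement studies, builds two DNS responses for one transaction ID, replays them with constructed arrival times, and flags the injection by the presence of a second, conflicting answer. The domain `blocked.example`, the timings, and the 203.0.113.x / 198.51.100.x documentation addresses (standing in for the forged and genuine answers) are all constructed.

```python
"""Added example: simulate the DNS-injection race and detect it offline.

Constructed for illustration: the domain 'blocked.example', the arrival
times, and the documentation addresses used as forged and genuine answers.
"""
import struct


def build_dns_response(txid, qname, answers, ttl=300):
    """Build a minimal DNS response: header, one A question, N A answers."""
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    qname_wire = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs


def parse_dns_response(pkt):
    """Return (txid, qname, [A-record IPs]) from a DNS response message."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    labels = []
    while pkt[off] != 0:
        length = pkt[off]
        labels.append(pkt[off + 1:off + 1 + length].decode())
        off += 1 + length
    off += 1 + 4  # terminating zero label, then QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        if pkt[off] & 0xC0 == 0xC0:
            off += 2  # compression pointer
        else:
            while pkt[off] != 0:
                off += 1 + pkt[off]
            off += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return txid, ".".join(labels), ips


def detect_injection(txid, observed):
    """Classify every reply seen for one query.

    observed: list of (arrival_ms, wire_bytes). A stub resolver keeps the first
    reply whose transaction ID matches and discards the rest, which is exactly
    the race an on-path injector wins. A later reply with the same txid but a
    different answer set is the tell-tale sign of injection.
    """
    answers = []
    for arrival_ms, pkt in sorted(observed, key=lambda r: r[0]):
        rid, qname, ips = parse_dns_response(pkt)
        if rid != txid:
            continue  # a real resolver drops replies with a mismatched txid
        answers.append((arrival_ms, qname, tuple(ips)))
    if not answers:
        return {"injected": False, "accepted": None, "conflicting": []}
    accepted = answers[0]
    conflicting = [a for a in answers[1:] if a[2] != accepted[2]]
    return {
        "injected": bool(conflicting),
        "accepted": list(accepted[2]),
        "conflicting": [list(a[2]) for a in conflicting],
        "accepted_delay_ms": accepted[0],
    }


# Constructed scenario: the forged reply wins the race at 12 ms; the genuine
# reply from the upstream resolver arrives at 180 ms with a different address.
TXID = 0x1A2B
QNAME = "blocked.example"
FORGED = build_dns_response(TXID, QNAME, ["203.0.113.5"])
GENUINE = build_dns_response(TXID, QNAME, ["198.51.100.7"])
STALE = build_dns_response(0x9999, QNAME, ["192.0.2.1"])  # txid mismatch: ignored


def run_scenario():
    return detect_injection(TXID, [(180.0, GENUINE), (12.0, FORGED), (50.0, STALE)])


if __name__ == "__main__":
    print(run_scenario())
```

Measurement of this behaviour in practice uses the same observation in reverse: send the query toward an address known not to run a resolver, and any answer that comes back must have been injected. Encrypting the transport (DNS over TLS/HTTPS) removes both the keyword the injector matches on and its ability to race the reply.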
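The URL-filtering row says the proxies key on the Server Name Indication of an HTTPS connection, and that ECH removes that signal while the ESNI extension's mere presence was itself blocked in 2020. The following Python, an added example rather than code from the article or from any browser or IETF implementation, builds a minimal TLS ClientHello, walks it the way an on-path inspector would to recover the cleartext SNI, and runs a keyword match over it. The hostnames, the handshake bytes and the ECH payload (opaque filler standing in for the HPKE-encrypted inner ClientHello) are constructed; the ECH extension code point 0xFE0D is the one used by the IETF drafts.

```python
"""Added example: what a keyword filter can read from a TLS ClientHello, and
what it is left with when the real name travels inside ECH.

Constructed for illustration: hostnames, handshake bytes, and the ECH payload
(opaque filler, not a real encrypted inner ClientHello).
"""
import struct

SNI_EXT_TYPE = 0x0000   # server_name (RFC 6066)
ECH_EXT_TYPE = 0xFE0D   # encrypted_client_hello code point from the IETF ECH drafts


def tls_extension(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname):
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type = host_name
    return tls_extension(SNI_EXT_TYPE, struct.pack("!H", len(entry)) + entry)


def build_client_hello(sni, extra_extensions=b""):
    """Minimal TLS 1.3 ClientHello inside a TLS record (handshake fields only)."""
    client_random = bytes(range(32))                  # fixed bytes, not random: constructed
    suites = struct.pack("!HH", 0x1301, 0x1302)        # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    exts = sni_extension(sni) + extra_extensions
    body = (b"\x03\x03" + client_random + b"\x00"     # legacy_version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                              # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record):
    """Walk the ClientHello as an on-path DPI box would; report the cleartext SNI and ECH presence."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    off = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    off += 1 + record[off]                                 # session_id
    off += 2 + struct.unpack("!H", record[off:off + 2])[0] # cipher_suites
    off += 1 + record[off]                                 # compression_methods
    ext_len = struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    end = off + ext_len
    found = {"sni": None, "ech": False}
    while off < end:
        etype, elen = struct.unpack("!HH", record[off:off + 4])
        off += 4
        body = record[off:off + elen]
        off += elen
        if etype == SNI_EXT_TYPE:
            name_len = struct.unpack("!H", body[3:5])[0]   # skip list length (2) and name_type (1)
            found["sni"] = body[5:5 + name_len].decode()
        elif etype == ECH_EXT_TYPE:
            found["ech"] = True
    return found


def sni_filter_verdict(record, blocked_keywords):
    """Keyword match on the visible SNI, plus a flag for the ECH extension being present at all."""
    info = inspect_client_hello(record)
    visible = info["sni"] or ""
    hit = next((kw for kw in blocked_keywords if kw in visible.lower()), None)
    return {"visible_sni": visible, "ech_present": info["ech"],
            "blocked": hit is not None, "matched": hit}


BLOCKED_KEYWORDS = ["forbidden"]   # constructed filter list


def run_scenario():
    plain = build_client_hello("forbidden-news.example")
    # With ECH the outer ClientHello carries only the cover name (the client-facing
    # server's public name); the real name sits inside the opaque ECH payload.
    fronted = build_client_hello("cdn-front.example",
                                 tls_extension(ECH_EXT_TYPE, bytes(40)))   # placeholder payload
    return {"plain": sni_filter_verdict(plain, BLOCKED_KEYWORDS),
            "ech": sni_filter_verdict(fronted, BLOCKED_KEYWORDS)}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(name, verdict)
```

The `ech_present` flag is the point of the 2020 caveat: an inspector that cannot read the name can still key on the extension itself, so ECH only helps against keyword blocking when enough ordinary traffic also carries it.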
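The QoS row describes a pipeline rather than a rule: mirrored packets are scored per destination, and the score sets a packet-loss rate that routers enforce. The Python below is an added toy model of that pipeline and is not the firewall's logic or code from the article: it computes byte entropy to separate plaintext from opaque ciphertext, recognises two protocol fingerprints, keeps the worst score seen per destination and maps it to a drop probability. The thresholds, the fingerprints, the score-to-loss mapping and the sample payloads are all this example's own assumptions.

```python
"""Added example: a toy model of behaviour-based scoring feeding a loss rate.

Assumed, not the firewall's actual rules: the thresholds, the protocol
fingerprints and the score-to-loss mapping. Sample payloads are constructed.
"""
import math
from collections import defaultdict


def shannon_entropy(data):
    """Bits per byte; 8.0 means uniformly distributed bytes (typical of ciphertext)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_payload(payload):
    """Return (label, suspicion) for one mirrored payload. Assumed heuristics."""
    if payload.startswith(b"SSH-"):
        return "ssh-banner", 0.6           # recognisable tunnelling protocol
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x01", b"\x03\x03"):
        return "tls-handshake", 0.1        # ordinary HTTPS: not suspicious on its own
    h = shannon_entropy(payload)
    if h >= 7.0:
        return "opaque-high-entropy", 0.9  # encrypted bytes with no recognisable framing
    if h < 5.0:
        return "plaintext", 0.0
    return "unknown", 0.3


def loss_rate_for(score):
    """Assumed mapping: below 0.5 leave the flow alone; above, drop proportionally up to 90%."""
    return 0.0 if score < 0.5 else min(0.9, score)


def score_traffic(mirrored):
    """mirrored: list of (dst_ip, payload). Keeps the worst score seen per destination."""
    scores = defaultdict(float)
    labels = defaultdict(set)
    for dst, payload in mirrored:
        label, s = classify_payload(payload)
        scores[dst] = max(scores[dst], s)
        labels[dst].add(label)
    return {dst: {"score": s, "loss_rate": loss_rate_for(s), "labels": sorted(labels[dst])}
            for dst, s in scores.items()}


# Constructed traffic: plain HTTP, an SSH tunnel, the start of a normal TLS
# ClientHello, and a fully opaque stream (every byte value once: entropy 8.0).
SAMPLE_TRAFFIC = [
    ("198.51.100.10", b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    ("198.51.100.20", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("198.51.100.30", b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    ("198.51.100.40", bytes(range(256))),
    ("198.51.100.40", bytes(range(255, -1, -1))),
]


def run_scenario():
    return score_traffic(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for dst, verdict in run_scenario().items():
        print(dst, verdict)
```

The model shows why the circumvention advice in the table is phrased the way it is: a pluggable transport that looks like the `tls-handshake` case keeps the score low, while a bare tunnel that presents as `opaque-high-entropy` is penalised even though nothing about its content was read.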
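The TCP-reset row ends with the circumvention of simply ignoring the firewall's RST packets, and cites a FreeBSD patch named for the TCP TTL. The Python below is an added, receiver-side illustration of that idea and is not the patch's code: it parses a constructed IPv4/TCP header, applies the standard sequence-number rule (a RST is honoured only when it lands exactly on RCV.NXT; in-window but inexact triggers a challenge ACK, as in RFC 5961), and then a TTL rule that assumes an on-path injector is fewer hops away than the real peer, so its packets arrive with a different remaining TTL. Addresses, ports, TTLs and the tolerance of two hops are constructed assumptions.

```python
"""Added example: a receiver-side filter that ignores forged TCP resets.

The sequence-number rule is standard TCP behaviour; the TTL rule is this
example's own rendering of the idea behind the cited "tcp-ttl" FreeBSD patch.
Endpoints, ports and TTL values are constructed.
"""
import struct

RST, SYN, ACK = 0x04, 0x02, 0x10


def build_ipv4_tcp(src, dst, ttl, sport, dport, seq, ack, flags, window=65535):
    """IPv4 header + TCP header (no options; checksums left zero for the simulation)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"ttl": pkt[8], "src": ".".join(str(b) for b in pkt[12:16]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window}


class TcpFlow:
    """Tracks one connection's expectations about its peer."""

    def __init__(self, peer, peer_port, rcv_nxt, rcv_wnd=65535, ttl_tolerance=2):
        self.peer, self.peer_port = peer, peer_port
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd
        self.peer_ttl = None
        self.ttl_tolerance = ttl_tolerance   # allow small route jitter (assumed value)

    def learn_ttl(self, pkt):
        """Record the peer's TTL as seen on its SYN-ACK during the handshake."""
        h = parse_ipv4_tcp(pkt)
        if h["src"] == self.peer and h["sport"] == self.peer_port and (h["flags"] & (SYN | ACK)) == (SYN | ACK):
            self.peer_ttl = h["ttl"]

    def classify_rst(self, pkt):
        h = parse_ipv4_tcp(pkt)
        if not (h["flags"] & RST):
            return "not-rst"
        if h["src"] != self.peer or h["sport"] != self.peer_port:
            return "wrong-flow"
        in_window = self.rcv_nxt <= h["seq"] < self.rcv_nxt + self.rcv_wnd
        if not in_window:
            return "drop-seq"         # blind reset: outside the receive window
        if h["seq"] != self.rcv_nxt:
            return "challenge-ack"    # in window but not exact (RFC 5961 behaviour)
        if self.peer_ttl is not None and abs(h["ttl"] - self.peer_ttl) > self.ttl_tolerance:
            return "drop-ttl"         # right sequence number, wrong distance: injected on-path
        return "accept"


PEER, CLIENT = "198.51.100.7", "192.0.2.10"   # constructed endpoints


def run_scenario():
    flow = TcpFlow(PEER, 443, rcv_nxt=5001)
    flow.learn_ttl(build_ipv4_tcp(PEER, CLIENT, 48, 443, 51000, 5000, 1001, SYN | ACK))
    packets = {
        "genuine_rst": build_ipv4_tcp(PEER, CLIENT, 48, 443, 51000, 5001, 1001, RST | ACK),
        "injected_rst": build_ipv4_tcp(PEER, CLIENT, 58, 443, 51000, 5001, 1001, RST | ACK),
        "blind_rst": build_ipv4_tcp(PEER, CLIENT, 48, 443, 51000, 900000, 1001, RST | ACK),
        "in_window_rst": build_ipv4_tcp(PEER, CLIENT, 48, 443, 51000, 5100, 1001, RST | ACK),
    }
    return {name: flow.classify_rst(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    print(run_scenario())
```

The ordering matters: an on-path injector has seen the handshake and can forge the exact sequence number, so the sequence check alone passes the injected reset and only the TTL comparison catches it. The price of ignoring resets is that a genuine peer crash is no longer signalled, which is why this is a circumvention rather than a general hardening measure.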