Tuesday, December 30, 2014

Gmail completely blocked in China

All Google products in China have been severely disrupted since June of this year and Chinese users have not been able to access Gmail via its web interface since the summer. However, email protocols such as IMAP, SMTP and POP3 had been accessible but are not anymore. These protocols are used in the default email app on iPhone, Microsoft Outlook on PC and many more email clients.
On December 26, GFW started to block large numbers of IP addresses used by Gmail. These IP addresses are used by IMAP/SMTP/POP3. Chinese users now have no way of accessing Gmail behind the GFW. Before, they could still send or receive emails via email clients even though Gmail's web interface was not accessible.
Google's own traffic chart shows a sharp decline of Chinese traffic to Gmail.
Below is a ping request to the Gmail SMTP server, which is completely inaccessible in China.
Chinese users now have absolutely no way of using Gmail, except through the use of circumvention tools. GFW started to partially disrupt Gmail years ago with periodical disruptions and throttling to make it look as if Gmail servers were unstable. Then GFW blocked all Google websites in June 2014. Now GFW has blocked email client access to Gmail.  I believe cutting Gmail/Google off in one stroke would draw too much attention, even in China.  So GFW has been cutting Google services gradually and has now finally completed the grand mission of completely eliminating Google's presence in China.

Tuesday, November 18, 2014

China just blocked thousands of websites

The Chinese censorship authorities have DNS poisoned *edgecastcdn.net, which means all subdomains of edgecastcdn.net are blocked in China. EdgeCast is one of the largest Content Delivery Networks (CDN) in the world and provides its cloud services to thousands of websites and apps in China.
I have seen instances of “collateral damage” due to “collateral freedom” over the past few days and have received emails from some smaller website owners wondering why their non-sensitive sites are being blocked by the great firewall.

What's going on?

The disruption to EdgeCast’s service was noted by the company on their website on November 14, 2014, although I noticed a problem on November 12 and the first DNS poisoning on the 13th.
The company's status update still appears on their site:
Please be advised, we are experiencing issues with content delivery in the China region due to suddenly increased restrictions imposed by the Chinese Government. If you are receiving reports from end users not able to view content from within China, please contact our network Operations center to discuss the options available to you.

Some of the recent victims of collateral damage, all EdgeCast clients, include:
Sony Mobile’s global and Chinese sites are both blocked.
The Atlantic will, sadly, not be able to claim that their website was blocked due to the aggressive nature of their reporting on China.
The project website of Drupal (drupal.org) is blocked. Drupal is used as a back-end framework for many websites worldwide. Administrators of those websites in China will face disruptions when trying to update Drupal or install extensions.
Firefox browser add-ons are another victim. Firefox's addons.cdn.mozilla.net is hosted on EdgeCast. Firefox users in China will not be able to install any add-on for Firefox.
Gravatar is used by many websites to show profile images. The images are hosted on EdgeCast and any website that uses Gravatar in China will be displaying broken images.

Other blocked websites include speedtest.net and deviantart.com. It is hard to tell what websites may be affected because different sites might have different elements (i.e. images) that rely on EdgeCast. Anybody who appears on the EdgeCast customer list is potentially affected.


The great firewall (GFW) is attempting to block access to collateral freedom mirror sites, which are hosted in the global cloud infrastructure. GFW cannot distinguish traffic to the  mirror sites and other traffic to the cloud provider which means that they cannot block access to the mirror sites without blocking access to the all sites hosted by the CDN. This is forcing the authorities to make a decision between allowing uncensored access to the global internet or blocking global CDNs all together, which will come at a significant economic cost.


EdgeCast removed the status update on its website, but have published a blog post about their current problems in China:

We have been hearing from our CDN and Monitoring partners throughout the industry and our own customers that more sites, CDNs and networks are being filtered or blocked by the Great Firewall of China. This week we’ve seen the filtering escalate with an increasing number of popular web properties impacted and even one of our many domains being partially blocked… with no rhyme or reason as to why.
At Verizon EdgeCast we have put policies in place to help our customers mitigate the effects of this most recent filtering but expect this to be an ongoing issue for our customers seeking to reach Chinese users (users in China). For any customers who are seeing their delivery impacted, please log in to your EdgeCast portal. Here you will find instructions on your portal home page on how to best mitigate filtering or blocking.
For those of our customers who are frustrated by this, we share your frustration, as does the whole content delivery and hosting industry. Rest assured that we stay committed to work with our global ISP partners and do our best to mitigate the effects of these filtering policies to ensure a clear path to your users and customers in China.

Monday, October 20, 2014

China collecting Apple iCloud data

After previous attacks on Github, Google, Yahoo and Microsoft, the Chinese authorities are now staging a man-in-the-middle (MITM) attack on Apple’s iCloud.

I have posted previously about MITM attacks on Google and Github and broke the news about the recent attack on Yahoo.  Refer to the appendix at the end of this post to see technical evidence of the attack.
This case is different, however, for a few of reasons.

This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc. Unlike the recent attack on Google, this attack is nationwide and coincides with the launch today in China of the newest iPhone. While the attacks on Google and Yahoo enabled the authorities to snoop on what information Chinese were accessing on those two platforms, the Apple attack is different. If users ignored the security warning and clicked through to the Apple site and entered their username and password, this information has now been compromised by the Chinese authorities. Many Apple customers use iCloud to store their personal information, including iMessages, photos and contacts.

What should users do to counteract this attack? Internet users in China should first use a trusted browser on their desktops and mobile devices - Firefox and Chrome will both prevent users from accessing iCloud.com when they are trying to access a site that is suffering from a MITM attack. Qihoo’s popular Chinese 360 secure browser is anything but and will load the MITMed page directly.
If users have ignored the security warnings, they should find an undisrupted connection to iCloud.com. This can be accomplished by using a VPN or by finding a different internet access point because the GFW’s MITM is not that stable. They should also enable two-step verification for their iCloud accounts. This will protect iCloud accounts from attackers even if the account password is compromised.
Technical evidence of attacks against iCloud.com (Apple) and login.live.com (Microsoft)
The GFW (Great Firewall of China) is now wiretapping Apple’s iCloud. GFW implemented a MITM attack on iCloud using a self-signed certificate.
The authorities only attacked IP Not all users in China are affected because the iCloud DNS might return different IP addresses.
Hotmail MITM

Thursday, September 4, 2014

Authorities launch man-in-the-middle attack on Google

What happened?

From August 28, 2014 reports appeared on Weibo and Google Plus that users in China trying to access google.com and google.com.hk via CERNET, the country’s education network, were receiving warning messages about invalid SSL certificates. The evidence, which I include later in this post, indicates that this was caused by a man-in-the-middle attack.
While the authorities have been blocking access to most things Google since June 4th, they have kept their hands off of CERNET, China’s nationwide education and research network. However, in the lead up to the new school year, the Chinese authorities launched a man-in-the-middle (MITM) attack against Google.


There is a clear incentive to implement a man-in-the-middle attack against Google. Google enforced HTTPS by default on March 12, 2014 in China and elsewhere. That means that all communication between a user and Google is encrypted by default. Only the end user and the Google server know what information is being searched and returned. The Great Firewall, through which all outgoing traffic from China passes, only knows that a user is accessing data on Google’s servers - not what that data is. This in turn means that the authorities cannot block individual searches on Google - all they can do is block the website altogether. This is what has happened on the public internet in China but has not happened on CERNET.
The authorities know that if China is to make advances in research and development, if China is to innovate, then there must be access to the wealth of information that is accessible via Google. CERNET has long been considered hands off when it comes to censorship, for this very reason. Even long blocked services such as YouTube and Google+ are available via CERNET. In contract, on the public internet in China, Google Scholar is blocked and the China version of the site redirects users to the Hong Kong version of the site, which is also blocked.
Up until last month, access to Google remained relatively unfettered for those accessing the properties via CERNET. Instead of just outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities felt that a MITM attack would serve their purpose. By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results.

Has it happened before?

At the beginning of last year, the Chinese authorities staged a country-wide MITM attack on Github.

Will it happen again?

The short answer is yes. I predicted last year that because of the increased shift to encryption, man-in-the-middle attacks were likely to become an increasingly tempting choice for the authorities.

The Details

There have been multiple user reports from those using CERNET about fake certificates when accessing Google. Netresec did a great forensic analysis of the MITM attack on Github. I contacted Netresec with the wire captures below. They concluded that all evidence indicates that a MITM attack is being conducted against traffic between China’s nationwide education and research network CERNET and Google. The machines performing the MITM attack are most likely injecting packets somewhere at the outer border of CERNET, where they are peering with external networks. Their full forensic analysis is available online.
I do not have data ourselves to show how or if this happened. I have relied on the sources listed below. Many of these sources were used in this report on Solidot.
Screenshot taken by Weibo user
The screenshot shows the user trying to access Google using the Chrome browser and receiving a warning about an invalid SSL certificate. For Chrome and Firefox users, the browser won’t allow you to bypass the certificate warning for Google because Google enables HTTP Strict Transport Security (HSTS).
Another screenshot by the same user compared the certificate he received with a normal connection (on the left) and a connection under the man-in-the-middle attack (on the right).
Reports on Google Plus
WireShark capture files
I have some WireShark capture files. If you need to examine them, please contact me. Redacted versions appear in the Netresec report.
Copy of fake SSL certificate
Uploaded to Google drive (copy hosted by me). This fake certificate has been seen by multiple users. See below for a comparison of the current valid certificate and the fake one used during the attack.

What should you do

You should never click through when you see a certificate warning. You should use Firefox or Chrome as these browsers won’t even allow you to click through the warning for websites that use HSTS (like Google and Github). If you click through the warning, your Google account credentials can be stolen, which means all your Gmail can be read by the attacker.  

Wednesday, June 18, 2014





64黑丝行(@emmaxiryssu 3 tweets, 10 followers) 用号召让大家穿“黑丝”的方法阻扰黑衣游行。
— 64黑丝行 (@emmaxiryssu) June 2, 2014

还有更加隐蔽的五毛。这个五毛假装是为大家安全着想,并在图片中给出了5条安全建议,有几百字。建议包括了不要带手机等。其看似是为了安全考虑,实际上大部分人出去不可能不带手机,这样一说很多人估计会迟疑不敢参加纪念六四活动。这种卑劣的手段,五毛在茉莉花期间也使用过。 特别注意,这条推特有119次转推,显然是机器伪造的。(我们的@GreatFireChina目前有1万多人关注,一般转推只有十几次。)
【紧急通告:六四纪念集会骚扰频现 各位网友做好安全应急淮备】最近几日,香港、台湾、美国等地组织了黑衫行参加纪念六四二十五週年游行示威活动,活动过程中发生了数起骚扰事件,遭不明身份人员殴打抢劫,身体和财务遭到损失。请注意一下事项 pic.twitter.com/KxxDmy5E2D
— TaipeiOldHippie (@taipeioldhippie) June 2, 2014

看看此推文的评论,看起来好像很多去游行的人被打了,实际上都是五毛账号。 这些账号的其他推特有推荐穿黑丝的,有推荐白T恤的,有在简介里写支持民运的,有迷惑性。
之后是 (@vyrigita 2538604674 30 tweets, 0 followers)
是要穿黑山集会么,穿黑衫会被打 小心惹祸上身 活动的时候有人号召 你想过被打了谁来为你负责么
— 王琪 (@vyrigita) June 3, 2014

此人假装好心好意的分析,担心推友人生安全。实际上用心理学来用被打恐吓推友,阻止推友纪念六四。 他的推文被转了30-40次,显然是机器伪造次数的。特别注意,此推文被收集中文推特热点的中文锐推客自动转发了,和其他真正的中文热门推混在一起,迷惑性非常大。

以上证据显示,五毛党没有下线。本文最后提供网上流传的五毛行为准则,未知来源。 4-8条极其下流。

Monday, June 2, 2014

Google disrupted prior to Tiananmen Anniversary

The 25th anniversary of the Tiananmen Square incident is coming. This highlights another fierce battle in the war between China censorship authority and information flow.

Google started to encrypt search by default in China in March and currently nearly all users will be redirected to the encrypted version automatically. But prior to the anniversary of Tiananmen incident, GFW(Great Firewall of China) began to severely disrupt Google search by disrupting TCP connections to Google IPs.  The block is indiscriminate as all Google services in all countries, encrypted or not, are now blocked in China. This blockage includes Google search, images, translate, Gmail and almost all other products. In addition, the block covers Google Hong Kong(China’s version of Google), Google.com and all other country specific versions, e.g Google France.

It is not clear that the block is a temporary measure around the anniversary or a permanent block. But because the block has lasted for 4 days, it’s more likely that Google will be severely disrupted and barely usable from now on.  I reported the block of Google in 2012 which lasted for 12 hours. Back then, I speculated that the Chinese censorship authority was testing public opinion, or the "block Google" button. Presumably, they have gathered enough information since 2012 to implement a full scale block this time.  It is the strictest censorship ever deployed.

Wednesday, January 22, 2014

Internet outage in China on Jan 21

Yesterday China witnessed one of the largest Internet outages ever. I have three theories about why this outage may have occurred - two related to the Falun Gong but my third theory is that the Chinese authorities set out to attack the mirror websites.

From 15:30 to 16:30 (China time) on January 21, DNS lookup to any domain would incorrectly resolve to Websites inside and outside of China were affected. Even Baidu and Sina were inaccessible. Only software using IP directly (e.g. QQ, VPNs) worked during that time. Attempts to visit any website redirected to, which didn’t respond during that time.  The overwhelming traffic to this IP likely crashed the server.
GFW DNS poisoning begins.
Local DNS servers began to cache incorrect responses. Some large websites in China began to be affected e.g Sina Weibo.
Incorrect DNS continue to spread through Chinese DNS servers. Major websites including Baidu, Sina affected.
DNS poisoning lifted by GFW. But local DNS resolvers cached incorrect responses. Users continued to experience outage.
ISPs around China were manually flushing DNS caches and connections were gradually restored.
I have conclusive evidence that this outage was caused by the Great Firewall (GFW). DNS poisoning is used extensively by the GFW. Some articles that have appeared about this outage suspected that the root DNS server in China was hacked and all domains hijacked to This could explain why DNS servers in China were poisoned. However, during that time, I see that a lookup to, a public DNS operated by Google, returned bogus results if the lookup was done from China. In fact, the Google public DNS was not poisoned; the bogus response could only have been returned by GFW.  If the Chinese root DNS server was hacked, a DNS lookup in China via should have returned a correct response. See the below image from Zhihu.

But why did GFW poison all domains and effectively block all website traffic in China?
This action must have been unintentional. is owned by Dynamic Internet Technology according to an IP lookup, and they are behind the famous circumvention tool FreeGate. Currently, is a mirror site for dongtaiwang.com, a news portal operated by Falun Gong groups.


One hypothesis is that GFW might have intended to block the IP but accidentally used that IP to poison all domains.


Many Chinese media stated that yesterday’s outage may have been due to a hacking attempt. The IP is operated by Dynamic Internet Technology, “mortal enemy number one” of the Chinese government. Some are suggesting Dynamic Internet Technology is behind the outage. However, hacking into a root DNS resolver is not enough to cause this outage, as I explained earlier in this post. They have to hack into GFW. If they are indeed capable of doing that, they can accomplish so much more than messing the entire Chinese internet up. In addition, during that time was not serving any content and with such traffic, it looks more like a DDOS attack against They couldn't use that IP to spread sensitive content during that time. However, from today, they have indeed started to use to distribute mirrors and stopped within a few hours.

Blocking the mirror sites

The mirror site has attracted considerable attention and GFW has tried multiple times to block us. Backend servers are automatically rotated and the GFW automatically scans new URLs and DNS poisons them.  DNS poisoning is not commonly used compared to connection reset. GFW seems to only use DNS poisoning as a last resort when connection reset fails to block a site. The mirror forces GFW to add hundreds of rule-sets to DNS poisoning daily and perhaps it caused the system crash. This is supported by the fact that the new backend domains are no longer automatically blocked.
The backends are improved to prevent automatic discovery from GFW. Perhaps the script operated by GFW acquired a “null” domain from the mirror site and consequently blocked everything.