Monday, December 5, 2016

China not only blocked Google but is trying to block all mentions of Google

Early this year, Google was DNS poisoned in China. Now is also added as a blacklisted keyword by GFW.  It is confirmed by HikingGFW.

This means that not only google will be blocked, any URL that included will be blocked as well.  For example, if you're reading news on the CNN, which is mostly accessible in China. However, if an article's URL includes, say, the article will be automatically blocked as well. Only HTTP sites will be affected by this kind of block though. It further illustrates the importance of ubiquitous adoption of HTTPS.

The block is not limited to All google country versions are added by GFW as a blacklisted keywords, for example and

This means that Chinese authority not only wants to block all of Google completely but also wants to block all mentions and reference to Google entirely. This marks a monumental increase on the Chinese Internet censorship. 

Monday, October 31, 2016

Google and Mozilla announced distrust of WoSign and StartCom

Google stated that 
Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted.
Mozilla stated that
If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later.
Apple already distrusted WoSign but has so far took no action for StartCom.

Microsoft has made no announcement regarding WoSign or StartCom. I called for Microsoft to distrust WoSign and StartCom to follow the same steps taken by other root stores to protect its users.

Saturday, October 1, 2016

Apple announces block of WoSign

In light of Mozilla's findings listed and, Apple has decided to block WoSign from its products.

In light of these findings, we are taking action to protect users in an upcoming security update.  Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.
To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion. 
I applaud Apple's swift action and hope other browser vendors follow up as soon as possible. Mozilla's final decision is pending till Qihoo 360 (WoSign's dominant share holder), StartCom and Mozilla's in person meeting next Tuesday.

Saturday, September 3, 2016

StartCom operated solely by WoSign in China - an analysis of the new StartCom website

I reported earlier that StartCom was secretly purchased by WoSign from the technical aspects and the business aspects. I'm now going to provide an analysis of the new StartCom website. The new StartCom website was launched in Dec 2015, one month after alleged WoSign's purchase.

Now I'm going to analyze the new Startcom website. The analysis further affirms the conclusion that StartCom was outright purchased by WoSign, rather than being in a partnership with WoSign.
As a native Chinese speaker, I can easily identify mistakes made in English caused by the influence of Chinese. The new StartCom webpage seems to completely designed and implemented in China.


 StartCom Transparency
All issued SSL certificate is logged in Google Log server and other third party logs
with embedded SCT data in the SSL certificate.
This message appears at the bottom of all StartCom products.
Chinese doesn't have plural form or Subject-Verb Agreement. Hence "All issued SSL certificate is logged"

This is the exact same slogan on the WoSign's website
WoSign Transparency 
All issued SSL certificate is logged in Google Log server and other third party logs with embedded SCT data in the SSL certificate.
A word by word copy. This affirms the conclusion that StartCom was purchased by WoSign.


It takes just one minute to
Register your account to
Get Free SSL certificate
And free Email certificate
Chinese doesn't have capitalization, hence this weird capitalization in every new line.
No article in Chinese, hence "Get Free SSL certificate"

the StartPKI page

It uses very poor English such as
Sign-up and Paid
Just tell us what you want
Give you a unbelievable price
Sign agreement online
Paid the setup fee
We do not have tense or article in Chinese and the errors on "paid" and "a unbelievable price" are probably due to that. 

If you are using StartSSL, the certificate and certificate path look like this way that the issued by is StartCom
Hmm, No!

StartResell  launched in May 2016

Start to sell, make big money!
Setup your own website, start to sell your brand SSL certificate to your customers. Post customer’s identity information to StartSSL, StartCom charge the validation cost only with 50% off discount, all certificates issued from your intermediate CA is FREE. StartCom don’t charge your certificate cost, you make big money!
StartResell is in the background, you focus your sales, we do everything for you including PKI system, CRL and OCSP distribution, identity validation etc., we will use your company name to call your customer for identity validation, no other contact to your customer
Chinese grammars allow complete sentences to be separated by comma. Those are all run-on sentences in English.
Chinese doesn't have Subject-Verb Agreement, hence "StartCom charge"
We are sometimes confused on what preposition to use for a specific word, hence "focus your sales" "contact to your customer"

No any prepay and deposit need, just need to pay the dedicated Intermediate CA setup fee and annual maintenance fee;
"No any prepay" is translated word by word from Chinese, "没有任何预先付款”, which is very typical in various Chinese advertisements.


StartEncrypt Pro
Need an account in StartSSL, get the API token and API certificate;
Install and run, no any coding, support Windows server and Linux server;
Not just get the SSL certificate automatically, but install it automatically;
Not just Encrypted, but also identity validated to display EV Green Bar;
Not just 90 days period, but up to 39 months, more than 1180 days;
Not just low assurance DV SSL certificate, but also High assurance OV SSL and EV SSL;
Not just for one domain, but up to 120 domains with wildcard support;
For OV SSL and EV SSL, just charge the validation cost annually, certificate is FREE!
Again, run on sentences, word by word translation of "no any coding", "not just... but..." .

About US
Mr. Nigg thought: CAs (Certification Authorities) main duties are authentication, the customer should be charged only for authentication labor costs, the certificate file is just the carrier of the authenticated data, it is a digital file that can be issued by the system automatically, at this case the cost is almost negligible, it can be completely free of charge! For comparison, why is a newspapers more expensive than toilet paper? Because of its valuable content! It's the same with digital certificate, the certificate subject information is the verified information, without it a certificate would be worthless.
This paragraph supposedly described Eddy Nigg's thoughts. This is obviously not written by Eddy Nigg but someone from China.
Again, plural form, run on sentences. "Mr. Nigg thought:" the colon usage here is correct in Chinese.
The overall phrasing, the comparison are very much Chinese too.

Such common grammatical or semantical mistakes are littered across the entire website of StartCom. Besides, the overall way of phasing is very much Chinese. I'm hard pressed to find even one error-free paragraph in natural English on the StartCom site.


The above shows that the website was designed and implemented solely in China by WoSign without any English speaker involved. As even a casual inspector who is a native English speaker can immediately identify problems with the official site, we can only assume that StartCom currently has no non-Chinese staff or even staff who speak fluent English. This further affirms the conclusion that StartCom was outright purchased by WoSign, rather than being in a partnership with WoSign.

Friday, September 2, 2016

WoSign's secret purchase of StartCom; WoSign threatened legal actions over the disclosure

I called for WoSign's revocation earlier this week for its utter ignorance over security. However, WoSign is cross signed by StartCom. Meaning that as long as StartCom is trusted, even if WoSign is manually distrusted, all certificates from WoSign are still considered valid. What's more, now it looks like StartCom is actually purchased by WoSign.

A former StartCom employee broke the news that WoSign's secretly purchased StartCom in Nov 2015 without any notice to the public or StartCom users . He posted his finding on , all evidence from publicly available sources, and not bounded by NDA.
On Aug 30, Someone posted WoSign's secret purchase to the thread "Incidents involving the CA WoSign". On Sept 1st, the content was taken down from the website.

September 1, 2016:
I'm currently going under legal review of the site.
Content will not be available during this period.

If you want to see the original content, please go to mirror I also attached the full article at the end of this blog post.

As the content was removed in the original site and people are discussing the security of WoSign and StartCom and wondering about the missing article, I posted the mirror to the thread.

The CEO of WoSign Richard Wang, aka Gaohua Wang, the crucial person mentioned in letsphish, stated that
OK I try to say some that I wish I don't violate my company confidential policy.

1. Eddy told me that this guy is the former employee of StartCom, he violates the signed NDA that he must shutdown the site within the limit time. Every re-distribution the wrong information will heavy his penalty (including site cache or mirror site). I am sure every company don't like its former employee to expose company's confidential information.

2. WoSign invested in 5 companies worldwide including in North America, Europe and Asia (China), but my company is a private company that no any liability to expose everything that we don't like to expose. And Mozilla also don't have the policy that every CA must expose its shareholder and director.
3. Please don't bind WoSign incident problem with StartCom, it is two independent company that one registered in China and one located in Israel. StartCom and WoSign have maintained a business relationship for many years since 2011 when WoSign startup CA business. And WoSign root is cross signed by StartCom root due to the problem that root inclusion took long time.
Best Regards,
However, as you can read in the article, WoSign and StartCom currently share critical infrastructure, director and user trust. This purchase might also be able to explain the security nightmare of StartEncrypt, a StartCom copycat of LetsEncrypt, launched in 2016. A Google search of StartEncrypt will bring up a full page of results titled "StartEncrypt considered harmful today"

After I posted the letphish mirror in the thread, he replied to me personally that
Please remember this sentence:
Every re-distribution the wrong information will heavy his penalty (including site cache or mirror site).
You are harming him!
I replied that
You stated that he was a former employee of StartCom in 2015. After he left the company, what he learnt from public sources in 2016 is not bound by NDA. I do not appreciate you holding him hostage to suppress public and crucial information on understanding the trust of CA. Since WoSign is trying so hard to suppress such critical information, it's especially important for us to understand the consequences of such info.
I call for a detailed investigation over WoSign's purchase of StartCom and the current status of StartCom. If StartCom is deemed untrusted in connection with WoSign, it should be revoked as well.
I further call for all current users of WoSign or StartCom to switch to Let's Encrypt as soon as possible.
Start Commercial LTD "is" an Israeli Certificate Authority, Their certificates are trusted by billion of devices (computers, mobile phones, routers, etc) and they claim to be "the 6th biggest CA in the world". StartCom launched it's activities as we know it today around 2006 with the brandname StartSSL.
Their site didn't had much UI changes during those years. Until 2016...
February 16th, 2016, Pierre Kim in his security blog wrote about why he stopped using StartSSL. The article was about how some of StartSSL's infrastructure is hosted in China/by Chinese companies. But he showed only small part of the whole picture, not going into who owns StartCom and the brandname StartSSL.
Reviewing StartCom registry in the Israeli company directory reveal that on November 1st, 2015 all the shares of the private held company were transfered to a UK based company named "StartCom CA Limited". This company, "StartCom CA" is owned by Gaohua Wang, who is of Chinese nationality.
But no news about it. 2016 is a major year for StartCom, new UI, new tools and new features, and yet, no news regarding the new ownership. The only news related to the matter was a minor post about expending their activities in China.
In the previous part we saw that the ownership of the company has switched, from Israeli hands to Chinese hands (via a UK based company to operate as a front organization). Pierre Kim in his blog post showed that some of StartSSL infrastructure is hosted in China/by Chinese companies. In this part I will present that currently (June 2016) StartSSL is operating from China (their employees are located in China).
During the first half year of 2016 I've contacted StartSSL several times. The first time was when I notified them about their SPF TXT records being incorrect [1], the reply was originated from (China Telecom, CHINANET Guangdong province network) with the "Content-Language" equals to "zh-cn" and the localtime of the email was UTC+0800. The email is signed with "" private key.
The second time I've contacted StartSSL was in regard their OCSP replies for expired certificates [2], again the reply was originated in China (China Telecom, CHINANET Guangdong province network) with China's localtime (UTC+0800).
The third and last time I've contacted StartSSL was regarding their expired certificates on some of their hosts [3], this time the reply seem to be generated via some kind of a ticket system, but still from China. The ticket system itself (MX server at least) seem to be in China, (21ViaNet(China),Inc), and the person who replied to my email was also from China, (China Telecom, CHINANET Guangdong province network) with "Accept-Language:" set to "zh-cn".
And what about StartSSL automated emails, old ones (during January) seem to originate in China, they came from (China Telecom, CHINANET-BJ) [4]. But later ones, come from (China Telecom (Americas) Corrporation (CTUC)) [5]. According the the whois, this is a Chinese company with an IP infrastructure in the US, but the localtime is still set to China's localtime.
In part 1 I showed that all shares from Start Commercial LTD (company based in Israel) were transferred to a front organization in the UK, named "StartCom CA Limited", which their sole director is Gaohua Wang. In part 2 I showed that StartSSL is actually operating from China (last verified, June 2016). In this part I will disclose who actually owns StartCom and more specifically the "StartSSL" brandname.
The key figure is Gaohua Wang (aka Richard Wang). It may not be so easy to connect him to the company in matter (searching for "Gaohua Wang certificate authority" will do the trick), but Gaohua Wang is also a director of another CA company based in China, named WoSign [1].
StartCom doesn't share this information with their customers, past, present and probably near future. I even tried to ask them directly via their Live Chat, but they haven't given me a straight answer ("not really", "close relationship" and "share infrastructure") [2] [3]. It seem StartCom is trying really hard not to disclose that StartCom was sold indirectly to a Chinese company.
Lets break down the answers to the question "Did WoSign bought you?"
"Not really" - WoSign didn't bought StartCom directly, Gaohua Wang (which also owns WoSign) used a front organization in the UK to buy StartCom.
"Close Relationship" - StartCom in the past cross-signed some of WoSign's intermediate CA, you may consider it as "close relations".
"Share Infrastructure" - This will explain Pierre Kim's post, but it doesn't explain why StartCom will require that, most StartSSL's customers are in Europe and in the US, not in China nor Asia [4].
But there are holes in the story. Why the operations (mail replies, core service like '') is in China? When trying to dial the Israeli number (+972.8.634.4170) I got an unplugged number tone [5], is the office in Israel is unavailable? But some of StartCom infrastructure is still hosted in Israel.
I will conclude with that, the same person (Gaohua Wang) owns WoSign and StartCom. I will leave connecting the dots for you...

[1] Hong Kong Compaies Registry - WoSign Director Index - IMG
[2] Live Chat with Danny - Part 1 - IMG *
[3] Live Chat with Danny - Part 2 - IMG *
[4] According to BuiltWith - IMG
[5] Trying to dial the Israeli extension - AMR
About the author 
My name is Itzhak Daniel, during 2015 I was an employee of StartCom. I don't speak on behalf of StartCom. I believe companies that are responsible for securing our internet should be transparent regarding their activities and who stands behind them.
Comments, requests, etc can be sent using this contact page or by any other means mentioned on it.

Monday, August 29, 2016

Chinese CA WoSign faces revocation after issuing fake certificates of Github, Microsoft and Alibaba

One of the largest Chinese root certificate authority WoSign issued many fake certificates due to an vulnerability.  WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able to prove control of a subdomain. This means that if you can control a subdomain of a major website, say, you're able to obtain a certificate by WoSign for, taking control over the entire domain.

In deed, this has been seen in the wild in multiple instances as reported in the thread, aggregated here. I've notified related parties about the possible fake certs.

Possible fake cert for Github -- confirmed fake

Update: is down after my post. Google's CT log here

Possible fake cert for Alibaba, the largest commercial site in China  -- confirmed fake

Possible fake cert for Microsoft

What's more shocking is WoSign's behavior after the vulnerability was disclosed to them.
WoSign never reported this misuse to root programs as required. WoSign's audit report didn't include such misuse either.

WoSign completely lacks the security knowledge needed for operating a CA. In the thread discussing potential sanction against WoSign,  WoSign stated that
For incident 1 - mis-issued certificate with un-validated subdomain, total 33 certificates. We have posted to CT log server and listed in, here is the URL. Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks.   
14 months after the disclosure to WoSign about the vulnerability to obtain fake certificates, WoSign did nothing to address the mis-issued certificate.
WoSign doesn't even seem to understand the security flaw disclosed. WoSign stated "Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks"

Let's recall how the attack works. Say, I want to acquire a fake cert issued to Github allows me to control the subdomain I then go to WoSign to demonstrate my control of WoSign then issue me cert for but also, which allows me to attack the entire domain.

WoSign should have revoked certs issued with this vulnerability immediately.  Instead, 14 months after the disclosure, WoSign's responded that, me, an attacker, should contact WoSign about this mis-issued cert and ask WoSign to revoke it. And this statement was posted in a thread about potential sanctions against WoSign! How WoSign, the largest CA in China can be such lack of security knowledge is beyond comprehension.

I originally didn't advocate for a revocation of WoSign in the thread.
The news about possible sanction against WoSign was reported by Solidot (the Chinese version of Slashdot). Out of 12 comments in total (at the time of writing), 8 of them call for revocation of WoSign, the rest talks about the general bad security practices in China. In most Chinese institutions, most checks and verifications are just formality. Contracting to the case of CNNIC CA, I'm not advocating for an outright removal of WoSign (even though I revoked the CA personally). But the incorrect notBefore date suggests that a mandatory inclusion of CT of all certs ever issued is needed. Of course, WoSign needs to address other issues raised by Matt and Ryan in addition to the CT requirement. 
In light of WoSign's utter ignorance on security knowledge of CA, I call for revocation of WoSign from all root programs and blacklist all intermediate cert operated by WoSign and corss-signed by StarCom immediately.

Friday, July 29, 2016

Wooyun management arrested in China for disclosing vulnerabilities to the gov

I blogged earlier that Wooyun was forced to shut down with rumors that the management was arrested for reporting vulnerabilities of government's assets.

This has been confirmed by Southern Weekly. This marks a huge step backwards for information security in China. Rather than rewarding white hats to submit issues to vulnerability disclosure platform, the government took the shocking approach to shut down the platform. Arresting the white hats for penetrating the system regardless of his intent might be justified in a legal sense, but shutting down a platform that itself doesn't perform any hacking is just ridiculous. Without the vulnerability disclosure platform, white hats, let alone black hats are more likely to sell the vulnerability in the grey markets.  Even if the white hats trying to contact the asset owner to patch the vulnerability, such notifications are commonly ignored in China. The end result is that many more vulnerabilities will be unpatched due to the government's hostile attitude.

In China, we have a saying that it's much easier to solve the people who raise the issues rather than the issue itself. You can see such attitude in many political events and I won't be surprised by this attitude at all. But this time, the gov takes one step further: The gov is not even solving the people who raise the issues, but the messenger. This is truly 掩耳盗铃.

Thursday, July 21, 2016

Wooyun,the most famous white-hat vulnerability disclosure website in China, forced to shut down

On July 20, Wooyun, the most famous white-hat vulnerability disclosure website in China cannot be accessed. Later in the day, the site posted a bizarre notice saying that Wooyun system is undergoing some update and that people should listen to Wooyun rather than rumors. 

As most Chinese know, system update or system maintenance very often times mean that the site is shut down temporarily or permanently by the government.  Rumors are the high level management of Wooyun were taken away by the police. Such rumors are censored on the sites such as Zhihu. 

But the reason for it is not clear and there are several guesses. 

Information analysis platform in the public security bureau 

On July 19, someone submitted a vulnerability regarding arbitrary code execution in the analysis platform of 公安部一所 (Ministry of Public Security research institute) 

The Baidu cache is reset by GFW indicating some possible government action

SQL Injection on the United Front Work Department

On July 18, someone submitted a vulnerability regarding SQL Injection of 中央统战部 (
the United Front Work Department.) 

This vulnerability disclosure page is not index by Baidu, indicating possible censorship.

SQL injection on Center for Disease Control and Prevention and hospitals in Beijing

On May 20, someone submitted a vulnerability regarding SQL injection of 北京疾控中心 (Center for Disease Control and Prevention and hospitals in Beijing). The hacker has obtained sensitive data on various hospitals as shown below.

Vulbox, another famous platform has stopped to receive new vulnerabilities. 

Thursday, June 30, 2016

China cracks down on mobile games

On May 24, 2016, State Administration of Press, Publication, Radio, Film and Television published new regulations requiring all mobile games to obtain license from the agency before publication.  On June 30, Apple notified Chinese game developers that they were required to fill in license number and date of approval when submitting games to App Store.

Obtaining a permit for game is a long and bureaucratic process. First, the applicant has to have a Internet publication license to even qualify for the process, which takes months to obtain and virtually disqualifies all individual developers and all foreign companies. Second, the game has to be be submitted to the government for approval. The game has to be submitted again if any content change is significant. After the game release, the applicant is required to provide stats about the game to the government as well.

This regulations basically banns all individual game developers and foreign games and creates significant obstacles to moderate large gaming companies. It lengthens the release cycle significantly and imposes strong censorship to games. Games that reference politics, history and any sensitive subjects basically have zero chance to get approved.

Friday, June 24, 2016

China's censorship order to Github caused Streisand effect

Recently, the Chinese gov sent a censorship order to Github demanding the removal of political content. Github complied and restricted the access from China. However, Github also posted the censorship request publicly, making it one of the few publicly available censorship order towards foreign companies.

The content in question was posted on March 9, 2016 and received little attention and no replies. However, after the removal order and the content being restricted from China, the content received 166 comments, some of which visited the content because of international exposure. The content is even translated into English.

Even though the content cannot be accessed in China, copies of the content is already made on other repo's (copy 1, copy 2, copy 3). Those copies are still accessible in China. Interestingly, those copies are hosted on repo that were DDOSed by Great Cannon last year. It remains to be seen whether China will send take down request to Github, DDOS Github, block Github or do nothing to prevent further Streisand effect.

Wednesday, June 22, 2016

Cyberspace Administration of China sent take down request to Github

What happened? 

According to Github official gov-takedowns repo, Cyberspace Administration of China send a take down request to Github on June 8, 2016. The request is reproduced below.

Cyber Security Association of China
To whom this might be concerned at GitHub:
The post at vilifies our President Xi as a murder suspect, which is a groundless and malicious slander. We hereby express our strong concern and request you to take it off your website at the earliest time possible.
Cyber Security Association of China
June 8, 2016
Address: No.190 Chaoyangmennei Street, Dongcheng District, Beijing. Zip Code: 100010

The content requested to be taken down is reproduced below.


4、關於習正甯的母親,檔案中寫道:“郝明珠於1935年12月和當時的陝甘邊蘇維埃主席習仲勳結婚,共同生活九年之後,1943年10月,由於雙方性格方面的問題而離婚,此時28歲的郝明珠依然年輕美貌,但從此以後未嫁,獨自艱辛撫養5個孩子中倖存的3個子女。” 而習仲勳的第二任妻子,“齊心(1926- ),1943年4月與習仲勳相識。1943年冬天兩人論及婚嫁。兩人於1944年4月28日在綏德地委結婚,共育有四子女。”習仲勳還沒和郝明珠離婚時就和齊心勾上了,剛和郝明珠離婚馬上就娶了齊心,齊心比郝明珠要小10歲。用今天的話來說,齊心就是個小三,是小三上位。而郝明珠被拋棄後,僅28歲,獨自撫養三個子女,終生未嫁,這很不尋常,原因一方面是因為,她可能比較傳統,對習仲勳懷有舊情,另一方面的原因很可能是,她把希望寄託在和習仲勳生的三個孩子身上,特別是習正寧,希望他能承父業。
7、習正甯評價弟弟習近平“不但能吃苦,腦袋靈,會來事,而且跟上級下級的關係都處得非常好”, (見 ),說明習近平鑽營、拍馬的功夫很到家,搞些非法交易不在話下。

What does it mean? 

It is very very rare for CAC to send a taken down request to a foreign company. The reason for CAC to issue this take down request is probably the previous unsuccessful DDOS attack on Github by Great Cannon. Despite almost days of outage of Github, the company being attacked refused to take down content that was offensive to the Chinese government. It eventually employed various technical counter-measures including akamai to fend off the attack while keeping the offensive content up. 

The Great Cannon incident drew international attention and probably prompt the gov not to repeat such attacks, hence the take down request. 

As of this moment, the content, and in fact the entire repo cannot be viewed when accessing from China. It can be access normally when accessing outside of China.

GFW cannot selectively blocking this content without blocking all of Github because Github uses HSTS. 

The content is posted at Program Think's repo. Program Think is a very famous blogger in China remaining anonymous while posting about computer science, politics and philosophy. 

We will see Chinese gov's next move when they notice the content is not taken down and their take down request being posted by Github publicly. 

Saturday, June 18, 2016

WSJ Chinese and Reuters Chinese have zero coverage over Lam Wing-kee's story

When Lam Wing-kee's story is attracting international attention from media inside and outside of China, WSJ Chinese and Reuters had no literally zero coverage on the news.


In contrast, NYTimes Chinese, FT Chinese and SCMP Chinese all have great coverage on the story. Notably, FT Chinese is currently not blocked in China and should have the most incentive to self-censor and suppress the related reporting; SCMP Chinese is currently owned by Alibaba's Jack Ma, a famous entrepreneur in mainland. Despite such pressure, all those above media carried out candid reporting on Lam Wing-kee's news.

Perhaps more notably, even Chinese state media has reported about Lam Wing-kee's story. Global Times published an article stating Lam Wing-kee's story while criticizing that Lam Wing-kee doesn't provide any evidence. The article was deleted. Mainstream Chinese media also reported on the story and unsurprisingly all taking the government's side. But still they do have reporting on the story.

WSJ and Reuters international version in English both widely reported on Lam Wing-kee. It's unfathomable why WSJ Chinese and Reuters Chinese will have no coverage at all, if not for self-censorship.

Friday, May 27, 2016

All of Tumblr blocked in China because of a 29s porn

What happened?

Tumblr is officially blocked in China beginning yesterday, joining the long block list of similar services such as wordpress, blogspot, etc.  Blogger and Google sites has been blocked since 2009 and wordpress joined them in 2011. Almost all foreign web services that involves user generated content have been blocked in China, including Facebook, Twitter, Youtube, Instagram. GFW clearly has noticed political content on Tumblr years ago but somehow decided not to block all of Tumblr till now.  According to Alexa, Tumblr is ranked 153 in China, rather well for a foreign website.

I'm not shocked at all that Tumblr is finally blocked. In fact, the opposite is true, that I'm very shocked that Tumblr is not blocked till now. Many individual blogs on Tumblr has long been blocked for years., tumblr of famous circumvention tool fqrouter has been blocked since 2013;, or Corruption China, has been blocked since 2014.

Reason behind the block

Tumblr is probably blocked because of 陆家嘴不雅视频. It refers to a 29s porn video spreading like crazy on the Chinese social network and was later reported by major media and newspapers. The video was deleted by censorers on Chinese social network. But the original video comes from stalkeryan{.}tumblr{.}com (NSFW) and the tumblr supposedly hosted the full version of this video and many other videos like it. The blogposts on tumblr has been deleted.  But the video is still available if accessed directly.  vt{.}tumblr{.}com/tumblr_o40da56RLU1v5eoup_480{.}mp4 (NSFW)

This is the first time a major website is blocked for non-political reasons.

Technical details

Tumblr is blocked by 
1) connection reset based on blacklist. "" is blacklisted and any URL containing such word will trigger the blocking by GFW. 
2) DNS poisoning based on blacklist "" and exact match of "". Any subdomain of tumblr such as "" will trigger GFW to inject fake DNS response. 

Those are the most severe methods of blocking. GFW could have chose to block the specific subdomain of the offending tumblr like before, but GFW probably think enough is enough and decided to block all of it. 

Thursday, May 19, 2016

You should never use Sogou English

Sogou in China just launched two products in collaboration with Bing. One is Sogou English and the other is Sogou Scholar.

Either products are crappy quality at best. 

The Sogou English search is extremely incompetent

 Using Sogou English and searching for Android Studio, we only see 5 results returned by Sogou. At the end of the page, it states that the search technology is provided by Bing and Sogou. 

In comparison, a search for Android Studio on Bing or Google returns 13 million search results. It's unfathomable that how such an incompetent product can be launched. 

The Sogou English search is redundant to Bing

Bing is almost the only foreign search engine that is accessible in China. There is just no reason for users to choose a much inferior product when the original product is easily accessible. 

The censorship of Sogou English is much overdone even by the Chinese standards

Searching Tiananmen on Sogou English returns no results at all because of Tiananmen square incident of 1989. Such a broad search censorship is unseen except in the most exceptional circumstances even in China. 

In comparison, when searching tiananmen on Baidu, the No.1 search engine of China,  general information about tiananmen is returned while information about the protest is censored. Same goes for Bing in China. This means that Sogou voluntarily goes beyond the mandate of censorship and even prevent its users of accessing much generic non-political information. 

Thursday, May 12, 2016

Apkpure blocked in China is a website that mirrors apps from Google Play and offers downloads on the site directly. It is ranked 4.7K globally and 7.6K in China. It was blocked in China today.

Google Play has long been blocked in China and domestic App Stores are under strict censorship. Consequently,  some Chinese users utilize mirrors like apkpure to download apps.

The blocking method is DNS poisoning of *, which means that any domains ending with is blocked, such as will be blocked. In addition, GFW also used connection reset by blacklisting keyword "", any URL that contains such word is blocked. This kind of blocking is extremely severe.

This blocking is totally expected considering the on-going crackdowns on App markets.

Wednesday, April 13, 2016



Tuesday, March 29, 2016

Google completely blocked by DNS poisoning in China

On March 29, all of Google search domains are DNS poisoned. Google has been blocked in China since last year but the block was only IP block. 
At the time of the writing, the DNS poisoning against all google search domains are still effective. More specifically, the DNS poisoned domains are  *.google.*  and google.*  (* can be anything). However * is NOT DNS poisoned even though is.  This is probably due to some other products hosted on *, for example,

Below is a domain lookup from outside China to a non-server inside of China, it should have returned no results. However, because the GFW injects fake DNS response, we saw fake IP address returned for, and In fact,  all country-specific google search domains are DNS poisoned.  If you're located outside of China, you can independently verify this by typing the same command into terminal and observe whether any fake IP addresses are returned.

Why DNS poisoning now? 

On March 27, for a few hours, Google is fully accessible in China. Google traffic report reflected a few hours of accessibility.

 Many speculate that the techinical reasons behind the "unblock" was due to the fact of Google used a fresh set of IP addresses (e.g report censored already) or that GFW is down. I am still looking into exactly what happened.  However, this led to a storm on Weibo, claiming Google has been unblock. 

But at that time, many users thought the "unblock" was an intentional policy change as many rumors Google would return to China.  Even Hu jixin, the editor of Global Times chimed in on weibo, surprisingly saying that GFW should only be a temporary measure and the long term employment of it can only make Chinese society more fragile, and that the GFW should have some downtime occasionally, and eventually deprecated. The weibo was censored.   

As you can imagine, this short term of accessibility of Google caused so much society reaction and media attention to censorship. By DNS poisoning Google, even if Google adds new IP address in the future or if GFW is down for a short time, local DNS resolver will still return cached fake IP addresses. Hence Google will be blocked without any lapse. 

Sunday, February 28, 2016

CAC closed down Ren Zhiqiang's weibo

Ren Zhiqiang is a retired Chinese real estate tycoon, a member of the Beijing Municipal Committee of the Chinese People's Political Consultative Conference, and a blogger on Sina Weibo with 38 million followers. Nicknamed "Big Gun Ren", he is known for his outspoken criticism of the Communist Party. [ ]

CAC (Cyber Space Administration of China) today requested Sina and Tencent close down his weibo accounts.  In addition, the CAC claimed on CCTV that Ren Zhiqiang published illegal information on Weibo. []

This is noteworthy because Ren Zhiqiang as a powerful individual in China has never get his accounts blocked before despite his sharp criticism against the Chinese government. His weibo is regularly censored however.  Most weibo account blocking happens in the dark without any notice. This is one of the few times where an account blocking is publicly announced by the censorship authority.

A similar event happened last time in 2013. CAC publicly suspended weibo account of He Bing (何兵), the vice president of China University of Political Science and Law, for spreading rumors. []

Thursday, February 18, 2016

Apple V.S FBI and how you can secure your iPhone right now

You might have read Apple's opposition of hacking its own iPhone. You can read an in-depth analysis about the technical obstacles of FBI hacking the iPhone and how Apple can in fact help the FBI bypass the security measures.

This is not the focus of this blog post, however. I am here to help you secure your iPhone in case of an FBI search or search from law enforcement agencies in other countries.

1) You need to have an iPhone 5S, or later.  5S and later have an additional hardware called Secure Enclave, which will protect the integrity of the authentication process even if iOS is compromised. (which is what FBI demanded)
In Apple's own words,  The Secure Enclave is a coprocessor fabricated in the Apple A7 or later A-series processor. It utilizes its own secure boot and personalized software update separate from the application processor. It provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised.

2) Make a backup of your iPhone locally with iTunes

3) Download Apple Configurator 2 from the Mac App Store.

4) Create a profile to enforce strong password protection and pair-lock.
Open the Apple Configurator 2.
Create a profile by File - New profile
Go to the General Tab, and configure as shown
go to password and configure as shown

Go to Restriction Tab and configure as shown. Pay special attention at the setting marked in red

Exit and save the profile

5) Now that you have the profile, use USB to connect your iPhone with and click prepare in the main interface. You have to turn off find my phone before the preparation if it's turned on. 

Click through the steps, but choose to supervise the device. Also remember to add the profile created in the previous step. 
6) Now let the configurator do its prepare the iPhone. All data currently on your iPhone will be erased!
7) Wait till iPhone is prepared and shows you the welcome screen. In the welcome screen, set up normally but set it up as a new iPhone.
8) On your iPhone, go to Setting- General-Reset- Reset Location & Privacy. This will make your iPhone even distrust the computer your configured it with.

Congratulations! Now you have an iPhone that's beyond most agencies reach when turned off (perhaps not the NSA). However, do remember to turn off your iPhone when a physical take over might occur. Leaving your iPhone on might enable a much larger attack surface. 

Friday, January 15, 2016

All of Wikipedia blocked and unblocked in China before the Internet conference

In May 2015, Chinese Wikipedia was completely blocked in China. On December 4 however, all versions of Wikipedia were blocked, but only for two days. When the block was lifted, the Chinese versions of the website remained were still inaccessible from China.

The block was noteworthy for two reasons.

In a speech ahead of his visit to China in December, Wikipedia founder Jimmy Wales indicated he would enter discussions with the Chinese authorities around the blocking of the sites. As noted in the story:

...Mr Wales admitted that trying to convince China to lift the block may be harder this time around than in the past, due to technological changes to the site’s encryption meaning the government cannot see which specific pages an individual is viewing.

"Which means they're no longer able to filter out certain pages. So they have a choice of all of Wikipedia or none," he said, meaning negotiation that occurred in the past about single pages are no longer viable.

After the speech made news, the authorities blocked all versions of Wikipedia, including the English one, likely in response to Jimmy’s speech. I applaud Jimmy’s decision to continue to make available an encrypted version of Chinese Wikipedia and his commitment to fighting censorship.

The technological aspects of the block were equally interesting. The authorities blocked the encrypted version of Wikipedia based on the TLS certificate of * in addition to using the older blocking method of DNS poisoning The TLS certificate blocking means that all HTTPS versions of Wikipedia (regardless of language) were blocked.

This action by the authorities is likely a direct response to Jimmy’s mention of “blocking all of Wikipedia or none of it”. The authorities were sending a message and trying to force the online encyclopedia to switch back to HTTP. However, even if Wikipedia did this, the Chinese version of the site would still be blocked because of DNS poisoning.

The connection reset against the TLS certificate is a novel approach to censorship. I believe that this is the first time that this method has been implemented by the Chinese authorities. This also renders the traditional method of using host files to bypass DNS poisoning ineffective.

When the user is trying to access an encrypted website, for example, the user and the server will first TLS handshake to establish an encrypted tunnel. The server will present a certificate to prove it is really Wikipedia, rather than someone else who is trying to hijack the connection. In this case, Wikipedia uses a wildcard certificate, namely, * and all language versions of Wikipedia use this certificate. Because this certificate is used to establish the encrypted connection, it is sent in the clear and can be readily seen in transit. The GFW hence looks for this fingerprint (we don’t know the exact fingerprint, as GFW can also use the wildcard certificate hash or signature equally well with common name) and blocks the encrypted channel from ever being established.

This is a novel censorship method as it only blocks the HTTPS version of the site. When a user accesses the HTTP site in plaintext, there is no TLS handshake and no certificate exchange, hence HTTP traffic would not be disrupted. But in the case of Wikipedia, because it employs HSTS,  no HTTP traffic is allowed. Hence, all of Wikipedia appears to be blocked.

Wednesday, January 13, 2016

VPN hosted on Microsoft Azure China forced to shut down

What happened?
Many Internet users in China use VPS or SSH to bypass GFW. Technical savvy users prefers to rent a VPS and build their own VPN/SSH rather than buying a commercial product. The dedicated VPS offers more reliable and faster connection and they can share it with their friends and families without additional cost.
But in Jan 2016, Microsoft Azure China issued a statement below, stating that the customers should “conduct self-examinations and rectifications immediately”. According to the statement, MIIT (Ministry of Industry and Information Technology) identified several Azure customers who build VPN and demanded the shutdown of the service.

What does it mean?

Technical savvy users can choose other VPS providers to host VPN/SSH such as Amazon EC2 or

Active probing can discover VPN/SSH. In Sept, 2015, Tor published an article on GFW's active probing system (Chinese version translated by me). According to the research encrypted connections originating from China to abroad that looks like Tor, VPN or SSH protocols are probed by GFW. This means if a Chinese user establish an encrypted connection to bypass censorship, the GFW will first use statistical principles to roughly identify those suspicious encrypted connection. Then GFW will pretend to be a Chinese client trying to connect to the server, aka probing the server. Based on the server’s response, GFW can know for sure whether the server is used to bypass censorship.

Users of circumvention tools should be aware. Using circumvention tools such as VPN/SSH can help bypass censorship and sometimes even encrypt data, however it cannot hide the fact that the users are subverting censorship and this action by itself might be a red flag to trigger actions.