Friday, January 15, 2016

All of Wikipedia blocked and unblocked in China before the Internet conference

In May 2015, Chinese Wikipedia was completely blocked in China. On December 4, however, all versions of Wikipedia were blocked, but only for two days. When the block was lifted, the Chinese versions of the website remained inaccessible from China.

The block was noteworthy for two reasons.

In a speech ahead of his visit to China in December, Wikipedia founder Jimmy Wales indicated he would enter discussions with the Chinese authorities around the blocking of the sites. As noted in the story:

...Mr Wales admitted that trying to convince China to lift the block may be harder this time around than in the past, due to technological changes to the site’s encryption meaning the government cannot see which specific pages an individual is viewing.

"Which means they're no longer able to filter out certain pages. So they have a choice of all of Wikipedia or none," he said, meaning negotiations that occurred in the past about single pages are no longer viable.

After the speech made news, the authorities blocked all versions of Wikipedia, including the English one, likely in response to Jimmy’s speech. I applaud Jimmy’s decision to continue to make available an encrypted version of Chinese Wikipedia and his commitment to fighting censorship.

The technological aspects of the block were equally interesting. The authorities blocked the encrypted version of Wikipedia based on the TLS certificate of *, in addition to using the older blocking method of DNS poisoning. Blocking on the TLS certificate means that all HTTPS versions of Wikipedia (regardless of language) were blocked.

This action by the authorities is likely a direct response to Jimmy’s mention of “blocking all of Wikipedia or none of it”. The authorities were sending a message and trying to force the online encyclopedia to switch back to HTTP. However, even if Wikipedia did this, the Chinese version of the site would still be blocked because of DNS poisoning.

The connection reset against the TLS certificate is a novel approach to censorship. I believe that this is the first time that this method has been implemented by the Chinese authorities. It also renders the traditional method of using a hosts file to bypass DNS poisoning ineffective, since the connection is reset regardless of how the name was resolved.

When a user accesses an encrypted website, the user's browser and the server first perform a TLS handshake to establish an encrypted tunnel. During the handshake the server presents a certificate to prove that it is really Wikipedia, rather than someone else trying to hijack the connection. Wikipedia uses a wildcard certificate, namely *, and all language versions of Wikipedia share it. Because this certificate is used to establish the encrypted connection, it is sent in the clear and can be readily seen in transit. The GFW therefore looks for this fingerprint (we don't know which attribute it actually matches on: for a wildcard certificate the certificate hash, its signature or its common name would all work equally well) and resets the connection before the encrypted channel can be established.

This is a novel censorship method because it blocks only the HTTPS version of the site. When a user accesses the HTTP site in plaintext, there is no TLS handshake and no certificate exchange, so HTTP traffic is not disrupted. But because Wikipedia employs HSTS, browsers that have seen the site before refuse to fall back to plaintext HTTP. Hence, all of Wikipedia appears to be blocked.
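To show what a passive on-path observer can read from the TLS 1.2 handshake described above (the protocol version in use at the time, where the Certificate message is unencrypted), here is an added example that is not code from the original post. It builds a constructed Certificate handshake record around a minimal DER blob whose commonName is *.example.org, then extracts the common name and SHA-256 fingerprint a middlebox could match on; the sample blob, the record builder and all names in it are constructed for this example.

```python
import hashlib
import struct

CN_OID = b"\x06\x03\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (commonName)

def _der(tag, body):  # short-form DER length only; enough for this sample
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed sample: a minimal DER blob shaped like an X.509 subject Name with
# commonName "*.example.org". It is NOT a real certificate.
SAMPLE_CERT = _der(0x30, _der(0x31, _der(0x30, CN_OID + _der(0x0C, b"*.example.org"))))

def tls12_certificate_record(certs):
    # Wrap DER certs in a TLS 1.2 Certificate handshake message (type 11) inside a plaintext record.
    entries = b"".join(b"\x00" + struct.pack(">H", len(c)) + c for c in certs)  # 3-byte lengths
    body = b"\x00" + struct.pack(">H", len(entries)) + entries
    handshake = b"\x0b\x00" + struct.pack(">H", len(body)) + body
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake

def extract_leaf_certificate(record):
    # Return the first (leaf) certificate from a TLS 1.2 Certificate record, else None.
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x0B:                  # not a Certificate message
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 6:
        return None
    cert_len = int.from_bytes(body[3:6], "big")       # first entry's length
    return body[6:6 + cert_len]

def common_name(der):
    # Heuristic scan for the commonName attribute (UTF8String 0x0C or PrintableString 0x13).
    i = der.find(CN_OID)
    if i < 0 or i + 7 > len(der):
        return None
    tag, length = der[i + 5], der[i + 6]
    if tag not in (0x0C, 0x13):
        return None
    return der[i + 7:i + 7 + length].decode()

def visible_identity(record):
    # What a passive on-path observer can read from the cleartext Certificate message.
    der = extract_leaf_certificate(record)
    if der is None:
        return None
    return {"common_name": common_name(der), "sha256": hashlib.sha256(der).hexdigest()}
```

Either value is enough for a censor to reset the connection, which is why switching host names or hosts-file entries does not help against this block.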

Wednesday, January 13, 2016

VPN hosted on Microsoft Azure China forced to shut down

What happened?
Many Internet users in China use a VPS or SSH to bypass the GFW. Technically savvy users prefer to rent a VPS and build their own VPN/SSH server rather than buy a commercial product. A dedicated VPS offers a more reliable and faster connection, and they can share it with friends and family at no additional cost.
But in January 2016, Microsoft Azure China issued the statement below, stating that customers should “conduct self-examinations and rectifications immediately”. According to the statement, MIIT (the Ministry of Industry and Information Technology) identified several Azure customers who had built VPNs and demanded that the service be shut down.

What does it mean?

Technically savvy users can choose other VPS providers to host VPN/SSH, such as Amazon EC2 or

Active probing can discover VPN/SSH servers. In September 2015, Tor published an article on the GFW's active probing system (Chinese version translated by me). According to the research, encrypted connections from China to servers abroad that look like Tor, VPN or SSH protocols are probed by the GFW. This means that if a Chinese user establishes an encrypted connection to bypass censorship, the GFW first uses statistical methods to roughly identify suspicious encrypted connections. Then the GFW pretends to be a Chinese client and connects to the server itself, i.e. probes it. Based on the server's response, the GFW can know for sure whether the server is used to bypass censorship.
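As an added example (not from the original post or from Tor's research), here is a server-side check for the probing pattern described above: it scans constructed OpenSSH auth-log lines and flags pre-authentication disconnects from never-authenticated addresses that arrive within seconds of a genuine login. The 30-second window and the assumption that a probe shows up as a "[preauth]" disconnect are assumptions of this example, not findings from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed OpenSSH auth-log sample (not real traffic). The assumed probe pattern:
# a real client logs in, then unrelated addresses connect and drop before authenticating.
SAMPLE_LOG = """\
Jan 13 10:00:01 vps sshd[101]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Jan 13 10:00:04 vps sshd[102]: Connection closed by 198.51.100.7 port 40001 [preauth]
Jan 13 10:00:06 vps sshd[103]: Connection closed by 198.51.100.9 port 40002 [preauth]
Jan 13 10:30:00 vps sshd[104]: Accepted publickey for alice from 203.0.113.5 port 51300 ssh2
Jan 13 11:00:00 vps sshd[105]: Connection closed by 192.0.2.44 port 30000 [preauth]
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
ACCEPTED = re.compile(r"Accepted \S+ for \S+ from (\S+) port")
PREAUTH_CLOSE = re.compile(r"Connection closed by (\S+) port \d+ \[preauth\]")

def parse_events(log, year=2016):
    # Syslog lines carry no year, so one is supplied (an assumption for this sample).
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
        accepted = ACCEPTED.search(m.group(2))
        closed = PREAUTH_CLOSE.search(m.group(2))
        if accepted:
            events.append((ts, "accepted", accepted.group(1)))
        elif closed:
            events.append((ts, "preauth_close", closed.group(1)))
    return events

def suspected_probes(log, window_seconds=30):
    # Flag pre-auth disconnects from addresses that never authenticated, arriving within
    # window_seconds of a genuine login. The window is an assumption; tune it per server.
    known, last_login, hits = set(), None, []
    for ts, kind, ip in sorted(parse_events(log)):
        if kind == "accepted":
            known.add(ip)
            last_login = ts
        elif ip not in known and last_login is not None \
                and ts - last_login <= timedelta(seconds=window_seconds):
            hits.append((ts.strftime("%H:%M:%S"), ip))
    return hits
```

A hit does not prove probing, but a server that only its owner and friends should know about, yet sees strangers knock right after each login, is worth looking at more closely.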

Users of circumvention tools should be aware of this. Using circumvention tools such as VPN/SSH can help bypass censorship and sometimes even encrypt data; however, it cannot hide the fact that the user is subverting censorship, and that alone might be a red flag that triggers action.