Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
China Privacy IT Your Rights Online

China Cracks Down On International VPN Usage (thestack.com) 68

An anonymous reader writes: China's government has announced a 14-month crackdown on the use of unauthorised Virtual Private Networks (VPNs), commonly used by visitors and native activists, amongst others, to communicate with the world beyond the Great Firewall of China. Sunday's announcement [Chinese] from the Ministry of Industry and Information Technology reiterated regulations first outlined in 2002, but which have since been subject to sparse, selective or lenient enforcement. The new announcement promises a 'clean up' regarding the VPN situation in China, beginning immediately and running until March of 2018.
This discussion has been archived. No new comments can be posted.

China Cracks Down On International VPN Usage

Comments Filter:
  • by Anonymous Coward

    Guess we'll have to switch to SSH and HTTPS tunnels instead of brazenly using IPSec and OpenVPN. Got the message loud and clear. :D

    • by Anonymous Coward on Monday January 23, 2017 @02:22PM (#53722491)

      Guess we'll have to switch to SSH and HTTPS tunnels

      Yes, but you can't win that game.

      If that would ever become popular, it too can be blocked. Also that is beyond the ability of the average person to do. If they "solve" the problem for 99.9% of the population, that's what matters.

      The end game is bigger and bigger swaths of the open internet being blocked, until what's left is a white list of approved web destinations, with maybe some special exceptions being made for companies, exceptions not available to the average person.

      The internet once held the promise of freedom for all. Now it holds the chains of oppression for all. With each passing year we have seen more and more control, monitoring, and lockdown, not just in China, but all over the world. Some of that was imposed externally, like from the Chinese government, and some we freely signed up for by re-centralizing the decentralized network handed to us by its creators. It is simply too succulent a target for those who would be your masters to ignore.

      Governments want it for power over the population. Corporations want it so you are locked into their portals. People want it because in mass they are stupid and cheerfully walk into their own cages.

      We are not winning the war on internet freedom. We are losing it, badly. It is more heavily censored, controlled, and monitored than at any time in its history, and that shows no signs of slowing down.

      Captcha: prevails.

      • by Anonymous Coward

        Dear fellow netizen. This is one of the greatest posts I have seen in these pages in a long time. It sums up the essence of everything that is at stake. Kudos.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Yep, get used to it. Because there isn't anything you can do about it. Sure the 0.0001% may be free to use what they want, (That 0.0001% being the people who can mess with ASM, and do hardware glitching to meet their own ends.) but the vast 99.9998% of people just made a new master for them to bow down to. Even better is what happens when we get hard AI that will ensure continuous monitoring and oppression.

        So why the grim future? Well because as history shows, people don't give a fuck about something until

    • by sc0rpi0n ( 63816 )

      Guess we'll have to switch to SSH and HTTPS tunnels instead of brazenly using IPSec and OpenVPN. Got the message loud and clear. :D

      ISPs appear to throttle TCP connections to outside the GFW to 50kB/s. Since SSH runs over a single TCP connection, you will be accessing the internet at 0.4MBit. SSH connections are also long lived and easy to identify.

      Shadowsocks to a server in Hong Kong with good peering (say Microsoft Azure East Asia datacenter) works well. Cheap VPS providers in HK have lousy connections to China with significant package loss.

  • OpenVPN port tcp/443. How are you going to stop that? I have one of those for... reasons, I keep bandwidth usage low to avoid volume based detectors.
    • My understanding is that some deep packet inspection methods can determine if potentially encrypted data is being passed through a filter. Obviously it's going to be error prone, but what does that matter when the general plan is to sufficiently inconvenience people so they don't even try. I doubt the PRC cares that maybe the odd innocent bystander's data gets hit as a false positive.

      As a counter to that, I have read of encryption schemes that will bypass this kind of filtering, but it's going to be a lot s

      • by Anonymous Coward

        It's worse than that; last I checked OpenVPN doesn't even try to hide the nature of its traffic. There are some alternatives and projects in development that attempt to find a solution to this, but most of them seem to rely on TOR; missing the point that where VPN connections are being filtered so will TOR.

        • To be fair, OpenVPN isn't really designed to obfuscate the nature of the traffic any more than IPSec does. Both are about creating secure tunnels, with OpenVPN being very easy to configure and maintain as opposed to the pain that is IPSec. I use OpenVPN a lot, both for our road warriors, and to create the secure tunnels between our locations. In that role it really is an incredibly nice piece of software. But if I were looking at making something whose intent was to disguise that I was encrypting traffic at

      • My understanding is that some deep packet inspection methods can determine if potentially encrypted data is being passed through a filter. Obviously it's going to be error prone, but what does that matter when the general plan is to sufficiently inconvenience people so they don't even try. I doubt the PRC cares that maybe the odd innocent bystander's data gets hit as a false positive.

        As a counter to that, I have read of encryption schemes that will bypass this kind of filtering, but it's going to be a lot slower as a lot more junk data has to be thrown in to fool detection. Good for low-bandwidth needs like passing text-based emails and the like, but not much good for anything high bandwidth like voice communications.

        IIRC there is a patch for OpenVPN to make a tcp:443 based VPN appear to be a genuine https connection, even to DPI

    • by v1 ( 525388 ) on Monday January 23, 2017 @02:06PM (#53722339) Homepage Journal

      It's actually not all that difficult to spot vpn traffic. Run some DPI and just simply look at the size of the packets being exchanged. L2TP/IPSEC/etc will all have very regular size exchanges that virtually uniquely identify them. Doesn't matter how you encrypt or tunnel it if you don't change the payload sizes.

      It's like saying "You can't block my bittorrent client if I just change my port!" Actually, yes we can. And we do. Quiet easily actually.

      I haven't looked closely into TOR to see if it pads with random size data, (betting they DO) but that's what they need to do with vpn to seriously defend against traffic analysis.

      Even with that, it's still not bulletproof, but it dramatically increases the work and false positives on the detection side of the fence.

      • It's actually not all that difficult to spot vpn traffic. Run some DPI and just simply look at the size of the packets being exchanged.

        You are talking simple in THEORY, but not in practice. We're talking about sniffing the traffic of a COUNTRY, not a small office. That takes serious hardware and serious money if they don't want to crawl. Sounds like they are ready to turn on some system. But like all things internet, it will only take a short time for people to learn how to get around it.

        • by aliquis ( 678370 )

          Of course they can simply demand that whomever provides access / if they do it themselves have to filter it?

        • by dbIII ( 701233 )

          That takes serious hardware and serious money

          The sort a country has.

      • by Anonymous Coward

        No need for that mental masturbation, just google great firewall probing, the system just stores the host and attempts to connect later, if the Tor connection succeeds the host is blocked.

        http://www.cs.kau.se/philwint/static/gfc/

        https://idea.popcount.org/2013-07-11-fun-with-the-great-firewall/

    • by Anonymous Coward

      How are you going to stop that?

      Trivially? That is actually dead simple to detect and block, genius. Your DPI just has to presumes that the only thing on 443 should be SSL.

      You would have to obfuscate your packets in some way (e.g. padding/splitting them prior to encryption, and then embedding them in SSL traffic). Vanilla OpenVPN does not do this. OpenVPN over stunnel gets you a little closer, but not all the way, IMHO. Even once you do that, statistical analysis of sources and destinations alone (e.g. normal users don't have a ton o

    • timing and sizes are different so they can in fact catch it :(

  • by Ritz_Just_Ritz ( 883997 ) on Monday January 23, 2017 @01:55PM (#53722273)

    When I used to go to China, I often found that access to sites I need to use to do my work were blocked in whole or in part. Without setting up a vpn, I can't do my work. And even then, it was always a cat and mouse game as the connections were randomly terminated.

    So now I just avoid going there at all if I can help it.

     

    • by sims 2 ( 994794 )

      What you mean like this guy?
      https://yro.slashdot.org/story... [slashdot.org]

    • I agree. It's almost as bad as going to the US.

    • Countries shotting themselves in the foot is a global competition these days, it seems...
    • by Mashiki ( 184564 )

      A lot of people are, this policy is going to be something that will start to draw companies back out of China on top. It's easy to see the reasoning as to why they're implementing this policy though. It's Trump. [ft.com](or if you're not a FT sub you can read the synopsis here [breitbart.com].) Not him, in itself, but the idea that a populist can rise through the ranks and throw the entire establishment on end. Hell China has banned anything to do with the US election, is requiring heavy censorship on all CN sites that have com

  • by magarity ( 164372 ) on Monday January 23, 2017 @02:04PM (#53722321)

    A couple of years ago visiting China my TMobile phone's plan included unlimited data at 2G speeds. I got sites that were normally banned to Chinese users as if I were in the US, so I suspect it routed straight to TMobile somehow but never got the details. I wonder if this crackdown will stop that access?

    • by Xrikcus ( 207545 )

      At the moment roaming data seems to be unfiltered as far as I can tell. I assume they are working on the basis that they know that these people are foreign, so there is no benefit to filtering the traffic. VPNs have been hit and miss enough recently that I have been suspecting they have been experimenting with blocking them, although as that includes our corporate VPNs it may be coincidence.

    • by tlhIngan ( 30335 )

      A couple of years ago visiting China my TMobile phone's plan included unlimited data at 2G speeds. I got sites that were normally banned to Chinese users as if I were in the US, so I suspect it routed straight to TMobile somehow but never got the details. I wonder if this crackdown will stop that access?

      2G access used something called Mobile IP. What happens is that your phone establishes a tunnel to your home provider and gets the IP from your home provider that way. The phone uses the tunnel to send data

      • All IP traffic is still brought across the network back to your home carrier (Usually in a VPN funnily enough). Local Break Out, or "LBO" is there in 3G/4G land, and while supported in software the mobile network as it was written when the EU wanted to get rid of the roaming charges nobody has ever picked it up. As the business model of a break out gateway (Also requiring a new APN) was limited to before roaming charges were scrapped, nobody bothered setting up a provider for it.

        So in your instance as a US

  • I my experience, it is everyone under 30 using a VPN, at least in the cities.
  • by AHuxley ( 892839 ) on Monday January 23, 2017 @07:25PM (#53725145) Journal
    A few of the better VPN providers might not have as many issues.
    Due to skill and cash flow they can try to avoid deep packet inspection.
    The deep packet inspection is looking for any use of an encrypted VPN protocol.
    Deep packet inspection is the result of a few vendors that sell into China. Deep packet inspection can be understood.
    Any quality VPN provider could look at what deep packet inspection is sold to China and then protect its VPN users.
    • by sc0rpi0n ( 63816 )

      Any quality VPN provider could look at what deep packet inspection is sold to China and then protect its VPN users.

      Do you really think that any of the infrastructure for the GFW runs on imported foreign hardware? Many western telcos have been switching to products from ZTE and Huawei because of lower prices and products that match their requirements. China has regulation in place that forbids use of imported networking equipment for 'sensitive sectors' and actively favours local companies in many industries.

  • This is great. Many more people in China are now aware of the problem, due to the public announcement. So many more people are questioning "why?" and signing up for overseas VPN services. In any case, we have adapted technology already to avoid their DPI and more countermeasures are ready for the next escalation. The more you tighten your grip, the more star systems will slip through ..

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...