China Cracks Down On International VPN Usage (thestack.com) 68
An anonymous reader writes: China's government has announced a 14-month crackdown on the use of unauthorised Virtual Private Networks (VPNs), commonly used by visitors and native activists, amongst others, to communicate with the world beyond the Great Firewall of China. Sunday's announcement [Chinese] from the Ministry of Industry and Information Technology reiterated regulations first outlined in 2002, but which have since been subject to sparse, selective or lenient enforcement. The new announcement promises a 'clean up' regarding the VPN situation in China, beginning immediately and running until March of 2018.
So... SSH and HTTPS tunnels then? (Score:2, Interesting)
Guess we'll have to switch to SSH and HTTPS tunnels instead of brazenly using IPSec and OpenVPN. Got the message loud and clear. :D
Re:So... SSH and HTTPS tunnels then? (Score:5, Insightful)
Guess we'll have to switch to SSH and HTTPS tunnels
Yes, but you can't win that game.
If that would ever become popular, it too can be blocked. Also that is beyond the ability of the average person to do. If they "solve" the problem for 99.9% of the population, that's what matters.
The end game is bigger and bigger swaths of the open internet being blocked, until what's left is a white list of approved web destinations, with maybe some special exceptions being made for companies, exceptions not available to the average person.
The internet once held the promise of freedom for all. Now it holds the chains of oppression for all. With each passing year we have seen more and more control, monitoring, and lockdown, not just in China, but all over the world. Some of that was imposed externally, like from the Chinese government, and some we freely signed up for by re-centralizing the decentralized network handed to us by its creators. It is simply too succulent a target for those who would be your masters to ignore.
Governments want it for power over the population. Corporations want it so you are locked into their portals. People want it because in mass they are stupid and cheerfully walk into their own cages.
We are not winning the war on internet freedom. We are losing it, badly. It is more heavily censored, controlled, and monitored than at any time in its history, and that shows no signs of slowing down.
Captcha: prevails.
Re: (Score:1)
Dear fellow netizen. This is one of the greatest posts I have seen in these pages in a long time. It sums up the essence of everything that is at stake. Kudos.
Re: (Score:2, Interesting)
Yep, get used to it. Because there isn't anything you can do about it. Sure the 0.0001% may be free to use what they want, (That 0.0001% being the people who can mess with ASM, and do hardware glitching to meet their own ends.) but the vast 99.9998% of people just made a new master for them to bow down to. Even better is what happens when we get hard AI that will ensure continuous monitoring and oppression.
So why the grim future? Well because as history shows, people don't give a fuck about something until
Re: So... SSH and HTTPS tunnels then? (Score:1)
Re: (Score:1)
Are you sure? I am Chinese and lived in Shenzhen for the last few months. I can tell that you are wrong on so many counts.
1. VPN has become inaccessible 90% of the time. No hope there.
2. Most Chinese do not know what's outside. They only read Chinese.
3. There is now a sufficient amount of nationalism among the Chinese, since Huawei phones are kicking asses everywhere, and China has many things that the others don't, such as ubiquitous micro-payments with WeChat and Alipay.
4. The remaining freedom-loving Chi
Re: (Score:1)
Guess we'll have to switch to SSH and HTTPS tunnels instead of brazenly using IPSec and OpenVPN. Got the message loud and clear. :D
ISPs appear to throttle TCP connections to outside the GFW to 50kB/s. Since SSH runs over a single TCP connection, you will be accessing the internet at 0.4MBit. SSH connections are also long lived and easy to identify.
Shadowsocks to a server in Hong Kong with good peering (say Microsoft Azure East Asia datacenter) works well. Cheap VPS providers in HK have lousy connections to China with significant package loss.
OpenVPN port tcp/443 (Score:2)
Re: (Score:2)
My understanding is that some deep packet inspection methods can determine if potentially encrypted data is being passed through a filter. Obviously it's going to be error prone, but what does that matter when the general plan is to sufficiently inconvenience people so they don't even try. I doubt the PRC cares that maybe the odd innocent bystander's data gets hit as a false positive.
As a counter to that, I have read of encryption schemes that will bypass this kind of filtering, but it's going to be a lot s
Re: (Score:1)
It's worse than that; last I checked OpenVPN doesn't even try to hide the nature of its traffic. There are some alternatives and projects in development that attempt to find a solution to this, but most of them seem to rely on TOR; missing the point that where VPN connections are being filtered so will TOR.
Re: (Score:3)
To be fair, OpenVPN isn't really designed to obfuscate the nature of the traffic any more than IPSec does. Both are about creating secure tunnels, with OpenVPN being very easy to configure and maintain as opposed to the pain that is IPSec. I use OpenVPN a lot, both for our road warriors, and to create the secure tunnels between our locations. In that role it really is an incredibly nice piece of software. But if I were looking at making something whose intent was to disguise that I was encrypting traffic at
Re: (Score:2)
My understanding is that some deep packet inspection methods can determine if potentially encrypted data is being passed through a filter. Obviously it's going to be error prone, but what does that matter when the general plan is to sufficiently inconvenience people so they don't even try. I doubt the PRC cares that maybe the odd innocent bystander's data gets hit as a false positive.
As a counter to that, I have read of encryption schemes that will bypass this kind of filtering, but it's going to be a lot slower as a lot more junk data has to be thrown in to fool detection. Good for low-bandwidth needs like passing text-based emails and the like, but not much good for anything high bandwidth like voice communications.
IIRC there is a patch for OpenVPN to make a tcp:443 based VPN appear to be a genuine https connection, even to DPI
Re:OpenVPN port tcp/443 (Score:4, Informative)
It's actually not all that difficult to spot vpn traffic. Run some DPI and just simply look at the size of the packets being exchanged. L2TP/IPSEC/etc will all have very regular size exchanges that virtually uniquely identify them. Doesn't matter how you encrypt or tunnel it if you don't change the payload sizes.
It's like saying "You can't block my bittorrent client if I just change my port!" Actually, yes we can. And we do. Quiet easily actually.
I haven't looked closely into TOR to see if it pads with random size data, (betting they DO) but that's what they need to do with vpn to seriously defend against traffic analysis.
Even with that, it's still not bulletproof, but it dramatically increases the work and false positives on the detection side of the fence.
Re: (Score:2)
It's actually not all that difficult to spot vpn traffic. Run some DPI and just simply look at the size of the packets being exchanged.
You are talking simple in THEORY, but not in practice. We're talking about sniffing the traffic of a COUNTRY, not a small office. That takes serious hardware and serious money if they don't want to crawl. Sounds like they are ready to turn on some system. But like all things internet, it will only take a short time for people to learn how to get around it.
Re: (Score:1)
Of course they can simply demand that whomever provides access / if they do it themselves have to filter it?
Re: (Score:2)
The sort a country has.
Re: (Score:1)
No need for that mental masturbation, just google great firewall probing, the system just stores the host and attempts to connect later, if the Tor connection succeeds the host is blocked.
http://www.cs.kau.se/philwint/static/gfc/
https://idea.popcount.org/2013-07-11-fun-with-the-great-firewall/
Re: (Score:1)
How are you going to stop that?
Trivially? That is actually dead simple to detect and block, genius. Your DPI just has to presumes that the only thing on 443 should be SSL.
You would have to obfuscate your packets in some way (e.g. padding/splitting them prior to encryption, and then embedding them in SSL traffic). Vanilla OpenVPN does not do this. OpenVPN over stunnel gets you a little closer, but not all the way, IMHO. Even once you do that, statistical analysis of sources and destinations alone (e.g. normal users don't have a ton o
Re: (Score:2)
timing and sizes are different so they can in fact catch it :(
Re: (Score:2)
Politicians in the West are also typically as dumb and just as threatened by technology.
By and large, politicians still don't like the Internet, regardless of location and political ideology. They think it takes power away from them. It's a generational issue - most politicians, when they reach national power, are my age, at least, and probably never actually touched a general-purpose computer themselves.
The quicker my generation dies, the better.
I'm OK with that.
--
BMO
Re:I wonder if the realize... (Score:5, Insightful)
The quicker my generation dies, the better.
Dunno how you are, but I may be similar (late 57 here).
So yeah, most of our gen are technical ignoramuses, I'll agree with that. But I disagree it's any better among the younger folks, and in fact in some ways it's worse. Our generation built a free and open internet, on open standards and open protocols. You wanted to run your own IRC or XMPP server, go ahead. It was not a locked down internet. It took the younger set like Zuckerberg to destroy that ethos. And not just him, but masses of people have eschewed those open standards in favor of golden jails like Instagram and Facebook that facilitate centralized censorship and control.
In our generation there were two categories: technically literate people, and people who were not using technology so were not having adverse impact upon its evolution. In the current generation there are two categories: technically literate people, and people who are technically clueless but ARE having an adverse impact on its evolution. Sadly, in both generations the technically clueless outnumber the technically aware by magnitudes, but in our generation the clueless weren't changing the direction with their choices, since they weren't involved at all.
Re: (Score:1)
40s here. I may have been late to the party, but I came to an Internet run by open protocols, IRC, telnet NNTP, SMTP. Want to run NFS across the Net? You could mount wuarchive.wustl.edu/archive read-only (make sure to do a soft mount.)
What have the people like Zuc brought to the ecosystem? Spying, logging, telemetry, centralization. The hacker ethos was replaced by the ka-ching sound of anything goes if you get money for it. There has been nothing brought new by the post-2000 commercial dot-coms that
Another reason to avoid business trips to China (Score:5, Insightful)
When I used to go to China, I often found that access to sites I need to use to do my work were blocked in whole or in part. Without setting up a vpn, I can't do my work. And even then, it was always a cat and mouse game as the connections were randomly terminated.
So now I just avoid going there at all if I can help it.
Re: (Score:3)
What you mean like this guy?
https://yro.slashdot.org/story... [slashdot.org]
Re: Another reason to avoid business trips to Chin (Score:1)
I agree. It's almost as bad as going to the US.
Re: (Score:2)
in southern south America, insulated from the troubles of the northern hemisphere
Hah! You're either ignorant or naive. Wait until your traveller's honeymoon period fades away & then your eyes'll be opened. Despite all of the problems in the West (TM), they ain't nothin' compared to the political & financial instability of the developing South American economies.
Re: (Score:2)
Re: (Score:2)
A lot of people are, this policy is going to be something that will start to draw companies back out of China on top. It's easy to see the reasoning as to why they're implementing this policy though. It's Trump. [ft.com](or if you're not a FT sub you can read the synopsis here [breitbart.com].) Not him, in itself, but the idea that a populist can rise through the ranks and throw the entire establishment on end. Hell China has banned anything to do with the US election, is requiring heavy censorship on all CN sites that have com
Wonder if this applies to TMobile (Score:3)
A couple of years ago visiting China my TMobile phone's plan included unlimited data at 2G speeds. I got sites that were normally banned to Chinese users as if I were in the US, so I suspect it routed straight to TMobile somehow but never got the details. I wonder if this crackdown will stop that access?
Re: (Score:2)
At the moment roaming data seems to be unfiltered as far as I can tell. I assume they are working on the basis that they know that these people are foreign, so there is no benefit to filtering the traffic. VPNs have been hit and miss enough recently that I have been suspecting they have been experimenting with blocking them, although as that includes our corporate VPNs it may be coincidence.
Re: (Score:2)
2G access used something called Mobile IP. What happens is that your phone establishes a tunnel to your home provider and gets the IP from your home provider that way. The phone uses the tunnel to send data
Re: (Score:2)
All IP traffic is still brought across the network back to your home carrier (Usually in a VPN funnily enough). Local Break Out, or "LBO" is there in 3G/4G land, and while supported in software the mobile network as it was written when the EU wanted to get rid of the roaming charges nobody has ever picked it up. As the business model of a break out gateway (Also requiring a new APN) was limited to before roaming charges were scrapped, nobody bothered setting up a provider for it.
So in your instance as a US
Others? (Score:2)
Find a better VPN (Score:3)
Due to skill and cash flow they can try to avoid deep packet inspection.
The deep packet inspection is looking for any use of an encrypted VPN protocol.
Deep packet inspection is the result of a few vendors that sell into China. Deep packet inspection can be understood.
Any quality VPN provider could look at what deep packet inspection is sold to China and then protect its VPN users.
Re: (Score:2)
Don't look for or mention any terms surrounding Tiananmen Square, 1989, tank man, martial law.
The final way out was a VPN. Now thanks to global vendors been allowed to export fast deep packet inspection to China even the VPN issue is now public.
Re: (Score:1)
Any quality VPN provider could look at what deep packet inspection is sold to China and then protect its VPN users.
Do you really think that any of the infrastructure for the GFW runs on imported foreign hardware? Many western telcos have been switching to products from ZTE and Huawei because of lower prices and products that match their requirements. China has regulation in place that forbids use of imported networking equipment for 'sensitive sectors' and actively favours local companies in many industries.
Thanks for raising public awareness (Score:1)