Finding Holes in the Great Chinese Firewall

Despite the Chinese government’s continuing crackdown on freedom of expression, putting hundreds of so-called VPN servers out of business and closing down access for millions of Chinese eager for information from outside, it’s still possible to find holes in the Great Chinese Firewall, according to a study by a UK-based consumer advocacy organization.

Nonetheless, they are closing fast as Chinese authorities raise the stakes in their scramble to limit information. On March 31, the Chinese government pushed out an update to the Great Firewall blackholing hundreds of VPN servers. VPNs are private networks extended across public networks that enable users to send and receive data without detection.

The Great Firewall was developed in the 1990s under the so-called “Golden Shield Project” by the Bureau of Public Information and designed to limit access to foreign information sources, blocking such popular foreign applications as Google, Facebook, Twitter and Wikipedia. Its secondary goal is to nurture domestic sites such as Tencent and Alibaba.

The effect has been a decades-long kind of guerrilla war between the government and computer-savvy hackers seeking to get around it. Some Chinese sources have regarded the Great Firewall with a certain amount of contempt. But that has begun to change. Today the government is systematically detecting VPNs. If authorities detect you searching for the wrong thing, internet access can be turned off by overwhelming any device with polite requests to shut up.

China’s system of high-tech spying is pervasive, according to the new study by a UK-based consumer website named Comparitech: “When you’re online in China, someone is always watching. VPNs have never been more important, and they’re being systematically detected and shut down by the government in really advanced and upsetting ways.”

Comparitech, a remote team of 30 researchers, writers, developers, and editors covering a wide range of online services including VPNs, password managers, ID theft protection, antivirus, internet providers, network monitoring, and more, decided to find out how effective the government’s shutdown really is.

The company rented a server in Shenzhen and set out to test 59 VPN providers to see whether it was still possible to get around the Great Firewall, checking each to see if it was possible to connect to banned websites and get around regional content bans.

Every bit of internet traffic going in or out of China is wiretapped, according to the Comparitech study. Seven backbone connections serve the country, with each monitored, logged, checked, and double-checked by farms full of servers.

Information is routinely combined with location and call information from mobile providers to provide an astonishing amount of data on every citizen.

“What they’ve built is a nationwide stateful firewall – a big, powerful tool for keeping track of each and every session created by each and every device across the entire country,” the study said. “It’s tracking you, and it’s smart enough to know whether you’re having counter-revolutionary thoughts and shut them down on the fly.”

Censorship is so pervasive that people familiar with the Great Firewall often make a distinction between “Chinese internet”—a walled garden of state-monitored websites, apps, and services—and “rest-of-world (RoW) internet.” There is no such thing as internet privacy or freedom in China unless you take steps to protect yourself, according to the study.

Comparitech VPN testing in China

VPNs remain the primary means of bypassing the Great Firewall, and although many are blackholed, a distinct few can reliably get through. The demand for them is high.

Comparitech developed an automated testing suite and added all 59 VPN providers. For each provider, the suite connects, opens a command prompt, and logs ping results to Facebook, Twitter, Twitch, Reddit, Instagram, and Wikipedia. It also logs two DNS lookups for each, hopefully returning American servers for YouTube and Netflix. UiPath takes a final screenshot, then disconnects before starting on the next provider.

The test pits every provider’s recommended configuration against China’s best defenses.

After testing, the researchers said they found mixed results. Few VPN providers can beat the Great Firewall. Their existing servers have been “blackholed” and their connections aren’t secure enough to avoid Chinese state detection of new servers. Standard OpenVPN connections, and even dedicated servers, are being detected and shut down.

The providers who fared best all had to use additional encryption over and above what OpenVPN traditionally offers. More than one provider made use of the OpenVPN scramble extension that obfuscates packet headers in order to avoid detection by automated network defense systems.

“When you’re shopping for a VPN in China, that extra layer of security isn’t really optional,” the researchers say. “It’s the key to a reliable connection that will beat Party wiretapping.”

China’s first line of defense is, and always will be, blackholing sites and services via Border Gateway Protocol (BGP), which was designed to allow routers to communicate efficiently and tell other routers which resources are and aren’t available, according to the study.

Changes made in China’s biggest state-run routers propagate automatically via BGP, which puts the Chinese internet authority in every ISP in the country. The state enforces its blacklist by using the technology exactly as intended, just with the worst possible motivation. Sites disappear across the entire country when China updates its routers.

OpenVPN is under attack

OpenVPN is the most popular protocol for establishing private networks, in China and everywhere else. The government can’t shut it down completely because of its utility in enterprise networks.

But, the researchers found, “they’re getting smarter and faster at finding unauthorized OpenVPN traffic.” It’s possible to establish an OpenVPN server outside of China, but it is inevitably blocked within a day or two.

The study cites Proton, headquartered in Geneva, as an example of a provider that is unable to adapt to China’s evolving defenses.

VPNs can still bypass censorship and maintain privacy in China

“In order to take basic steps to protect yourself online in China, you need a VPN,” according to the researchers. “But the government is getting better and better at detecting them. We saw VPNs that succeeded at our testing use next-generation obfuscation to hide their servers from the internet censors’ blackhole.”

But strong encryption is no longer sufficient. Packet headers themselves need to be protected.

“Unless more VPN providers do a better job of hiding themselves, they’ll find themselves unable to compete in the country. Not only has the Great Firewall gotten better at detecting VPNs in use, China has also taken steps to block VPN websites and app store listings for VPNs. Domestic VPN providers that offer access to the outside world have been shut down. The war goes on.