> The use of VPNs in China can provide individuals access to the international internet, but in China, it can be a potential legal risk. In 2017, the Chinese government declared all unauthorized VPN services to be illegal.[94] An example of the use of this punishment is Vera Zhou, a student at the University of Washington, who, when visiting her Hui parents in Xinjiang, China, used a VPN to access her school homework. She was arrested and sent to a Xinjiang internment camp from October 2017 until March 2018, followed by house arrest after her release. She was not able to return to the US until September 2019.[95][96]
→ https://www.chinafile.com/extensive-surveillance-china
→ https://www.rfa.org/cantonese/news/student-01272020075256.ht...
It looks like 周月明 (Vera Yueming Zhou) was sent to a Chinese concentration camp mostly because she was part of a religious minority and not necessarily for using a VPN to access the University of Washington’s website.
> Vera was living in her hometown of Kuytun (Kuitun) in Ili Prefecture, an area directly north of the Tian Shan mountains that borders Kazakhstan. She had been trapped there since 2017, when—in the middle of her junior year at the University of Washington, where I was an instructor—she had taken a spur-of-the-moment trip back home to see her boyfriend, a former elementary school classmate. Using digital surveillance tools, the Kuytun police had noticed that Vera had used a Virtual Private Network in order to access websites such as her university Gmail account. Given her status as a member of a Muslim minority group, this could be deemed a “sign of religious extremism.”
When I rented a furnished apartment in Saigon back in 2008, there was an ethernet cable on the table and a piece of paper in English that said "Do not visit websites of anti-government propaganda, or pornography, or news such as the New York Times."
Naturally, as the police held my passport for the entire year I was in Vietnam, I was cautious. But after a few days, I just went ahead and openly browsed the NYT for a few minutes. My internet was shut off for about 3 hours. The next time I did it, it was shut off for 24 hours, and then I knew it wasn't a glitch. It wasn't exactly immediate, either; it took a few minutes. I was pretty sure there was a semi-dedicated person assigned to watch my traffic.
That wasn't over a VPN. I wanted them to see my traffic. But I knew running over a VPN would just raise suspicion. When I opened up VPNs to check email after that, I did it from cafes, and I did it in short spurts.
In fact, the US Department of State recommends that all US citizens have a photocopy of their passport with them when traveling abroad.
Supposedly you get in shorter lines at the consulate if you have at least a photocopy of your passport available. You should be able to petition the consulate of your home country to issue you a new passport. I think it may be illegal, but I've heard from people who travel to places where it's sketchy for Americans to travel, that they report their passport as destroyed, get a second copy issued, then keep the first one.
The reasoning is that certain immigration departments see red flags if they see visa stamps from certain other countries, and you may get grief for having visited them. Cuba and the US used to be one, but cross-border rivalries are another. Knowing who hates who and presenting the right passport to receive the stamp would save you grief. Also if you encounter corruption/extortion you can schedule the next flight out and run.
With the electronic ones now I don't know how many places that still works.
Except for that one time when police (of a certain district, not everywhere in China) knocked on people's doors to inspect their phones for VPNs during the "white paper protest" I believe.
My experience is most younger and tech savvy people have a VPN. It’s common / casual, like speeding your car by 10mph on the highway.
Most people are not persecuted for using a VPN, I assume that’s reserved for people who the government already wanted to persecute and just need to give an excuse for why they detained their target.
GFW is sophisticated beyond imagination; one way to detect VPN traffic (or SSL, or SSH) is to observe its patterns and where the traffic is going. It's not too hard to have a blacklist of all VPN vendors too.
shadowsocks was designed to bypass it (to make traffic look random); I recall its developers were visited by cops and warned to stop doing that.
It's said China built the largest LAN on earth; the government is just too scared of its people getting educated. It's a true parallel universe.
Use of VPNs is... universal... among middle-to-upper-class Chinese. This is obviously not an example of legal risk associated with using a VPN. Rather, it's an example of a punishment coming down on someone who was targeted for other reasons.
An immediate implication is that, if you repealed all the laws against VPNs, nothing about anything would change.
FWIW, my most reliable trick ended up piggybacking off of a physical line going into Hong Kong from Shenzhen, and when roaming around China, using a VPN to get to that Shenzhen gateway. As far as I can recall, that always worked. This led me to believe that most of the VPN traffic analysis (and blocking) was done at the edge of the GFW and not inside of it. Again, this could be outdated by now.
It was blocked immediately and the client could not connect. I had several unknown IPs try to connect prior to the attempted connection.
I was stunned at how water tight the GFW is, it's really unfortunate as I would love to work/travel through China but cannot due to needing an active internet connection.
I used it successfully when I was in mainland China, while VPNs, even the ones boasting they could get through the GFW, were all hit or miss.
Well, I'm sure the Chinese are tapping it. ;-)
Its more that they are just not actively acting on the content.
“You should…” from any large corporation translates in my mind to “…because we certainly won’t.”
Every morning, our colleagues in China would open their mail client and it would connect to our server abroad.
The first person would usually be OK, but for everyone else, the connection would fail.
At the time, almost nothing was known of the GFW and it wasn't as clever as it is now. I found out that the POP connection was quickly blocked after a few minutes, probably triggering some slow firewall rules along the way (it seemed a bit random, so I assumed the firewall setup wasn't unified).
Moving to POPS/SMTPS seemed to improve things for a while, but the connection would still be randomly blocked.
What worked in the end was to use a bunch of random ports instead of the well-known ones to accept POP/SMTP connections on the server, and we never had any issues after that, at least until we changed systems a couple of years later.
A simpler test is to search "what is my IP" and compare the values returned by different services.
Back then, certain times (early June, big government meetings) would see a crackdown on VPNs where, so far as I could tell, they just threw down crude blanket blocks on anything they sorta-kinda knew was a VPN but couldn't procedurally target-block. It would (usually) still connect but be rate-limited to essentially nothingness.
I always got the vibe that they sort of informally tolerated VPNs above a certain threshold of sophistication, figuring that they were more interested in blocking the low-hanging fruit that the unwashed masses could easily use, rather than something more sophisticated that only a few techno-nerds could utilise. As other posters have said, they'd know who was doing it and preferred to come knocking with a rubber hose if those people caused too much in the way of issues.
Maybe it's good for the world that they burn so much talent and wealth on adding inefficiency to their internal information exchange.
For example, they actually bow to American pressure and try to avoid sanctions or other trade problems. As of today their navy could be completely destroyed with like 30% of the US Navy, so any naval blockade is probably unbreakable for them. Iran's junta would (and did) just say "whatever" and continue tanking the GDP.
Another example - the Chinese intelligence helps domestic industries, even those that are far from the defense business.
> They spend almost the same %GDP as the US does on the US military as on their internal suppression forces.
It's almost as if PRC doesn't spend that much %GDP on military. The waste is PRC spending as much as US on domestic policing, which is not great considering how militarized US policing is. Meanwhile PRC simply doesn't spend that much on defense: <2% vs US ~3.5%, or, if you include guesstimates of shadow budgets, 3% vs 6%.
The technologies for resolving America's problems are well understood: majority decision making, parliamentarism, representation and participation of electoral minorities rather than inhibiting the work of the majority, a narrower scope of judicial review and/or a more flexible constitution. But as long as people say, as you do, "it isn't the thing that caused the problem that is the problem, it is some fancy gadget that is the problem", then you will be unable to solve the problems.
Stuff like socks5/shadowsocks and wireguard have long been useless. Imagine being in your house, and you want to go out, without anyone seeing you. No matter how well you try, just the attempt itself reveals you are trying, thus you are caught. Same for escaping GFW. A sanctioned VPN or RDP that stays alive without metering is your best option.
idk if I'm smarter than the GFW, but every time I rolled my own censorship-circumvention tool it worked well; even the most lazy way worked. I've never used any VPN provider. And FYI even unchanged WireGuard still works, though there seems to be some offline traffic analysis looking for that, so once a week you'd wake up to your VPN connection broken and have to change ListenPort on the server.
The only annoying thing for me is: f- you AWS, egress too damn expensive!
[1] https://www.fastly.com/blog/a-first-look-at-chromes-tls-clie...
[2] https://gitlab.torproject.org/legacy/trac/-/issues/4744
[3] https://blog.torproject.org/ethiopia-introduces-deep-packet-...
"Allow a connection to continue if the first TCP payload (pkt) sent by the client satisfies any of the following exemptions:
Ex1: popcount(pkt) / len(pkt) ≤ 3.4 or popcount(pkt) / len(pkt) ≥ 4.6.
Ex2: The first six (or more) bytes of pkt are ∈ [0x20, 0x7e].
Ex3: More than 50% of pkt's bytes are ∈ [0x20, 0x7e].
Ex4: More than 20 contiguous bytes of pkt are ∈ [0x20, 0x7e].
Ex5: It matches the protocol fingerprint for TLS or HTTP.
Block if none of the above hold."
First rule exploits the IND-CPA property of most encryption. You want to kill traffic that has about 4 bits set to 1 per byte, i.e. traffic that "looks random".
The following rules are exemptions for permissible encrypted or compressed traffic (note that compression, while not IND-CPA, results in high entropy and thus will trigger the first rule).
This could work very well, which is confirmed by the researchers in this paper.
Do you mean "found" by the CCP, or "found" by the researchers? In the case of the CCP it was likely generated through basic statistical analysis, and tuned to minimize side effects and collateral damage below some threshold of acceptability (~0.6% of global traffic unintentionally blocked). In the case of the researchers, the paper details the basic statistical analysis used to discover these rules.
Ex2-4 are just excepting ASCII text, which is used by many unencrypted protocols (e.g. IMAP), but which are high enough entropy that they statistically will fail the first test often.
Ex5 is necessary because TLS is high-entropy (by nature of being encrypted). HTTP is also excepted presumably so e.g. compressed uploads (e.g. images/video) aren't flagged.
That "low entropy" is the key to bypassing the GFW isn't surprising at all -- high entropy is all but a necessary feature of most cryptography schemes. (I say "all but" because -- encryption isn't adding information, so unless you compress before you encrypt, it's possible for a (hypothetical) encryption scheme to preserve entropy, according to several objective metrics. I don't know of any that do this, beside the meta scheme of compression before encrypting, followed by steganographically padding the encrypted data afterward. This of course leaks some information through the encryption -- equal to the negentropy of the message -- but it would typically be information that can't be gleaned from context, e.g. that the message is HTML+text.)
So... base64-encode your TLS?
There's at least 1'000 such algorithms at each google-like company.
My university vpn only worked for a few days while studying in China.
But there is this tiny little VPN software being spread around. Not sure if it's true, but I remember it's Falun Gong teaming up with the CIA. Which at the time was able to go undetected; I think they keep rotating the IPs or something.
Was interesting how fast that tool spread "offline" between international students. Also Chinese have it but its less known among them.
Not sure if it still works: https://en.m.wikipedia.org/wiki/Freegate
[Edit] Here is an old HN comment saying it doesn't work anymore and other options that are also hard:
https://signal.org/blog/looking-back-on-the-front/ (2018) https://news.ycombinator.com/item?id=16970199
The easiest bypass I can think of would be to tunnel your connections via TLS. For example, a socks server tunneled via SSH, which in turn is tunneled via TLS to your gateway.
Or perhaps you can somehow get your SSH client to transmit "GET " at the beginning of the connection, have the server ignore those 4 bytes, then proceed as usual.
Can China pressure every domestic company to use their certificate authority allowing them to decrypt all TLS traffic, or be blocked? And block all sites outside China?
[1] https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a...
2 - they obviously do not want to block all traffic, since they can do it any day, but they don't.
It also becomes an inspiration to others.
SSH is also exempt...
Your mistake is assuming that China has rule of law. If you're in China and you upset Xi enough, you get jailed/disappeared even if you technically didn't break any laws on the books.
It doesn't seem that there are any (long-term) solutions to bypass the rules ...
So for now, circumvention can live on, but this explains to everyone using fully encrypted protocols exactly why their connections would have been degraded over the past couple years. In the long term, steganography will probably work well as long as users are able to endure much higher costs for traffic (low ratio of true data to apparent data) and as long as the steganographic systems are effective at hiding any statistical fingerprints (very difficult). Protocol mimicry is another strategy, but a paper cited in this work details why successful protocol mimicry is very difficult.[0]
Attempts to disguise circumvention traffic as typical traffic are very difficult, because a lot of fingerprinting information can be gleaned from handshakes and headers. The draw of fully encrypted traffic is that it provides very little variation which can be used to fingerprint and classify different types of usages. However, it's also easy to detect and block en masse -- that much is obvious, but this paper does a great job of showing how China does it, and inferences can be made from that to provide a view into China's priorities (how much cost they're willing to incur, rates of false positives they feel are acceptable). Overall, China's blocking currently appears to be fairly conservative here, with relatively low rates of false positives.
In wider context, China is constantly updating their detection schemes, they're quite competent at it, and anything which doesn't match typical traffic is at risk.
That is, assuming entry nodes are available as e.g. nginx proxies inside the Chinese ASNs and are allowed to operate serving websites to ASNs from foreign countries.
I'm mentioning nginx because there were some related bypass vulnerabilities in the past, and one could argue that they just missed updating them.
> Houmansadr et al. [39] conclude that mimicking a protocol is fundamentally flawed and suggest that tunneling through allowed protocols be a more censorship-resistant approach. Frolov and Wustrow [35] demonstrate that even when a tunneling approach is used, it still requires effort to perfectly align protocol fingerprints with popular implementations, in order to avoid blocking by protocol fingerprints. For instance, in 2012, China and Ethiopia deployed deep packet inspection to detect Tor traffic by its uncommon ciphersuites [44, 55, 67]. Censorship middlebox vendors have previously identified and blocked meek [29] traffic based on its TLS fingerprint and SNI value [28].
https://www.virustotal.com/gui/url/f530591ff939e09c1cf8bc534...
Also, "it's done for social harmony"; Very few places are as dogmatically hostile towards social good as the US, and are willing to make individual liberty sacrifices so that everyone may be better off. Arguably this is the same rhetoric or philosophy as the "Thin blue line" American cops love.
Also, your average Chinese person just doesn't care to see English-language media that much. They have diverse (to them) opinions and culture on their homegrown social media systems, and don't feel a need to leave the walled garden of the Chinese internet, much in the same way most westerners do not feel the need to join Russia's social media apps.
Also, the CCP "brought millions out of poverty" within living memory. Many people there feel that justifies a hell of a lot of vaguely "bad" actions, or makes it way easier to rationalize things.
It's like the cold war.
And yet we can never cut them off because it would be economic suicide.
VPN authors should choose the maximum collateral damage strategy to frustrate GFW authors, and make China as close as possible to completely cutting off the outside internet. No need to completely evade fingerprinting; instead, do the complete opposite, and try to mimic common protocols and critical applications as much as possible.