Visitors from many nations flock to China to view one of the world’s architectural marvels: the Great Wall of China. China’s imperial rulers first erected this monumental defensive barrier more than 2,000 years ago to keep out invading armies. Today, China uses a more high-tech wall that functions in reverse, keeping Chinese citizens “inside” when they attempt to access the Internet, as well as limiting foreign influences: the Great Firewall of China.
The Great Firewall, also known as the Golden Shield, isn’t a single security device. Rather, it is a collection of technologies from many different companies designed to filter Internet traffic entering and leaving China. While it may be primarily designed to restrict the activity of Chinese citizens, it also impacts the ability of business travelers and tourists seeking to use the Internet to reach back home.
History of the Great Firewall
The Internet came late to China, arriving in 1993, several years after almost every other country on the planet connected. The Chinese government immediately realized the impact that widespread communication could have on their closed society. Government censors reacted in 1997 when the Ministry for Public Security released a set of regulations governing Internet use in the country. One section, translated by the Congressional Research Service, sums up the Chinese government approach well. It reads:
“Users are prohibited from using the Internet to create, replicate, retrieve, or transmit information that incites resistance to the PRC Constitution, laws, or administrative regulations; promotes the overthrow of the government or socialist system; undermines national unification; distorts the truth, spreads rumors, or destroys social order; or provides sexually suggestive material or encourages gambling, violence, or murder.”
The passage of this law also marked the beginning of China’s Golden Shield project, an effort to filter and censor all Internet traffic in the world’s largest nation. The project began in 1998 and went into full production mode in 2003. The system remains fully operational today and is highly effective, censoring traffic on a wide range of topics deemed offensive by the government.
The Open Net Initiative, a nonprofit organization focused on Internet filtering and surveillance, describes China’s Great Firewall as “one of the most pervasive and sophisticated regimes of Internet filtering and information control in the world.”
Building the Great Firewall
The effectiveness of the Great Firewall lies in its diverse approach to Internet filtering. The system uses a wide range of technologies designed to censor offensive web traffic and defeat the many circumvention methods publicized on the Internet.
As hackers develop new approaches to work around the Great Firewall, the Chinese government builds new countermeasures to defeat those workarounds. The old security adage of defense-in-depth describes the importance of using multiple overlapping controls to achieve important security objectives, and the Chinese government certainly embraced that principle in its design.
The most basic mechanism used by the Great Firewall is simple IP address blocking. The Chinese government maintains a blacklist of known undesirable IP addresses and simply blocks all access to those addresses. They may use this technique to ban access to web servers, proxy servers and other devices that jeopardize Chinese government objectives.
In many cases, websites use multiple IP addresses and may rotate those addresses frequently, which limits how long a static blacklist entry stays effective. This is especially true in the era of Infrastructure-as-a-Service, where websites may temporarily lease IP addresses from cloud service providers and then release those addresses when they are no longer needed.
The Chinese government uses DNS poisoning to block sites where a simple IP block isn’t effective. When a user requests the IP address of a blocked domain name, the Chinese DNS servers return poisoned, invalid results, preventing the user from reaching the site and redirecting them to a site considered harmless.
The use of DNS poisoning can impact third parties in surprising ways. When the Chinese government poisons DNS results, they provide a false IP address in response to a DNS query. The unfortunate website located behind that IP address may find itself quickly overwhelmed by a flood of traffic generated by Chinese web users seeking to access blocked content.
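An operator whose server sits behind one of those falsely returned IP addresses would see the collateral flood as requests carrying Host headers for domains the server does not serve. The following detector, an added example that is not part of the original article, runs that check over constructed access-log lines (the log format, the hosted-domain set and the alert threshold are assumptions, not anything from the page):

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic): a common-log-style record
# with the request's Host header appended in quotes. The "*.example" hosts
# are not served here; they arrive because a poisoned DNS answer pointed
# their clients at this address.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "example.org"
198.51.100.9 - - [12/Mar/2015:10:01:03 +0000] "GET /news HTTP/1.1" 404 0 "blocked-site.example"
198.51.100.10 - - [12/Mar/2015:10:01:03 +0000] "GET / HTTP/1.1" 404 0 "blocked-site.example"
198.51.100.11 - - [12/Mar/2015:10:01:04 +0000] "GET / HTTP/1.1" 404 0 "other-blocked.example"
203.0.113.8 - - [12/Mar/2015:10:02:10 +0000] "GET /about HTTP/1.1" 200 300 "example.org"
198.51.100.12 - - [12/Mar/2015:10:02:11 +0000] "GET / HTTP/1.1" 404 0 "blocked-site.example"
"""

# Domains this origin legitimately serves (assumed for the example).
HOSTED = {"example.org", "www.example.org"}

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<host>[^"]*)"$'
)

def parse(log_text):
    """Yield a dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def foreign_host_report(log_text, hosted=HOSTED, threshold=3):
    """Summarise requests whose Host header names a domain we do not serve.
    Returns (requests per foreign host, distinct client IPs per foreign host,
    foreign requests per minute, alert flag)."""
    per_host, per_minute = Counter(), Counter()
    sources = defaultdict(set)
    for rec in parse(log_text):
        host = rec["host"].lower().split(":")[0]   # drop any :port suffix
        if host == "" or host in hosted:
            continue
        per_host[host] += 1
        sources[host].add(rec["src"])
        per_minute[rec["ts"][:17]] += 1            # 'dd/Mon/yyyy:hh:mm'
    distinct = {h: len(s) for h, s in sources.items()}
    alert = sum(per_host.values()) >= threshold
    return per_host, distinct, per_minute, alert
```

Many distinct client addresses all asking for the same unserved domain is the pattern that distinguishes this collateral traffic from an ordinary misconfigured client.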
Indexing the entire web is a mammoth undertaking and it simply isn’t possible for any organization, even one with the resources of the Chinese government, to build a complete blacklist of undesirable sites. In an attempt to overcome this limitation, the Great Firewall also employs URL filtering that searches the names of web pages requested by users for terms considered subversive. The Great Firewall then blocks access to those pages.
Some users attempt to defeat the Great Firewall by using encrypted HTTPS connections to websites. The thought is that if the communication between the web browser and server is encrypted, the Chinese government won’t be able to see the contents of the communication and filter it.
The Great Firewall also has a workaround for this technology: the man-in-the-middle attack. In this attack, the Great Firewall pretends to be the web server that the user wishes to view and presents a false digital certificate to the user’s browser. If the user is fooled into accepting the certificate, he or she communicates with the Great Firewall, which then passes communications on to the desired website. This position in the middle of the communication allows the Chinese government to eavesdrop on the connection.
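The defence against the interception described above is the browser's certificate validation, and a pinned public key catches the case where the user has been talked into trusting the interceptor's certificate authority. The following is an added, simplified model of those checks (not code from the article or from any browser): certificates are constructed dictionaries, a `signed_by` field stands in for a verified signature, and the CA names, key bytes and hostname are all assumptions.

```python
import hashlib

def spki_pin(cert):
    """SHA-256 of the certificate's public key bytes, hex encoded."""
    return hashlib.sha256(cert["pubkey"]).hexdigest()

def validate(chain, hostname, trusted_cas, pins=None):
    """Decide whether a client should accept a presented chain.
    chain[0] is the leaf; trusted_cas is the set of root CA names the client
    trusts; pins is an optional set of accepted leaf SPKI hashes.
    Returns (accepted, reason)."""
    leaf = chain[0]
    if hostname not in leaf["names"]:
        return False, "hostname mismatch"
    # Walk the chain: every certificate must be signed by the next one,
    # and the last one must be signed by a CA in the trust store.
    for cert, issuer in zip(chain, chain[1:] + [None]):
        if issuer is None:
            if cert["signed_by"] not in trusted_cas:
                return False, "untrusted issuer: " + cert["signed_by"]
        elif cert["signed_by"] != issuer["subject"]:
            return False, "broken chain"
    # Pinning: even a chain that validates is rejected if the leaf key is
    # not one the client has previously pinned for this site.
    if pins is not None and spki_pin(leaf) not in pins:
        return False, "pin mismatch"
    return True, "ok"

# Constructed certificates: the genuine site's and the interceptor's.
GENUINE = {"subject": "example.org", "names": ["example.org"],
           "pubkey": b"constructed-genuine-key", "signed_by": "Public CA"}
INTERCEPT = {"subject": "example.org", "names": ["example.org"],
             "pubkey": b"constructed-interceptor-key", "signed_by": "Intercept CA"}

TRUSTED = {"Public CA"}
# Trust store after the user was fooled into accepting the interceptor's CA.
TRUSTED_PLUS_BOGUS = {"Public CA", "Intercept CA"}
PINS = {spki_pin(GENUINE)}  # pin recorded on an earlier, uncensored visit
```

With `TRUSTED` the interceptor's certificate is rejected outright; with `TRUSTED_PLUS_BOGUS` it passes chain validation and only the pin check still refuses it.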
Over the past few months, observers noted an increase in the censorship performed by the Great Firewall. In February, The New York Times reported that the Chinese government added Instagram and Line to the list of blocked social media sites and users behind the Great Firewall reported stepped-up controls that blocked popular techniques used to bypass Chinese filtering.
Defeating the Great Firewall
As long as the Chinese government has attempted to filter communication into and out of China, activists have worked to defeat those controls and provide unfettered access to Chinese citizens and foreigners visiting the country. Some of those efforts have been more successful than others, but they all illustrate the difficulty of cutting off free and open access to information in a technologically advanced world.
One of the primary mechanisms used to defeat the Great Firewall is Virtual Private Networking (VPN). VPNs use encryption to build a secure tunnel between two computing systems or networks. Companies often deploy VPNs that allow traveling users to securely access corporate networks. Travelers to China often use VPNs to connect back to their home networks and then use the unrestricted Internet access from that location to access the rest of the Internet.
The VPN approach was so successful for business users that it quickly spread to Chinese citizens who purchased accounts on commercial VPN services. These services allow Chinese citizens to establish a secure connection to an uncensored country, such as the United States or United Kingdom, and then access the Internet as if they were physically located in those countries. The Chinese government noticed this use and recently took technological measures designed to detect and block VPN connections.
Individuals seeking to access the Internet from China also make use of the anonymous Tor network. Like VPNs, Tor uses encryption to obscure the content of Internet communications. It also adds anonymity to those communications by relaying requests through several anonymous servers located around the world.
While the Chinese government blocks known Tor servers, many activists operate secret Tor sites, known as “hidden nodes.” These servers, advertised within dissident communities, operate in secret, providing access to the Tor network and, by extension, the open Internet.
The battle between the Chinese government and Internet users is a constant struggle between hackers seeking to undermine the Great Firewall and government programmers seeking to upgrade it so that its censorship continues. Businesses operating in China and IT professionals supporting Chinese users must be aware of the firewall, the technologies it employs, and the mechanisms users may employ to defeat the Great Firewall’s filtering and censorship.