New Circumvention Tools For Restrictive Internet Environments
Internet censorship in China has been tightening substantially since the autumn months of 2013. Blocked web sites, deleted postings on social media, and tight control of news and information sites are common. It is part of a campaign to control thought and enforce neoMaoist ideology in China, to the great detriment of truth and function necessary for a modern, civilized society to exist. Chinese services, controlled by the government, are vastly predominant on the internet due to blatantly protectionist elimination of foreign competition. Network users who want to use email, news, file storage, or other services of their own choice must use VPN technology to evade Chinese censorship.
During the last days of May, 2014, the Chinese censorship screen (nicknamed the Great Firewall of China or GFW) tightened more in a substantial upgrade. The ability to automatically detect and block VPNs improved. Certain Google services were added to the GFW blacklist, along with Edgecast and other content delivery networks. Even HSBC was blocked from access on the Chinese internet! HSBC wasn't guilty of any specific transgression, but was using servers included in a wide swath of IP addresses deemed unfriendly to the Chinese Communist Party interests. Imagine the harm to businesses and academic institutions resulting from the increased censorship. Deals can't be made. Research can't be conducted. People can't work together to do what is necessary for learning or commerce. In fact, it is more and more difficult to simply get news or do any kind of person-to-person activity without the blessing of Big Brother. Some things, by the way, are none of Big Brother's business to know or sanction. By February, 2015, the GFW had upgraded to block more foreign internet resources AND most widely used VPNs.
Amusingly, the mainstream news media began reporting the Chinese censorship upgrades only after widespread complaints arose from several large VPN services being added to China's blacklist. It appears the real news is China's end of tolerance of circumvention technology and moves toward pulling the plug on access to any foreign media. Welcome to the Chinese intranet!
GFW Upgrades Cause Upgrades In Circumvention Technology
The attack on circumvention technology specifically uses deep packet inspection for recognizing and blocking VPN connectivity. Services which use a multitude of IP addresses, obfuscated data, and peer-to-peer connections are successfully circumventing China's GFW.
- VPN data packets are easy to recognize because data is formatted according to the protocol being used.
- The initial VPN connection is easy to recognize and the initial key exchange can be blocked.
- Weaker VPN implementations may be subject to "man in the middle" attacks, using fake keys to allow government access to the encrypted data.
- The GFW recognizes, blacklists, and blocks nearly all popular VPN types within minutes of a user trying to use a VPN server.
- The GFW is distributed in nature, functioning on servers operated by Chinese internet service providers. Thus, blockages are not identical from one region to another.
- The GFW seems to have a weakness in that VPN services using new, unblocked IP addresses are less successfully blocked.
- The GFW is less effective against obfuscated VPNs - services which encrypt the initial handshake and have no recognizable data packet format.
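To make the first and last points in the list concrete, the sketch below (an added example, not code from any tool named on this page) labels the first client payload of a flow by its fixed leading bytes, the way any protocol classifier does, and shows that a payload with no fixed header leaves only statistical properties such as byte entropy. The sample payloads, the function names and the 5.5-bit threshold are constructed for illustration.

```python
import math
from collections import Counter

OPENVPN_HARD_RESET_CLIENT_V2 = 7  # opcode of the client's first OpenVPN packet


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify_first_packet(payload: bytes) -> str:
    """Label a flow's first client payload by its fixed leading bytes."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh-banner"
    # TLS record type 0x16 (handshake), major version 3, handshake type 1.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-clienthello"
    # OpenVPN/UDP: 5-bit opcode + 3-bit key id, then an 8-byte session id.
    if len(payload) >= 9 and payload[0] >> 3 == OPENVPN_HARD_RESET_CLIENT_V2 and payload[0] & 7 == 0:
        return "openvpn-hard-reset"
    # No known header: only statistics are left to go on (threshold is an assumption).
    if len(payload) >= 64 and shannon_entropy(payload) > 5.5:
        return "unrecognized-high-entropy"
    return "unrecognized"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "plain ssh": b"SSH-2.0-OpenSSH_6.6\r\n",
    "tls": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    "openvpn udp": bytes([0x38]) + b"\x11" * 8 + b"\x00" * 5,
    # 64 distinct byte values, standing in for a handshake with no fixed header.
    "no fixed header": bytes((i * 37 + 11) % 256 for i in range(64)),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16} -> {classify_first_packet(payload)}")
```

The three protocols with a fixed header are identified from at most nine bytes of a single packet, while the last sample can only be described, not named.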
New Breed VPNs Effective Against Chinese GFW Upgrades
Let us begin with the most promising new arrival into the field of censorship circumvention tools: Psiphon. Psiphon, Inc. is a corporation in Canada, and it creates software designed to enable internet users to access the global internet free of hindrance by national firewalls or censorship. Psiphon's underlying VPN technology is L2TP/IPSec with obfuscated SSH protecting the initial VPN handshake from deep packet inspection. German broadcaster Deutsche Welle has partnered with Psiphon for distribution of the software for listeners wishing to access DW's textual and streaming media. Psiphon is easy to use: start the application, make the connection, and enjoy unrestricted internet.
Users of the Tor Browser are successfully evading the GFW thanks to a technology called Pluggable Transports. Tor uses "bridge" servers to enable users to connect to the network through hidden servers and not attempt direct access to IP addresses already known to censorship authorities. Pluggable Transports are a collection of disguises that make Tor traffic resemble other kinds of traffic, thereby defeating the deep packet inspection programs. As long as the GFW permits some kind of connection to the outside world, Pluggable Transports can carry encrypted Tor traffic.
GoAgent is software for Linux, Mac, and Windows computers which circumvents censorship barriers by using a large network of proxy servers and secure HTTPS connections. It provides fairly wide bandwidth for large web pages, images, and streaming media. GoAgent does not offer the same level of strong encryption as a full-on VPN, so one should bear that in mind when using it. It is, however, much better than the earlier generation of independent web proxy servers. There have been suspected attempts by authorities to conduct man-in-the-middle attacks, but GoAgent is well designed and resistant to faked security certificates. The system is designed to securely find and use servers and not fail due to any particular server being blocked.
The Leap Encryption Access Project aims to provide all internet users access to secure communication. Users interface with the system through an application called "Bitmask" and select services they want to use - currently limited to the VPN and encrypted email. Bitmask is easy to use! It eliminates hassles by being self-configuring, so the end user does not search for servers, deal with keys, or get involved with critically important technical exercises. Bitmask's underlying VPN technology is OpenVPN, so it is well known and secure. As of version 0.8.1, Bitmask's protocol obfuscation is effective against the Great Firewall of China. It has been verified to work very well indeed on Android, Linux Mint 17, and Ubuntu 14.04.
In Summary: VPNs Defeat the GFW Until China Pulls the Plug
China is going deeper into a state of neoMaoist isolation. Their allies: Russia, Iran, Pakistan, and North Korea, are similarly determined to control thought and its expression in the media. What they can't control, they will block. Even if their citizens' or visitors' human rights are violated, they will censor the internet. Even if it causes disastrous economic consequences, they will block the internet. Any person who intends to can evade the censorship restrictions by obtaining and using the VPN software listed above. Even with sophisticated deep packet inspection, the censorship software used by governments cannot stop a properly deployed VPN service.
Global unrestricted internet is available to users of this new breed of circumvention tools until governments completely cut all access to the internet. The issue is as simple as that.
Tags: New VPNs, Psiphon, Softether VPN, OpenVPN