Using Content Delivery Networks To Circumvent The Great Firewall Of China

from the digital-cat-and-mouse dept

Thu, Dec 3rd 2015 11:20pm — Glyn Moody

Techdirt has written many times about the online cat-and-mouse game being played out in China, whereby people adopt various technical approaches to get around official censorship, the authorities find ways to block them, forcing Internet users to find new methods, and so on. According to a recent report in The New York Times, the Chinese government is adopting even more severe measures against those who try to circumvent the Great Firewall:

The Chinese government is shutting down the mobile service of residents in Xinjiang who use software that lets them circumvent Internet filters, escalating an already aggressive electronic surveillance strategy in the country's fractious western territory.

The problem here is that it's pretty obvious when people are using things like VPNs, and so it's easy to punish them as China is now apparently starting to do. A clever new approach, discussed in the MIT Technology Review, avoids that shortcoming by using a key aspect of the modern Internet's infrastructure: content delivery networks (CDNs). As the post explains: when you visit a popular website, your computer is usually directed to download it from the servers of a content delivery network, a company such as Akamai that website operators pay to store copies of their data on many servers around the world so people can access it faster. Use of content delivery networks is very common among major sites and growing; Cisco expects a majority of all Internet traffic to pass through them within a few years.
A new plug-in called CacheBrowser, available for Chrome currently and Firefox soon, takes advantage of this fact. When someone in China requests a site that makes use of CDNs to deliver its content, the plug-in routes it directly to the CDN hosting it, without calling on a DNS server. Taking this approach makes the request immune to so-called "DNS interference" by the authorities, which is the most common way China blocks access to forbidden sites. Even if all traffic is intercepted and analysed, there is no way for the Chinese authorities to find out which site on the CDN is being accessed, provided an encrypted connection is used -- yet another reason to move all Internet connections to HTTPS.

For encrypted requests, the government censors must either allow the traffic to connect to the site mirrored on the CDN, or block access to the CDN itself, and thus to every site using that CDN. Since so many popular and important sites now make use of CDNs, blocking them would have a major impact on Chinese business and research, as well as on the general public. Provided the perceived cost of that damage outweighs the adverse effects of allowing unfettered access to banned sites, the Chinese government is unlikely to block these encrypted connections to major CDNs.

A paper by the two creators of CacheBrowser (pdf) gives more details of exactly how it works, and ways in which it might be attacked. One they don't mention appeared in an earlier Techdirt post about China's struggle to reconcile the needs of its citizens to access useful and important information online with the government's desire to block material it deems harmful. The approach employed there was to use a "man-in-the-middle" attack against Google to allow state censors to check what was being searched for. Maybe something similar would work against CacheBrowser. If the idea of using CDNs to by-pass the Great Firewall starts to catch on, we will doubtless find out.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cdns, china, content delivery networks, free speech, great firewall, privacy

15 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 4 Dec 2015 @ 12:30am

OT: not just China -- what about the Great American Firewall?
Two weeks ago, the recording industry put out an album that was expected to be a blockbuster, so I decided to investigate the methods they were using to fight file-sharing. (In short, the record company was hitting Google and a few popular torrent sites fast and hard but completely ignoring most everything else)

It surprised me to discover that I was blocked out of many "pirate" websites, which were accessible through some proxy sites but not directly accessible. (Even many "normal" proxy sites were encountering these blocks.) Changing to an alternative DNS server (such as Google's 8.8.8.8 and a few others) made no difference. So I tried two free dialup ISPs, and the problems remained: TPB and other torrent sites were inaccessible -- as were a large number of proxy sites whose URLs were suggestive of file sharing in some way.

I already knew that for several years many European countries were actively blocking so-called "pirate" websites, but it was a rude awakening to learn that here in the good ol' USA -- supposedly the land of the free -- that internet censorship is rife.

I'm curious to know just how many websites (file-sharing-related or otherwise) are blocked in the USA, and which ISPs are the worst censors?
[ link to this | view in thread ]
orbitalinsertion (profile), 4 Dec 2015 @ 12:42am

Since so many popular and important sites now make use of CDNs, blocking them would have a major impact on Chinese business and research, as well as on the general public.

They said that about VPNs 5-7 years ago.
[ link to this | view in thread ]
M. Alan Thomas II (profile), 4 Dec 2015 @ 2:11am

I'd expect to see a push from the Chinese government for home-grown CDNs that don't host (or will internally block) blacklisted content. The most likely route to make that work would be for the government to use a combination of incentives and selective blocking (e.g., slowly rolling out blocks on encrypted connections) to make most major sites transition at least their encrypted content to those CDNs.
[ link to this | view in thread ]
Anonymous Coward, 4 Dec 2015 @ 3:55am

Cut the line and be done with it. Only then can we start dealing with the other hackers, the GHCQ and the NSA.
[ link to this | view in thread ]
Whatever (profile), 4 Dec 2015 @ 5:20am

Nice but....
It's a nice idea and all, but most certainly not an advisable long term strategy. We have all seen in the past where China is more than willing to take out very large sites to resolve what it sees as a problem. It wouldn't be hard for them to take out Akamai or others for an extended period of time, rending the whole circumvention moot.

Moreover, it would just encourage the Chinese government to do more IP based blocking, which would potentially create huge amounts of collateral damage. It's a needless escalation in the battle of the great firewall.
[ link to this | view in thread ]
That One Guy (profile), 4 Dec 2015 @ 5:43am

Re: Nice but....
As opposed to... what exactly? The thin-skinned fools running the Chinese government aren't going to stop so long as someone's willing to defy them, likely the best that can be hoped for is that each way tried will work to bypass their attempts at censorship for long enough for the next way to develop.
[ link to this | view in thread ]
Anonymous Coward, 4 Dec 2015 @ 5:53am

Provided...
Provided the perceived cost of that damage outweighs the adverse effects of allowing unfettered access to banned sites, the Chinese government is unlikely to block these encrypted connections to major CDNs.

That's a big "provided" caveat. You naively and greatly underestimate the Chinese government.
[ link to this | view in thread ]
Whatever (profile), 4 Dec 2015 @ 6:22am

Re: Re: Nice but....
For me the problem is collateral damage. In order to stop it sites that are currently available to the Chinese people may get blocked. Moreover, citizens not realizing they are circumventing the Government blocks may find themselves in trouble with authorities.

The concept of bypassing the Chinese government censorship is admirable. The realities of trying to do so may end up costing more than it's worth, especially if it is just another mole to whack.
[ link to this | view in thread ]
Anonymous Coward, 4 Dec 2015 @ 6:43am

Re: Re: Re: Nice but....
Compliance with the rules of a tyranny that will allow no criticism of itself only enables that tyranny to become even more tyrannical.
[ link to this | view in thread ]
Whatever (profile), 4 Dec 2015 @ 6:53am

Re: Re: Re: Re: Nice but....
Nice sentiment. Perhaps you can take a Tienanmen Square massacre video and go set it up on a main street someone in China and explain it carefully to the people. I am sure you have absolutely no problem going to stand up against tyranny, right?
[ link to this | view in thread ]
That One Guy (profile), 4 Dec 2015 @ 7:20am

Re: Re: Re: Nice but....
The possibility for collateral damage exists for any effective attempt to bypass the censorship imposed by the Chinese government, so unless you're suggesting that those trying to do so just stop trying, 'collateral damage' is going to happen, and the one responsible for the damage are not the ones trying to bypass the censorship, it's the government who's implemented the censorship in the first place.
[ link to this | view in thread ]
Anon, 4 Dec 2015 @ 7:41am

Of course...
Wouldn't an HTTPS connection to Google and browsing their cached data have the same immunity? Except, they block "Raw Google" (TM?); it's only a matter of time before they block other web caches.
[ link to this | view in thread ]
nasch (profile), 4 Dec 2015 @ 8:02am

Re: Provided...
Why wouldn't/couldn't they block HTTPS connections to the CDNs? I doubt the Chinese government cares about user security.
[ link to this | view in thread ]
Anonymous Coward, 4 Dec 2015 @ 11:41am

Re: Re: Re: Re: Re: Nice but....
Nice sentiment. Whatever loves tyrants.
[ link to this | view in thread ]
toyotabedzrock (profile), 5 Dec 2015 @ 7:55pm

China has access to your root certificates. Almost every android device trusts more than one nation states root certificate including China's.
[ link to this | view in thread ]