China's Great Firewall Tests Mysterious Scans On Encrypted Connections

This article is more than 10 years old.

In the cat-and-mouse game between Chinese censors and Internet users, the government seems to be testing a new mousetrap--one that may be designed to detect and block tunnels through its Great Firewall even when the data in those tunnels is aimed at a little-known computer and obscured by encryption.

In recent months, administrators of services with encrypted connections designed to allow users secure remote access say they've seen strange activity coming from China: When a user from within the country attempts to reach a server abroad, a string of seemingly random data hits the destination computer before he or she can connect, sometimes followed by that user's communication being mysteriously dropped.

The anti-censorship and anonymity service Tor, for instance, has found that many of its "bridge nodes"--privately-placed servers around the world designed to connect users to the rest of Tor's public network of traffic re-routing computers--have become inaccessible to Chinese users within hours or even minutes of being set up, according to Andrew Lewman, the project's executive director. Users have told him that other censorship circumvention services like Ultrasurf and Freegate have seen similar problems, he says. "Someone will try to connect, then there's a weird scan, and the bridge stops working," says Lewman. "We see weird things all the time, but this is a semi-consistent weird thing, and it's only coming from China."

Lewman believes that China's internet service providers may be testing a new system that, rather than merely blocking IP addresses or certain Web pages, attempts to identify censorship circumvention tools by preceding a user's connection to an encrypted service with a probe designed to reveal something about what sort of service the user is accessing. "It's like if I tell my wife I'm going bowling with my friends, and she calls the bowling alley ahead of time to see if that's what I'm really doing," says Lewman. "It's verifying that you're asking for what you seem to be asking for."

But so far, Lewman says, Tor's developers haven't determined how that probe is able to tell an encrypted connection to a Tor server from a connection to an encrypted banking or ecommerce site, both of which in theory should look to a snooping government like indecipherably scrambled web traffic. The Chinese government, after all, wouldn't be likely to block all encrypted connections, such as corporate VPNs, Lewman points out. "If Foxconn were disconnected from Apple, that would be a big problem," he says.

In the meantime, only a small fraction of Tor's Chinese users are experiencing the issue, implying that it may be just a subset of Chinese broadband providers experimenting with the new tool, says Lewman.

China's sniffing around encrypted traffic isn't limited to the United States. Leif Nixon, an IT security administrator at the National Supercomputer Centre of Sweden at Linkoping University, says he independently spotted the phenomenon hitting his servers a full year ago, when Chinese students or researchers tried to log on to the Centre's systems through SSH connections, and wrote a blog post about his findings earlier this month. "I don't know what the probes are supposed to accomplish," he wrote at the time. "My only guess is that the government is looking for certain services it doesn't approve of, like open proxies or Tor relays, and that precise fingerprinting may be too expensive. Instead, they resort to an inspection method similar to fuzzing, where pseudo-random data is thrown at the server, just to see what happens."

"It also matches the known repulsive censorship the Chinese government subjects its citizens to," he added. "I strongly dislike this probing of our systems that the Chinese government appears to be performing."

Another security engineer at a supercomputing center in the U.S., who asked not to be named, says he saw similar anomalies in as many as 20% of cases where users connected from China. "We initially thought it was an attack. But now it looks more like a probe to see if this is something they want to censor," says the engineer. "I've never seen anything quite like it, myself."
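The pattern the administrators above describe, on both the Tor bridges and the SSH servers, is a burst of random-looking data arriving at the listening port shortly before a real client connects, with that client's session sometimes failing afterwards. A server operator who wants to check whether their own logs show it needs two things: a way to tell a protocol-conforming opening from junk, and a way to correlate the junk with the next genuine connection to the same port. The Python script below is an added example written for this article, not code from Tor, from the Swedish supercomputer centre or from anyone quoted here. The connection records it runs over are constructed (RFC 5737 documentation addresses, a made-up 32-byte "probe"), and the classification rules, the entropy threshold and the 60-second correlation window are assumptions chosen for illustration; in particular, the article does not say whether the probe and the user's connection come from the same address, so the script correlates on port and time only.

```python
import math
from collections import namedtuple
from datetime import datetime, timedelta

# One record per accepted TCP connection: arrival time, client address,
# listening port, the first bytes the client sent, and whether the session
# ran to completion. In practice these come from a packet capture or an
# application log; here they are constructed for the example.
Conn = namedtuple("Conn", "ts src dport first_bytes completed")

# Constructed sample data, not real captures. The "probe" is simply 32
# distinct bytes, so its entropy is the maximum possible for that length.
RANDOM_PROBE = bytes.fromhex(
    "8e3b97c1a4f05d2b6e7c19d3a8f4b0e5c2d7963f1a8b5e0d4c2f7a9361be8d05"
)
# Minimal TLS record header (type 0x16 = handshake, version 3.x) plus filler.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(16)
SSH_BANNER = b"SSH-2.0-OpenSSH_5.8\r\n"

SAMPLE = [
    Conn(datetime(2011, 11, 1, 9, 0, 0), "203.0.113.10", 22, SSH_BANNER, True),
    Conn(datetime(2011, 11, 1, 9, 10, 31), "203.0.113.77", 22, RANDOM_PROBE, False),
    Conn(datetime(2011, 11, 1, 9, 10, 34), "203.0.113.10", 22, SSH_BANNER, False),
    Conn(datetime(2011, 11, 1, 9, 20, 0), "198.51.100.4", 443, TLS_CLIENT_HELLO, True),
    Conn(datetime(2011, 11, 1, 9, 30, 0), "192.0.2.9", 22, b"GET / HTTP/1.0\r\n\r\n", False),
    # A lone junk connection with no follow-up: an ordinary scanner, not the pattern.
    Conn(datetime(2011, 11, 1, 10, 0, 0), "192.0.2.50", 22, RANDOM_PROBE, False),
]


def shannon_entropy(data):
    """Bits per byte of the given bytes (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(first_bytes):
    """Label the opening bytes of a connection.

    'ssh' and 'tls' are recognised by fixed prefixes (the SSH identification
    string; a TLS record with type 0x16 and major version 0x03). Anything
    else of at least 16 bytes with high byte entropy is labelled 'random'.
    The length floor is deliberate: n bytes cannot exceed log2(n) bits of
    entropy, so very short payloads could never reach the threshold.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if len(first_bytes) >= 16 and shannon_entropy(first_bytes) >= 4.0:
        return "random"
    return "other"


def find_probe_then_connect(conns, window=timedelta(seconds=60)):
    """Return one alert per 'random' connection that is followed, within
    `window`, by a protocol-conforming connection to the same port.

    Correlating on port and time alone (not on client address) and the
    default window are assumptions for this example.
    """
    alerts = []
    by_port = {}
    for c in sorted(conns, key=lambda c: c.ts):
        by_port.setdefault(c.dport, []).append(c)
    for port, seq in by_port.items():
        for i, probe in enumerate(seq):
            if classify(probe.first_bytes) != "random":
                continue
            for later in seq[i + 1:]:
                if later.ts - probe.ts > window:
                    break
                if classify(later.first_bytes) in ("ssh", "tls"):
                    alerts.append({
                        "port": port,
                        "probe_src": probe.src,
                        "probe_ts": probe.ts,
                        "client_src": later.src,
                        "client_ts": later.ts,
                        "client_completed": later.completed,
                        "gap_seconds": (later.ts - probe.ts).total_seconds(),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_probe_then_connect(SAMPLE):
        status = "completed" if a["client_completed"] else "DROPPED"
        print(f"port {a['port']}: junk from {a['probe_src']} at {a['probe_ts']:%H:%M:%S}, "
              f"then {a['client_src']} {a['gap_seconds']:.0f}s later ({status})")
```

On the sample data this reports a single alert: the junk connection from 203.0.113.77 to port 22, followed three seconds later by an SSH connection from 203.0.113.10 that did not complete. The lone junk connection at 10:00 is ignored, which is the point of the correlation step: any port scanner will trip the 'random' classifier on its own, and it is the pairing with a genuine connection, and that connection's failure, that matches what the administrators describe. Treat a hit as a lead to confirm with the user whose session dropped, not as proof of what the probe was for.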

Since the clampdown around the 60th anniversary celebration of the founding of China's communist regime and the country's very public censorship spat with Google, China has been on the hunt for censorship circumvention tools. But the country had previously focused on blocking services based on their IP addresses, an endless game of "whack-a-mole" as new servers aiming to help circumvent the government's censorship with new IP addresses constantly appear around the world, says Tor's Andrew Lewman.

In 2009, Iran similarly began trying to distinguish connections to Tor bridge nodes from other encrypted traffic and block the service, Lewman says. Tor responded by finding ways to change its behavior to better fit in with other services online, such as adjusting how often it changed the SSL certificate that identifies the service to users.

Lewman says he doubts China could implement a similar system across the entire country, with its hundreds of millions of Web users. Nevertheless, Tor's staff hopes to stay a step ahead of China's censors. "We're working on figuring it out," says Lewman. "It's quite a curiosity."