How to build a "great firewall of China" -- do it poorly


I'm not in the business of helping countries be repressive, but I started thinking what I would do if I were the Chinese internet censor. I don't think I'm giving them any secrets, but these thoughts may affect our own plans on how to fight such censors.

The most important realization was that I wouldn't want to make my great firewall really strong. That it was not only easier, but possibly better, to make it possible to bypass it with a moderate amount of determination. Not trivial, as in "hold down the shift key" but not requiring cypherpunk level skills.

The reason is that if I allow such holes, I can watch who uses them, and watching them is more valuable to the secret police than plugging them. And if the holes don't require fancy data encryption and hiding techniques, most people seeking to bypass the firewall will do so unencrypted, making it far easier to watch what is done. But even if people encrypt, they do reveal who they are. So long as there are not immense numbers, that's enough to give me a good dissident watchlist.

My goal as censor would be to tune the filtering so that the true dissidents can all bypass it, but make it hard enough that I don't get so many people on my watchlist that I can't handle the size of it. The censors know they can't keep information from the truly determined, even in the most repressive regimes. They just need to keep it from the masses. (Even the masses will hear rumours in any society, but they will always just be rumours.)

This explains why many of the proxies people have put up to let people bypass the firewall remain themselves unblocked. This also can be explained by inefficiency of maintaining the block-list, but this time I am prepared to attribute something to malice rather than incompetence. Especially if the proxies are unencrypted I would not want to block them -- unless they go so popular that I could no longer track the users.

This is one of the problems with the Google China decision. In the past, use of the firewall-blocked was not suspicious, though typing certain phrases into it may have been. Now, with censored, use of suggests you are trying to get past the censorship at least. A big win for surveillance. Google is, wisely, not keeping logs in China, but that doesn't stop the international gateways from keeping the logs.

(Read on for some anti-censor techniques.) To surf securely you would need a proxying tool which didn't connect to known anti-censor proxies or follow detectable patterns. One popular suggestion is to use the SSL port (443) which has end to end encryption. But SSL is still too rare on our networks, so random PCs popping up accepting SSL requests still could be noticed.

To make this truly work, you need a large network of mundane sites to which Chinese people would commonly make SSL connections. Those mundane sites would have to agree to run proxies in their SSL sessions. This would not be a secret -- the agents, pretending to be dissidents, would quickly learn what sites were doing this -- so the only workable approach is to have lots of ordinary people doing lots of SSL traffic to these sites.

To make this happen, more sites need to start routinely using SSL. This is in fact quite rare. Even sites that do accept SSL by default (You can go to for example) are rarely used in this fashion today. Almost never will you see a cross site https link of the sort I just used, in part because such links would technically break on a tiny number of browsers. The net would have been better off with an opportunistic encryption system that always encrypted if it could, but could fall back to unencrypted. In fact, this could have been the default for http, or we could create a new variant to try this.

I just noticed if you go to you get redirected back to an unencrypted session! GMail will let you stay encrypted with a bit of work.

If several major sites, foreign sites popular with the Chinese, were to start routinely using SSL with all the Chinese, dissident or otherwise, they could then offer an undetectable proxy service to allow access to uncensored information, and it could grow large enough to be useful. At that point the Great Firewall could consider blocking SSL to such a site, shutting off the site entirely, and the site would have to decide what to do. But that's a far-off situation for now.

Other ideas include stegonography for the truly cautious. For stego, data is hidden inside photos, music and other large files. Nobody can detect it's there. To use this the files must come from ordinary sites (so it's not suspicious) and it must not look odd that you are downloading lots of images/music. This is a good approach but does not scale to use by large numbers of people. It is right for the core dissidents, though.

Of course, the use of internet cafes, already popular in China, as well as wireless links, is another important step. Such cafes are believed to be watched, however. I was last in China in 2002, so I don't know how widely open wireless links have spread.


I surf at work with and watch Youtube. I can read my gmail too. It rocks ! So simple to use and so powerful.
You even don’t need to install it.

Add new comment