China blocks internet anticensorship tools ahead of 20th party congress as the Great Firewall grows in sophistication
- More than 100 people have reported having their servers blocked for using proxies that disguise censorship circumvention as regular web traffic
- The move marks an escalation of the Great Firewall’s censorship ahead of the party congress expected to extend President Xi Jinping’s term in power
The identified protocols are known for their use of transport layer security (TLS), the ubiquitous encryption standard that makes secure communication on the web possible.
This is supposed to make private proxy servers look like normal web traffic, unlike traditional virtual private networks (VPNs).
All of the blocked proxy protocols – trojan, Xray, TLS+Websocket, VLESS, and gRPC – are used in the V2Ray platform, which allows users to easily switch between them.
A separate traffic camouflage project called NaïveProxy was found not to be affected. GFW Report said this is because it is designed to make TLS connections look like they are coming from Chromium-based browsers such as Google Chrome or Microsoft Edge.
“This new blocking coincides with the most politically sensitive weeks in China,” GFW Report said in an email to the South China Morning Post. “The first three weeks of October 2022 are expected to be the most politically sensitive time because there are three major events.”
The group referred to the week-long National Day holiday that started October 1, the seventh plenum of the Communist Party’s Central Committee on October 9, and the 20th party congress that starts on October 16.
The congress, one of the most sensitive political events in years, is set to extend President Xi Jinping’s term in power, making him the first leader since Mao Zedong to get a third term as general secretary of the Communist Party.
It is not currently known precisely how these proxies are being identified and blocked. The GFW Report hypothesised that TLS fingerprinting might be used, but the team has not done any empirical tests yet.
Some users who were blocked said it happened while sending traffic over port 443, which is used for encrypted web traffic over the secure hypertext transfer protocol (HTTPS). Switching ports temporarily allowed users to access the proxy again, but that could result in the server’s internet protocol (IP) address being banned, according to the GFW Report.
V2Ray has been a reliable method of accessing the global internet for many people in China who are technologically savvy enough to use it, or who pay for a subscription service with this technology used on the back end.
“We estimate more than half of all Chinese netizens who circumvent internet censorship use TLS-based circumvention strategies,” GFW Report said, contrasting it with Shadowsocks, which wraps traffic in other types of encryption.
“TLS-based tools have been reportedly blocked before, but we have never seen it blocked on such a scale.”
The ability to recognise proxy traffic patterns allows Chinese internet service providers to quickly throttle or block a server for a specific user.
The GFW Report said that domain names used to help mask the proxy traffic are not being blacklisted by China, meaning the blocks only affect individual users while the domains remain accessible to others.
“This is similar to activity which has taken place in previous years and highlights the fact that, if the authorities wanted to, they could render most circumvention tools ineffective at the flip of a switch, at any time,” said Charlie Smith, the head of the Chinese censorship monitoring website GreatFire, who uses a pseudonym to protect his identity.
“Perhaps the more important question is, why don’t the authorities do this all the time?”
The GFW Report found last week that China had recently blocked all subdomains of Google.com, numbering more than 1,100 and affecting a large number of popular services.
Since the earliest days of internet access within China, online censorship has been a cat-and-mouse game between censors and developers. In the case of V2Ray, support for personal domains and TLS was an advancement over Shadowsocks because it made traffic look like it was coming from unblocked websites.
When Shadowsocks censorship started ramping up three years ago, one developer going by Teddy Sun stopped development on a popular installation script for the tool. “It won’t last long,” Sun told the Post at the time. “It will die sooner or later.”
However, Shadowsocks is still in use, and Sun posted on his blog just last month about a new installation method. It has become just one of many tools in an ever-expanding toolbox used by those trying to thwart an increasingly sophisticated censorship regime.
“New tools are [being] and need to be developed at all times,” Smith said. “Obviously, a lot more work needs to be done if we really want to help people freely access information all over the world.”