A research team uncovered that the Great Firewall (GFW) runs a hidden layer of HTTPS censorship. Another team of researchers determined the size of the GFW through a nine-month project measuring Chinese DNS censorship.  Censorship evasion strategy tools and a DNS blocking measurement platform dashboard has also been made available by the researchers.

A Hidden HTTPS SNI Filtering System Layer Found in China’s Great Firewall (GFW)

The first generation of the GFW system censored all HTTPS encrypted web traffic. With or without encrypted HTTPS, Chinese access to the Server Name Indication (SNI) was crucial to flag domains and make unavailable sites the Chinese government did not want the Chinese population to access (Western news sites, YouTube, Twitter, etc. For example, Facebook has been banned from China since 2009. For a complete list of websites blocked in China, a link is found here).

Researchers, doing work on SNI censorship evasion, provide the necessary context: “The server name indication (SNI) field in the TLS handshake reveals the website to which the client wishes to connect. Censors such as China and Iran have thus used the plaintext SNI field to guide their censorship decisions and, in some cases, outright block all traffic that seeks to hide the SNI through encryption (ESNI).” (1, 2)

ESNI was experimentally available as early as 2018 and in late 2020, the Transport Layer Security (TLS) 1.3 introduced a robust encrypted SNI (ESNI) along with Encrypted Client Hello (ECH) in a TLS 1.3 protocol extension. By July of 2020, according to censorship.ai, a new ‘layer’ of the GFW was already introduced to block ESNI connections by, amongst other control mechanisms, dropping packets from client to server. Clearly, out of necessity, a more brute force approach to blocking and censoring a domain.

A researcher on the project, in an interview with The Record, made note of the fact that “this second [GFW ESNI blocking] system is not broadly deployed, as censors are still testing its capabilities, and very few HTTPS connections are using ESNI in the first place.” This year, the same researchers went back to the drawing board and recreated their “mental model” or attribution work on SNI censorship.

Their research in 2020 left the researchers with the understanding that the GFW ran middleboxes dedicated to the censorship of discrete protocols (http, https). This time, the research team uncovered that the GFW, in order to censor HTTPs, runs three middleboxes in parallel: two layers for SNI-based connections and another group of middleboxes dedicated to ENSI-based connection censorship. This second layer of SNI censorship occurs when the TLS handshake is done – and was accidentally noticed when a percentage of SNI evasions failed earlier in a connection while another group of connections failed at the end of the handshake and then killed the Transmission Control Protocol (TCP).

Circumventing ESNI Censorship

Housed at the University of Maryland Department of Computer Science, Geneva (“Genetic Evasion”) is “a novel experimental genetic algorithm that evades censorship by manipulating the packet stream on one end of the connection to confuse the censor. Geneva is comprised of two components: its genetic algorithm and strategy engine. The strategy engine runs a given censorship evasion strategy over active network traffic; the genetic algorithm is the learning component that evolves new strategies (using the engine) against a given censor.”

If you want to explore these censorship evasion techniques, the same researchers discovered 6 client-side and 4 server-side evasion strategies:  “..each of these works with near 100% reliability and can be used to evade the ESNI censorship. Unfortunately, these specific strategies may not be a long-term solution: as the cat and mouse game progresses, the Great Firewall will likely to continue to improve its censorship capabilities.”

The Geneva Github repository is found here.

How Big is the GFW?

A nine-month research project, from April to December of last year, to figure out how “Great is the Great Firewall?”, by measuring China’s DNS censorship, published its findings in June of this year. To perform the research, GFWatch, a measurement platform, was developed in an academic collaboration between researchers from Stony Brook University, University of Massachusetts – Amherst, University of California – Berkeley, and the Citizen Lab at the University of Toronto.

Source:  How Great is the Great Firewall? Measuring China’s DNS Censorship

 

The scope of the DNS measurement project:  Using GFWatch, the team of researchers accessed:

• 534 million distinct domains
• Approx. 411 million domains daily to record and “then verify that the [censorship] blocks were persistent.”

The findings: Through the analysis of nine months of data, the researchers found that the GFW:

• Blocks roughly 311,000 domains
• 270,000 blocks were intentional
• 41,000 domains seem to have been blocked by accident.

The researchers then used domain categorization platforms, like FortiGuard, to determine the type of content blocked most often by Chinese authorities.

Source:  How Great is the Great Firewall? Measuring China’s DNS Censorship

DNS Records Outside of China “Polluted” by Chinese DNA-based Censorship:  The GFWatch researchers also uncovered a troubling pattern of DNS pollution in DNS records external to China:

“…poisoned resource records…have tainted public DNS resolvers around the world…in total, we find 77,000 censored domains whose poisoned resource records have polluted the cache of all popular public DNS resolvers that we examined. Of these censored domains, 61K are base censored domains…this finding shows the widespread impact of the bidirectional blocking behavior of the GFW, necessitating the operators of these public DNS resolvers to have an effective and efficient mechanism to prevent these poisoned resource records from polluting their cache, to assure the quality of their DNS service.”

The GFWatch Platform used by the researchers continues to run, is publicly available, and has a continuously updating dashboard: GFWatch Dashboard.

A direct link to the GFW hidden layer discovery research:  Even Censors Have a Backup: Examining China’s Double HTTPS Censorship Middleboxes.

A direct link to the GFWatch DNS censorship measurement research: How Great is the Great Firewall? Measuring China’s DNS Censorship

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along its journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this megatrend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic, we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily intelligence as well as pointers to reputable information from other sites. See OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision-making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast