Can everything be broken?

One argument against DRM that pirates often repeat is that “every software out there has been or can be broken”. I hate this argument not only because it is factually wrong, but because most of the time it is being told by people who know nothing about software security, but still they use the same tone as if they said “the skies are blue” or “Microsoft is evil”.

In China, the answer of many people to the Great Chinese Firewall was usage of VPNs. This was also a typical example a typical copyleft fighter would tell you. The communication inside of the VPN tunnel is protected from being spied by (still) reliable cryptography, therefore, our freedom of information is guaranteed.

Well, it was guaranteed. Until China started to block VPN connections. Establishing a VPN connection is a protocol that can be automatically detected on intermediate routers, and the corresponding TCP connection can be disconnected, or optionally shaped down to some barely usable low speeds.

If you also remember that any Internet user in China has to authenticate himself with a passport (also a change introduced in 2012), and you play the situation further, you’ll finally come to the conclusion that Internet freedom is not technically guaranteed in China, and it never was.

For those who don’t believe: you can move VPN to different ports or replace VPN with another protocol alltogether – it doesn’t matter. Chinese government can mandate that only HTTP 1.1 and SMTP are allowed in their land, and close all other ports and protocols by default. You can install a proxy server listening on port 80 and tunelling the Internet over HTTP. The Chinese government can parse this traffic, detect parts of facebook markup and break the TCP connection. You can add SSL to your proxy server. The Chinese government can prohibit SSL usage in their land. SSL handshake is also a thing that can be easily detected automatically. As replacement, they can develop their own fork of the SSL/TLS protocol allowing the proper agencies to filter the traffic, and roll out this protocol in their land so that their web shop still can process payments. You can develop your own non-scannable fork of SSL, and use it with your proxy. The Chinese government can include the handshake sequence of this new protocol to their black list. And to prevent further arms race, introduce a regulation that would severely punish people who install this new version of SSL. You can use steganography and insert some information in harmless educational videos. The Chinese government can create a regulation that posessing a steganography software would automatically make you western spy and punish by death penalty. Would you risk it just to get another portion of cat photos from your facebook news feed?..

The Chinese government has here more pull. Always. And the only reasons preventing them to go deeper are economics and politics. But those reasons can be solved sometimes.

Besides, I think Chinese civilization has a several thousand years long track record of smart and sophisticated solutions to global problems. I mean, global problems, not just filtering of some dumb web traffic.

I’ve read a report that usage of some specific western site is now blocked over VPN. This means, you can establish the VPN session, and access some other western sites over the tunnel, but you can’t access this specific site. My first reaction was: that’s technically improssible! But after a second thought: what if the Great Firewall uses DNS poisoning? You first try to go to over the Chinese Internet. Chinese DNS server gives you a spoofed IP, which is cached in your local DNS client. You see that is blocked, establish VPN, try again – using the same spoofed IP. And it still doesn’t work. Voila. Except: many VPN implementations I’ve seen would reset the local DNS cache and revert the DNS traffic over the VPN tunnel, when the VPN is being established. So that it still remains a mystery.

Being the Chinese government, you surely can invent even more interesting ways to firewall your citizens, without even paying for the traditional firewall software and devices. Most of Chinese PCs I’ve seen have at least one EXE file downloaded and installed from a Chinese web page – for example QQ or PPTV or some game. Do you think it would be hard to add a piece of code to these programs that would detect a facebook home page markup in your browser and do a little whistle blowing to the Chinese version of Homeland Security?..

Therefore, I think it is very important for everybody to stop pretending that internet freedom rights can be technically guaranteed. Only by eliminating this dangerous misconception, we can see the real issues and start working on meaningful answers to this problem – in China, Russia, Iran, or elsewere.

And yes, the answer that I personally think is most promising is the collaboration with the Great Firewall. People who just want to post photos of magnificient Beijing on their Facebook timeline, shouldn’t be prevented doing that. And political activists who want to use Facebook platform to promote their agenda, shouldn’t be able to hold all other people as hostages — no matter what we think about their political program.

For all of you copyleftists who frown on the word “collaboration”, one last thing to consider. Chinese segment of the internet has a very elaborate and successful ecosystem of social networks of various kinds, paid online video and music rentals, online auctions and basically everything the big Internet has. The largest web services have the user base of 400 to 800 millions each. Don’t you think they, at least partially, owe their success the protective effect of the Chinese Firewall? Would 开心网 be happy to see chinese version of Facebook freely available? And 百度 would not necessarily benefit if Google started their full operations again.

Leave a Reply