Naked Security

China clamps down tighter on web use with new VPN ban

Restrictions will make it harder to reach sites such as Facebook and Google, and news providers such as the New York Times

The Chinese government has announced new restrictions on operating VPNs that in effect make it illegal to offer them without approval to anyone other than large organisations.

The officials who run the so-called Great Firewall of China have been experimenting with VPN-blocking for a couple of years, but this is the first time a formal legal clampdown has been put into effect.

VPNs are popular with users who want to bypass internet restrictions because they create an encrypted tunnel between the user’s computer and the site they want to visit, one that filtering systems in between can’t scrutinise.

In practice, the restrictions running from now until March 31 2018 will mainly test the small coterie of providers that offer connections to people trying to bypass the restrictions to reach a long list of foreign sites, including Google, Facebook, Twitter, and every dictator’s biggest peeve, the New York Times.

The best-known providers include VyprVPN (Golden Frog), StrongVPN, Astrill, and ExpressVPN, all of which are based outside China. This raises the obvious question of how China can stop them.

Presumably, the answer is either by detecting their activity through the firewall or by strong-arming China’s myriad smaller ISPs to stop turning a blind eye to the traffic and get filtering. Whether this will actually work is difficult to assess.

VyprVPN already advertises its Chameleon VPN, which claims it “scrambles OpenVPN packet metadata to ensure it’s not recognizable via deep packet inspection (DPI)”. OpenVPN is the open-source alternative to the PPTP and L2TP/IPSec protocols.

With the effect on providers uncertain – disruption has been reported but it’s hard to say how much – this could be another case of a cat chasing an unexpectedly large mouse.

According to Golden Frog’s co-CTO, Phil Molter: “China has targeted VPN providers in the past but VyprVPN has been able to quickly and effectively update our service to defeat these blocks.”

Couldn’t Chinese users get hold of the Tor browser, or an equivalent such as I2P or Freenet?

Unfortunately, the Great Firewall’s deep-packet inspection also appears to probe for traffic patterns that betray these encrypted connections. When it finds one, it tries to talk to the entry or bridge relay and if it succeeds, it whacks another mole – the relay is blocked.

At least, this description approximates what is known about how Tor is blocked in China, which doesn’t exactly go out of its way to explain any of this.

More concerning is that China sees the relatively small number of people using VPNs as an issue in the first place. Sources suggest that the issue could be sensitivity about political rumours connected to Communist Party officials that might be circulating.

The VPN clampdown comes only days after China announced a similar tightening of restrictions on mobile app stores, which must now register with the country’s Cyberspace Administration.