I was wondering why so many of my favorite feeds weren't coming into my news reader and I realized (duh!) that I'm in China and Blogger and TypePad are blocked. It's one thing blogging about it from Japan, it's another thing actually being blocked and realizing how much of my world just sort of disappears. There are proxy servers, but I hear that even then, if you use one for too long, they get tracked down and blocked literally while you're surfing...

25 Comments

We have a similar firewall here in Vietnam, but luckily neither Blogger nor Typepad is blocked. Perhaps because the underground opposition in Vietnam hasn't discovered blogs yet, I don't know. Dissident sites are blocked of course, as are the BBC News pages in Vietnamese for example.

Oh, and using proxy servers in Vietnam is actually illegal, but I'm not sure if anyone is actually tracking users down.

Using an online aggregator, Firefox + SwitchProxy extension [1], and various proxy lists [2] was helpful while I was in China.

[1] http://jgillick.nettripper.com/switchproxy/
[2] http://www.stayinvisible.com/index.pl

Proxies belong here to the standard equipment and when you know how to install them it takes less than 30 seconds to get things running. Can be a nuisance still.
You should be able to get the RSS-feeds though, although I get them, a great way to go around the blocks. But when you want to go to those sites you have to use the proxies again.

<geekspeak>


Does the Great Firewall of China also block outgoing ssh connections?


This is what I do in environments where a firewall attempts to restrict my websurfing:

1) activate a proxy mode-enabled Apache server somewhere on an unrestricted location of the Internet, with proxy client connections allowed from 127.0.0.1

2) set up a ssh tunnel from your PowerBook to the unrestricted Apache server

3) configure your browser to use your local tunnel endpoint (127.0.0.1:8080) as its proxy...


Tunnel setup on your PowerBook:

ssh -2 -N -L 8080:127.0.0.1:80 -l mostlyvowels myproxy.mostlyvowels.com


Apache setup on machine myproxy.mostlyvowels.com:

Relevant excerpts from file httpd.conf:

# Modules needed for forward proxying (HTTP and CONNECT)
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

<IfModule mod_proxy.c>
    ProxyRequests On
    # Only accept proxy clients from localhost, i.e. the far end of the ssh tunnel
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Proxy>
</IfModule>

</geekspeak>

To the SSH poster: That's great, except the hearsay I've been privy to suggests that the encryption to make SSH tunnels possible is illegal in China. I suppose you may not get caught, though.

And, on the other hand, I suppose reading blogger despite the wishes of the Chinese government is probably illegal anyway :-).

So who is being blocked?

Asheesh Laroia wrote@6:

To the SSH poster: That's great, except the hearsay I've been privy to suggests that the encryption to make SSH tunnels possible is illegal in China. I suppose you may not get caught, though.

The great thing about SSH is that, even if you get caught, the protocol's opacity and polyvalence leave scope for some reasonable denial. “Wot? Surfing to illegal sites, me? I was just downloading my email from my company's server! Honest!”
Surely the people capturing your traffic and who come to knock on your hotel door are not able to crack OS X SSH's AES/Rijndael 128-bit encryption?
Memo to self: recon a quick escape route from the hotel to the Japanese embassy’s or the Japanese school’s premises in Beijing.

yup without a net connection we cyber junkies feel isolated and lost huh

There's actually an even easier SSH option. If you're using OpenSSH (like the version Apple ships), you've got a SOCKS proxy built into your SSH client.

From the docs:

-D port
Specifies a local "dynamic" application-level port forwarding. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 protocol is supported, and ssh will act as a SOCKS4 server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.


So, all you need to do is

ssh -D 9876 secure-host-in-the-free-world.co.jp

and then go into your Network prefs, pick the "Proxies" tab and tell it about your new SOCKS proxy on localhost:9876.

You might need to quit apps and restart them to get them to pick up the proxy settings, but once you do, all your traffic (from socks aware apps) will be tunneled over SSH.

Joi - If you need an ssh proxy set up, let me know - I use mine every day and it works well.
If you need ssh run on a funky port, I can do that as well...

The problem with the SSH-as-proxy solutions is that it doesn't tunnel your DNS. So if the authority in question wants to, they can still log the domain names of sites you're browsing. Or, if they're really serious, they could even send you bogus DNS replies, causing you to connect to something entirely different through your tunnel.

A full VPN is a much better solution.

Leif, I'm not sure that it is true about DNS. I run an ssh tunnel to my server, which runs squid to proxy/cache for me. The DNS lookups happen on the server/proxy side and not on your client if you are using your browser. The proof is that I can see boxes behind the firewall which aren't in DNS, and if I hit a domain name that doesn't exist the error comes from the proxy, not from my box. Writing this though, I just realized you may be talking exclusively about SOCKS, which I am not familiar with.

Be careful not to get yourself (JoiIto.com) blocked. Just talking about how to bypass the Chinese Firewall can get you blocked. It's kind of a limit on your free speech (w/o even living in China), but it depends on how concerned you are about being blocked in another country. J/w, how would you feel if Joiito.com was blocked in China? Would you do anything or just ignore it?

Leif wrote @12:
The problem with the SSH-as-proxy solutions is that it doesn't tunnel your DNS.

Er, with SSH-tunneled HTTP, the destination URLs are directly sent to the proxy in symbolic format; there's thus no need for the local client to attempt its own DNS resolutions. This makes the SSH tunnel much more secure than a SOCKS setup, as people monitoring your traffic won't see any DNS requests at all, and thus won't know which sites you're accessing (assuming the target sites use pure HTTP without SSL). Furthermore, a SOCKS CONNECT packet will contain the target host's DNS-resolved IP address in cleartext format, requiring the use, say, of an additional encryption layer — e.g. SSL — to protect your target destination and your SOCKS traffic payload against eavesdropping and MTM attacks.
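The DNS question debated in the comments above comes down to what the client writes into the proxy request: a SOCKS4 CONNECT carries an already-resolved IPv4 address, while SOCKS4a and SOCKS5 with the domain address type hand the hostname to the proxy. The parser below is an added example, not code from any commenter; the sample requests, `192.0.2.10` and `blog.example` are constructed.

```python
import ipaddress
import struct


def classify_socks_request(data: bytes) -> tuple:
    """Parse one SOCKS4/4a/5 CONNECT request.

    Returns (protocol, destination, port, resolved_by), where resolved_by is
    "proxy" if a hostname is sent for remote resolution, else "client".
    """
    if len(data) < 2 or data[1] != 1:
        raise ValueError("not a CONNECT request")
    if data[0] == 4:
        if len(data) < 9:
            raise ValueError("truncated SOCKS4 request")
        port = struct.unpack("!H", data[2:4])[0]
        ip = data[4:8]
        uid_end = data.index(b"\x00", 8)  # user id is NUL-terminated
        # SOCKS4a: destination 0.0.0.x (x != 0) means "hostname follows"
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            host_end = data.index(b"\x00", uid_end + 1)
            host = data[uid_end + 1:host_end].decode("ascii")
            return ("SOCKS4a", host, port, "proxy")
        # Plain SOCKS4 carries only an IPv4 address: any lookup was local
        return ("SOCKS4", str(ipaddress.IPv4Address(ip)), port, "client")
    if data[0] == 5:
        if len(data) < 5:
            raise ValueError("truncated SOCKS5 request")
        atyp = data[3]
        if atyp == 3:  # length-prefixed domain name, resolved by the proxy
            end = 5 + data[4]
            dest, who = data[5:end].decode("ascii"), "proxy"
        elif atyp == 1:  # IPv4 literal
            end = 8
            dest, who = str(ipaddress.IPv4Address(data[4:end])), "client"
        elif atyp == 4:  # IPv6 literal
            end = 20
            dest, who = str(ipaddress.IPv6Address(data[4:end])), "client"
        else:
            raise ValueError("unknown SOCKS5 address type")
        if len(data) < end + 2:
            raise ValueError("truncated SOCKS5 request")
        return ("SOCKS5", dest, struct.unpack("!H", data[end:end + 2])[0], who)
    raise ValueError("unsupported SOCKS version")


# Constructed sample requests (documentation address and hostname).
ADDR = ipaddress.IPv4Address("192.0.2.10").packed
SOCKS4_REQ = struct.pack("!BBH", 4, 1, 80) + ADDR + b"user\x00"
SOCKS4A_REQ = struct.pack("!BBH", 4, 1, 80) + b"\x00\x00\x00\x01user\x00blog.example\x00"
SOCKS5_REQ = b"\x05\x01\x00\x03" + bytes([12]) + b"blog.example" + struct.pack("!H", 443)
```

A request classified as "client" means any name lookup happened before the tunnel was involved, so it travelled over the local network's resolver.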

The F-ing Great Wall of China!

:D

Hi! I've been living in China for about 4 weeks now and I've found that you can read Blogspot and Typepad blogs by reading their feeds on Bloglines. I haven't tried this with other aggregators, but it might work. I still can't comment on the blogs, but at least it's something!

Sorry. Fake name, etc because I am in China.
The ssh stuff was interesting reading but can someone provide some simple instructions for how to set up Windows systems to access sites that have been b@nned here (in China). It is easy enough for the tech-savvy types to beat the fwall, but much harder for us mere mortals.
Would be really grateful as the main sites providing information on this topic are not available here.

I think I am a lucky dog for successfully visiting your blog. I am a senior student in TianJin, China.
Maybe it is because I am using the Teaching area network (I don't know how to translate it. The network I am using was originally set up for education).
I can't say I hate China, but I can say I hate the Great Firewall of China because it blocks so many websites.

By the way, I think you can go to http://www.proxy4free.com to select a proxy when you are blocked.

There is always tor

Tor can be trivially blocked due to the reliance on central servers. i2p is fully p2p and is another matter.

http://www.i2p.net/
Blocked in China, but worth getting for unstoppable circumvention.

I can watch youtube from China using Freedur.com. It's a really simple small proxy program.
Works fine with youtube and facebook. Even my gmail works.
All sites open correctly and fast. Try it here http://www.freedur.com for free.

I bypass china firewall with www.Freedur.com. Simple, easy and powerful. I can read my gmail too as it supports https.

They try but have not been able to stop me from going anywhere I wish to go on the Internet, there are so many ways to get around it that I don't understand why they even bother unless that is the communist mentality of keeping everyone working regardless if there is any benefit to it.


8 TrackBacks

Listed below are links to blogs that reference this entry: The Chinese Firewall.


The posts that matter by Asian blogs... Hong Kong, Taiwan and China HK's elections are done: full results at ESWN. Looking at the results are Pieter who sees this campaign's dirty tricks as a sign of maturing democracy; Phil who looks at the disappoint... Read More

This is cross-posted at Winds of Change. Asia by Blog is a twice weekly feature, posted on Mondays and Thursdays (the latest edition is here). You can be notified by email when it is updated, just drop me an email at simon-[at]-simonworld-[dot]-mu-[dot... Read More


It's time to have a look at East Asia and what's been making the news in Asian blogs over the past month. We cover China (in depth), as well as Taiwan, Hong Kong, Korea, Japan, and Southeast Asia (Indonesia, Malaysia, Philippines, Singapore et. al). Read More

Original post: http://joi.ito.com/archives/2004/09/10/the_chinese_firewall.html
[quote]
I was wondering ..

Read More

I was going to write about the wonders of XML and the start of my new class at RIT, but when blogs become news, well... that's news. Microsoft is ready to blunder charge into the Web log "business" (it's a... Read More

The prospect of CFR-inspired muzzling (or attempted muzzling) of American blogs may be a pain, but at least we're not... Read More

It is not to be used for any commercial purposes. Use our free proxy servers for anonymous su Read More

About this Archive

This page is an archive of recent entries in the Business and the Economy category.
