Scientists discovered a hidden layer of the “Great Firewall of China”

A group of scientists from the University of Maryland presented a report on a hidden layer discovered in the Great Firewall of China. It turned out to be a secondary HTTPS SNI filtering system, running in parallel with the first one launched last year.

The Great Firewall of China contains various censoring mechanisms that work with different protocols. Its most powerful and technically advanced part is the system that works with encrypted HTTPS traffic, and this mechanism is split into two separate systems. The first and oldest of these intercepts HTTPS connections in the early stages and examines the SNI field, which contains data about the domain that the user is trying to access. Thus, the SNI field allows the Chinese government to block access to unwanted sites.

The second mechanism, introduced last year, is broadly similar to the first, but works with HTTPS connections that use modern protocols that encrypt the SNI field (like eSNI). Since this system cannot “see” which domain the user is trying to access, it blocks every connection in which an eSNI field is found. The second mechanism has not yet become widespread and seems to be still in the testing phase, as few HTTPS connections use eSNI in general.

Now experts from the University of Maryland write that they have discovered a secondary HTTPS SNI filtering system running in parallel with the one launched last year. The researchers told The Record that the discovery was made by accident, back in 2019. According to the experts, the discovered system is as effective as the first level of HTTPS censorship, although it interferes at the last stages of the connection.

“We began to notice strange strategies in which Geneva [bypass censorship system] bypassed censorship during the first part of the TLS handshake (where the censorship was supposed to take place), but still could not advance further in the handshake. At the time, we did not fully understand what it was, but since then our tools and understanding of the Great Firewall of China have improved, so now we realize that these were strange results.
“We do not know for sure what it is, but it seems that this mechanism is specific to HTTPS: we do not see the same behaviour in other protocols that are censored,” Kevin Bock told reporters.


The experts conclude that a few years ago the Great Firewall of China appeared to specialists to be a single whole, but it is now clear that it consists of different sets of middleboxes working in parallel with each other, each designed to censor different protocols.

“Our discovery means that the Great Firewall of China uses at least three different middleboxes in parallel for HTTPS censorship: two for SNI-based connections and another family of middleboxes for censoring ESNI-based connections,” the report says.

Let me remind you that we wrote that “Great Firewall of China” blocks 311,000 domains, and 41,000 of them – by mistake.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
