OK, AWS again, I know it not only complies with Beijing but also Russia and many other dictatorships. Banned domain fronting and recently enforced S3 bucket-based subdomains for government to better inspect.
Their point is if you’re served within China (aka hosted off a chinese IP, or accessing anything from a Chinese IP) it doesn’t matter if the other company interacts or complies with China’s rules - the other half of the transaction will be blocked.
So using DNS hosted outside won’t matter, because the destination Chinese IP will get blocked. Or if using outside hosting, it won’t matter, because anyone in China trying to access it will get blocked. Or anyone trying to publish anything to it the CCP doesn’t like. Presumably also with some follow up in-person ‘check-ins’.
The GFW is a pretty massive and actually impressively effective piece of technology, even if we don’t agree with it’s purpose.
Not only that, it seems to be entirely unimpressive: The premise is that they would be able to allow everything except for what they want to censor, which isn't what they're doing.
If you allow connections to random websites outside of your jurisdiction then you're de facto allowing everything, because people can proxy arbitrary traffic that way. If you don't, you're effectively disconnecting your country from the global internet, which is not an impressive technological feat. Anybody with a backhoe can do a fiber cut.
You’re just ignorant of what it does. The GFW autodetects and blocks a truly impressive number of tunnel encapsulation schemes, VPN’s, etc. and blocks a wide variety of proxy attempts.
It really isn’t dumb at all, and is quite difficult to get past.
It also auto detects ‘problematic’ content in near realtime for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.
At massive (national) level scale.
Don’t get me wrong. It’s evil. But it’s an impressive bit of evil kit.
> The GFW autodetects and blocks a truly impressive number of tunnel encapsulation schemes, VPN’s, etc. and blocks a wide variety of proxy attempts.
They made a list of tunnel systems that don't attempt to disguise themselves and then blocked them. That's not really that hard, and it meanwhile causes lots of innocuous things to be blocked. There are uses for a tunnel other than bypassing censorship.
The hard thing is to block the ones that actively attempt to look like something they're not, and release updates to change their profile whenever the authors notice it being blocked, while still allowing the thing they're attempting to look like.
> It also auto detects ‘problematic’ content in near realtime for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.
All of this is assuming the content is being distributed unencrypted or is otherwise leaking its contents through e.g. having a specific data length, none of which an encapsulation method is required to expose.
Sure, that’s why saying things like Tianmen square - over voice audio - in a game with an encrypted connection to the server gets everyone’s connections in China severed, even when the game servers are in another country and the game company has nothing to do with it.
The GFW is run by the definition of a Nation State Actor/NPT. They’re not perfect, or omniscient, but they aren’t fools or incompetent either.
And knowing all the people taking the ‘totally secret’ backdoor is not even a complex trick.
Folks like the NSA in the US have to stay in the shadows, and have a tiny budget and population to draw experts from. What do you think happens when they get to be direct, obnoxious, AND somewhat public in a national pride kind of way?
> Sure, that’s why saying things like Tianmen square - over voice audio - in a game with an encrypted connection to the server gets everyone’s connections in China severed, even when the game servers are in another country and the game company has nothing to do with it.
You're describing something that seems like an urban legend/coincidence. What technical means are you suggesting they're using to determine the contents of a voice chat over an encrypted connection?
> And knowing all the people taking the ‘totally secret’ backdoor is not even a complex trick.
That's assuming it can be distinguished from ordinary traffic.
If your device goes direct when you want to read the Wikipedia article on the Streisand Effect but you also have a browser that proxies traffic through a random AWS VPS in Virginia when you want to read about something they don't want you to know, how are they supposed to tell that the latter is that and not just a regular arbitrary third party webserver?
> Folks like the NSA in the US have to stay in the shadows, and have a tiny budget and population to draw experts from. What do you think happens when they get to be direct, obnoxious, AND somewhat public in a national pride kind of way?
It becomes easier to find way to thwart what they're doing because any random device can be used to determine if or how something is being blocked instead of only the devices of high-risk people who can't afford to test the fences.
