A research team from the University of Maryland in the US has discovered a previously hidden layer in China’s censorship system, the Great Firewall.
The Great Firewall (GFW), introduced in the late 1990s, is a system installed at Internet relay points and Internet service providers in China. It enables the government to intercept Internet traffic and block connections to websites and servers that the state does not tolerate.
The Great Firewall of China has a variety of censorship mechanisms for different protocols, but one of the most powerful and technologically advanced systems is designed to handle web traffic encrypted with HTTPS.
Currently, there are two independent systems for censoring HTTPS. The first and older one intercepts HTTPS connections early in the handshake and reads a connection data field called SNI (Server Name Indication) to learn the domain the user is trying to access.
Even though Chinese censors cannot decipher the contents of the HTTPS connection itself, the SNI field lets them block users from accessing undesirable sites.
The second system, introduced last year, is similar to the first but handles HTTPS connections that use the newer protocol for encrypting the SNI field, eSNI.
Because this system cannot see which domain the user is trying to access, the GFW simply blocks every connection in which an eSNI field is detected, a far cruder censorship mechanism.
This second system does not appear to have been widely deployed, as the censors are still testing its functionality and very few HTTPS connections use eSNI in the first place.
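To make the two mechanisms above concrete, here is an added example (my own illustration, not code from the researchers, Geneva, or the article) in Python that reads a TLS ClientHello the way an on-path observer would: it reports the cleartext SNI hostname when present, and flags the draft ESNI extension (codepoint 0xffce, assumed from draft-ietf-tls-esni), whose mere presence is all a blanket filter needs. The ClientHello bytes are constructed inline for the demonstration.

```python
import struct

SNI_EXT = 0x0000   # server_name extension, RFC 6066
ESNI_EXT = 0xffce  # encrypted_server_name, draft-ietf-tls-esni codepoint (assumed)

def build_client_hello(extensions):
    """Constructed test helper: wrap (type, data) extensions in a minimal ClientHello record."""
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + b"\x00" * 32      # legacy_version, client random (zeros, test only)
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # compression_methods: null only
            + struct.pack(">H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def sni_extension(hostname):
    """Build a server_name extension carrying one host_name entry (what the censor reads)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name   # name_type 0 = host_name
    return (SNI_EXT, struct.pack(">H", len(entry)) + entry)

def classify_client_hello(record):
    """What an on-path observer learns: ('sni', host), ('esni', None) or ('none', None)."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    pos = 4 + 2 + 32                                       # handshake header, version, random
    pos += 1 + hs[pos]                                     # session_id
    pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + hs[pos]                                     # compression_methods
    if pos + 2 > len(hs):
        return ("none", None)                              # ClientHello without extensions
    end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 2
    result = ("none", None)
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI_EXT and len(data) >= 5:
            # server_name_list: list_len(2) + name_type(1) + name_len(2) + name
            name_len = struct.unpack(">H", data[3:5])[0]
            return ("sni", data[5:5 + name_len].decode("ascii", "replace"))
        if etype == ESNI_EXT:
            result = ("esni", None)   # hostname hidden; a blanket filter keys on this type alone
    return result
```

The three outcomes map onto the article's description: the older system acts on the `sni` result, the newer one on any `esni` result regardless of destination.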
Scholars Find Parallel HTTPS SNI Filtering System
But in a research paper, researchers at the University of Maryland have revealed that they have found a second HTTPS SNI filtering system that works in parallel with the first one.
Kevin Bock, a PhD candidate in the Department of Computer Science at the University of Maryland, explains:
This is actually a serendipitous discovery: we found that while Geneva (a censorship circumvention system) circumvents censorship in the first part of the TLS handshake (where censorship is understood to occur), it fails in the deeper part of the handshake.
In other words, the researchers observed a strange phenomenon: Geneva evaded censorship in the first part of the TLS handshake (where censorship was understood to occur) but failed in the deeper part of the handshake.
We didn’t fully understand it at the time, but as our tools and understanding of GFW have grown, we’ve come to understand this strange result.
We don’t know exactly what this is, but it seems to be specific to HTTPS. There is no evidence that this is a test system or development layer, and my hunch is that it is probably a second middlebox running in parallel with the first, acting as a redundancy.
Up until a few years ago, the prevailing model was that GFW works as a monolith; in a paper published in 2020, we discovered that GFW actually consists of a set of different middleboxes that work in parallel with each other to censor different protocols.
That said, the HTTP censorship middlebox of GFW is a different system from its HTTPS censorship, and each has its own weaknesses.
This finding means that GFW is running at least three different middleboxes in parallel to censor HTTPS.