Great Firewall of China – What is it And How to Bypass it


Also referred to as The Golden Shield, the project is the responsibility of The Ministry of Public Security (MPS).

The Great Firewall of China is controversial.

While many see it as a human rights violation that creates barriers to international trade, regimes in Turkey, Cuba, Belarus, Zimbabwe, and Iran, among others, have admired the technology and modeled their own systems on it.

In this piece, we delve deep to provide a thorough examination of the technical and historical aspects of The Great Firewall of China.

We’ll also share a list of the top 10 blocked sites in China and the role VPNs play in bypassing this restriction.

History

The Great Firewall of China is a massive surveillance and censoring project.

It took its inspiration from Deng Xiaoping’s saying: “If you open the window for fresh air, you have to expect some flies to blow in.”

First, in the year 1997, The National People’s Congress (the sole legislative body in China) enacted the CL97 legislation that criminalized cybercrime in China.

The CL97 law broadly classified cybercrime into crimes that target computer networks and crimes that are carried out using computers.

[Image: Twitter blocked by the Great Firewall of China. Courtesy of http://www.chinafirewalltest.com/]

The State Council is China’s administrative body tasked with the determination of what falls under the ambit of the law. Its decision does not require the approval of the NPC.

It is the latter CL97 definition of cybercrime, crimes carried out using computers, that the government of China uses to justify its Great Firewall.

Basically, they claim these restrictions benefit the country and its citizens.

The State Council blocks information considered harmful to national security, public order, social stability, and morality.

The year 2003 saw the Chinese government embark on the Golden Shield Project which involved the creation of a massive surveillance and censorship system with the help of Western-based companies.

Implementation

The American-based Cisco provided routers and firewalls, and Motorola provided wireless communication devices.

Then, the Canadian telecommunication giant Nortel played a fundamental role in the implementation of the Great Firewall of China project.

In 2008 the government of China embarked on Operation Tomorrow aimed at curtailing the youth’s use of internet cafes to view content declared illegal as well as to play video games.

Internet cafe owners have to register all their customers in logs that the authorities can confiscate at will.

Moreover, in China, youths under the age of 18 are not allowed in cyber cafes. The ban led to the rise of underground Black Web Bars.

The Chinese government has used the Firewall to filter content and decide what its citizens can view and what they cannot.

The firewall has been effective in blocking entire websites among them Facebook, YouTube, Twitter, and Yahoo.

Technical elements that comprise the Great Firewall of China

The Great Firewall project continues to improve its censoring techniques by employing multiple methods.

But China goes beyond blocking individual websites.

It does that by scanning URLs as well as web page content for blacklisted keywords and blocking the traffic that matches.

The Firewall helps China to control the Internet Gateways where traffic moves between China and the rest of the world.

Methods used by the Chinese government to censor content

IP blocking

IP address blocking is among the easiest of the Great Firewall of China’s censorship processes. It involves dropping packets destined for blacklisted IP addresses by peering with the gateway routers of ISPs in China.

China injects an IP blacklist via BGP (Border Gateway Protocol) using null routing.

It then transmits null routes for destinations. So there’s no chance you’ll be able to access a site that uses a blocked IP address.

Though null routing blocks only the outbound traffic while allowing the inbound one, it is effective in blocking websites, as most internet communication can only be established with two-way interaction.

IP blocking is easy to implement as it is a minor burden for ISPs and no special devices are required.

However, IP blocking has its share of weaknesses:

  • The blacklist of IPs needs constant updating
  • Content providers can give ISPs a hard time by choosing to change or rotate IP addresses
  • There’s the danger of China accidentally leaking the null routes to ISPs in the neighboring countries.

DNS tampering and hijacking

DNS tampering is a technique that involves falsifying the response returned by the DNS server either through DNS poisoning or intentional configuration.

The server lies about the associated IP address, so users are given a false address for censored sites.

[Image: DNS poisoning explained]

The Great Firewall of China disrupts DNS resolution through the use of DPI devices that are strategically deployed near all gateways.

Thus, they can monitor each DNS query that originates from any end computer or DNS server inside China.

The technique is used to censor websites such as Facebook, YouTube, Twitter, and many more.

If you’re in China and query, for instance, www.facebook.com, the Great Firewall of China will inject a fake DNS reply with an invalid IP address that arrives earlier than the legitimate one.

A combination of DNS tampering and IP blocking can censor blacklisted sites as well as servers at both the domain and IP levels. Routers are also used by the Chinese government to disrupt unwanted communication.

Collateral DNS damage

DNS techniques, though powerful, can result and have resulted in unintended consequences in various circumstances.

When the Chinese government employs DNS techniques, the Firewall has no capacity to distinguish between traffic going out of the country and incoming traffic.

It may result in large-scale collateral damage that can affect communication beyond the censored networks.

A good example is where a Canadian-based resolver is required to resolve a query for a site and, to do so, needs to contact a Top Level Domain (TLD) name server in the UK.

Should the path to the TLD authority happen to pass through China, the Great Firewall will automatically inject a false reply upon seeing the query.

And since, as discussed earlier, the fake DNS reply arrives earlier than the legitimate one, the Canadian resolver will accept, cache, and return the incorrect response to the user. Thus the user will not reach the intended web server.
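The injected-reply behaviour described in the two DNS sections above leaves a signature a resolver operator can look for: one query drawing two replies with different answers, the forged one first. The following is an added example, not part of the original article; the record layout, names, addresses and the 2-second window are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class DnsReply(NamedTuple):
    t_ms: float         # arrival time at the resolver, in milliseconds
    txid: int           # DNS transaction ID echoed from the query
    port: int           # resolver's UDP source port for that query
    qname: str
    answers: frozenset  # A-record addresses carried in the reply

def find_conflicting_replies(replies, window_ms=2000.0):
    """Return {(port, txid, qname): [replies in arrival order]} for every
    query that drew two or more replies with different answer sets inside
    window_ms. Identical duplicates (retransmissions) are not reported."""
    by_query = defaultdict(list)
    for r in replies:
        by_query[(r.port, r.txid, r.qname.lower().rstrip("."))].append(r)
    flagged = {}
    for key, group in by_query.items():
        group.sort(key=lambda r: r.t_ms)
        first = group[0]
        in_window = [r for r in group if r.t_ms - first.t_ms <= window_ms]
        if len({r.answers for r in in_window}) > 1:
            flagged[key] = in_window
    return flagged

def summarize(flagged):
    """One line per flagged query. The earliest reply is the suspect one,
    since the article notes the fake reply arrives before the real one."""
    out = []
    for (port, txid, qname), group in sorted(flagged.items()):
        first, last = group[0], group[-1]
        out.append(f"{qname} txid={txid:#06x}: first={sorted(first.answers)} "
                   f"later={sorted(last.answers)} (+{last.t_ms - first.t_ms:.0f}ms)")
    return out

# Constructed observations: documentation-range addresses, hypothetical names.
SAMPLE = [
    DnsReply(10.0, 0x1A2B, 40001, "blocked.example.", frozenset({"203.0.113.7"})),
    DnsReply(95.0, 0x1A2B, 40001, "blocked.example.", frozenset({"198.51.100.20"})),
    DnsReply(12.0, 0x3C4D, 40002, "ok.example.", frozenset({"192.0.2.10"})),
    DnsReply(13.0, 0x3C4D, 40002, "OK.example.", frozenset({"192.0.2.10"})),  # benign duplicate
]

if __name__ == "__main__":
    for line in summarize(find_conflicting_replies(SAMPLE)):
        print(line)
```

A resolver that caches the first reply it receives never sees the conflict, so this check has to run on captured traffic or inside a resolver that keeps listening after the first answer.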

Deep packet inspection

China effectively uses an Intrusion Detection System (IDS) to inspect packets of data in traffic so as to establish whether the content and its keywords match those that are blacklisted.

The system is intelligent, as it does not hinder the transmission of data but rather focuses only on identifying blocked content.

It does this by inspecting the first HTTP GET request arriving after a TCP handshake, and it ignores HTTP responses as well as GET requests that are not preceded by a handshake.

The Great Firewall of China can reassemble both IP fragments and TCP segments for HTTP connections.

On-path deep packet inspection systems like the one used by the Chinese government have the advantage of being efficient and, were they to fail, less disruptive. However, they can’t prevent in-flight packets that have already been sent from reaching their intended destinations.

Manual enforcement

China has a massive internet police force of more than 50,000 employees that monitor online content. They have the power to delete offending content manually.

The police unit can order owners of offending sites and internet service providers to delete all materials that are thought to be offensive.

The government employs around 300,000 online commentators (50 cent party) whom they pay 50 cents per post.

The writers originate and post content that promotes the ruling Communist Party and counters government critics and politicians alike.

Self-censorship

Internet censorship in China encourages self-censorship as citizens and visitors alike believe they are being watched.

Enforcement of censorship and the threat of implementation make individuals and businesses exercise self-censorship to avoid legal and economic consequences.

China requires ISPs and companies to exercise control and filter content to ensure that it meets the state guidelines for objectionable content.

Many entities that operate online activities in China have signed a public pledge for self-discipline.

The commitment requires them to identify and prevent the transmission of information that is deemed objectionable by the Chinese authorities.

Leading online platforms in China like Baidu have consciously worked to ensure they meet the requirement of the state as regards censorship.

Top Ten Blocked Sites By The GFC

[Image: The Great Firewall of China – TOP 10 Websites Blocked in China]

Checking whether a website works in China is pretty simple.

You can use a service like blockedinchina.net where you just type the URL of the website and run a test to see if the website is censored or not.

For your quick reference, we have carried out tests to identify the Top Ten blocked sites in China as follows:

Facebook – not accessible from within mainland China

Wikileaks – not accessible from within mainland China

YouTube – not accessible from within mainland China

Twitter – not accessible from within mainland China

Google – not accessible from within mainland China

Gmail – not accessible from within mainland China

Wikipedia – not accessible from within mainland China

Dropbox – not accessible from within mainland China

Snapchat – not accessible from within mainland China

New York Times – not accessible from within mainland China

VPN regulation in China

With the Great Firewall, China restricts the freedom of expression.

They limit usernames and avatars and online writers have to register with their real names.

Access to social media networks like Facebook, Twitter, and YouTube is impossible as the Great Firewall blocks them.

The only hope left for residents of China to bypass the extensive censorship is the use of a VPN service.

So it was relatively easy for anyone with a VPN to bypass censorship.

However, China launched a 14-month nationwide campaign against illegal internet connections, including VPN services.

The Ministry of Industry and Information Technology in China released a notice to the effect that special cable and VPN service providers must get government approval.

The move has the effect of making VPN services illegal, and citizens as well as businesses may face harsh consequences if they defy it.

Can the Chinese people use VPN services to bypass the Great Firewall?

We are yet to see what happens next as we know VPN service providers don’t take any war sitting down.

Their business involves among other things bypassing censorship and unblocking content for their clients.

VPN services and how they bypass the Great Firewall is a topic in its own right.

However, we can confidently report that ExpressVPN is successfully bypassing the Great Firewall of China and helping Chinese people get access to their favorite websites and apps worldwide.

NordVPN is also a great option for it, although it may need some troubleshooting from time to time.

Conclusion on the Great Firewall of China

China’s internet censorship is extreme owing to the wide variety of laws and administrative regulations that are firmly in place.

The government uses provincial branches of state-owned internet service providers (ISPs) to implement the ever-increasing regulations.

The Communist Party of China uses the Great Firewall to consolidate power. The tool shuts down the opposition, political activists, and international influence.

That said, there are some upsides. The blocking of Western companies gave Chinese businesses the opportunity to grow.

However, the world is now a global village and China is missing out on the big platform.

VPNs are a major solution for bypassing extreme censorship for savvier China residents.