Researchers Discover Hidden Layer of the Great Firewall of China

A team of scientists from the University of Maryland has published a report about a newly discovered layer within the Great Firewall of China. This new layer is a secondary HTTPS SNI filtering system that operates in parallel with the first system, which was launched last year.

How the Great Firewall Works

The Great Firewall of China uses various censorship mechanisms that work with different protocols. Its most powerful and technically advanced component is the system that handles encrypted HTTPS traffic, which is divided into two separate systems.

  • The first and oldest system intercepts HTTPS connections at the initial stages and examines the SNI (Server Name Indication) field, which contains information about the domain the user is trying to access. This allows the Chinese government to block access to unwanted websites.
  • The second mechanism, introduced last year, is similar but works with HTTPS connections that use modern protocols encrypting the SNI field (such as eSNI). Since this system cannot “see” which domain the user is trying to access, it blocks all connections where eSNI fields are detected. This mechanism is not yet widespread and appears to still be in the testing phase, as few HTTPS connections currently use eSNI.
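
To make concrete what the two mechanisms above can observe on the wire, here is an added example (not code from the researchers' report or from this article) that parses a TLS ClientHello and reports whether it carries a readable SNI hostname or only an encrypted-SNI extension. The extension number 0xFFCE is the one used in the IETF ESNI drafts; the function names and the sample handshake bytes are constructed for illustration.

```python
import struct

EXT_SERVER_NAME = 0x0000    # plaintext SNI extension (RFC 6066)
EXT_ENCRYPTED_SNI = 0xFFCE  # encrypted_server_name, as numbered in the ESNI drafts

def classify_client_hello(record: bytes):
    """Return ("sni", hostname), ("esni", None) or ("none", None)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        p = 5 + 4 + 2 + 32                               # headers, version, random
        p += 1 + record[p]                               # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher_suites
        p += 1 + record[p]                               # compression_methods
        if p == len(record):
            return ("none", None)                        # no extensions block at all
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        verdict = ("none", None)
        while p + 4 <= min(end, len(record)):
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            body = record[p + 4 : p + 4 + ext_len]
            if ext_type == EXT_ENCRYPTED_SNI:
                return ("esni", None)                    # name hidden; only presence visible
            if ext_type == EXT_SERVER_NAME and len(body) >= 5 and body[2] == 0:
                name_len = struct.unpack_from("!H", body, 3)[0]
                verdict = ("sni", body[5 : 5 + name_len].decode("ascii", "replace"))
            p += 4 + ext_len
        return verdict
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def build_client_hello(extensions):
    """Constructed sample: a minimal ClientHello with the given (type, body) extensions."""
    exts = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_extension(host: str):
    """Constructed sample: server_name extension carrying one host_name entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)

if __name__ == "__main__":
    print(classify_client_hello(build_client_hello([sni_extension("example.com")])))
    print(classify_client_hello(build_client_hello([(EXT_ENCRYPTED_SNI, bytes(8))])))
```

With plaintext SNI the hostname is recoverable from the first client packet, whereas with ESNI an on-path observer learns only that the extension is present, which matches the article's description of the second mechanism blocking on detection alone.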

The New Discovery

Now, experts from the University of Maryland report that they have found a secondary HTTPS SNI filtering system operating in parallel with the one launched last year. The researchers told journalists at The Record that this discovery was made by accident back in 2019. According to the experts, the newly discovered system is just as effective as the first layer in censoring HTTPS, although it intervenes at the later stages of the connection.

“We started noticing strange strategies where Geneva [a censorship circumvention system] bypassed censorship during the first part of the TLS handshake (where censorship was expected to occur), but still couldn’t proceed further in the handshake. At the time, we didn’t fully understand what this was, but since then our tools and understanding of the Great Firewall have improved, so now we realize these were unusual results.

“We’re not sure exactly what this is, but it seems to be specific to HTTPS: we don’t see the same behavior in other censored protocols,” said Kevin Bock to journalists.

Multiple Parallel Systems

Experts summarize that just a few years ago, the Great Firewall was seen as a single entity, but it’s now clear that it consists of different sets of middleboxes operating in parallel, each designed to censor different protocols.

“Our discovery means that the Great Firewall uses at least three different middleboxes in parallel to censor HTTPS: two for SNI-based connections and another family of middleboxes for ESNI-based connections,” the report states.
