IT Jobs
UK boffins douse China's Great Firewall
Cambridge researchers discover censorship bypass
By Sumner Lemon and Nancy Gohring, IDG News Service
Published: 11:08 GMT, 05 July 06
Researchers at Cambridge University claim to have found a way to bypass China's advanced Internet content filter, but it remains far from a breakthrough, warn the others.
In a paper, titled "Ignoring the Great Firewall of China" [pdf], the three authors offer a rare insight into the workings of China's complex filtering system.
The Chinese government filters content by looking for banned keywords contained in data packets sent over the Net, the paper reveals. When a banned keyword is detected, the network router then detects it sending RST (reset connection) packets to both the client computer and the Web server. This then prompts them to break their connection and block the user's access to the site.
Head of Google China leaving to start new venture | Former head of Google China launches $115M investment fund
The RST commands one of the basic components of the TCP protocol, which provides the foundation for communication over the Internet together with the IP protocol.
Once the connection is broken, the Great Firewall's routers continue to block all connections between the two computers for a period of time using RST packets. The length of time varied - ranging from a few minutes to nearly an hour - the researchers said, putting the average at around 20 minutes.
However, since this screening method does not prevent the original packets from getting through, the researchers propose using special software or modifications to firewall software that would ignore RST packets and so continue to send packets and effectively circumvent the Great Firewall.
While the method is novel, it really is nothing new, claims IT expert Michael Robinson, who is based in Beijing. "There's nothing in there I didn't know two years ago," he said, adding that he didn't think the method outlined in the paper would make any difference.
"The connection reset system described in the paper is only one layer of a much larger multi-layer content control system. Using encrypted proxy servers is the only way around all of them," he said.
"Any solution to the connection reset problem would involve just as much work for individual Chinese internet users as it does to set up a proxy connection, and the proxies provide a complete solution, rather than a partial solution as described in the paper," he said.
One of the report's authors, Richard Clayton, disagreed however. He argued that encryption methods don’t typically encrypt the link to the proxies and so traffic is clear when it crosses the firewall and is subject to censorship.
He also noted that authorities in China don’t look kindly on people who run encryption software. Ideally, operating system developers like Microsoft or security software makers like Zone Alarm will start building their TCP/IP stacks to discard the resets as an extra security layer in their products.
"If it’s standard, then it’s harder for authorities to deal with it," Clayton said.
Clayton said he had contacted Microsoft to ask if the company would ever build such a mechanism into its software but the company refused to comment.
If this method was to be used as a method to bypass China's censorship efforts, website operators would also have to support the mechanism on their servers - another hurdle to its realistic implementation.
.gif)
Add your commentComments