Internet censorship in China - Wikipedia, the free encyclopedia
Main article: Golden Shield Project
The system blocks content by preventing IP addresses from being routed through. It consists of standard firewalls and proxy servers at the Internet gateways. The system also selectively engages in DNS poisoning when particular sites are requested. The government does not appear to be systematically examining Internet content, as this seems to be technically impractical. Researchers at the University of California, Davis, and at the University of New Mexico said that the censorship system is not a true firewall since banned material is sometimes able to pass through several routers or through the entire system without being blocked. Details for some commonly used technical methods for censoring are:
IP blocking
Access to a certain IP address is denied. If the target Web site is hosted in a shared hosting server, all Web sites on the same server will be blocked. This affects all IP protocols (mostly TCP) such as HTTP, FTP or POP. A typical circumvention method is to find proxies that have access to the target Web sites, but proxies may be jammed or blocked. Some large Web sites allocated additional IP addresses (for instance, an IPv6 address) to circumvent the block, but later the block may be extended to cover the new addresses.
DNS filtering and redirection
The DNS doesn't resolve domain names or returns incorrect IP addresses. This affects all IP protocols such as HTTP, FTP or POP. A typical circumvention method is to find a domain name server that resolves domain names correctly, but domain name servers are subject to blockage as well, especially IP blocking. Another workaround is to bypass DNS if the IP address is obtainable from other sources and is not blocked. Examples are modifying the Hosts file or typing the IP address instead of the domain name in a Web browser.
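A client-side check for the two DNS behaviours described above (no answer, or an incorrect address), as an added example that is not part of the original article: it compares one resolver's answers with independent reference resolvers. The resolver labels, names and addresses are constructed sample data, and the rule that one address answering several unrelated names indicates redirection is a heuristic assumed here.

```python
from collections import Counter

# Constructed sample data: A-record answers for each name, per resolver.
# "local" is the resolver under test; "ref1"/"ref2" are independent references.
# Names use the reserved .example TLD, addresses the RFC 5737 documentation ranges.
OBSERVED = {
    "news.example":  {"local": ["203.0.113.66"], "ref1": ["192.0.2.10"], "ref2": ["192.0.2.10"]},
    "video.example": {"local": ["203.0.113.66"], "ref1": ["192.0.2.20", "192.0.2.21"], "ref2": ["192.0.2.21"]},
    "mail.example":  {"local": [], "ref1": ["192.0.2.30"], "ref2": ["192.0.2.30"]},
    "cdn.example":   {"local": ["198.51.100.5"], "ref1": ["198.51.100.5", "198.51.100.6"], "ref2": ["198.51.100.6"]},
    "shop.example":  {"local": ["198.51.100.9"], "ref1": ["192.0.2.40"], "ref2": ["192.0.2.41"]},
}

def audit(observed, under_test="local"):
    """Return {name: verdict} comparing one resolver against the references."""
    verdicts, suspects = {}, Counter()
    for name, answers in observed.items():
        mine = set(answers.get(under_test, []))
        refs = [set(v) for k, v in answers.items() if k != under_test]
        ref_union = set().union(*refs)
        if not ref_union:
            verdicts[name] = "unknown"      # nothing to compare against
        elif not mine:
            verdicts[name] = "no-answer"    # references resolve it, this resolver does not
        elif mine & ref_union:
            verdicts[name] = "consistent"   # at least one shared address
        else:
            verdicts[name] = "mismatch"     # disjoint sets: wrong IP, or geo-DNS/CDN steering
            suspects.update(mine)
    # Heuristic (assumption): the same address returned for several unrelated
    # names is treated as redirection; a lone mismatch stays "mismatch" because
    # CDNs legitimately hand different addresses to different resolvers.
    shared = {ip for ip, count in suspects.items() if count >= 2}
    for name, verdict in verdicts.items():
        if verdict == "mismatch" and set(observed[name][under_test]) & shared:
            verdicts[name] = "redirected"
    return verdicts

if __name__ == "__main__":
    for name, verdict in audit(OBSERVED).items():
        print(f"{name:15} {verdict}")
```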
URL filtering
Scan the requested Uniform Resource Locator (URL) string for target keywords regardless of the domain name specified in the URL. This affects the Hypertext Transfer Protocol. Typical circumvention methods are to use escaped characters in the URL, or to use encrypted protocols such as VPN and SSL.
Packet filtering
Terminate TCP packet transmissions when a certain number of controversial keywords are detected. This can be effective with many TCP protocols such as HTTP, FTP or POP, but web search engine pages are more likely to be censored. Typical circumvention methods are to use encryption, such as VPN and SSL, to protect the HTML content, or to reduce the TCP/IP stack's MTU, thus reducing the amount of text contained in a given packet.
Man-in-the-middle attack
The GFW can use a root certificate from CNNIC, which is found in most operating systems and browsers, to carry out a man-in-the-middle (MITM) attack. On 26 Jan 2013, the GitHub SSL certificate was replaced in China with a self-signed certificate, generally believed to be the work of the GFW.
TCP connection reset
If a previous TCP connection is blocked by the filter, future connection attempts from both sides will also be blocked for up to 30 minutes. Depending on the location of the block, other users or Web sites may also be blocked if their communications are routed through the location of the block. A circumvention method is to ignore the reset packet sent by the firewall.
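A detection-side view of the reset behaviour described above, as an added example that is not part of the original article: it flags RST packets whose IP TTL departs from the TTL of the same peer's other packets. The packet records are constructed, and the assumption that a reset injected mid-path arrives with a different TTL than the peer's genuine traffic is a heuristic not stated on the page.

```python
from collections import Counter, defaultdict

# Constructed capture summary, one tuple per packet: (src, dst, tcp_flags, ip_ttl).
# Addresses are from the RFC 5737 documentation ranges; this is not real traffic.
PACKETS = [
    ("192.0.2.10", "198.51.100.5", "SA", 52),
    ("192.0.2.10", "198.51.100.5", "A",  52),
    ("192.0.2.10", "198.51.100.5", "PA", 52),
    ("192.0.2.10", "198.51.100.5", "R",  61),  # TTL differs from this peer's data packets
    ("192.0.2.10", "198.51.100.5", "R",  61),
    ("192.0.2.20", "198.51.100.5", "SA", 47),
    ("192.0.2.20", "198.51.100.5", "PA", 47),
    ("192.0.2.20", "198.51.100.5", "RA", 47),  # same TTL as the data: ordinary abort
    ("192.0.2.30", "198.51.100.5", "R",  64),  # peer never seen otherwise
]

def classify_resets(packets, tolerance=1):
    """Return (index, src, ttl, verdict) for every RST in the capture.

    The baseline for a direction is the most common TTL among its non-RST
    packets. `tolerance` allows for a small route change during the flow.
    """
    baseline = defaultdict(Counter)
    for src, dst, flags, ttl in packets:
        if "R" not in flags:
            baseline[(src, dst)][ttl] += 1

    results = []
    for index, (src, dst, flags, ttl) in enumerate(packets):
        if "R" not in flags:
            continue
        seen = baseline.get((src, dst))
        if not seen:
            verdict = "no-baseline"        # cannot judge without other packets
        else:
            usual_ttl = seen.most_common(1)[0][0]
            verdict = "suspect" if abs(ttl - usual_ttl) > tolerance else "plausible"
        results.append((index, src, ttl, verdict))
    return results

if __name__ == "__main__":
    for index, src, ttl, verdict in classify_resets(PACKETS):
        print(f"packet {index}: RST from {src} ttl={ttl} -> {verdict}")
```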
VPN blocking
Beginning in 2011, users reported disruptions of Virtual Private Network (VPN) services. In late 2012, the Great Firewall was able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems. China Unicom, one of the biggest telecoms providers in the country, was terminating connections where a VPN was detected, according to one company with a number of users in China.
Other reported methods have included:
It has been reported that unknown entities within China, likely with deep packet inspection (DPI) capabilities, have initiated unsolicited TCP/IP connections to computers within the United States for the purported purpose of network enumeration of services, in particular TLS/SSL and Tor (anonymity network) services, with the aim of facilitating IP blocking.
The Golden Shield Project is owned by the Ministry of Public Security of the People's Republic of China (MPS). It started in 1998, began processing in November 2003, and the first part of the project passed the national inspection on 16 November 2006 in Beijing. According to MPS, its purpose is to construct a communication network and computer information system for police to improve their capability and efficiency. By 2002 the preliminary work of the Golden Shield Project had cost US$800 million (equivalent to RMB 5,000 million or €620 million). Greg Walton, a freelance researcher, said that the aim of the Golden Shield is to establish a "gigantic online database" that would include "speech and face recognition, closed-circuit television... [and] credit records" as well as traditional Internet use records.
A notice issued by the Ministry of Industry and Information Technology on 19 May stated that, as of 1 July 2009, manufacturers must ship machines to be sold in mainland China with the Green Dam Youth Escort software. On 14 August 2009, Li Yizhong, minister of industry and information technology, announced that computer manufacturers and retailers were no longer obliged to ship the software with new computers for home or business use, but that schools, Internet cafes and other public use computers would still be required to run the software.
A senior official of the Internet Affairs Bureau of the State Council Information Office said the software's only purpose was "to filter pornography on the Internet". The general manager of Jinhui, which developed Green Dam, said: "Our software is simply not capable of spying on Internet users, it is only a filter." Human rights advocates in China have criticized the software for being "a thinly concealed attempt by the government to expand censorship". Online polls conducted on Sina, Netease, Tencent, Sohu, and Southern Metropolis Daily revealed over 70% rejection of the software by netizens. However, Xinhua commented that "support [for Green Dam] largely stems from end users, opposing opinions primarily come from a minority of media outlets and businesses".
Convert a list of domain names into IP Addresses
This tool allows you to bulk convert a list of domain names into a list of IP addresses. Simply paste a list of domain names (one per line) and submit the form to batch convert them to the IP addresses for the servers they're hosted on.
It would be nice to have a Firefox Add-on to automatically perform this conversion on all bookmarks, and locally store the IP addresses, hint, hint.
There are many VPN services out there too.