Last March, the buzz around the internet was that China was blocking access to some external sites. Since some clever users had figured out how to use a VPN to overcome the issue, the Chinese government also began to block some VPN implementations (PPTP- and L2TP-based VPNs). Let’s take a simple look at how this kind of Internet censorship can be established.
Starting from the IP address
This is actually a simple explanation geared toward those who want a better understanding of how things work. So let’s say you are based in China. You know that whatever device you are plugging into the internet has a unique IP address attached to it. Every communication you make on the internet is “tagged” with this IP address. On the other side, any server or peer you are talking to on the internet also has an IP address. Just think of it as your postal address, which lets the postman know which route to send your letter through.
Censorship directly on your computer
The first censorship can be done on your computer. Let’s say, for example, that you are working within an organization that has some policies with regard to using the internet (you are probably facing it: major sites like Facebook and YouTube are not allowed to be browsed from your company’s network).
Some companies set a specific proxy configuration on your browser and do not allow you to change it: the IT administrator is forcing you to go through a proxy server by setting it on your browser. If you fall into that specific scenario, you can be sure that the IT administrator has set up other ways of blocking you from accessing those websites. You usually are not allowed to change any settings on your browser. The only solution that comes to my mind for overcoming this kind of Internet censorship is to use web-based proxy servers. Although it’s not really convenient (most web proxies serve you a lot of ads), at least you can end up accessing some blocked websites.
Why does this solution work most of the time?
It works because, more often than not, IT administrators block websites on a per-destination basis: they centrally maintain a list of websites that their users are not allowed to browse, instead of a policy that denies everything and only authorizes approved websites. This means that there is a very high probability that the web proxy you’ll be using won’t be included in the list of websites that you are not allowed to browse.
In part 1 of this series about the “simplified view of internet censorship”, we discussed how this censorship can be performed on your corporate computer. Now let’s go a bit higher on the connection path and discuss what can be done on the corporate firewall or proxy side of things.
Internet censorship with firewalls
Most of the time, companies have one or two internet connections. This connection being a limited resource, IT administrators tend to limit its usage. The censorship at this stage can take the form of bandwidth limitation (which is still fine since you can still browse most websites, although it can be slow), or denial of access to some websites. This is usually done at the firewall side of the company’s router. Simply said, the filtering is done at the router that is acting as a gateway to the internet.
The filtering can be implemented via different solutions:
– either by checking the URL of the destination website the user is trying to see against regular expressions (or regex). It is then common for IT administrators to block any file download that has the .mp3 extension (or .torrent, .mp4, …)
– or by filtering by protocols and ports: this is what is actually done when the IT administrator denies applications like peer-to-peer, since those applications need to initiate a communication via a specified port. This can be done at the corporate side or at the ISP side
– or by using some publicly maintained database of “blacklisted sites”. Most proxy servers nowadays can use those public databases of blacklisted sites
– or by limiting by the originating IP address: as I said earlier, the IT administrator has a clear map of which IP address belongs to which computer. Because of that, they can say that for your particular IP address, some websites are not allowed to be reached. The only solution for you, in such a case, is to use another computer that possibly has fewer restrictions …
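The four filtering methods listed above, together with the blocklist versus deny-all-and-approve contrast from the first part, can be seen side by side in a small policy evaluator. This is an added example, not code from the original article; every host name, port, address range and rule in it is constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Every host, port and address below is constructed for illustration.
URL_PATTERNS = [re.compile(r"\.(mp3|mp4|torrent)$", re.IGNORECASE)]
BLOCKED_PORTS = {6881}                                  # sample peer-to-peer port
BLOCKED_HOSTS = {"video.example", "social.example"}     # "blacklisted sites" list
ALLOWED_HOSTS = {"intranet.example", "mail.example"}    # default-deny allowlist
RESTRICTED_SOURCES = {ip_network("10.0.5.0/24"): {"mail.example"}}


def in_list(host, names):
    """True if host is a listed name or a subdomain of one."""
    return any(host == n or host.endswith("." + n) for n in names)


def decide(src_ip, url, default_deny=False):
    """Return (verdict, reason) for one outbound web request."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme, 0)
    if port in BLOCKED_PORTS:
        return "deny", "port"
    if any(p.search(parts.path) for p in URL_PATTERNS):
        return "deny", "url-regex"
    for net, hosts in RESTRICTED_SOURCES.items():
        if ip_address(src_ip) in net and in_list(host, hosts):
            return "deny", "source-ip"
    if default_deny:  # only approved destinations pass
        ok = in_list(host, ALLOWED_HOSTS)
        return ("allow", "allowlist") if ok else ("deny", "not-allowlisted")
    if in_list(host, BLOCKED_HOSTS):
        return "deny", "blacklist"
    return "allow", "no-rule"


SAMPLES = [  # constructed requests: (source IP, URL)
    ("10.0.1.20", "http://www.video.example/watch"),
    ("10.0.1.20", "http://files.example/song.MP3"),
    ("10.0.1.20", "http://tracker.example:6881/announce"),
    ("10.0.5.7", "https://mail.example/inbox"),
    ("10.0.1.20", "https://webproxy.example/browse"),
]

if __name__ == "__main__":
    for src, url in SAMPLES:
        print(url, decide(src, url), decide(src, url, default_deny=True))
```

The last sample is the only one whose verdict depends on the policy model: the blocklist has no rule for an unlisted host, while the default-deny policy rejects it.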
Those are simple explanations of what can be done at the corporate or ISP side when it comes to “Internet censorship”. In the next article, we will address it at the country level.
How this censorship can be done at the country level
We have all heard of countries that ban access to different services: from China to some countries during the “Arab Spring”, when major revolutions happened in most Arab countries. It all started with blocking access to major user-generated-content platforms (Twitter, YouTube, Facebook, …). Governments can do so by imposing some kind of control on all international internet gateways in their countries: for all internet traffic going through those gateways, they can filter based on website address, IP address, protocols, type of content, …
Since the number of internet gateways for one country is limited, the main challenge for an entity that wants to filter is to take control of (or at least be able to monitor) those gateways. Internet technology has it that everything follows standards and protocols, thus easing the filtering process. While some protocols can use different ports randomly, the main challenge for the censor is to filter the initiating connection.
So how does it work from your point of view as a user? Initially, you want to use the regular applications (Skype, instant messaging, …) or go to regular websites (online mail like Gmail, Yahoo, Hotmail, …) or social media platforms (Facebook, YouTube, Twitter, …), and you try to use them as you normally do. You either see an error message stating that access to the site has been blocked (well, at least if they are kind enough to inform you), or you see nothing happening on your computer …
No one-size-fits-all solution
While there is no one-size-fits-all solution for each problem you may be facing, it’s always good to take the following precautions:
– Set up your workaround measures while things are still working. I can’t stress it enough. Figure out how censorship can come to you (based on the articles I just wrote or based on other online resources), and set up and test the appropriate workarounds,
– Test either of the following workarounds:
- use a web proxy and endure the ads served by those web proxy service providers. Be careful though, as some websites aren’t compatible with these implementations,
- use a VPN service so as to send your traffic through a secure and encrypted connection when going out of your country. However, as the China experience pointed out, the Chinese Government has also begun blocking some VPN implementations (PPTP and L2TP based). Anyway, SSTP and OpenVPN implementations still seem to be working (until the port they use is blocked too)
Moreover, with the convergence of ICT technologies, it is now possible to use SMS, for example, to update Twitter, thereby not going through the internet. Other solutions are expected to go mainstream.
So how can you overcome such censorship? Tor may be your saviour.