China is infamous for its internet censorship program, widely known as the Great Firewall of China (GFW).
In this article, we look at what the GFW is and how it prevents citizens of mainland China from accessing the free and open internet.
- What is the great firewall of China?
- Why does the great firewall of China exist?
- How does the Great Firewall of China work?
- What websites does the Great Firewall of China block?
- Is it possible to bypass the Great Firewall of China?
- Frequently asked questions
What is the great firewall of China?
Since 1998, the government of mainland China has been concerned about the internet, which it perceives as a source of social and political threats to the regime’s cultural values and ideology. At the same time, it has always recognized the internet’s utility in fueling economic growth.
Its response was to build a regulatory framework supported by a far-ranging and increasingly sophisticated system of internet censorship known officially as the Golden Shield project — known outside of China as the Great Firewall of China.
The first phase of the GFW was completed in 2006, but it has since grown in complexity and scope, restricting internet access into and out of mainland China to only three highly-monitored access points.
The GFW is designed to block Chinese citizens’ access to the uncensored internet via technical censorship measures. It’s not concerned with policing internal dissent. The Communist Party of China (CPC) controls China’s domestic internet using an army of cyberpolice to actively monitor domestic social media channels.
One of the most visible aspects of the Great Firewall is that it blocks websites and services that are household names throughout the rest of the world, including all Google services, YouTube, Instagram, Facebook, Twitter, Wikipedia, and the websites of most major international news organizations.
Also blocked are services designed to bypass China’s censorship measures, including almost all international VPN services.
It is worth noting that the Great Firewall of China covers mainland China, not Hong Kong or Macau. Until recently, these Special Administrative Regions’ internet access was never interfered with and they could browse the uncensored internet. Hong Kong’s freedom is now threatened by the 2020 Hong Kong national security law. Still, both Hong Kong and Macau remain outside the scope of the advanced censorship system that is the Great Firewall of China.
Why does the Great Firewall of China exist?
The primary goal of the Great Firewall is to control the flow of information into and out of the country. As China opened up to the rest of the world with the economic reforms known as the socialist market economy in the 1980s and 1990’s, its population became increasingly exposed to ideas and attitudes that the CPC saw as a threat to its social values and political ideology.
The arrival and increasing penetration of the internet into Chinese society caused a dilemma for the CPC. They could clearly see the internet’s value as a tool for economic growth — and its ability to expose the Chinese people to “dangerous” ideas.
However, the GFW also serves a useful secondary purpose. With the GFW, China has effectively built an internet inside the internet, with a captive market of around 700 million internet users (approximately a quarter of all internet users on the planet).
This has allowed domestic alternatives to international internet services that are ubiquitous elsewhere, to flourish on the Chinese mainland. These include:
- Bilibili and Tencent Video (YouTube)
- Sina Weibo (Twitter)
- Qzone (Facebook)
- WeChat (WhatsApp)
- Zhihu (Quora)
The CPC keeps tight control over these services, which serves as a lucrative form of trade protectionism. However, it also makes it much easier for the government to monitor and control domestic political dissent and other social trends it disapproves of.
How does the Great Firewall of China work?
The CPC doesn’t share details about its highly sophisticated internet censorship system with the rest of the world.
However, various sources, including reports from inside China and lessons learned from long-standing attempts to breach the firewall (often using side-channel analysis), have allowed security experts to surmise at least some of the tactics used to prevent people living in China from interacting with the wider world.
These blocks can be implemented either at the three international exit points monitored directly by the government or by the small number of government-controlled internet service providers (ISPs) that service China’s around 700 million internet users.
Destination IP address blocking
The Chinese government simply blocks connections to address ranges that belong to websites and other internet resources it wishes to censor.
The internet is set up so that DNS queries are usually handled by ISPs. This means the CPC can use the ISPs to aid in its censorship efforts. It often directs ISPs to block or redirect DNS queries to banned websites.
TCP reset attacks
Government cyberpolice can inject forged TCP packets into connections to send end-of-connection requests to blocklisted servers. These TCP reset attacks appear to come from the same infrastructure responsible for deep packet inspection.
Deep packet inspection
Originally developed to detect VPN use, deep packet inspection (DPI) is now an integral part of the Great Firewall. China’s DPI techniques are among the most sophisticated ever developed, making them very difficult to bypass.
Fake SSL root certificates
HTTPS, the encryption system that secures the internet, relies on a web of trust. Connections are validated using SSL certificates, which we trust because we trust Certificate Authorities (CAs) to only issue SSL certificates to verified domain owners.
Over the years, the Chinese government has used root SSL certificates belonging to Chinese CAs to perform multiple man-in-the-middle attacks.
The most notable example occurred in 2015, when Google proved that the Chinese CA CNNIC was abusing its position of trust by issuing unauthorized digital certificates for several Google domains. In response, some browsers stopped accepting certificates issued by CNNIC. However, this block was not enforced on other Chinese CAs, and browsers continue to accept new Chinese CAs since.
The 2017 National Intelligence Law of the People’s Republic gives the Chinese government the formal power to ask any Chinese CA for the use of their root certificates.
Blocking access to app downloads
All access to websites that offer ways to bypass GFW restrictions (such as VPNs and Tor) are blocked. All Google services are blocked, including the Google Play Store, so Android users can’t download VPN apps.
If you use an Android in China, you must instead download apps from one of the several domestic app stores, such as Tencent MyApp or Baidu Mobile Assistant. These stores often contain apps of dubious provenance but no international VPN apps.
The Apple App Store remains accessible from within China, but in 2017 Apple complied with China’s demands to remove all major international VPN apps from its app marketplace.
What websites does the Great Firewall of China block?
China now blocks thousands of websites, including protonvpn.com and proton.me. Some of the more notable blocked sites include:
- Facebook, Messenger, and Instagram
- Google services and apps (including Calendar, Docs, Maps, Play Store, etc.)
- Hong Kong Free Press
- New York Times
- Steam Store
- The Guardian
- Wall Street Journal
It’s important to note that while the GFW is incredibly sophisticated, it isn’t entirely impenetrable. In fact, its implementation is rather inconsistent within China. Websites blocked in one province might be accessible in the next. Theoretically subversive websites can sometimes be accessed freely while innocuous ones devoid of objectionable or politically sensitive material are banned.
Even Google services have occasionally been reported as available in some areas in recent years.
Is it possible to bypass the Great Firewall of China?
There are no reliable ways to consistently bypass the GFW of China. This includes almost all VPN services, which can be detected using China’s highly advanced DPI systems, even when using obfuscation technologies that are useful elsewhere.
Other technologies can be helpful, although results are usually very hit-and-miss. You can counter DNS poisoning with third-party DNS services that encrypt DNS queries using DNS over TLS (DoT) or DNS over HTTPS (DoH). Similarly, you can evade URL filtering using Encrypted Server Name Indication (ESNI). ESNI is now supported in Firefox but not Chrome (yet).
Another tool reported to be effective is Shadowsocks. Created by a Chinese developer specifically to bypass Chinese censorship, this tool creates SOCKS5 proxy connections to a server you rent yourself. This makes it unlikely that Chinese authorities have placed this server’s IP address on a blocklist.
The effort and resources the CPC has poured into the Great Firewall demonstrates how potent free speech can truly be.
Here at Proton VPN we believe that free speech, access to unfiltered information, and the ability to freely form friendships and exchange ideas with others around the world is a fundamental human right.
Tools offered by Proton VPN, such as Stealth protocol and Alternative routing have proven effective at defeating censorship in places such as Russia, Iran, and Egypt. While we at Proton have yet to find a way to consistently bypass the GFW, we support efforts everywhere to defeat online censorship.
Frequently asked questions
Google was happy to enforce the Communist Party of China’s (CPC) censorship restrictions for years in return for access to the 700 million internet users in China. However, in 2009, the CPC banned all Google services following a dispute over accusations that the Chinese government was complicit in cyberattacks on Google websites.
Google responded by refusing to censor content in China, including refusing to remove videos on YouTube that showed police beating protesters during riots in Tibet.
The Chinese government blocked access to Facebook in 2009 when protesters used it to organize resistance to authorities during deadly riots in the western Xinjiang region. When the government demanded Facebook to hand over the protesters’ identities and information, Facebook refused to comply, leading to the block.
The Chinese government blocked Twitter at the same time it blocked Facebook, and for the same reason — protesters used it during the 2009 Ürümqi riots to organize themselves and share information.
There are no laws specifically against using a VPN in China. In fact, the use of domestic VPN services is very popular in China, although these must be registered, and they must submit logs to the government. In 2019, a man in Guangdong province was fined 1,000 Yuan (approx. $145) for accessing foreign websites using the Lantern VPN app. This is the only known example of someone getting into trouble simply for using a VPN, although there has been a crackdown on people running unlicensed domestic VPN services. In 2017 the municipality of Chongqing city announced fines for VPN users, but as far as we know, no one has ever been charged. All of this is quite remarkable for a country where, according to a 2019 survey by GlobalWebIndex, 29% of China’s 700 million internet users use VPNs.
All major international social media platforms are blocked by the Great Firewall. This includes Facebook, Instagram, Twitter, and Quora. However, there is a thriving social media culture in China on domestic platforms such as WeChat, Sina Weibo, and Douban. These platforms must give the Chinese government access to their systems and comply with its censorship orders.