What is the Great Firewall of China and how does it work?

China is infamous for its internet censorship program, widely known as the Great Firewall of China (GFW).  

In this article, we look at what the GFW is and how it prevents citizens of mainland China from accessing the free and open internet.

What is the great firewall of China?

Since 1998, the government of mainland China has been concerned about the internet, which it perceives as a source of social and political threats to the regime’s cultural values and ideology. At the same time, it has always recognized the internet’s utility in fueling economic growth. 

Its response was to build a regulatory framework supported by a far-ranging and increasingly sophisticated system of internet censorship known officially as the Golden Shield project — known outside of China as the Great Firewall of China.

The first phase of the GFW was completed in 2006, but it has since grown in complexity and scope, restricting internet access into and out of mainland China to only three highly-monitored access points. 

The GFW is designed to block Chinese citizens’ access to the uncensored internet via technical censorship measures. It’s not concerned with policing internal dissent. The Communist Party of China (CPC) controls China’s domestic internet using an army of cyberpolice to actively monitor domestic social media channels. 

Get Proton VPN!

One of the most visible aspects of the Great Firewall is that it blocks websites and services that are household names throughout the rest of the world, including all Google services,  YouTube, Instagram, Facebook, Twitter, Wikipedia, and the websites of most major international news organizations.

Also blocked are services designed to bypass China’s censorship measures, including almost all international VPN services.

It is worth noting that the Great Firewall of China covers mainland China, not Hong Kong or Macau. Until recently, these Special Administrative Region(новое окно)s’ internet access was never interfered with and they could browse the  uncensored internet. Hong Kong’s freedom is now threatened by the 2020 Hong Kong national security law(новое окно). Still, both Hong Kong and Macau remain outside the scope of the advanced censorship system that is the Great Firewall of China.

Why does the Great Firewall of China exist?

“If you open the window for fresh air, you have to expect some flies to blow in”

Deng Xiaoping

The primary goal of the Great Firewall is to  control the flow of information into and out of the country. As China opened up to the rest of the world with the economic reforms known as the socialist market economy(новое окно) in the 1980s and 1990’s, its population became increasingly exposed to ideas and attitudes that the CPC saw as a threat to its social values and political ideology.

The arrival and increasing penetration of the internet into Chinese society caused a dilemma for the CPC. They could clearly see the internet’s value as a tool for economic growth — and its ability to  expose the Chinese people to “dangerous” ideas.

However, the GFW also serves a useful secondary purpose. With the GFW, China has effectively built an internet inside the internet, with a captive market of around 700 million internet users (approximately a quarter of all internet users on the planet). 

This has allowed domestic alternatives to international internet services that are ubiquitous elsewhere, to flourish on the Chinese mainland. These include:

The CPC keeps tight control over these services, which serves as a lucrative form of trade protectionism(новое окно). However, it also makes it much easier for the government to monitor and control domestic political dissent and other social trends it disapproves of. 

How does the Great Firewall of China work?

The CPC doesn’t share details about its highly sophisticated internet censorship system with the rest of the world. 

However, various sources, including reports from inside China and lessons learned from long-standing attempts to breach the firewall (often using side-channel (новое окно)analysis), have allowed security experts to surmise at least some of the tactics used to prevent people living in China from interacting with the wider world.

These blocks can be implemented either at the three international exit points monitored directly by the government or by the small number of government-controlled internet service providers(новое окно) (ISPs) that service China’s around 700 million internet users.

Destination IP address blocking

The Chinese government simply blocks connections to address ranges that belong to websites and other internet resources it wishes to censor. 

URL filtering

The government uses transparent proxies(новое окно) to scan URLs, HTTP headers, and the HTTPS Server Name Indication(новое окно) (SNI) for banned keywords.

DNS poisoning

The internet is set up so that DNS queries(новое окно) are usually handled by ISPs. This means the CPC can use the ISPs to aid in its censorship efforts. It often directs ISPs to block or redirect DNS queries to banned websites.

TCP reset attacks

Government cyberpolice can inject forged TCP packets(новое окно) into connections to send end-of-connection requests to blocklisted servers. These TCP reset attacks(новое окно) appear to come from the same infrastructure responsible for deep packet inspection.

Deep packet inspection

Originally developed to detect VPN use, deep packet inspection (DPI) is now an integral part of the Great Firewall. China’s DPI techniques are among the most sophisticated ever developed, making them very difficult to bypass. 

Learn more about deep packet inspection

Fake SSL root certificates

HTTPS, the encryption system that secures the internet, relies on a web of trust. Connections are validated using SSL certificates(новое окно), which we trust because we trust Certificate Authorities(новое окно) (CAs) to only issue SSL certificates to verified domain owners. 

Over the years, the Chinese government has used root SSL certificates(новое окно) belonging to Chinese CAs to perform multiple man-in-the-middle attacks. 

The most notable example occurred in 2015, when Google prove(новое окно)d that the Chinese CA CNNIC was abusing its position of trust by issuing unauthorized digital certificates for several Google domains. In response, some browsers stopped accepting certificates issued by CNNIC. However, this block was not enforced on other Chinese CAs, and browsers continue to accept  new Chinese CAs since.

The 2017 National Intelligence Law of the People’s Republic(новое окно) gives the Chinese government the formal power to ask any Chinese CA for the use of their root certificates(новое окно)

Active probing

To help tackle anti-censorship services such as VPNs and Tor, Chinese authorities use active probing(новое окно) to trace connections back to blocklisted IP addresses.  

Blocking access to app downloads

All access to websites that offer ways to bypass GFW restrictions (such as VPNs and Tor) are blocked. All Google services are blocked, including the Google Play Store, so Android users can’t download VPN apps.

If you use an Android in China, you must instead download apps from one of the several  domestic app stores, such as Tencent MyApp or Baidu Mobile Assistant. These stores often contain apps of dubious provenance but no international VPN apps.

The Apple App Store remains accessible from within China, but in 2017 Apple complied with China’s demands(новое окно) to remove all major international VPN apps from its app marketplace.  

What websites does the Great Firewall of China block?

China now blocks thousands of websites, including protonvpn.com and proton.me. Some of the more notable blocked sites include(новое окно):

  • ABC
  • BBC
  • Bloomberg
  • CNN
  • Dropbox
  • Facebook, Messenger, and Instagram
  • Gmail
  • Google services and apps (including Calendar, Docs, Maps, Play Store, etc.)
  • Hong Kong Free Press
  • LinkedIn
  • OneDrive
  • New York Times
  • Pinterest
  • Reddit
  • Quora
  • Reuters
  • Signal
  • Slack
  • Snapchat
  • Spotify
  • Steam Store
  • Twitch
  • Twitter
  • The Guardian
  • Time
  • Vimeo
  • Wall Street Journal
  • Wikipedia
  • WhatsApp
  • YouTube

It’s important to note that while the GFW is incredibly sophisticated, it isn’t entirely impenetrable. In fact, its implementation is rather inconsistent within China. Websites blocked in one province might be accessible in the next. Theoretically subversive websites can sometimes be accessed freely while innocuous ones devoid of objectionable or politically sensitive material are banned.

Even Google services have occasionally been reported as available in some areas in recent years. 

Is it possible to bypass the Great Firewall of China?

There are no reliable ways to consistently bypass the GFW of China. This includes almost all VPN services, which can be detected using China’s highly advanced DPI systems, even when using obfuscation technologies that are useful elsewhere. 

Other technologies can be helpful, although results are usually very hit-and-miss. You can counter DNS poisoning with third-party DNS services that encrypt DNS queries(новое окно) using DNS over TLS (DoT) or DNS over HTTPS (DoH). Similarly, you can evade URL filtering using Encrypted Server Name Indication (ESNI). ESNI is now supported in Firefox(новое окно) but not  Chrome (yet).

All public Tor nodes are blocked in China, but the anonymity network is still partially accessible in China using bridges(новое окно) and pluggable transports(новое окно) such as obfs4(новое окно).

Another tool reported to be effective is Shadowsocks(новое окно). Created by a Chinese developer specifically to bypass Chinese censorship, this tool creates SOCKS5 proxy connections to a server you rent yourself. This makes it unlikely that Chinese authorities have placed this server’s IP address on a blocklist. 

Final thoughts

The effort and resources the CPC has poured into the Great Firewall demonstrates how potent free speech can truly be.

Here at Proton VPN we believe that free speech, access to unfiltered information, and the ability to freely form friendships and exchange ideas with others around the world is a fundamental human right.

Tools offered by Proton VPN, such as Stealth protocol (новое окно)and Alternative routing(новое окно) have proven effective at defeating censorship in places such as Russia, Iran, and Egypt. While we at Proton have yet to find a way to consistently bypass the GFW, we support efforts everywhere to defeat online censorship.

Frequently asked questions

Why doesn’t China allow Google?


Google was happy to enforce the Communist Party of China’s (CPC) censorship restrictions for years in return for access to the 700 million internet users in China. However, in 2009, the CPC banned all Google services following a dispute over accusations that the Chinese government was complicit in cyberattacks on Google websites(новое окно).

Google responded by refusing to censor content in China, including refusing to remove videos on YouTube(новое окно) that showed police beating protesters during riots in Tibet.

Why doesn’t China allow Facebook?


The Chinese government blocked access to Facebook in 2009 when protesters used it to organize resistance to authorities during deadly riots in the western Xinjiang region(новое окно). When the government demanded Facebook to hand over the protesters’ identities and information, Facebook refused to comply, leading to the block.

Why doesn’t China allow Twitter?


The Chinese government blocked Twitter at the same time it blocked Facebook, and for the same reason — protesters used it during the 2009 Ürümqi riots to organize themselves and share information.

Is it legal to use a VPN in China?

There are no laws specifically against using a VPN in China. In fact, the use of domestic VPN services is very popular in China, although these must be registered, and they must submit logs to the government. In 2019, a man in Guangdong province was fined(новое окно) 1,000 Yuan (approx. $145) for accessing foreign websites using the Lantern VPN app. This is the only known example of someone getting into trouble simply for using a VPN, although there has been a crackdown on people running unlicensed domestic VPN services. In 2017 the municipality of Chongqing city announced fines(новое окно) for VPN users, but as far as we know, no one has ever been charged. All of this is quite remarkable for a country where, according to a 2019 survey by GlobalWebIndex, 29% of China’s 700 million internet users use VPNs(новое окно).

Does China allow social media?


All major international social media platforms are blocked by the Great Firewall. This includes Facebook, Instagram, Twitter, and Quora. However, there is a thriving social media culture in China on domestic platforms such as WeChat, Sina Weibo, and Douban(новое окно). These platforms must give the Chinese government access to their systems and comply with its censorship orders.

Статьи по теме

s AliExpress reliable?
en
  • Основы конфиденциальности
Chinese shopping platform AliExpress is undoubtedly cheap. But is it also safe and reliable, or you are likely to get scammed?
How to fix a 502 error
en
  • Инструкции
In this article, we explain what a 502 bad gateway error is and explore possible ways to fix it as a visitor to a website.
Watch Thanksgiving Day football with Proton VPN
en
Here's how you can live stream this year's Thanksgiving football games using Proton VPN, whether you're watching from home or abroad.
Where to watch Macy's Thanksgiving day parade
en
Here's how and where to watch Macy's Thanksgiving Day Parade live from anywhere in the world with Proton VPN.
What we've been up to, and what's next
en
  • Новости Proton VPN
Here are the main things Proton VPN delivered this spring and summer and the exciting changes that lie ahead on our product roadmap this winter.
Proton VPN for Windows ARM
en
  • Новости Proton VPN
We’re pleased to announce a new Proton VPN app with native support for Windows devices that use the ARM chipset.