Very sad. Though I have an alternative Apple account outside CN, prepared for this a long time ago, it still brings me some inconvenience. These days you can't trust any mega corp; they will eventually store our (Chinese citizens') data in CN.
Another explanation is the upcoming 19th National Congress of the CCP. Recently many policies have been published to restrict freedom of speech, indicating the leader now might desire another 5-year presidency.
So does the Great Firewall do deep packet inspection? I take it that it does, and blocks any protocols that it detects that allow tunneling/traversing the firewall.
What if there was a method of changing the standard data formats to be randomized based on one time authorization codes? So your SSH/SSL/L2TP/etc was mangled around to something corresponding to a one time auth function. Basically pre-encrypting or obfuscating to avoid the deep packet inspection.
When you have the data about a lot of normal traffic, you can easily spot the abnormal traffic. Then, slow it down or stop it. False positives aren't a huge priority, I don't imagine.
Related to this, this is an interesting paper that clarifies how the Great Firewall discovers Tor nodes by doing active probing: https://nymity.ch/active-probing/imc2015.pdf. No deep packet inspection is necessary when you pretend to be a Tor user and can identify the typical response for a Tor node.
Speedify got pulled Saturday morning: "your application will be removed from the China App Store because it includes content that is illegal in China, which is not in compliance with the App Store Review Guidelines: 5. Legal"
It sucks that you can't simply sideload apps like with Android (it is possible but has many restrictions). That's my main gripe with iOS. Without Apple's servers your device is virtually useless. Apple pulling those apps would be a non-issue.
What exactly is a "VPN app" for iOS? How does it work? I was under the impression that iOS natively supports VPNs through IPsec (and perhaps a few other technologies), and that it doesn't have tap/tun devices, nor does it allow installing kernel drivers to create tap/tun devices, so you could not use e.g. OpenVPN.
So what do these VPN apps actually do? Are they just a front-end for some service, but the phone still uses IPsec? If that is the case I assume you can configure IPsec manually?
Can someone explain? A link to some technical document would be amazing.
Apple allows implementing new VPN protocols as a sandboxed plugin that communicates with the network manager; this was implemented in iOS 9 as part of the larger iOS 8 effort of implementing sandboxed plugins like custom keyboards.
A VPN app contains such a plugin, plus the required user interface to log in/configure the service. The user downloads the app, configures it by providing credentials (or gets auto-configured through an MDM), and then the VPN network appears in Settings, among the other VPNs created with a built-in protocol like IPsec.
The VPN plugin is obviously sandboxed with the minimum possible privileges.
Thank you very much for this explanation. It would be great if macOS worked the same. Personally, I try to use IPsec VPNs as much as possible, and then I use the built-in networking on my laptop, but quite often my clients require me to use their Cisco AnyConnect VPN, which basically requires installing kernel modules.
Edit: actually after reading your link, it appears Network Extension is supported by macOS as well? That would be great news, if vendors would also update their apps to use it.
OpenVPN can do both routed and bridged connections on macOS without kernel modules (using a tun/tap device, as it does on other Unixish platforms). This requires administrative privileges though, which is what Apple's API is designed to avoid.
> OpenVPN can do both routed and bridged connections on macOS without kernel modules (using a tun/tap device, as it does on other Unixish platforms).
But macOS doesn't have a tun/tap device. It needs kernel drivers to create one.
In either case, my main gripe is with Cisco AnyConnect, not OpenVPN. Cisco AnyConnect is very popular; I haven't had any client use OpenVPN, though many do use IPsec.
The legit apps are mostly VPN policy/configuration managers. You give them permission to hook into the built-in consumer and business level VPN capabilities of iOS without giving them the ability to MITM all the traffic on the device.
Mostly the apps give you tools to select the edge / country you want to connect to, whether you want DNS ad blocking, and a way to use App Store subscriptions to pay for VPN. They can also give you easy on/off 3D Touch or widgets, or show you dashboards of usage.
You can use an app to create a VPN profile then remove the app, it’s not needed. You can also load VPN profiles other ways, without an app.
As far as I have been able to figure out and remember from my time in China...
Businesses are technically allowed to have VPNs. China still relies on foreign companies, and a lot of Chinese companies rely on, for example, AdWords to promote their business outside of CN.
(This doesn't mean it's uncommon for CN to try to hack into these VPN tunnels, but the goal is not blocking access, and more about corporate espionage.)
The Great Firewall also operates on a (customer) ISP level (rules and DPI vary per ISP and city) and not so much on outgoing traffic.
Most western companies rent fiber directly that is not affected by the GFW.
For example, I know they could easily spot OpenVPN traffic and send RST packets to the host (also, any DNS request with "vpn" in it is often sent to a honeypot). IPsec had better chances of success (perhaps because that was less common?).
The VPN (and information control) targets mostly local Chinese. They don't care too much about tourists (collateral damage).
When I traveled there, I noticed that if I am roaming on the mobile network (with a U.S. carrier SIM card but service provided via China Unicom), Facebook was accessible. Do you know why?
Your data is routed as phone network data to your U.S. carrier, who has the gateway to the Internet. This is because mobile data protocols were originally not designed with the Internet in mind, but as a separate network. The Internet gateways were added on later.
Now, if China makes them pull shadowsocks(R) clients from the Apple/App/iTunes Store... then we'll know they are serious. Sorry for all the VPNers in China on Apple; at least you can go get a cheap Android device in China and monkey around and patch together a mobile VPN-based solution of some sort.
Unfortunately, this method was blocked years ago. Well, not blocked completely, but the speed slows down to zero (packet loss grows to 100%) within a couple of minutes, making it practically unusable.
It's possible to detect even if the packets can't be decrypted (there are commercially available solutions for corporate firewalls as well). This post gives some interesting insight into some of their blocking capabilities.[1]
Can anyone in China confirm if the solution in this article (padding the packets to random lengths) still works? I'm heading out to China later this year and it would be nice to have this as a backup if my VPN doesn't work.
It's trivial to detect SSH connections if you do deep packet inspection. Doing it for all connections and even on non-standard ports would require a significant amount of power, however. That might not be a problem for the Chinese government.
The assertion made on NPR this morning was that it was likely that the 'approved' VPN clients that remain on the App Store are likely to have backdoors to the state.
I have no knowledge on that, so if that's an absurd assertion, please feel free to let me know.
1. Google complied with China's censorship laws for a while, but since no good deed goes unpunished, they got hacked by China. Only afterwards did they decide to leave the Chinese market altogether and no longer censor their Chinese results. They do get blocked now, from time to time (or depending on keyword, I forget).
Really? To me it sounds more like an abbreviated way to say:
"Despite their polished 'Designed in California' efforts to strike a tone that resonates with the affluent organic free-range eco-democratic westcoast set, when the rubber hits the road, Apple kowtows to authoritarian despots if the profits are 'iphone-scale'."
Does that also sound like flamebait to you? If so, then I suggest you introspect about where and why your fires burn.
To a degree. Every business has to follow the law of their head office and umbrella group. When local law is inconsistent with head office law, then a grey area is entered. If this grey area is not reconcilable, then head office wins and local office capitulates or shuts down if pushed to that extent.
All companies jump when the country they are in tells them to. At most we can complain during Apple shareholder meetings of our displeasure for them to do business in a country whose activities we do not agree with. There are far greater transgressions happening in other countries than blocking VPN, but where is the concern for sales within them?
Lastly, we don't have the right to tell China what is right for China. We can say we don't agree but similarly do we listen to China when they tell us what they don't like?
They absolutely stake out moral positions on issues like these all the time. The difference is they only do it in the West where rule of law prevails and they can actually exert influence.
They've done it with various anti-LGBT efforts that have taken place around the US, they've done it with the fight with the FBI and they're doing it right now in Australia [1], among others.
What they don't do is shoot themselves in the head in some misguided attempt at ideological purity.
There are various things on this spectrum that any business can choose to do, or not do: use child labor, use political prison labor, dump toxic waste in public streams and rivers (after funding lobbyists to make it legal), etc.
You're absolutely right; there's a moral dimension there, too.
(And not just in China. For instance, Apple banned an app I used to keep rough tabs on how many civilians my democratically elected government was killing with drone strikes.)
There's even a strong chance I'd actively hamper company operations surrounding the project, and bust out psychological warfare on management until fired.
Actually those silly trainings that most of us have to do at companies of similar size about company culture say exactly that, that it is preferable to lose a business than do immoral stuff.
Of course no one takes them seriously, because the actual reality on the field is that nothing other than profits matter.
Sure I would. The Chinese market is already dominated by Android. Only those with a lot of money can buy Apple, and people with a lot of money have influence.
I would love to see the party trying to come up with an excuse for their VIPs and their angry daughters for an Apple block.
That is a misperception. You think Apple made so much money in China because only the rich buy iPhones? Chinese people are willing to save/spend several months of their salary for the newest iPhone due to its status symbol.
So this is part of a Chinese Government strategy to get Apple out of the market?
Even more reasons to not do it. If the Chinese government decided they want you out, you will be out. Why not take some advertisement with them for the rest of the world? They surely knew how that works with the FBI problem.
Oh, I see, they only take on "moral" issues when it comes to the US elections?
Companies like Apple, Google, and Facebook can sway the world right into totalitarianism via their support of censorship and disregard for basic human rights. If these companies do side with the least common denominator, where does that leave the rest of us?
https://news.ycombinator.com/item?id=14880659