
I've got a question for security experts. I've always assumed that government should have enough cpu-power to decode a few encrypted emails and some https connections. So why doesn't China decode https traffic and perform the same filtering as for a simple tcp connection? And even though they wouldn't have enough power to do so, why don't they break down the https connection when it is established?



Extremely strong 'military grade' encryption is commonplace nowadays. It doesn't matter whether what you're encrypting is a casual email or the launch codes for a nuclear weapon; consumer grade encryption such as that in https is fine as long as it's configured and used correctly. The CPU power required to break it is greater than all the CPUs in the world put together running for millions of years.

The problem is that if a way can be found to disrupt the configuration, such as by compromising the certificate chain, then decrypting the message becomes trivially easy.

So reading such a message is usually either impossible, or simple.

-----


> I've always assumed that government should have enough cpu-power to decode a few encrypted emails and some https connections

It doesn't (that we know of), that's pretty much the point of encryption.

Read the excerpt from Schneier's book, presented here:

http://www.schneier.com/blog/archives/2009/09/the_doghouse_c...

-----


> why don't they break down the https connection when it is established?

Apparently they do. Several Google domains' port 443 were blocked, e.g. https://accounts.google.com, so you can't use anything Google-related, especially Gmail.

-----


> And even though they wouldn't have enough power to do so, why don't they break down the https connection when it is established?

You have to understand the purpose of China's Great Firewall. A lot of techies think that it's an attempt at 1984-style total control of information. With this in mind, they see a vessel full of obvious leaks, and can't understand why China does things this way. Blocking any connection you can't spy on is a simple solution to these leaks that any techie could come up with, but China doesn't do it (in general). Why not?

It's because the Great Firewall is not intended to be an instrument of total information control. It's intended as an instrument of broad social influence. The Chinese government does not care if you can use ssh or SSL or whatever to bounce through a proxy in the USA to get to an article about the Tiananmen Square massacre. You want to put in effort to seek out that information, go wild. You don't even need to cover your tracks.

This information is out there. They can't stop it, and they know it, and they don't even try. The purpose of censorship is to shape conversation, not eliminate information. Anyone with a little determination can bypass the firewall and read about whatever censored stuff they're interested in. But the vast majority of people don't have a little determination for this stuff. They might hit a link or perform a search, but when it fails, they'll just move on. Thus, while they can't, don't, and don't even try to stop people from knowing about these things, they can and successfully do stop people in general from thinking about them, and guide their attention to other topics.

China doesn't care about a few people using crypto to bypass their censorship. China does care about attracting foreign business, and if travelers couldn't connect to their VPNs and secure web sites then there would be serious trouble with that.

-----



