Hacker News new | comments | show | ask | jobs | submit login
Google Can Bring an End to Censorship in 10 Days (greatfire.org)
71 points by nkurz on Nov 23, 2013 | hide | past | web | favorite | 73 comments

> The code-sharing site Github uses encrypted-only access and, perhaps not intentionally, broke the pattern of Internet control in China.

Encrypted-only access is not a solution, it's a patch. Here is how China could break it if they wanted to:

1. Choose domains that you want to monitor in this way. E.g. github.com.

2. Requests to any IP for that domain on port 443 will return a certificate that the Chinese government issued using CNNIC. This is trusted by at least Mozilla: http://snag.gy/E1ftE.jpg (note to self: delete that ca)

3. Requests to any IP for that domain on port 80 will be converted to ssl. So the browser is connected over http to the ISP, and the ISP's servers will connect over https/ssl to Github.

In all instances, monitoring is possible. Forcing ssl is no solution. It does make monitoring harder though, and I suppose that is a good thing already, but all the Chinese government needs to do is throw money at it and the ISPs will be able to handle this.

If they do that, Mozilla, and most of the other browser vendors, will immediately revoke and blacklist that CA.

There was already a lot of debate about adding the CA, but the final consensus was, I believe, "as long as they don't actually abuse it, we should trust them; as soon as we have evidence of someone doing a MITM attack with that CA, we will blacklist it".

How many legitimate websites use that CA? Especially ones Chinese users will visit often? If the browser blocks the CA, those will all break.

Perhaps the browser could do something subtler, but it's not straightforward. Or we could make the https cert protocol more flexible, but changing protocols is hard.

Sourceforge and friends are known for injecting badware into binary installers for open-source software.

It will be interesting to see if the Chinese government makes their own alterations to the Firefox binary installers that pass through their network that add the CA back in.

Nobody checks their installers' GPG keys anyways

> Sourceforge and friends are known for injecting badware into binary installers for open-source software.

Wait... what???

GIMP no longer distributes binaries on sourceforge because sourceforge's installer "bundles third-party offers with Free Software packages. We do not want to support this kind of behavior, and have thus decided to abandon SourceForge."



After reading that it doesn't look to me like they're sneaking into otherwise pure installers or doing it without project's knowledge. "When SourceForge introduced this, it bribed encouraged the top projects to participate by giving them a cut of the take. So these co-operating projects are also knowingly selling their users down the river."

For as long as I can remember Sourceforge's usability has sucked. That's reason enough to avoid it (but omg! free file hosting!) but the installer thing maybe isn't quite as deceptive and malwareish as your first message let on. It's just another facet of their lameness.

Kudos to Gimp for dumping them. Why does anyone stay with them at this point?

Aha, thanks for the clarification. It's good to know SF is only doing this under the consent of project leaders; I was under the impression that they were sneaking it under the radar.

I've actually been disappointed that downloading Firefox is only done over HTTP and I didn't see where SHASUMs for the builds were available. I actually tweeted at them about this and never got an answer: https://twitter.com/andrewdeandrade/status/40000123091669401...

You might be interested in the post we wrote about the Github MITM attack in China: https://en.greatfire.org/blog/2013/jan/china-github-and-man-...

Previously I would only have thought about distrusting a CA like CNNIC, but since the Snowden revelations, I feel like we all need to start questioning just about every CA out there.

The entire CA approach requires me to trust entities that I am not certain are truly trustworthy. After all they all fall under varied jurisdictions and at the end of they day they are owned and operated by individuals that can be bribed or coerced. Furthermore, we don't know what kind of practices each CA has in place to mitigate tampering and prevent subversion of the CA system.

With that in mind, is it possible to make a CA that is distributed (via a DHT) and publicly verifiable. The process to get a certificate from such a distributed CA could be a long, intense process, but at least it would be trustworthy to a degree no other CA could be.

Is Namecoin a viable alternative? Are there others?

I think the author wasn't suggesting to end surveillance, too, just censorship. Unless you're saying that the Chinese government could just do MITM attacks and serve the readers different stuff.

I see no reason why they couldn't, but good point. I had indeed replaced 'censorship' with 'surveillance' in my mind.

Surely, this is an (admittedly broad and difficult) issue with CAs and the trust element of SSL authentication. By the theory of SSL, an 'attacker' is not supposed to have control over a 'trusted' CA, so SSL is 'supposed to' protect against this.

> By the theory of SSL, an 'attacker' is not supposed to have control over a 'trusted' CA, so SSL is 'supposed to' protect against this.

Every major government has a CA cert in your browser. SSL was obviously designed to be subverted in exactly this way. You won't even get a warning. Google pins their own certs in their own browser, but Moxy's Convergene.io or something like TACK would need to be implemented by Google and Mozilla for you to have a fighting chance.

Exactly. But the important point is that the current situation with CAs may be flawed, but since ultimately the user has control over which certificates to trust, it will be possible to use better trust models (like convergence.io) to eliminate censorship. After that, we can indeed use encryption to fight censorship.

Is convergence.io still a viable project? Last time I checked the github repo it looked to be abandoned.

I only thought of the Chinese govt issuing a certificate after writing half the post. Initially I was just going to comment on the easy possibility of MITM attacks. These would fail whenever anyone forced https into their address bar, but I think less than 5% of the people do that. That would mean just refusing connections for the <5% and still sniffing everyone else.

Strict transport security (http://en.m.wikipedia.org/wiki/HTTP_Strict_Transport_Securit...) is an attempt to prevent exactly this. However assuming that the user is always on a MITM'd connection, a preloaded list in the browser becomes necessary.

Yes, doing this attack after a site is already publicly known is hard because of HSTS (if Github uses it), but slowly caches will expire and browsers will reset themselves, and the amount of http traffic will increase a lot.

How is the author overlooking the most obvious course of action the Chinese government could take?

China could easily block Google outright -- while the Github reversal the author mentions is certainly surprising, Google represents only a small sliver of Chinese search engine use [1] and probably wouldn't result in much of a mass outcry.

[1] http://thenextweb.com/asia/2013/09/17/baidu-still-tops-china...

Sincerely, you're wrong.

GreatFire.org exists to end China's censorship - they have pondered long, researched, and have not missed your point.

China's weakness is they cannot censor where it crimps the economy too much.

Read: Collateral Freedom https://openitp.org/pdfs/CollateralFreedom.pdf

China blocking all Google products would make such a backlash in China that it's not a feasible move for the China government. Just as with Github, too many people would complain about losing $$ in the economy.

Gmail, Android, Chrome, Picasa, Google Drive, Docs, Translate, Maps, Scholar, Books, Earth, AppEngine, Research, Hangouts. Too many Chinese rely on these financially, and in their jobs.

GreatFire.org is right. This is a superb defrocking of censorship that will work.

The real question is why isn't Google doing this.

You've never been to China, have you?

Access to gmail is spotty and unreliable, like most other google services. Android phones connect to Chinese android market and most have alternative chinese only app markets. If google where to stop access to android market, people would get pissed, but switch app-provider.

For the rest, these are barely used services. I don't even think hangouts are accessible, since it's a part of Google+, which is blocked. Maps? Year, it's nice, but so is Baidu maps. Picasa? Which economy is impacted by picasa?

> China's weakness is they cannot censor where it crimps the economy too much. It's brilliant.

While this is true, google is not one of them.

I've been going to China since 1985 (28 years), speak Chinese and Japanese, and read the newspapers fluently in both.

How about Amazon?

To be fair, a number of those are regularly and/or completely blocked in China, e.g. Google Drive[1] and encrypted.google.com[2] completely (if I'm reading those right) and gmail[3] often enough to be notable.

[1] https://zh.greatfire.org/https/drive.google.com

[2] https://zh.greatfire.org/encrypted.google.com

[3] https://zh.greatfire.org/https/mail.google.com

Also, Android in China is completely degoogleified. No Google accounts, no Play, no GMail...

Surely that's a good thing?!

The translation of your link for Gmail says Gmail is (only) 9% blocked in China.

If Gmail didn't work 9% of the time, nobody would use it.

right, which is why I said "often enough to be notable". Nearly 1 out of 10 visits blocked would certainly make use of it difficult. However, almost all of the samples for gmail are colored orange, but google translate doesn't do a great job of translating the legend ("矛盾" -> "Contradiction"?), or at least I'm not sure what that means.

--Gmail, Android, Chrome, Picasa, Google Drive, Docs, Translate, Maps, Scholar, Books, Earth, AppEngine, Research, Hangouts. Too many Chinese rely on these financially, and in their jobs-- google docs, google drive, google videos are already blocked in China, google images is almost useless, as it blocks in the second search, then you have to restart the browser to search another keyword for images ( count until 10 before restart the browser ) and even google search is almost useless in most of China, as it takes too long to return the results (except for the big cities, where it works ok) , same for Gmail, it takes 5 minutes to open, and often never opens, the progress bar just stops in the middle.Again, this is not for big cities, but try to open Gmail out of the urban area of big cities and wait. Lan-houses(cyber cafes) dont open Gmail even in big cities. The impact on economy for completely blocking google will be almost zero. I live in China for 10 years, right now using a ssh to open gmail.

The article specifically mentions China blocking Google.

“Google! Do it! If they don't block you, freedom wins. If they do block you, there will be much more opposition to censorship inside China and the system will be forced to change, thus freedom wins too!”

The article describes how the their (small?) group of activists is willing to "bet the house", and that the potential outcome could include Google being blocked.

It's nice that they're willing to see Google blocked, but they're not actually giving up anything if that happens. Google on the other hand is a public company and has a lot more to lose if they're blocked. What would the shareholders say to Google risking the ad revenue from Chinese Internet users? And they're already fighting for marketshare with Baidu ... they could end up losing enough ground to never recover.

The activists might find that tack is a far better way to proceed. Google could easily just say "switching to HTTPS is in accordance with our policies throughout the rest of the world and it's (one way) to protect Chinese users from spying by the NSA (and others). Actively redirecting blocked requests to cached pages would on the other hand offend the Chinese government and would signal Google's true intent.

If you're going to be activists, you need to have a much better understanding of corporate motivations as well as become much more tuned into politics.

Sincerely, that's not correct.

GreatFire.org is at the cutting-edge of research (including from Harvard, Princeton, and many software engineers globally and in China) to end the censorship in China. GreatFire.org is on the front lines of solving censorship.

This idea is new research that works.

Google has a preponderant position in search in 125 nations, and is not hurting that much from retreating to HongKong. Baidu can't even get a foothold going in Japan.

On the other hand, the blunt mercantilism which keeps Google, Twitter, YouTube, Facebook out of China stands to weaken by applying this excellent idea.

Google actually may benefit by responding adroitly to the intentional evisceration of Google by the Chinese government.

The beauty of this research is that it probes a blind spot in China policy not easily remedied, while hitting the one place China cares about - money and the national economy.

I won't dispute that GreatFire.org is at the cutting edge of research, I just think the solution is naive. And you haven't addressed my real point which is that they're giving up nothing (certainly nothing of their own) if Google gets kicked out of China but you've conceded my point that there's an economic reason Google has behaved the way it has.

All I was stating is that part one of the two-part proposal (encrypting all traffic) should be done on it's own - that providing access to blocked content took Google from a passive position to an active one. Most of the students at Tiananmen Square didn't risk getting run over by a tank, but we still talk about the fact they had the courage to rally. If GreatFire.org wants to decides to take on the tank, that's fine, but it's not fair to push Google in front of the tank ... that's their decision to make.

P.S. The article also discusses Google's "Don't be evil" model ... I agree that it would be admirable to also try to abate evil where they can.

P.P.S. After watching the Matt Damon video in another posting, I'm reconsidering blind obedience myself!

We're not giving up anything of our own, but we really have nothing to give up. If Google ignores this and life goes on, life will go on for us, too. We will continue to do what we are doing. If I could do what we suggest Google does, then I would. But we are not Google. They have the power to do this, they can do it now - we should not have to wait for ten years. Eric Schmidt is saying today that Russia is taking cues from China on web censorship - this idea can stop them, too. It can stop all of them.

I think we're agreeing ... and I think what you're standing up for is admirable, so I'll stand along side you. I also have nothing to give up, so that doesn't mean much - other than we're kindred spirits, perhaps with a real libertarian bent.

Who is funding you?

Why are you tackling censorship in China first and not any other country, like your own?

We are Chinese but we are now considering expanding.

> How is the author overlooking the most obvious course of action the Chinese government could take?

He didn't overlook it, he addressed it specifically. Read the article.

Are you sure Google's big enough in China to have an impact?


Even worse, that's by revenue, not searches:


3% of search is a blip.

[EDIT: Fixed the links mangled by cut-n-paste from other thread]

Did you even read the article? Eric talks about how American designed encryption paradigms will eventually introduce free speech that cannot be stopped or surveilled even in places like China.

What Google's search market shares have to do with that concept is beyond me, though.

The article was not about the technology, but about the ability for Google to unilaterally affect the ability for the Chinese government to surveil their population.

The premise relies on Google being irreplaceable to the Chinese economy.

    We are gambling with Google’s stack that
    they are big enough and important enough
    that the Chinese authorities would not 
    dare block it in mainland China completely.
However, that isn't supported by the data - Google's market share. If Google did something which the government truly objected to, such as offering encrypted proxies (which encrypted search is), then they could block the entire domain and only affect the portion of their population that uses it.

Market share is a good proxy to measure that population, and it's 3%.

I'm not convinced that 3% is large enough to cause the government to give up.

Google doing this would be great, and I do support it. However, the effect would be so much greater if all US companies allied against stuff like this, and form some kind of BSA against censorship and surveillance by governments around the world.

The last time Google did this with the Chinese government, I remember Microsoft was ecstatic at potentially replacing Google in China with Bing, by following the same requests Google wouldn't, from the government, just so they can win even an extra 1 percent market share (which they never did, anyway - Baidu filled the gap).

As long as US companies keep screwing each other over for that extra 1 percent they can gain over their competitors in China, if they do follow China's orders, while the competitors do not, this is going to be a very hard thing to "win". So shame on those who do that.

In the past we have strongly suggested that all sites switch to HTTPS. If this happened on "World Global HTTPS Awareness Day", i.e., at about the same time, then I think China would be faced with some tough decisions.

"How Archer Daniels Midland could end world hunger in just 10 days"

"How the United States Senate could end political gridlock in just 10 days"

Keep in mind this quote comes from the same man who said, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

I wish the correct response to that statement (and it's spiritual brother: if you've done nothing wrong, you should have nothing to hide) was as widely known as the statement itself.

As an idea, it should be so thoroughly discredited by now that merely stating it approvingly marks one as either morally deficient, an idiot, or both. Making that statement should be at the same level of social disapproval as, say, suggesting genocide as a reasonable way to deal with undesirable people groups.

As of today, though, regular run-of-the-mill people are unable to formulate why that statement is not just wrong, but ridiculously, appallingly so. I fear learning why will come at a rather significant cost to humanity in general. :(

I guess this is how civilization moves forward. It's not pretty.

What about surveillance by Google itself? What we should be asking ourself is how do we improve https://duckduckgo.com ? or something similar.

While I support the work they are doing, the Chinese themselves don't care all that much about the sites that are blocked. Having lived in China, everyone I spoke to did not care about Facebook being blocked. I'm making a huge generalization but to them if Facebook is blocked then it must not be very important. Why use Facebook anyway when I have QQ?

Changing the public view from within China to fight against censorship is harder but I think it would be far more effective.

Google Could End Censorship in China in 10 Days - Why doesn't it?


This Guardian article is a "shorter version" of the original article at http://en.GreatFire.org

I'm not native english speaker, so sorry if I wrong. But does Schmidt actually means '10 days'? If I understood correctly Schmidt mean that if we (all people who do internet) starts to encrypt everything (http 2?) then it will be more difficult to do censorship. And he unlikely mean 10 days, probably 10 years.

He meant that Google could encrypt their own traffic in 10 days, and offer mirrors of blocked websites via their cache feature; not that everyone could encrypt all traffic in 10 days.

Can you provide quote for your interpretation? For me "You cannot stop it if it’s a good idea broadly held" sounds more about global technological and ideological shift.

Sorry, Eric Schmidt had said that we could end censorship in a decade (10 years). That's the quote at the top of the article: "We can end government censorship in a decade. The solution to government surveillance is to encrypt everything."

The author of this article, "charlie", is contending that actually, Google could end it in 10 days, simply by turning on encryption for their own service and offering cached versions of any sites that are blocked.

So yes, Schmidt was talking about a global technological shift, while this author was talking about a simple pragmatic step that could be taken by one company, Google, and which they already have the infrastructure for as they already do everything needed (encrypt traffic, offer caches) for their other properties.

that seems to be a great idea, google could also do Germans a favor by hosting "this video is not available in your country" mirrors, right?

It's Google themselves that block the videos on YouTube for German visitors. Their rationale is that this frees them from paying the fantasy fees that GEMA wants from them. https://en.wikipedia.org/wiki/Blocking_of_YouTube_videos_in_...

guess what, China has laws that 'regulate' news and online videos, too

> Critics of our approach will say that the "do it, they might not block you" argument is tenuous at best. But that is not what we are saying. What we are saying is:

>>“Google! Do it! If they don't block you, freedom wins. If they do block you, there will be much more opposition to censorship inside China and the system will be forced to change, thus freedom wins too!”


I don't think the author realizes what a "win" means to corporations. Helping the cause of freedom doesn't turn losing a billion potential customers into a win, it's just the silver lining on a very dark cloud.

No - they are losing market share in search (3%) and if they keep their current course will continue to lose. The opportunity here is to gain one billion customers (well, 600 million now), by freeing the internet in China and hence at least making substantial money on ad sales.

I supposed that encrypted search is better than not, but won't help when the NSA is tapping from inside their machine rooms.

No, because surveillance is censorship too.

As far as I'm aware Google hasn't ever shot anyone in the head, which is a common occurrence in China. (China executes more people than all other nations combined. Real numbers are hard to find, but about 5,000 people in 2009 is accepted for a low end figure by most people. That's 13 per day, or one person every two hours.)

Comparing Google's surveillance to Chinese totalitarian state is obscene.

What about when China gov hacks into Google (has already happened) (and NSA is still happening) and uses Google user data for China Govt "common occurrences"?

Google has employees in China, and making a strong-arm motion like this could put them in danger.

That is a valid point and past Google blog posts have alluded to this danger. I made this point in the longer blog post which appears on our web site, but not in The Guardian article. http://googleblog.blogspot.co.uk/2010/01/new-approach-to-chi...

I feel like this article is extremely short-sighted. If Google did the things that the author suggests, China would simply block all of Google instead. It has done this in the past, and would not hesitate to do so again.

The article postulates an effective outcry, akin to that of the github incident which resulted in success, were that to happen. Perhaps it is you who is shortsighted?

A bold move such as this would, whether it worked or not, at least restore Google's credibility as an avoider of evil, the Google twinkle many of you think has fizzled.

If Google did encrypt traffic in China what would prevent China from serving Google China with a subpoena for the SSL private key under a gag order?

SSL is only a minor speed bump when you have control over trusted root CAs or the ability for "force" installation of your own CA.

You need an SSL certificate:

  Request URL: http://tripstamp.com/api/authenticate
  Request Method: POST

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact