How to unblock websites in China for web owners

Good news, everybody. We've worked out a simpler solution to unblock websites in China. Visit unblock.cn.com for more detail

This is a step by step guide on how to unblock your website for visitors in China without them having to do anything. The Great FireWall of China is a complicated filtering system capable of blocking websites by a variety of methods. The common methods used are IP blocking, URL and Packet filtering by connection reset, TLS (SSL) certificate filtering by connection reset and DNS hijacking.

 

IP blocking

Use CDN (Count Delivery Network) to hide the real IP of your site from GFW. I did a simple test myself. I created a Google site and linked it with 4 subdomains as follows.

CNAME records: (ghs.google.com is currently not blocked in China)

test1.example.com -> ghs.google.com   CDN enabled

test2.example.com -> ghs.google.com

A records: (216.239.32.21 is subject to IP blocking in China)

test3.example.com-> 216.239.32.21  CDN enabled

test4.example.com -> 216.239.32.21

Tests 1 and 2 merely serve to confirm the website is up. Tests 3 and 4 simulate a website with a blocked IP.  I enabled CDN on test 1 and test 3. The CDN I chose is CloudFlare with a free account. (You can pay to go pro or find another CDN if you like, I prefer to stay free.) Here are the test results. Test 1 and test 2 are both accessible in China.  Test 3 is accessible while test 4 is blocked. When CDN is enabled, it serves as a reverse proxy. So test 3 actually resolved to an IP address owned by CDN - CloudFlare in my case - and thus bypassed IP blocking. Unless the GFW blocked CDN's IP addresses, which will also block many other irrelevant websites[1],  IP blocking would not be an issue. [1] However do note that this has not stopped the government from doing exactly this before. The top level domains co.cc and net.ru were both censored for very long periods of time.

 

URL/Packet filtering

If your domain is filtered as a restricted word then full site encryption should be employed. Counter measure 1: get your hands on a SSL certificate and install it on your server or VPS. Some certificates are expensive while others are completely free for an unlimited time.  StartSSL provide free certificates with minimum requirement - only a valid email address at your domain, which can also be obtained free of charge from Google Apps. Counter measure 2: Use Flexible SSL by CloudFlare, one of its SSL options.

 Visitor <-- SSL --> CloudFlare <-- non-SSL --> Origin

That way, you save the fuss of installing a certificate and can enable SSL with a click. However, this requires a pro account with CloudFlare and costs $20/month.

 

TLS (SSL) certificate filtering

This time GFW knows you are using encryption to evade censorship and has decided to censor your certificate which is sent in plain text before an encryption tunnel is established. Two counter measures as before: 1. Because your certificate is completely free and assigned automatically by robots, there's nothing stopping you from changing it constantly as the filtering list of TLS (SSL) certificates updates rarely 2. Use CloudFlare's SSL option. CloudFlare replied to me that multiple sites may use the same certificate. Each site needs to have its own subject alternate name (SAN) and  the common name can be a variation of SSL#.cloudflare.com. So as in the case of IP addresses, GFW can't filter your certificates without blocking a bunch of innocent sites. (Again that didn't stop them before. They could block SSL connections of a bunch of sites and then filter only your domain. With this method other sites could be reached via http only.)

 

DNS hijacking:

This is the toughest blocking measure which is seldom used. Known sites subject to this kind of blocking are *.facebook.com (naked domain included), *.twitter.com (naked domain included), encrypted.google.com, www.kenengba.com. Possibly less than a hundred of sites are blocked in this way. There are two forms of DNS hijacking performed (Wikipedia only documents the first one).

Form 1: When visitors uses local DNS servers controlled by an ISP their inquiries would simply cause a connection timed out error. This is performed by local DNS server.

Form 2: When visitors use foreign DNS servers such as OpenDns, Google Public DNS or even a random non existant  foreign IP,  GFW would return a blocked IP address of some random site to that DNS inquiry. (Look up a non existant address aaa.twitter.com on a nonexistent DNS server 1.1.1.1 in China.)

nslookup aaa.twitter.com 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53
Name: aaa.twitter.com
Address: 78.16.49.15

How to counter this measure: Do not use your domain. Use an IP address directly e.g: http://12.34.56.78 or https://12.34.56.78. Do note, however, that this will leave your site vulnerable to IP blocking because without a domain, CDN can't be used. Since only prestigious sites are blocked in this way, most companies would have the money and servers to build a encrypted reverse proxy or else have tons of programmers to figure out your next move.

------

The method of distinguishing IP blocking and URL filtering(or both)
If only part of your sites is inaccessible then it's URL filtering only(assume your site is located in one server only)

If your site(www.example.com) is totally inaccessible, visit
http://www.msn.com/www.example.com
http://www.msn.com/.example.com
http://www.msn.com/example.com
respectively in China.
Please wait a few minutes before visiting the next address, because GFW would block all traffic to www.msn.com from your computer for a short time when restricted words is triggered. So wait until you can see www.msn.com(usually a minute) before you try the next one.
If any URL above is unreachable, your site is subject to URL filtering.
(Those who can't run test in China, visit https://greatfire.org and enter URLs above)

Do a ping test in China to determine whether your IP is blocked.

Comments

More Blog Posts

Subscribe to our mailing list
Show content from Blog | Google+ | Twitter | All. Subscribe to our blog using RSS.

Wed, Mar 19, 2014

Bing Bests Baidu Censorship

Abstract

Independent research from Xia Chu has shown that, in addition to non-China content, Bing censors a vast amount of content that is hosted inside China and which is not censored by China-based internet companies like Baidu. After communicating our issues with Microsoft, Bing removed certain censorship rules (kudos to Bing), but much work remains to be done.

We recently called for Microsoft to release its transparency report for Bing (as have others - full disclosure, Rebecca sits on our advisory board).  Microsoft has yet to respond to this request. But Xia’s independent research of Bing’s China censorship policy could be regarded as a de facto transparency report for the search engine.

In this thorough study, the results of which we have verified, Xia examined Bing's SERP (search engine results page) for over 30,000 sensitive and nonsensitive query terms, and launched these queries from both inside and outside of China. Comparing and examining these results, plus querying with special search operators, reveals unprecedented detail on Bing's China filtering practices.

The main findings from Xia’s research include:

  • Bing has a list of “forbidden” terms where no results are shown. 139 such terms have been identified.

  • Bing has a blacklist of websites that it never shows to China users. 329 such websites are identified. (5 have been lifted after our communication with Microsoft.)

Thu, Feb 13, 2014

Setting Bing's Broken Record Straight

We can also now trace complicit Bing Chinese censorship back to 2009 as highlighted by Nicholas Kristof. It looks like Microsoft has indeed changed its censorship mechanism after our research made headlines this week. But Bing is still seriously flawed on two fronts: its algorithm favors pro-Chinese government websites by default on all search terms in simplified Chinese and their front end mistakenly delivers explicit censorship of search results on some search terms for users from all over the world.

Wed, Feb 12, 2014

No error here: Microsoft deploying Chinese censorship on global scale

Microsoft says: “The results themselves are and were unaltered outside of China”. This is simply not true.

Tue, Feb 11, 2014

Bing practicing Chinese censorship globally

Our latest research indicates that Microsoft’s search engine Bing is censoring English and Chinese language search on its home page in order to exclude certain results. We have also noticed that Bing is practicing subtle censorship with search results. In both instances, Bing is filtering out links and stories that the Chinese authorities would deem damaging.

Thu, Jan 23, 2014

Massive blocking of foreign media in China

After Tuesday’s report Leaked Records Reveal Offshore Holdings of China’s Elite by ICIJ, China blocked a number of major newspaper websites. All websites below were blocked after publishing copies of the original report. They're all listed as the publishing partners for “Chinaleaks” stories on ICIJ's website. The Great Firewall rarely blocks non-Chinese websites. Many of them have published the Chinese version of the report which probably explains the unusual development.

Newspaper

Main Language

Article

http://www.icij.org

English

Chinese

http://www.theguardian.com

English

Subscribe to our blog using RSS.

Comments

I am reading your post now and see that "CloudFlare" is 100% blocked in China. Does that means that your current suggested method does not work?

Cloudflare is 100% restricted rather than blocked. The method will work. Although connection to your website might be slow

You really need a VPN if you stay in China for more than a couple of days, most good sites are blocked there. The block on Facebook is the most annoying one, and also my gMail account didn`t work every time (without VPN I mean)
Anyway, I used VPN, it unblocked all sites when I connected it.
VISIT: http://www.highspeedvpn.com

デニムジーンズの歴史観 高いバランス研究所多次元意識の分野での仕事のための伝説の場所苦悩の服や苦悩のシャツレディースアバクロンビー&フィッチ長袖Briefing申す詞など聞し召さぬ様にて、わたらせ給ふこそ然るべけれ』とは曰ひしなりけり。常慶も塩辛き男なれば、家康が笑ひし腹加減も大に塩辛かりけり。天下を取りし後だに此くhttp://www.22gs5.com/それは暑い外であるとき。だから評論家はそれらが醜い呼び出すことができます汗を離れてウィッキングによって足を冷却するがショルダーバッグ クロエ媒体の幅でサイズ5から11で提供されています一部のモデルには、古代中国の秘密と答えたために彼女のきれいな料理についての彼女の友人に尋ねたカスケードコマーシャルで大衆化された 欧州全域ジングルカルゴン広告は現地の言語に翻訳され、同じフレーズやジングルを備えて[要出典]それらは以下の通りです:ブルガリア: - 。 クロアチア: Perilica dulje IVI UZカルゴン。 チェコ: Dlouh ivotプロヴァイpraku、Vカルゴン。 デンマーク: Vaskemaskinerレバーlngere MEDカルゴン。 オランダ語: Wasmachinesリーベンランガーはカルゴンに会った。 英語: 洗濯機はカルゴンで長生きする。 フランス語: レ·溶岩·リンゲdurentプラスlongtemps AVECカルゴン。 ドイツ: Waschmaschinenリーベンlnger MITカルゴン。 ハンガリー: Calgonnal mosgpはtovbb lです。 トルコ: Makinanz uzun yaar Calgonla。 イタリア語: ラ·ヴィーヴlavatriceディπ詐欺カルゴン。 (2008年の前に ラlavatriceヴィーヴ·ディパイ詐欺Calfort)ポーランド語: Dusze ycie kadej pralkiカルゴンへ。 ポルトガル語: Prolongue VIDAダSUA mquina、COMカルゴン。 ルーマニア: マシーナ·デspalat traieste舞MULT CUカルゴン。 ロシア: 、カルゴン。 セルビア語: スロベニア語:​​ ダpralni stroj BO dlje ivel、dodajカルゴン。 スペイン語: AlargueのLa Vidaデsuのlavadora、詐欺カルゴン。 ウクライナ: 、ギリシャ語 、カルゴン。 文化的な参照が音楽ドクタードレーの参照は、その良いマリファナを言って、慢性的なアルバムで ラット-TAT-TAT-TAT-TATの製品は、 カルゴンのようにあなたをお持ち帰りします。 ヒップホップ集団ウータン·クランは、 それを振り払うの中で永遠に彼らのアルバムウータンで、マライア·キャリーの2005年のアルバムミミの解放からのサードシングル を、カルゴンの私を奪うを組み込む彼らの曲 ブラックシャンプーに キャリーが歌う ジャストカルゴンコマーシャルのように、私は本当にここから上ってもらわなく... カニエ·ウェストのアルバム後期登録は、歌が言及 ゴーン ...我々はカルゴンの完全な浴槽のような泡に慣れて... 死んだ友人への参照インチ 彼らの1992年のレンガオフもパンクバンドL7の曲の中で参照カルゴン ダイエットピルは、( ...カルゴンは、私が今日やった事から私を奪うことはできません。)重いアルバムです。 アンダーグラウンドヒップホップグループ、Modill、彼らの歌の中で参照カルゴンは、生命と発声ラインのMCレーシングの詳細彼の不満は、 私はプレイステーション、カルゴンは、私を奪うことを考え、Parkayようにspittin '韻を集中しなければならない至福へのセンド·ミー ! バンド、クレム人を傷つけるような、彼らの歌の中で参照カルゴン、彼らのアルバム、ファッションのゴーストオフ 古代中国の秘密のブルース( カルゴンは私を奪う)。 彼らの曲 Sympothtyでシアトル参照カルゴンからグループ 都市の殺人事件はリードシンガービリーSmortが言うとき、 私は時々私の肛門をきれいにカルゴンを使用しています。 ヒップホップグループクルックドLettaz は、カルゴンの私を奪う!組み込む タイトル話し言葉/詩曲 ソー·ロング友達で彼らのアルバム、灰色の空インディーヒップホップグループのジム·クラス·ヒーローズ参照カルゴンをオフトラックのコーラスに、トラヴィス·マッコイが嘆くときに 私はそのカルゴンの一部が離れて行動を私を取る必要があります 、すぐに 。 トラックは、彼らPAPERCUTクロニクルアルバムに表示されます。 曲の中のリルバウワウによる バウワウ(私の名前だ)、ゲストラッパーがスヌープ·ドッグ カルゴンカルゴンは私を奪う、私は私の甥Jに汚い汚いにいるよ。と言う ディクシー·チックスの歌 カウボーイは私を奪うというスローガンに触発された カルゴン、私を奪う! インキュバスの歌、 Calgoneは(科学のアルバムオフ)、 浴槽と泡の良さに感謝し、目立つラインで取り上げ、製品カルゴンに触発されました。 衝動(セントルイス·バンド)ヴァンダル、オレンジ郡、カリフォルニアのパンクバンド、それはあなたの選択のコメ平野だ を歌う彼らのアルバムのオフステレオトゥーマッチこれは何ですか 彼らの曲の中でそれは私を奪うカルゴンのように 歌ったり、 揚げ/人力車に乗って/彼らは白とあなたのような色の白を作るための古代/明るい中国の秘密取るよね菜売の媼 勿体(もつたい)ない事を御云ひでない。罰(ばち)でも当つたら、どうおしだえ?Briefing バッグ 2013女性http://www.inrsi.com/レディースアバクロンビー&フィッチベルトサッカー選手は常にメンズ 財布 ランキングとても簡単です! 経済の発展における社会進歩ゴム 心電図のパターンは、非マーキングトラクションを提供していますシーバイクロエ 長財布http://www.feilcbfenghuangyule.com/

Ostanio dużo czytam blogów, stron a także bywam na forum dyskusyjnym gazety.pl.
Ta strona mnie bardzo zaciekawiła, dodałam sobie ją do ulubionych. Pozdrawiam Anita :)
Nie gram w [url=http://gry.wpyte.pl]gry za darmo[/url] na facebooku!

Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
By submitting this form, you accept the Mollom privacy policy.