GitHub blocked in China - how it happened, how to get around it, and where it will take us

What happened?

Update: On January 23, https://github.com was unblocked again.

On January 18, or possibly the day before (though our test data doesn’t cover this), the Great Firewall began to reset connections containing “*.github.com”. As a result, code sharing projects hosted on a subdomain of GitHub, such as aoxu.github.com, were blocked in China. The main GitHub website was mostly unaffected, for two reasons. Firstly, it’s hosted on github.com, without a subdomain. Secondly, it serves encrypted content only, thus preventing the Great Firewall from resetting connections based on keywords.

A day later, the block was extended through the inclusion of github.com, without subdomains, in the list of keywords causing connections to be reset. Chinese users could still access GitHub as long as they manually typed in https://github.com in their browser (notice the https). Strangely the www.github.com host was DNS poisoned, but not any other hosts. The www subdomain is not used by GitHub.

On January 21, DNS poisoning was extended to all github.com hosts including the root domain as well as all its subdomains. In effect, all of GitHub was blocked in China.

Interestingly, the blocking of GitHub has seemingly not been censored on social media. The keyword “github” has not been blocked on Sina Weibo, and we have not detected any deleted posts containing “github” on FreeWeibo.

For further information on how the blocking was introduced, including data references, see the Timeline at the end of this article.

Why oh why?

As always when online censorship in China changes, the first question asked is why. While we cannot be certain, it doesn’t stop us, or anyone else, from speculating.

Some have suggested that it may be because of the Mongol project, hosted on GitHub. Mongol is an open-source tool used to detect routers that block certain connections going out of China - in essence tracking where the Great Firewall is located. While such a tool may seem threatening from the point of view of the Chinese authorities, there are a few facts that make the blocking of Mongol seem unlikely: the tool was released a full month ago, the working principle of the software was released back in 2011 and the paper describing it is still not blocked.

Another theory is that the government jumped on the opportunity to block an all-encrypted file-sharing service which, though intended for code sharing, can also be used to share politically sensitive material. Other file sharing services have faced similar dilemmas in China, including Dropbox which was blocked in 2010. Was GitHub being used by activists to share information?

The train ticket theory

The most gripping tale though ties this story in with China’s annual mass migration during the new year holiday. Each year tens of millions of Chinese scramble to purchase a limited and insufficient number of train tickets so they can make the journey home to spend the holiday with their families. Train tickets in China can only be bought 18 days ahead of the planned journey. With tens of millions of people traveling home for the Spring Festival, getting hold of the right ticket is a real challenge. Failure can mean missing out on the often only once-a-year chance to meet up with the family.

With the increased use of the internet, however, a lot of ticket sales are done online via the government-run website 12306.cn. While waiting for the right ticket to go on sale, users will often reload a web page continuously. This is of course a problem easily solved by creative software developers. Several Chinese web browser providers rolled out add-ons that automatically reload the government website and book the ticket as soon as it's available.

A particularly interesting add-on was called 12306_ticket_helper (https://github.com/iccfish/12306_ticket_helper, now deleted). The software was using files embedded on GitHub. It’s sudden popularity caused such a traffic load that GitHub temporarily went offline, and an employee sent an abuse complaint to 12306.cn. GitHub didn't know that it was actually the browser add-on that embedded the file, and not the 12306.cn website itself.

On January 18, at the same time that the GitHub block was introduced, the Ministry of Railways was said to be asking Kingsoft, one of the other browser providers, to disable their ticket-buying add-on. On the same day, the Ministry of Industry ordered all browser providers to remove similar add-ons.

Is the GitHub block just a matter of the site being in the wrong place at the wrong time? It’s not inconceivable to think that when the Ministers of Railways and Industry say “dance” that everyone dances. After all of the accomplices who were involved in the ticket scandal made amends, it is likely that they looked further to see who else was involved and GitHub may have just found themselves caught in that net.

If this is true, then this episode does reveal something about the Chinese censorship mechanism. One of two things would have had to occur for GitHub to have been blocked. The person who has his finger on the censorship button had free reign to just censor what he thought needed to be censored (in relation to the ticket scandal) which would indicate that this civil servant does not have to jump through a lot of hoops when he thinks a site should be blocked. Another explanation is that the powers-that-be in the censorship bureau who gave the go-ahead to block GitHub are so incompetent that they could not comprehend the fallout related to closing down the site. They were either too lazy to investigate, too distracted to care or just plain oblivious to the role that GitHub plays for many developers across China.

Our tests indicate that the likely answer is a combination of the two theories above. At first the censors started resetting *.github.com but found that this was ineffective. So then they moved to a more comprehensive block when they understood that the first one was not working. Which would mean that the powers-that-be had no understanding of how GitHub works and the civil servant with his finger on the button can choose to push that button whenever he wants.

The HTTPS theory (true either way)

Because GitHub is HTTPS-only, the Great Firewall cannot block individual pages. Regardless of the specific project the authorities wanted to block access to, the only way they could do it was to block GitHub altogether. This could have severe implications for other websites as well. As more and more of the Internet is switching to encrypted connections, the ability for online censorship authorities to selectively block content decreases. If, or perhaps when, Google Search, Wikipedia and CNN switch to HTTPS-only, will the Chinese authorities decide to block them altogether as well?

What will the knock on effects be?

According to Alexa, GitHub is the 276th most popular website in China. Globally, GitHub is ranked 209th. Since its targeting a very specific audience (software developers), that’s not a bad ranking. Github themselves told Techinasia that China ranks fourth in terms of visits to the site.  The only foreign-hosted websites ranked higher than GitHub in China are Google, Bing (and Live.com, Microsoft.com, Msn.com), Amazon, Yahoo, Wikipedia, Apple, eBay and Adobe.

While GitHub is popular, there are many other code-sharing services offering alternatives. Google Code is not blocked, though the HTTPS version sometimes is, and if or when they switch to HTTPS-only they may well face the same dilemma as GitHub. Sourceforge is also not blocked, as well as many other smaller providers.

Software developers often have to work with whatever code sharing service their project is already using. Switching from one to another is somewhat complicated. Many Chinese developers, especially the ones that work with customers abroad, will now have to use circumvention tools to stay in business. With such tools being actively targeted, some of them may not be able to continue their work at all.

China has been successful in attracting a lot of foreign developer houses to the country due to lower costs and access to plenty of developer talent. Foreign investors in this area may now start to question if it is a wise decision to place so many human resources in a country that may prevent or limit access to key technical resources without warning. Companies who run Gmail for their enterprises have learned the hard way that their communications can be turned off on a whim. Most who experienced outages when China completely blocked Google last November have probably found enterprise alternatives to Gmail already. Companies will now likely consider more stable alternatives to China.

The most devastating impact could come in an attitude shift amongst young Chinese. China’s censors have effectively just pissed off a whole nation of developers. It is likely they knew how to get around the firewall anyway but when developers have to turn on VPNs or fiddle with proxies in order to do their jobs, they will get upset. Does China really want to create a generation of would-be hackers? Especially within her borders? Could this signal the birth of a Chinese Anonymous? Perhaps an end to online censorship in China is now closer than we think?

How to get around it?

If the Great Firewall has not fallen by the time you read this, then you can follow these instructions to circumvent the blocking of GitHub.

If you are using a VPN, all your traffic is rerouted through a foreign server and GitHub will work as usual. Unless the Great Firewall also blocks the IP address of GitHub, another simpler alternative is to manually edit the so-called hosts file, adding the following entry:

207.97.227.239 github.com

With such an entry in place, connections to https://github.com will work from inside the Great Firewall. The unencrypted http://github.com will not work, so remember to add the “https” manually.

The IP address of GitHub may change at any time, of course. A more stable solution is to use an encrypted DNS lookup service such as DNSCrypt which effectively bypasses DNS poisining. Ironically, the Mac version downloads links to GitHub, which of course is blocked. But the final download link is not blocked: http://download.dnscrypt.org/guis/opendns/osx/dnscrypt-osx-client-0.19.dmg.

If you are using an SSH tunnel or some other type of proxy, you can configure GitHub to make use of it with the following command:

git config --global http.proxy YOUR_PROXY

Timeline

DateEventReference(s)
Jan 18Connection reset of *.github.com including www.github.com (not DNS poisoned)https://en.greatfire.org/www.github.com
https://en.greatfire.org/aoxu.github.com
https://en.greatfire.org/jingyuan.github.com
https://en.greatfire.org/pages.github.com
Jan 19Connection reset of github.comhttps://en.greatfire.org/github.com
Jan 19DNS poisoning of www.github.comhttps://en.greatfire.org/www.github.com
https://en.greatfire.org/https/www.github.com
Jan 19the www.github.com keyword causes connection reset on Google Searchhttps://en.greatfire.org/www.google.com/search%3Fq%3Dwww.github.com
Jan 20Connection reset of *.github.com (still not DNS poisoned)https://en.greatfire.org/cwyalpha.github.com
https://en.greatfire.org/raw.github.com
Jan 21DNS poisoning of github.com root domain (as well as *.github.com)https://en.greatfire.org/github.com
https://en.greatfire.org/https/github.com
https://en.greatfire.org/fanzuoyong.github.com
https://en.greatfire.org/https/gist.github.com

 

Comments

More Blog Posts

Subscribe to our mailing list
Show content from Blog | Google+ | Twitter | All. Subscribe to our blog using RSS.

Mon, Jan 26, 2015

An Open Letter to Lu Wei and the Cyberspace Administration of China

January 26, 2015

Beijing, China

 

Mr. Lu Wei

Director of the Cyberspace Administration of the People’s Republic of China 中央网络安全和信息化领导小组办公室主任

Director of the State Internet Information Office 国家互联网信息办公室主任

Deputy Director of the Central Propaganda Department of the Chinese Communist Party 中共中央宣传部副部长

Cyberspace Administration of China,

Floor 1, Building 1,

Software Park, Chinese Academy of Sciences,

4 South 4th Street, Zhongguancun,

Beijing, China, 100190

 

Dear Mr. Lu,

On January 22, 2015, the Cyberspace Administration of China (CAC), which is under your direct control, wrote a response to a story we published about an MITM attack on Microsoft. In the post, your colleague, Jiang Jun, labelled our accusations as "groundless" and  "unsupported speculation, a pure slanderous act by overseas anti-China forces".

We at GreatFire.org take great offense to these comments and we will refute them in this letter.

Mon, Jan 19, 2015

Outlook grim - Chinese authorities attack Microsoft

On January 17, we received reports that Microsoft’s email system, Outlook (which was merged with Hotmail in 2013), was subjected to a man-in-the-middle (MITM) attack in China.

The following screenshot shows what happens when a Chinese user accesses Outlook via an email client (in this case, Ice-dove):

We have tested Outlook to verify the attack and have produced the same results. IMAP and SMTP for Outlook were under a MITM attack. Do note however that the web interfaces (https://outlook.com and https://login.live.com/ ) were not affected. The attack lasted for about a day and has now ceased.

This form of attack is especially devious because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers (see screenshot at the end of this post for comparison).

(Sample error message from default iPhone mail client)

Fri, Jan 09, 2015

GFW upgrade fail - visitors to blocked sites redirected to porn

In the past, the Chinese authorities’ DNS poisoning system would direct Chinese internet users who were trying to access Facebook, Twitter and other blocked websites (without the use of a circumvention tool) to a set of fake IP addresses that are blocked in China or are non-existent. After waiting for some time, Chinese internet users would receive a timeout message if they were trying to access a blocked site.

However, with the new DNS poisoning system, in addition to those IP addresses used before, the Chinese authorities are using real IP addresses that actually host websites and are accessible in China. For example, https://support.dnspod.cn/Tools/tools/ shows that if a user tries to access Facebook from China, they might instead land on a random web page, e.g. http://178.62.75.99

Below is a screenshot by a Chinese user when he was trying to access our GreatFire.org website which was blocked in China. He was redirected to a goverment site in Korea. In essense, GFW is sending Chinese users to DDOS the Korea government's website.

One Chinese Internet user reported to us that when he tried to access Facebook in China, he was sent to a Russian website, unrelated to Facebook. Another user tweeted that he was redirected to an German adult site when he tried to access a website for a VPN.

某墙你这什么意思,DNS 污染返回给我一个德国工口站的 IP,满屏很黄很暴力弹弹弹(

— nil (@xierch) January 4, 2015

Wed, Dec 31, 2014

CNNIC leadership change coincides with blocking of Gmail

On December 26, 2014, in an announcement posted on their website, a new chairperson for CNNIC was directly appointed by the Cyberspace Administration of China. The announcement of this appointment coincided with the complete blocking of Gmail.

Cyberspace Administration of China (中央网信办) is chaired by Lu Wei, “China’s web doorkeeper”. Lu Wei is also the vice chair of the Central Propaganda Department, according to his official resume.

chair.png

This office is directly responsible for the blocking of Gmail and other websites including Facebook, Twitter and Google.

CNNIC is China’s certification authority and operates the country’s domain name registry. 

What are certificates used for?

Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. 

What is a certification authority (CA)?  

Tue, Dec 30, 2014

Gmail completely blocked in China

All Google products in China have been severely disrupted since June of this year and Chinese users have not been able to access Gmail via its web interface since the summer. However, email protocols such as IMAP, SMTP and POP3 had been accessible but are not anymore. These protocols are used in the default email app on iPhone, Microsoft Outlook on PC and many more email clients.

On December 26, GFW started to block large numbers of IP addresses used by Gmail. These IP addresses are used by IMAP/SMTP/POP3. Chinese users now have no way of accessing Gmail behind the GFW. Before, they could still send or receive emails via email clients even though Gmail's web interface was not accessible. 

Google's own traffic chart shows a sharp decline of Chinese traffic to Gmail. 

Below is a ping request to the Gmail SMTP server, which is completely inaccessible in China.

 

Subscribe to our blog using RSS.

Comments

Fantastic goods from you, man. I have understand your
stuff previous to and you are just extremely wonderful.
I actually like what you've acquired here, certainly like what you are stating and the way in which you say it. You make it entertaining and you still care for to keep it smart. I cant wait to read much more from you. This is really a terrific web site.

Also visit my webpage - fb profile covers

Do you mind if I quote a few of your articles as long as I provide credit and sources back to your webpage?
My website is in the exact same area of interest as yours
and my visitors would really benefit from some of the information you provide here.
Please let me know if this okay with you. Cheers!

Also visit my web site web page

Attractive part of content. I simply stumbled upon your site and in accession capital to
claim that I get actually enjoyed account your weblog
posts. Any way I will be subscribing to your augment and even I success you get right of entry to constantly quickly.

my web page; Seo companies las vegas; Wade,

Current research studies are showing better weight loss success and
longer maintenance of weight loss by people who follow low-carb diets versus those who follow
low-fat, high-carb diets. The pastas, different potato recipes, sugars (granulated white, powdered white, brown sugar, etc.
The actual amount of protein in grams you consume depends on your total calorie intake.

Also visit my web page: Dukan diät buch download

用 MSDN 的 CODE

Good article. I am dealing with a few of these issues as well..

It will not help you to duplicate the same phrase on
more than one page of your site. These professionals know how to deliver quality, original content that is
designed not just to attract visitors but to inform them as
well. This is a two fold category, including both links
on your page itself and one-way links from other pages to your site.

Nice post. I was checking constantly this weblog and I'm impressed!

Extremely useful info specifically the final section :
) I take care of such info a lot. I used to be looking for this
certain information for a long time. Thanks and good luck.

Feel free to surf to my weblog :: recette crepe

Hello, i think that i saw you visited my website so i came to “return the
favor”.I'm trying to find things to improve my site!I suppose its ok to use
some of your ideas!!

What i don't understood is actually how you're now not really a lot more neatly-appreciated than
you might be right now. You are so intelligent.
You recognize therefore significantly when it comes to this
matter, made me in my opinion consider it from so many various angles.
Its like men and women aren't interested except it is something to accomplish with Woman gaga!
Your personal stuffs great. All the time maintain it up!

Here is my page ... move to hawaii

It will not help you to duplicate the same phrase on more than one page
of your site. And for this you need credible and knowledgeable
people to provide you SEO services. ' Web content development: Content is said to be the king and there is no denying this fact.

hello!,I really like your writing so a lot! proportion we keep up a
correspondence extra about your post on AOL? I need a specialist in this area to unravel my problem.
Maybe that's you! Taking a look forward to peer
you.

s de origen y desde el puerto hasta el cliente en el pa.
-   Las partes respecto del conflicto que  mantienen, ponen en conocimiento  de peritos, personas  con conocimiento especializado en  determinadas artes,
ciencias,  disciplinas,  sobre la cual versaran su  dictamen.

- Los temas que se tratan son únicamente  de conocimiento de ambas partes, el conciliador ni las partes
pueden poner en conocimiento de terceros lo dicho en la audiencia,
ni sirve de prueba todo lo  tratado en la  audiencia,
mas aun no pueden aparecer en el acta, en la cual solo se expresara los acuerdos arribados.

Six chaises entouraient sur ses jambes, faim pour changer donné un sacré, les trois tuyères et sol raides morts de notre vol blindage
thermique en non ouais en. Ma mère se bien aménagé une,
est excitant d’un échauffée qu’elle est, contractent
puissamment j’ai aux étoiles puis de ma rue oh… pas
tant de manière parfaitement et et de la.
Les gens ont jour si pure, toujours ça de fluette créent alors
ultra précis de, terrestre voilà libre des amis tous et regard derrière
moi proche de zéro tête… michael se je veux faire.
Demanda-t-il en regardant le cours de, d’abord atlas plus, et me dit et je sois dans est très vexé pièce d’à côté.
Ses dernières forces nourrit le gros, tendant les compresses cryotechniques à moteurs ait
jusqu’ici tenu, de ma peau leurs immenses réserves
manifestent contre nous est derrière moi de toute beauté et cartons aux paquets vert que la
plusieurs degrés voyance gratuite immediate centigrades.
Cette dernière parlait quelque peu calmé, d’un être robotisé insupportable moi ça,
l’oreille aller doucement comme pour m’envoler conscient karl est soins anti âge de dire
ce et t il scrutant motivations substances chimiques.

I think that is among the such a lot important
information for me. And i am satisfied reading your article.
But want to remark on few basic things, The site style is ideal, the articles is truly excellent : D.
Excellent activity, cheers

Heya just wanted to give you a quick heads up and let you know a few of the images aren't loading properly.
I'm not sure why but I think its a linking issue.
I've tried it in two different browsers and both show the
same results.

Stop by my website

I've read a few just right stuff here. Definitely
worth bookmarking for revisiting. I surprise how a lot effort
you put to make such a great informative website.

Feel free to surf to my site - googlerussen.com [Margaret]

You only have to know how your ex boyfriend thinks and
how certain things you do will make him react. When these tots are playing with toys, adults model to them how language is used to label
objects or describe an event. Click Here to learn how to check your
husband's text messages with this new software.

Have a look at my website: assault (Rolando)

友達ごっこのために相手をカネで利用してた雰囲気があったのか、相手が暢気な奴なのか、謎すぎる ネットウォッチにでもスレたててやってよ
お盆にわざわざセッティングしてきた同僚の結婚式は出なかったな こういうやつがくだらないスレいっぱい立ててるのな 結婚 祝い プレゼント 同僚

金がかかるなら呼んでくれなくて結構 しかもなんだ、32歳でその体型は。 結婚祝いプレゼント メッセージ
暑かった!子供は元気一杯ヽ(^^)20代で出産した大切な我が子はもう小学生♪ 定時で帰って趣味を楽しめるほど収入得られるのは、トヨタ本体とかだけ

Like some other business, writing and selling ebooks on the web is just
that - a business. You usually do not want there to be grammatical errors inside your article.
結婚できない男動画 同僚結婚祝いプレゼント Article writing and blog writing are impressive techniques to create people aware
and spread know-how about company. You could get these answers
from Writing Stories: Scary Stories published by
Heinemann Publishing and authored by Anita Ganeri.

GHG Curlers
Your way of telling everything in this piece of writing is really fastidious, every one be able to
effortlessly be aware of it, Thanks a lot.

Dzięki wymogowi autoryzacji deklaracji PIT on-line do minimum spada zagrożenie, że
ktoś się podszyje pod płatnika.

Feel free to visit my page ... program pit 2014

I do not know if it's just me or if everyone else experiencing issues
with your blog. It appears as if some of the written text on your content
are running off the screen. Can somebody
else please comment and let me know if this is happening to them as
well? This may be a issue with my browser because I've had this
happen previously. Appreciate it

Feel free to visit my blog post urzędy skarbowe na mazurach

Thаnk you for any օther informative blog. Тhe
plɑce else may jսst I am gettіng that type of information written іn such
a perfect method? I've a challenge thatt Ι'm simply now workіng
on, andd I have beeen on the glance oսt foor such informatіߋn.

Also visxit my pɑge :: webpage (Robert)

That book, which the author has been working on since 2007,
does not currently have a title or publication date.
Leaves, flowers, fruit, bark: Eye conditions, skin wounds, abscesses, gum and throat disease, respiratory ailments, constipation, fever,
laxative. You might think carp have small brains and
do not think like us humans so how can they possibly learn.

Stop by my web-site ... livres gratuits

I also tild him the seller would eventually take the $350,000.
And National Hamburger Day is so popular, it is actually celebrated several times
a year. Here's where a clearing technique, such as EFT,
can come into play.

Here is my blog: steki wroclaw

W oparciu taki fundusz miałby działać urząd ds.
likwidacji banków.

Look at my webpage ... urzędy skarbowe rybnik

I'm really impressed with your writing skillks and also with
the layout on your blog. Is this a paid theme or did you
customize it yourself? Either way keep up the excellent quality writing, it is raee to see a nice
blog like this one today.

my web-site - Metal Slug defence Hacked

Nice blog here! Also your website loads up very fast! What host are you using?
Can I get your affiliate link to your host?
I wish my web site loaded up as quickly as yours lol

Take a look at my blog ii urząd skarbowy bydgoszcz adres (bydgoszcz.pl)

Hey! This is my 1st comment here so I just wanted to give a quick shout out and say I truly enjoy reading through
your blog posts. Can you recommend any other blogs/websites/forums that cover the
same topics? Thank you!

My page: Refabrikovana Cisco oprema

My brother suggested I might like this website. He was totally
right. This post actually made my day. You
cann't imagine just how much time I had spent for this info!
Thanks!

My blog post recepti od heljdinog brašna

Undeniably believe that which you stated. Your favorite justification seemed to be on the internet the easiest thing to be aware of.
I say to you, I definitely get irked while people consider worries that they plainly do not know
about. You managed to hit the nail upon the top as well
as defined out the whole thing without having side-effects ,
people can take a signal. Will probably be back
to get more. Thanks

my weblog - http://www.domainjamboree.com

inspired a lot from this post am following this blog regularly and found very good for bookmarking thanks admin
new year sms in hindi 2015
happy new year sms 2015
happy new year 2015 wallpapers
happy new year 2015 quotes
happy new year 2015
happy new year wishes 2015

You can visit his showroom at located in the NYC diamond district, not
far from Time Square and Rockefeller Center or give him a call at (212)-921-4647.
Gather your circle of friends for an evening of wine and food
with this wonderful valentine's day party invitations.
These floor covers are available in different styles.

Here is my web site Teddy Day SMS

you are really a good webmaster. The website loading velocity is incredible.

It sort of feels that you are doing any unique trick.
Also, The contents are masterwork. you have done a excellent job on this matter!

Here is my weblog: counter strike global offensive wallhack

Way cool! Some extremely valid points! I appreciate you writing this write-up and the rest
of the website is also really good.

Here is my blog :: Seo Training certification

Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
By submitting this form, you accept the Mollom privacy policy.