What happened?

From October 2011, Wikipedia started to fully support HTTPS connections on all language versions. This meant that for the Chinese language Wikipedia, the Great Firewall of China (GFW) could not selectively block sensitive content. This also meant that hundreds of articles that are blocked on the HTTP version of Wikipedia, were freely accessible to Chinese internet users if they simply added an ‘S’ behind HTTP.

On May 31, 2013, GFW began to block the encrypted version of Wikipedia through port blocking. HTTPS connections are usually established on port 443 while HTTP connections are on port 80. GFW only blocks Wikipedia’s IP on port 443.

All language versions of the encrypted version of Wikipedia are also blocked. See the testing data on our system for Chinese WikipediaEnglish Wikipedia and Wikipedia.

Consequence of the block

The HTTPS version of Wikipedia is blocked while the HTTP version is not. This method forces users inChina to use the unencrypted HTTP version, which is subject to keyword filtering; hundreds of articles are blocked including articles on Tiananmen Square protests.

Why

It surprises us that GFW took one and a half years to respond to the support of HTTPS on Wikipedia. One explanation of the slow reaction is that Wikipedia by default uses HTTP and only a minority of visitors to the site would use HTTPS.

But what caused GFW to target Wikipedia after all this time? One factor is that as we near the Tiananmen Square anniversary, Wikipedia has an extensive article on this incident. However, this cannot be the only factor as the encrypted version remained untouched in June 2012.

Another factor might have something to do with us. Freeweibo has been actively targeted by GFW. One of our mirror domains was blocked last week, only four days after its launch.

Coincidentally, we began to reference Wikipedia articles on our search pages from May 20th. Since then, “六四” has almost always been one of the top search terms on Freeweibo. A search for “六四” on Freeweibo will present an abstract of the Wikipedia article and a link to Wikipedia, both of which are embedding resources directly from Wikipedia using HTTPS.

However, Freeweibo is blocked in China so blocking the encrypted version of Wikipedia will not affect Freeweibo users as they are already using circumvention tools.

Maybe GFW believes that references to the encrypted version of Wikipedia would proliferate and decided to take action before use of the encrypted version became too widespread. This has been exactly the case for the default encrypted connection to Gmail.

Why is HTTPS so important?

In China, HTTPS is power. If the service is too important to block completely and all-encrypted, it offers the only way that Internet users in China can access information in an unrestricted way. That is, the authorities can’t track what they do on the website, and they can’t block content selectively. HTTPS takes the power away from the censors and puts it back in the hands of the ordinary users. There is nothing else like it. The censors hate it. Sites like Wikipedia should love HTTPS.

A major battle lost for information flow

In September last year, Wikipedia founder Jimmy Wales threatened to make default connections to Wikipedia encrypted if the UK passed a snooping bill. However, China has long been known to use deep packet inspection to examine all outgoing traffic and also blocks traffic to certain articles on Wikipedia. Why didn’t Wikipedia make its HTTPS version default for Chinese users? It might simply be that Wikipedia staff hold Chinese readers in less regard to English ones and did not even discuss this change internally in the first place.

It might be that they did discuss this action but feared that China would block the entire website again and decided against it. If this is in fact what happened, they made a very wrong decision.

When Gmail switched to HTTPS this troubled the Chinese authorities greatly yet they have not taken the drastic step to block Gmail completely. In the case of Github, which enforces HTTPS connections, the authorities actually backed away from blocking the site.

Wales has been critical of Google’s operations in China, but Google went HTTPS-only on Gmail four years ago. Still, we regret that we did not spend time trying to convince Wikipedia to switch to their encrypted version as a default or to enforce HTTPS on their Chinese subdomain earlier. Wales and his team at Wikipedia should have come under fire earlier for not taking the right steps in China.

Still not too late for Wikipedia

Jimmy Wales is quoted as saying:

“Currently we’re broadly available in China, but they continue to filter certain pages,” says Wales. “… and we think it’s a stable situation. We don’t approve of the filtering at all, but we can’t stop them from [doing it],” he adds.

That is simply not true. What Wikipedia can do now is to resolve to a different IP address that is not interrupted by GFW (for example, 208.80.154.225) and more importantly switch HTTPS to default or enforce HTTPS. Such changes will only take minutes to implement and take effect. If those changes were made, Wikipedia would take the chance that the site would be fully blocked, however, based on the existing evidence, it’s more likely that GFW would leave Wikipedia alone.

Wikipedia is now collecting user feedback on this block. But the situation is clear enough with our analysis and the feedback collected so far. They should act immediately rather than do nothing but observe the situation.

Current Wikipedia Executive Director Sue Gardner will be stepping down later this year. On her resignation she said:

“There are many organizaations and individuals advocating for the public interest online — what’s good for ordinary people — but other interests are more numerous and powerful than they are. I want that to change. And that’s what I want to do next.”

If you do leave feedback for Wikipedia, make sure you tell Gardner that she can make that change right now! You can also contact Wikipedia and urge them to make the change now.

How to get around this

Because GFW only blocks port 443 on 208.80.154.225 and 208.80.154.235 (so far), we can manually resolve domains to other IP owned by Wikipedia to bypass the block. However, unless Wikipedia officially resolves to those IP and switch HTTPS to default, GFW can easily block port 443 on those IP addresses too.

Add the following address to hosts file

208.80.154.225 zh.wikipedia.org

208.80.154.225 en.wikipedia.org

208.80.152.211 upload.wikimedia.org

Related Block

China has a long history of disrupting Wikipedia. You can read about it on Wikipedia. A much more comprehensive version is available in Chinese.

A similar block was used against Google Docs and Google Groups to force users to connect through HTTP. Back then, GFW used SSL certificate filtering. Since Google set HTTPS for viewing Google Groups as default, GFW has poisoned the domain. For Google Docs, GFW seems to back away from blocking it at all, leaving both HTTP and HTTPS unblocked.

Correction - June 10, 2013

Our original story incorrectly referred to Sue Gardner's role at Wikipedia. As per Wikimedia's response to us: Sue Gardner is the Executive Director of the Wikimedia Foundation, the non-profit that operates Wikipedia.