How to ensure Internet privacy in China?
August 10, 2006 12:54 AM Subscribe
I'm living in a Chinese university dorm. I was running Web traffic through an SSH tunnel, and about 10 minutes into reading about China's Internet censorship (which naturally includes lots of blocked terms as examples, like "falun gong" and "Tibet"), the service staff in this building knocked on my door.
They said "安全检查," which translates as "safety inspection." (On my dictionary, "检查" also translates as "to censor," but I'm sure that's not the right meaning in this case.) They peeked in the room when I opened the door (but they didn't come in). After they left, I looked around, and they didn't give anyone else on my floor a safety inspection. Also, I've been living here for 45 days and haven't had an inspection before. I went up to the front desk to clarify the reason for the inspection, and they told me that it happens on a weekly basis--but I've never even seen or heard of it happening.
Two questions here:
1) Is it reasonable to think this could be part of the Chinese government's Internet censorship policy? (When I signed up for Internet, I had to give my room number and passport.) I'm not afraid, but I'm just a little creeped out by this.
2) How can I protect against a man-in-the-middle attack? In other words, how can I get the correct public key for my SSH server? I didn't have it before I came to China, and I have noticed that my Web proxy frequently put up "certificate changed/inaccurate" notices, so I wouldn't put it past the Chinese government to listen in on "secure" connections by sending different certificates.
They said "安全检查," which translates as "safety inspection." (On my dictionary, "检查" also translates as "to censor," but I'm sure that's not the right meaning in this case.) They peeked in the room when I opened the door (but they didn't come in). After they left, I looked around, and they didn't give anyone else on my floor a safety inspection. Also, I've been living here for 45 days and haven't had an inspection before. I went up to the front desk to clarify the reason for the inspection, and they told me that it happens on a weekly basis--but I've never even seen or heard of it happening.
Two questions here:
1) Is it reasonable to think this could be part of the Chinese government's Internet censorship policy? (When I signed up for Internet, I had to give my room number and passport.) I'm not afraid, but I'm just a little creeped out by this.
2) How can I protect against a man-in-the-middle attack? In other words, how can I get the correct public key for my SSH server? I didn't have it before I came to China, and I have noticed that my Web proxy frequently put up "certificate changed/inaccurate" notices, so I wouldn't put it past the Chinese government to listen in on "secure" connections by sending different certificates.
I was chatting with a friend on AIM a few weeks ago and after she typed "falun gong" she got logged off. She's said this happens to her pretty often when she mentions a buzzword like that.
posted by gramcracker at 1:07 AM on August 10, 2006
posted by gramcracker at 1:07 AM on August 10, 2006
Note for gramcracker's friend:
Chinese youth have discovered this phenomenon and so use FLG to refer to falun gong and GCD to refer to gongchan dang (the communist party). YMMV
posted by jweed at 1:23 AM on August 10, 2006
Chinese youth have discovered this phenomenon and so use FLG to refer to falun gong and GCD to refer to gongchan dang (the communist party). YMMV
posted by jweed at 1:23 AM on August 10, 2006
If you have someone you can ask for the key in the US you could get them to tell it to you over Skype. They would basically have to bug your room to get it at that point.
Don't do anything that'll bring those execution vans around, kay?
posted by shanevsevil at 1:33 AM on August 10, 2006
Don't do anything that'll bring those execution vans around, kay?
posted by shanevsevil at 1:33 AM on August 10, 2006
Have someone post to a blog you can access less SSH tunnel.
Have them break the sections of the keys up and put them in as invalid html entities, doing simple substitution of letters for numbers so you'd turn 01:a1:aa:34:21:bc:7d:a4:ea:56:a4:a1:1a:c5:fa:9f
Into...
01:11:11:34:21:23:74:14:51:56:14:11:11:35:61:96
Then...
01;[paragraph]11;
Etc.
Use this to build the key in a text file on your local computer, assuming that it's secure to input data only if it has remained in your custody for the entirety of your stay.
Should be cool unless they find this, then find the blog...
posted by Matt Oneiros at 1:49 AM on August 10, 2006
Have them break the sections of the keys up and put them in as invalid html entities, doing simple substitution of letters for numbers so you'd turn 01:a1:aa:34:21:bc:7d:a4:ea:56:a4:a1:1a:c5:fa:9f
Into...
01:11:11:34:21:23:74:14:51:56:14:11:11:35:61:96
Then...
01;[paragraph]11;
Etc.
Use this to build the key in a text file on your local computer, assuming that it's secure to input data only if it has remained in your custody for the entirety of your stay.
Should be cool unless they find this, then find the blog...
posted by Matt Oneiros at 1:49 AM on August 10, 2006
01; and 11; should read as "& # 01;" and "& # 11;"
And would appear as 01; and 11; respectively. Unless it passes through software which eats bad entities.
posted by Matt Oneiros at 1:52 AM on August 10, 2006
And would appear as 01; and 11; respectively. Unless it passes through software which eats bad entities.
posted by Matt Oneiros at 1:52 AM on August 10, 2006
Ahh, no entities on mefi. "appears as" would show character not found boxes, if mefi permitted. You'd then need to view source to find the numerical codes.
And you'd need a mask that demonstrates which numbers are supposed to be letters. That could just look like a bunch of line segments. White and black corresponding to specific character positions dependant on a given length of the image (in pixels), white or black could represent either alphabetic characters or numeric ones.
It's too late for this, I should go to bed.
posted by Matt Oneiros at 1:56 AM on August 10, 2006
And you'd need a mask that demonstrates which numbers are supposed to be letters. That could just look like a bunch of line segments. White and black corresponding to specific character positions dependant on a given length of the image (in pixels), white or black could represent either alphabetic characters or numeric ones.
It's too late for this, I should go to bed.
posted by Matt Oneiros at 1:56 AM on August 10, 2006
In order to trust your SSH tunnel you need:
* valid, trusted copy of SSH before you start using the untrusted network
* fingerprint of machine to which you are connecting before you try to connect over the untrusted network
You also need good software and hardware security so that you can be confident that your computer has not be compromised (in which case the SSH client and saved keys cannot be trusted).
posted by beerbajay at 2:42 AM on August 10, 2006
* valid, trusted copy of SSH before you start using the untrusted network
* fingerprint of machine to which you are connecting before you try to connect over the untrusted network
You also need good software and hardware security so that you can be confident that your computer has not be compromised (in which case the SSH client and saved keys cannot be trusted).
posted by beerbajay at 2:42 AM on August 10, 2006
Best answer: From what I've heard of China, I think they did notice your illicit browsing, and they were checking to see if you were Chinese. If you were, you'd probably be in jail. They don't usually mess with foreigners too much.
As far as avoiding a man-in-the-middle attack... the other comments here are making you go through a LOT of work for no good reason. They're trying to get you to hide your public key. It's called a public key for a reason... it doesn't matter if anyone else knows it. It's perfectly okay if everyone in the world knows the public key. You don't have to encrypt it or mask it in any way... you just have to be sure that the public keys are exchanged correctly, without interference.
The way to do that is to have someone read you the fingerprint over the phone while you verify you've gotten that same fingerprint on the computer. If that's the case, you're good, and they can't easily decrypt your traffic. It DOES NOT MATTER if they snoop on your phone call and learn the public key. That information is not useful to them. That would let them encrypt a message to you, but it would not allow them to decrypt other messages that you have received. Only your private key can do that.
Usually, most SSH clients will store a given server's key locally, and will pop up a big flashing warning if it changes. So if you can pre-exchange the keys in a safe place, you can be quite certain you're not being attacked. Obviously, since you're in China, you can't do that now, you'll have to go for the two-channel authentication. If you can get onto a safe network, though, you can pre-exchange your keys.
I've read that some browsers 'leak' DNS info when they're browsing via an SSH proxy. If you have another computer handy, you might want to snoop your traffic while you're browsing to make sure DNS lookups aren't being done locally. You want those done remotely too. DNS lookups give away a lot of info.
posted by Malor at 2:45 AM on August 10, 2006
As far as avoiding a man-in-the-middle attack... the other comments here are making you go through a LOT of work for no good reason. They're trying to get you to hide your public key. It's called a public key for a reason... it doesn't matter if anyone else knows it. It's perfectly okay if everyone in the world knows the public key. You don't have to encrypt it or mask it in any way... you just have to be sure that the public keys are exchanged correctly, without interference.
The way to do that is to have someone read you the fingerprint over the phone while you verify you've gotten that same fingerprint on the computer. If that's the case, you're good, and they can't easily decrypt your traffic. It DOES NOT MATTER if they snoop on your phone call and learn the public key. That information is not useful to them. That would let them encrypt a message to you, but it would not allow them to decrypt other messages that you have received. Only your private key can do that.
Usually, most SSH clients will store a given server's key locally, and will pop up a big flashing warning if it changes. So if you can pre-exchange the keys in a safe place, you can be quite certain you're not being attacked. Obviously, since you're in China, you can't do that now, you'll have to go for the two-channel authentication. If you can get onto a safe network, though, you can pre-exchange your keys.
I've read that some browsers 'leak' DNS info when they're browsing via an SSH proxy. If you have another computer handy, you might want to snoop your traffic while you're browsing to make sure DNS lookups aren't being done locally. You want those done remotely too. DNS lookups give away a lot of info.
posted by Malor at 2:45 AM on August 10, 2006
I wrote the SSH Dynamic Forwarding code (-D flag).
The only realistic way to get safe web browsing, in that DNS doesn't leak, is to use Firefox with the following configuration:
http://www.imperialviolet.org/deerpark.html
Have you seen cert invalid references for known good sites, like online banks and otherwise? If so, you may have some local ugliness. If not, I doubt there's any national scale MITM'ing. It's more likely that:
A) They saw a DNS lookup somewhere "unsafe"
B) You have spyware on your machine
B is completely feasible, and indeed likely, if you ever browsed unprotected through their web link.
posted by effugas at 8:15 AM on August 10, 2006 [2 favorites]
The only realistic way to get safe web browsing, in that DNS doesn't leak, is to use Firefox with the following configuration:
http://www.imperialviolet.org/deerpark.html
Have you seen cert invalid references for known good sites, like online banks and otherwise? If so, you may have some local ugliness. If not, I doubt there's any national scale MITM'ing. It's more likely that:
A) They saw a DNS lookup somewhere "unsafe"
B) You have spyware on your machine
B is completely feasible, and indeed likely, if you ever browsed unprotected through their web link.
posted by effugas at 8:15 AM on August 10, 2006 [2 favorites]
(Yes, I have an insane stunt that lets SSH DNS proxying be safe for IE. You basically have to set your system name server to 127.0.0.1, then run the UDP NS here. This will cause all UDP DNS requests to be retried over TCP, which you can -L53:127.0.0.1:53 forward. But this is a bit complex...)
posted by effugas at 8:17 AM on August 10, 2006
posted by effugas at 8:17 AM on August 10, 2006
You got picked up for looking at stuff they think you shouldn't be looking at, that's for sure.
They sent someone to your place to check it out, and most likely what happened was that they saw you were a foreigner and decided to forget about it for one of two reasons: 1.) They don't think you can speak Chinese, or 2.) a foreigner getting into trouble often times is more a headache for them than it is for the foreigner. (paperwork and all that).
This has happened to me a lot of times. When I was living in China, I'd routinely use a webproxy or something to get to a wikipedia article or something, and some time later, the PSB would come a knocking. No biggie. Just know they're watching from now on. Asking anyone what that was will just get some bullshit face-saving answer.
posted by taschenrechner at 8:50 AM on August 10, 2006
They sent someone to your place to check it out, and most likely what happened was that they saw you were a foreigner and decided to forget about it for one of two reasons: 1.) They don't think you can speak Chinese, or 2.) a foreigner getting into trouble often times is more a headache for them than it is for the foreigner. (paperwork and all that).
This has happened to me a lot of times. When I was living in China, I'd routinely use a webproxy or something to get to a wikipedia article or something, and some time later, the PSB would come a knocking. No biggie. Just know they're watching from now on. Asking anyone what that was will just get some bullshit face-saving answer.
posted by taschenrechner at 8:50 AM on August 10, 2006
I consistantly find it interesting that people who go to visit/live China wait until they get to China before searching for 'illegal' terms.
If you check this out, you could just put a snapshot of wikipedia and look up Falun Gong without needing to access it from the internet.
posted by gregschoen at 9:53 AM on August 10, 2006
If you check this out, you could just put a snapshot of wikipedia and look up Falun Gong without needing to access it from the internet.
posted by gregschoen at 9:53 AM on August 10, 2006
Check out TorPark for your anonymous surfing needs.
posted by reverendX at 9:57 AM on August 10, 2006
posted by reverendX at 9:57 AM on August 10, 2006
Response by poster: Thanks a ton for the responses! I think I have gotten a technologically secure setup going finally with the advice here. I don't want to tell what exactly I did for obvious reasons!
I actually thought I was being a bit paranoid in assuming that the Chinese government was checking up on me. It really surprises and frightens me to hear that they're keeping such close tabs. I'll be much more careful in my browsing in the future, but I'm curious: what's the worst that could happen to a foreigner in China just for visiting wikipedia and such?
posted by jbb7 at 10:26 AM on August 10, 2006
I actually thought I was being a bit paranoid in assuming that the Chinese government was checking up on me. It really surprises and frightens me to hear that they're keeping such close tabs. I'll be much more careful in my browsing in the future, but I'm curious: what's the worst that could happen to a foreigner in China just for visiting wikipedia and such?
posted by jbb7 at 10:26 AM on August 10, 2006
The worst that could happen?
You are an American (or otherwise western), right?
As long as you aren't handing out propaganda on campus, they will just turn off your net access if they really don't like what you are doing. Even if you are handing out tibetan liberation stickers, the most they will ever do is deport you. You aren't going to disappear or anything, since it could become a big international issue.
I'd actually recommend that unless you are doing something that you can't have them see, don't use encryption. If you do, you are acting like you have something to hide, which will only make them more suspicious.
China doesn't want any trouble just as much as you. You are obviously on their radar, but as long as you keep to yourself, it's not worth it to them to do anything. However, if you visit "bad" sites more often then neutral sites, or encrypt all your traffic, I wouldn't be too suprised if they bugged your dorm.
posted by darkness at 4:05 PM on August 10, 2006
You are an American (or otherwise western), right?
As long as you aren't handing out propaganda on campus, they will just turn off your net access if they really don't like what you are doing. Even if you are handing out tibetan liberation stickers, the most they will ever do is deport you. You aren't going to disappear or anything, since it could become a big international issue.
I'd actually recommend that unless you are doing something that you can't have them see, don't use encryption. If you do, you are acting like you have something to hide, which will only make them more suspicious.
China doesn't want any trouble just as much as you. You are obviously on their radar, but as long as you keep to yourself, it's not worth it to them to do anything. However, if you visit "bad" sites more often then neutral sites, or encrypt all your traffic, I wouldn't be too suprised if they bugged your dorm.
posted by darkness at 4:05 PM on August 10, 2006
BTW, fuck Firefox for leaking DNS queries. It's been a documented bug for years. Unfortunately, nobody on the project actually cares. If you have a Mac, use Safari instead.
posted by ryanrs at 8:26 AM on August 12, 2006
posted by ryanrs at 8:26 AM on August 12, 2006
« Older Does the cable modem really need to be unplugged... | Best Ways to Maintain Work/Life Balance? Newer »
This thread is closed to new comments.
posted by aeighty at 1:05 AM on August 10, 2006