
> Terrible, this is Internet curfew.

If you think this is bad...

You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal. Which you can only do if you are in China, and get the approval. It should also be displayed on the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS, they got kicked out. In Beijing, it is actually Sinnet, in Nginxia it's NWCD.

You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).

In a nutshell, they not only can shut down cross border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shut down any website they want.

I laughed when I saw "Nginxia", thinking it was a portmanteau of, well, nginx and wuxia, a Chinese fiction genre. Reality was much less funny when I looked up NWCD, and you likely just made a typo of Ningxia.


"Xia" would map to a single character (code point) in Chinese. For instance, in simplified Chinese, it could be 下 (xia, meaning down), 侠 (martial arts - like the xia in wuxia), or any number of other homophones. Since the characters are already combinatorial, I'm not sure a Chinese speaker would think of this as a portmanteau.


AWS in China also doesn't have the Key Management Service, which leads me to conclude it must be pretty secure.

I added an A record for a subdomain and pointed it at Chinese IP addresses. I wonder if I will get that angry email?


Or they just don't want to be put in the position of having to give out keys.

I think the real paranoid people use CloudHSM.


Both KMS and CloudHSM are FIPS 140-2 Level 3 and AWS claims they cannot read private keys from KMS. The main difference is KMS uses IAM and the AWS REST API while CloudHSM uses PKCS #11/JCE and a separate permissions system.


The docs say both use HSM. Under "Secure" in the accordion menu https://aws.amazon.com/kms/features/#topic-0


My understanding is that AWS KMS uses AWS designed HSMs that are tightly integrated with all AWS services, while CloudHSM uses LiquidSecurity 2 Cloud HSM adapters and uses more conventional APIs.

https://www.marvell.com/products/security-solutions/liquidse...


>My understanding is that AWS KMS uses AWS designed HSMs

That's my take as well reading about how they handle firmware (sounds like they're using their own chips, presumably similar to how they use other hardware acceleration and offload).


Actually, they wouldn't really know unless this domain is used. I guess they check the `Host` header to get the domain that targeted this IP and then check where the MX are hosted.


> You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).

Wait what? So I can DoS any Web site in China by creating a rogue DNS record that points to its IP address, even under a completely unrelated domain? How would they even find those records?


I guess they would find it the moment someone in China using a Chinese resolver tries to resolve your rogue record, since that would recurse to one of the root mirrors in China, which presumably feeds this mechanism.

Seems like a very minor speed bump in your plan, though: presumably something like https://www.chinafirewalltest.com would achieve that, or send a few emails for folks to click.
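The rule described in the first comment (address records pointing into in-country IP space are expected to be served from in-country DNS) and the speculation above about how such records get noticed both come down to one question for a zone owner: which of my published A/AAAA records actually point into a given address range? The following is an added example, not code from this thread or from any DNS provider: a small BIND-style zone parser plus a prefix check, so a defender can audit their own zone before publishing it. The zone text and the prefix list are constructed sample data using RFC documentation ranges; the names `parse_address_records`, `records_in_prefixes` and `audit_zone` are this example's own. A real audit would load a maintained list of the prefixes that matter to you instead of the placeholders.

```python
import ipaddress
import re

# Constructed sample zone fragment (BIND-style). Names and addresses are
# illustrative only and use documentation ranges, not real allocations.
ZONE_TEXT = """
$ORIGIN example.com.
$TTL 300
@        IN  A     203.0.113.10
www      IN  A     203.0.113.10   ; comment after a record
cn       IN  A     198.51.100.7
api.cn   300 IN A  198.51.100.8
mail     IN  MX 10 mail.example.com.
v6       IN  AAAA  2001:db8::1
"""

# Placeholder prefixes standing in for "address space covered by the rule".
# Replace with a maintained list in a real audit.
IN_COUNTRY_PREFIXES = [
    ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8::/32")
]

# name [ttl] [IN] (A|AAAA) address  -- the only record shapes we care about
ADDRESS_RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<type>A|AAAA)\s+(?P<addr>\S+)$"
)


def parse_address_records(zone_text, default_origin="."):
    """Return a list of (fqdn, ip_address) for every A/AAAA record in the zone.

    Handles $ORIGIN, '@', relative and absolute owner names, optional TTL and
    class, and ';' comments. Other record types (MX, CNAME, ...) are skipped.
    """
    origin = default_origin
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and other directives
            continue
        m = ADDRESS_RECORD_RE.match(line)
        if not m:
            continue  # not an address record
        name = m.group("name")
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name  # already absolute
        else:
            fqdn = f"{name}.{origin}"
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # malformed address; skip rather than crash the audit
        records.append((fqdn.rstrip("."), addr))
    return records


def records_in_prefixes(records, prefixes):
    """Return (fqdn, address-string) for records whose address lies in any prefix."""
    return [
        (fqdn, str(addr))
        for fqdn, addr in records
        if any(addr in net for net in prefixes)
    ]


def audit_zone(zone_text, prefixes):
    """Parse a zone and report which address records fall inside the prefixes."""
    return records_in_prefixes(parse_address_records(zone_text), prefixes)


if __name__ == "__main__":
    for fqdn, addr in audit_zone(ZONE_TEXT, IN_COUNTRY_PREFIXES):
        print(f"{fqdn} -> {addr} is inside a watched prefix")
```

The parser deliberately only understands the single-line record shapes shown; multi-line records in parentheses or `$INCLUDE` would need a fuller zone parser. The point is the shape of the check: address records are matched against prefixes as `ipaddress` objects, so IPv4 and IPv6 are handled the same way and a record that lands in a watched range is surfaced before the zone is published.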


I swear to use this power only for lulz.


I wonder if this is actually tied to Chinese domains and Chinese run registrars? That way it would be easy to flag the usage of foreign nameservers and there's no DoS risk.


> It should also be displayed in the site, like a license plate.

https://de.wikipedia.org/wiki/Impressumspflicht (mandatory real name & address, not only for businesses but for private persons with a web presence, too).

Same for domain/DNS (which applies to everything in the European Union).


What about other protocols, could you run e.g. Gopher or NNTP? I guess IMAP could work as well.


Not all Western companies comply with Beijing, like Route53, a name I've never heard of; Cloudflare seems to be most popular in China.

But yeah, they can shut down anything unless a proxy server is widely used, as in "Nearly 90% of Iranians now use a VPN to bypass internet censorship".


AFAIK Route53 is AWS’s managed DNS product, not a company.


OK, AWS again, I know it not only complies with Beijing but also Russia and many other dictatorships. Banned domain fronting and recently enforced S3 bucket-based subdomains for government to better inspect.


Their point is if you’re served within China (aka hosted off a Chinese IP, or accessing anything from a Chinese IP) it doesn’t matter if the other company interacts or complies with China’s rules - the other half of the transaction will be blocked.

So using DNS hosted outside won’t matter, because the destination Chinese IP will get blocked. Or if using outside hosting, it won’t matter, because anyone in China trying to access it will get blocked. Or anyone trying to publish anything to it the CCP doesn’t like. Presumably also with some follow up in-person ‘check-ins’.

The GFW is a pretty massive and actually impressively effective piece of technology, even if we don’t agree with its purpose.


Technology backed by force is not impressively effective as a technology.


So nuclear weapons were and are totally boring and unimpressive?


Not only that, it seems to be entirely unimpressive: The premise is that they would be able to allow everything except for what they want to censor, which isn't what they're doing.

If you allow connections to random websites outside of your jurisdiction then you're de facto allowing everything, because people can proxy arbitrary traffic that way. If you don't, you're effectively disconnecting your country from the global internet, which is not an impressive technological feat. Anybody with a backhoe can do a fiber cut.


You’re just ignorant of what it does. The GFW autodetects and blocks a truly impressive number of tunnel encapsulation schemes, VPNs, etc. and blocks a wide variety of proxy attempts.

It really isn’t dumb at all, and is quite difficult to get past.

It also auto-detects ‘problematic’ content in near real time for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.

At massive (national) level scale.

Don’t get me wrong. It’s evil. But it’s an impressive bit of evil kit.


> The GFW autodetects and blocks a truly impressive number of tunnel encapsulation schemes, VPNs, etc. and blocks a wide variety of proxy attempts.

They made a list of tunnel systems that don't attempt to disguise themselves and then blocked them. That's not really that hard, and it meanwhile causes lots of innocuous things to be blocked. There are uses for a tunnel other than bypassing censorship.

The hard thing is to block the ones that actively attempt to look like something they're not, and release updates to change their profile whenever the authors notice it being blocked, while still allowing the thing they're attempting to look like.

> It also auto-detects ‘problematic’ content in near real time for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.

All of this is assuming the content is being distributed unencrypted or is otherwise leaking its contents through e.g. having a specific data length, none of which an encapsulation method is required to expose.


Sure, that’s why saying things like Tiananmen Square - over voice audio - in a game with an encrypted connection to the server gets everyone’s connections in China severed, even when the game servers are in another country and the game company has nothing to do with it.

The GFW is run by the definition of a Nation State Actor/NPT. They’re not perfect, or omniscient, but they aren’t fools or incompetent either.

And knowing all the people taking the ‘totally secret’ backdoor is not even a complex trick.

Folks like the NSA in the US have to stay in the shadows, and have a tiny budget and population to draw experts from. What do you think happens when they get to be direct, obnoxious, AND somewhat public in a national pride kind of way?


> Sure, that’s why saying things like Tiananmen Square - over voice audio - in a game with an encrypted connection to the server gets everyone’s connections in China severed, even when the game servers are in another country and the game company has nothing to do with it.

You're describing something that seems like an urban legend/coincidence. What technical means are you suggesting they're using to determine the contents of a voice chat over an encrypted connection?

> And knowing all the people taking the ‘totally secret’ backdoor is not even a complex trick.

That's assuming it can be distinguished from ordinary traffic.

If your device goes direct when you want to read the Wikipedia article on the Streisand Effect but you also have a browser that proxies traffic through a random AWS VPS in Virginia when you want to read about something they don't want you to know, how are they supposed to tell that the latter is that and not just a regular arbitrary third party webserver?

> Folks like the NSA in the US have to stay in the shadows, and have a tiny budget and population to draw experts from. What do you think happens when they get to be direct, obnoxious, AND somewhat public in a national pride kind of way?

It becomes easier to find a way to thwart what they're doing because any random device can be used to determine if or how something is being blocked instead of only the devices of high-risk people who can't afford to test the fences.
