I was expecting this to be "why" as a policy matter, but instead it's a technical description (mostly about the fact that SMTP is different from HTTP, for people who might not appreciate that).
I guess the idea may be that Chinese people are not supposed to have or use Gmail accounts, but are allowed to communicate with other people who do. (This isn't necessarily a super-bizarre distinction to imagine a government making; the cost of not being allowed to exchange e-mail with anybody on Gmail is really quite high.)
Edit: also, people have told me that there is a legal restriction in China on the ability to listen on (some?) TCP ports or allow a hosting subscriber to do so (!) -- you're supposed to have a government license to have a TCP listener and your hosting provider or ISP can be punished for allowing you to operate one if you don't have the license. That means that Chinese Internet users couldn't easily set up their own personal mail servers free of government oversight and surveillance. So they can write to Gmail users all they like, but it may be trickier to receive a reply except via a government-approved mailserver.
Agreed, it is a technical explanation to political decisions.
The Chinese government wants to be able to access the communications of their people. They can do that as long as their email providers are cooperative. There is no need to disrupt communications to ensure this is the case, they simply need to keep Chinese citizens from using uncooperative providers.
Let's write a webpage-to-gmail proxy! Send an email with a subject like http://news.ycombinator.com/ to a special email address and it will reply with the text of that page in the body of the email.
oh man, I remember browsing FTP servers over email back in the early 1990s, when I had email access but not FTP access. It was incredibly slow and typos were to be avoided at all costs! https://en.wikipedia.org/wiki/FTPmail
no they filter many different ports and do deep packet inspection on anything that is not encrypted and will block if contains certain content. There is a set list of banned words that will get content blocked instantly. VPN traffic is usually blocked once it is identified as being unlicensed vpn, you need a license to run a vpn server. So these vpn companies will rotate their ips multiple times per month and have special clients that keep the list updated just to avoid the GFW
I've noticed that the firewall really doesn't like TLS connections. It doesn't block them outright, but it does slow the traffic, and periodically break the connection. Basically they just try to interfere with it enough that you don't bother.
I run mail servers (based in the US) for my company (based in China). My employees don't understand why I make them use these email accounts that time out every twenty minutes or so, or drop connections randomly. I've explained why we do it this way, and they understand the security, but still don't really get why I bother.
So port 25 in the GFW is open for outbound connections? My mailserver spam-log tells me that much every other second.
I wonder what weight Spammers had in the decision to allow port 25. Though when I think about it, spammers are probably a negligible faction compared to the businesses that would shut down if they couldn't communicate with international clients on Gmail anymore.
It would be interesting, as other commenters already remarked, to see what STARTTLS does to the connection.
It is a dynamic blacklist. It also uses pattern matching and machine learning to detect some undesired behaviors. It will not cut out SSH connections but will recognize the traffic shape of HTTP traffic over it.
I wonder what else the Great Firewall of China will pass.
(Or what your local ISP will pass.) There are lots of other protocols to try. TP4 (Windows 2000 supported that.) Xerox Network Architecture. QNX remote message protocol. Those are non-TCP protocols, at the IP level. Almost nobody uses any of those, but they're defined for IP.
At the TCP level, there are lots of ports other than port 80. What about FTP, and SSH? TFTP? POP? NetBios? IMAP? NNSP? NNTPS? Blocked or ignored?
They're getting pretty sophisticated. For example, SSH used to work just fine. When I was there last year, SSH would work fine for standard terminal stuff, but would die if I used it in SOCKS proxy mode. It was similar for a lot of VPN protocols I tried. Often the connection would work, but then die as I tried to use it. Typically I couldn't reconnect for a while after that. From what I've read, they're doing traffic analysis and machine learning to try to block things based on usage rather than simply protocol, port, or destination.
Erotica is bad, but torrents (isoHunt, etc.) are OK. The New York Times and the Economist are blocked, but strangely, Amnesty International, the BBC, and Wikileaks are permitted.
They probably have a big productivity boost by not having Twitter, YouTube, Facebook, and Instagram.
I know it was probably just a joke, but they have local equivalents for Twitter and the rest, so productivity is no doubt just as bad.
This is one of the interesting aspects of the system. It started out as just a tool for censorship, but it's becoming a tool for protecting local businesses from outside competition as well.
Google Search has been blocked over the last two years, even through the CN site that redirects to HK. Mobile is possibly an exception, but I never had an Android phone so don't know.
Mobile wasn't an exception (I haven't been in China for a year, but I was there for two years before that); my phone was cut off from all google services.
Edit: I say cut off; that's not entirely true. I couldn't communicate with google from my phone. I could visit Google Play in a web browser, tell it to install something, and the install would hit my phone just fine.
Google search, Drive, Sheets, Docs, Gmail (normal web/app) are all blocked; with ZPN proxy on Android (but not on desktop for some strange reason) Search, gmail and drive work, but sheets/docs are broken for me still. I'm in Shanghai.
Google search is definitely blocked. (Source: I'm in China.) The "unblocked" there seems to be a typo since the "duration of blockage" column says "to present", which is correct.
Regarding social media, of course, the local social media are popular enough that practically nobody would use the American ones even if they were all unblocked tomorrow.
The fascinating part is it varies geographically within China too, so for instance Github is not blocked on the coast (at least in Shenzhen) but is definitely blocked out in Xinjiang.
The mistake you're making is that the Chinese government has chosen one standard and applied it consistently throughout the web. I imagine they've applied it like a game of wack-a-mole: if a group embarrasses them, they block it. Otherwise you can continue rockin' in China. There is a national law against pornography, so that's not surprising.
I imagine that isoHunt and the BBC and Wikileaks just haven't caused China enough trouble yet.
That seems more like a complaint about just unicom. It looks like China has a problem similar to the US when it comes to ISP monopolies, except that theirs are state owned and there was no period of free market competition where people could realize how good it can be.
And potentially blocked adaptively. I haven't tried it recently, but it used to be fun to hit up a search engine while in China, search for "tiananmen square," and watch as the search site suddenly went "down" for about ten minutes.
Which is odd since Tiananmen Square is one of the main tourist attractions in Beijing. Did the government conclude that all English speakers are using it as metonymy for 6/4 or that there's too great a chance that English-language materials about the place will discuss it?
I imagine it's some of both. If I do a Google search for it, the top result and about half of the first page are about the protests, and the famous "tank man" image, which is no good at all from their point of view.
The post only tells part of the story. There are at least two places that GFW can (and does!) block email traffic as long as the traffic goes through GFW:
1. By DNS poisoning your domain name. There's nothing special, when GFW decide to DNS poisoning your domain, all query types will be poisoned, including your MX record.
2. By TCP reset your SMTP connection to MTA (or forge reply from the other end) if the sender or recipient is something special.
For #1, this is happening to my domain name yegle.net. This could be demonstrated via a DNS query sent from outside of China to any servers (even it's not a DNS server) in China (see examples in the end of this comment).
For #2, this is happening to my gmail account. Try connect to an MTA in China from outside of China, as soon as you type "MAIL FROM: MY_EMAIL_ADDRESS", you'll get a TCP reset. (see examples in the end of this comment). If you are sending email from China to my email address, you'll get a forged reply saying the email address doesn't exist (again see example in the end of this comment).
In order to make sure you can send/receive email from/to China, you need to make sure the sender and receiver's email service support [StartTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS).
// TEST FROM OUTSIDE OF CHINA
$ dig MX yegle.net @54.222.60.218
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> MX yegle.net @54.222.60.218
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9506
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;yegle.net. IN MX
;; ANSWER SECTION:
yegle.net. 2654 IN A 8.7.198.45
;; Query time: 176 msec
;; SERVER: 54.222.60.218#53(54.222.60.218)
;; WHEN: Mon Sep 19 13:13:17 PDT 2016
;; MSG SIZE rcvd: 43
// TEST FROM OUTSIDE OF CHINA
$ dig MX yegle.net @8.8.8.8
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> MX yegle.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17621
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;yegle.net. IN MX
;; ANSWER SECTION:
yegle.net. 299 IN MX 10 aspmx.l.google.com.
yegle.net. 299 IN MX 20 alt1.aspmx.l.google.com.
yegle.net. 299 IN MX 30 alt2.aspmx.l.google.com.
yegle.net. 299 IN MX 40 aspmx2.googlemail.com.
yegle.net. 299 IN MX 50 aspmx3.googlemail.com.
;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 19 13:13:27 PDT 2016
;; MSG SIZE rcvd: 171
// TEST FROM OUTSIDE OF CHINA
$ telnet mail.kingsoft.com 25
Trying 219.141.176.248...
Connected to telecom.mail.kingsoft.com.
Escape character is '^]'.
220 mail.kingsoft.com ESMTP
EHLO gmail.com
250-mail.kingsoft.com
250-8BITMIME
250 SIZE 52428800
MAIL FROM: cnyegle-AT-gmail-com
Connection closed by foreign host.
// TEST FROM INSIDE OF CHINA
$ telnet aspmx.l.google.com 25
Trying 209.85.225.27...
Connected to aspmx.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP u6si11379881igw.58
EHLO yegle.net
250-mx.google.com at your service, [183.151.34.162]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES
MAIL FROM:<mail@example.com>
250 2.1.0 OK u6si11379881igw.58
RCPT TO:<cnyegle-AT-gmail-com&g...
42 comments
[ 2.8 ms ] story [ 110 ms ] threadI guess the idea may be that Chinese people are not supposed to have or use Gmail accounts, but are allowed to communicate with other people who do. (This isn't necessarily a super-bizarre distinction to imagine a government making; the cost of not being allowed to exchange e-mail with anybody on Gmail is really quite high.)
Edit: also, people have told me that there is a legal restriction in China on the ability to listen on (some?) TCP ports or allow a hosting subscriber to do so (!) -- you're supposed to have a government license to have a TCP listener and your hosting provider or ISP can be punished for allowing you to operate one if you don't have the license. That means that Chinese Internet users couldn't easily set up their own personal mail servers free of government oversight and surveillance. So they can write to Gmail users all they like, but it may be trickier to receive a reply except via a government-approved mailserver.
The Chinese government wants to be able to access the communications of their people. They can do that as long as their email providers are cooperative. There is no need to disrupt communications to ensure this is the case, they simply need to keep Chinese citizens from using uncooperative providers.
http://www.faqs.org/faqs/internet-services/access-via-email/
Probably worth some karma to update this 14 year old document too.
Although he should've tried using some bad keywords, but that seems to be beyond his level of research.
I wonder if the Great Firewall allows clients to do opportunistic STARTTLS or if it modifies the server response to indicate TLS as being unavailable.
I run mail servers (based in the US) for my company (based in China). My employees don't understand why I make them use these email accounts that time out every twenty minutes or so, or drop connections randomly. I've explained why we do it this way, and they understand the security, but still don't really get why I bother.
[1]: https://stallman.org/stallman-computing.html [2]: git://git.gnu.org/womb/hacks.git
I wonder what other blocked services it is possible to communicate with.
Can you update you twitter account via e-mail from China?
I wonder what weight Spammers had in the decision to allow port 25. Though when I think about it, spammers are probably a negligible faction compared to the businesses that would shut down if they couldn't communicate with international clients on Gmail anymore.
It would be interesting, as other commenters already remarked, to see what STARTTLS does to the connection.
At the TCP level, there are lots of ports other than port 80. What about FTP, and SSH? TFTP? POP? NetBios? IMAP? NNSP? NNTPS? Blocked or ignored?
Google's main search function has not been blocked for the past two years according to Wikipedia:
https://en.wikipedia.org/wiki/Websites_blocked_in_mainland_C...
Erotica is bad, but torrents (isoHunt, etc.) are OK. The New York Times and the Economist are blocked, but strangely, Amnesty International, the BBC, and Wikileaks are permitted.
They probably have a big productivity boost by not having Twitter, YouTube, Facebook, and Instagram.
This is one of the interesting aspects of the system. It started out as just a tool for censorship, but it's becoming a tool for protecting local businesses from outside competition as well.
Edit: I say cut off; that's not entirely true. I couldn't communicate with google from my phone. I could visit Google Play in a web browser, tell it to install something, and the install would hit my phone just fine.
Regarding social media, of course, the local social media are popular enough that practically nobody would use the American ones even if they were all unblocked tomorrow.
I imagine that isoHunt and the BBC and Wikileaks just haven't caused China enough trouble yet.
http://dangerousprototypes.com/blog/2016/06/21/china-stuff-e...
The post only tells part of the story. There are at least two places that GFW can (and does!) block email traffic as long as the traffic goes through GFW:
1. By DNS poisoning your domain name. There's nothing special, when GFW decide to DNS poisoning your domain, all query types will be poisoned, including your MX record.
2. By TCP reset your SMTP connection to MTA (or forge reply from the other end) if the sender or recipient is something special.
For #1, this is happening to my domain name yegle.net. This could be demonstrated via a DNS query sent from outside of China to any servers (even it's not a DNS server) in China (see examples in the end of this comment).
For #2, this is happening to my gmail account. Try connect to an MTA in China from outside of China, as soon as you type "MAIL FROM: MY_EMAIL_ADDRESS", you'll get a TCP reset. (see examples in the end of this comment). If you are sending email from China to my email address, you'll get a forged reply saying the email address doesn't exist (again see example in the end of this comment).
In order to make sure you can send/receive email from/to China, you need to make sure the sender and receiver's email service support [StartTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS).