Analysis of the GFW's Unconditional Port 443 Block on August 20, 2025
Source: gfw.report. Posted 5 months ago; last active 4 months ago.
Key topics: Great Firewall of China, Internet Censorship, Cybersecurity.
The Great Firewall of China (GFW) implemented an unconditional block on port 443 on August 20, 2025, causing widespread disruption, and sparking concerns about internet freedom and potential economic impact.
Snapshot generated from the HN discussion
Key moments
- Story posted: Aug 20, 2025 at 12:27 AM EDT (5 months ago)
- First comment: Aug 20, 2025 at 12:33 AM EDT (6m after posting)
- Peak activity: 73 comments in 0-6h, the hottest window of the conversation
- Latest activity: Aug 22, 2025 at 5:43 PM EDT (4 months ago)
ID: 44958621 | Type: story | Last synced: 11/20/2025, 7:40:50 PM
There's no authentication so anyone can pretend to be you. Traditional methods of verifying the sender (HMAC) would take so many hours to transmit that the physical propagation paths you're communicating through will probably collapse before you deliver the smallest verified message.
If you need to communicate information, FT-8 is not for you.
You do need a time source though. GPS is generally used for that but it doesn't need to be extremely accurate with FT-8 like with some other protocols.
I would imagine using it for a regular "I'm ok" message for the home front in such a situation using pre-arranged contents.
I tried it while staying in a high-rise hotel and the experience was great. Instant acknowledgement and super reliable communication.
If it's on purpose, I think you have the most likely motivation.
A mistake that also weirdly increments some TCP fields for the three subsequent RST packets when that's not how the existing GFW devices behave would need some explanation before you could conclude it to be the most likely explanation.
[1] https://en.wikipedia.org/wiki/Cherbourg_Project
Every major power has polluted near Earth space as a show of power.
[0] https://planet4589.org/space/con/star/planes.html
(On general principles, you could argue you'd need 1:1 launch vehicle parity (number, not payload) to defeat a satellite constellation this way. For each satellite launch, you'd need one corresponding anti-satellite launch into that same, newly-defined orbit).
Starlink satellites are pretty low and experience a lot of drag, with square-cube law working against you. Your shrapnel's orbit will likely decay pretty rapidly.
Relevant, Chinese domestic media reporting on China's own perspective:
https://www.scmp.com/news/china/science/article/3178939/chin... ("China military must be able to destroy Elon Musk’s Starlink satellites if they threaten national security: scientists" (2022))
> "Researchers call for development of anti-satellite capabilities including ability to track, monitor and disable each craft / The Starlink platform with its thousands of satellites is believed to be indestructible"
"Easy to bring down" vs. "believed to be indestructible"—some tension there!
And I doubt China would want to make LEO impossible to move through anyway. It’d affect China badly as well
Also, fairly easy to find from the air.
The only thing that could bypass is GPS + laser links (meaning physically aiming a laser both on the ground AND on a satellite). You cannot detect that without being in the direct path of the laser (though of course you can still see the equipment aiming the laser, so it doesn't just need to work, it needs to be properly disguised). That requires coherent beams (not easy, but well studied), aimed to within 2 wavelengths of distance at 160km (so your direction needs to be accurate to 2 billionths of a degree; obviously you'll need stabilization), at a moving target, using camouflaged equipment.
This is not truly beyond current technology, but you can be pretty confident even the military doesn't have this yet.
The moon is 700 times farther away than the starlink satellites (or twice that, if you consider the bounce), so I find it hard to imagine that it would be impossible to communicate with much closer satellites over laser when both sides can have an active transmitter.
However, this solution is going to stop working when a cloud drifts past.
Not really, because you'd be using a frequency that passes through clouds. A snow storm or hail is impenetrable, and there are weather events that cause a 1-2 second blackout, as well as cause refraction (which is mostly a challenge in re-aiming the beam fast enough to compensate), but anything in the air is fine. Clouds, mist, ... But is aiming at a 1 arcsecond target moving across the sky at at least 1 degree per second from a normal (i.e. moving) building really doable with "standard hobbyist telescope mounts"?
I know 5 years ago we were still doing this with lasers on rockets toward planes, because planes can just keep their angle to a rocket essentially constant. I know there's experiments doing direct laser to satellite, no idea how well that works.
The clouds are however much more of a problem than you're suggesting. One promising infrared band is around 10 microns, but a thick cloud will still scatter that. You'd need a 20cm wide laser beam at that wavelength for it to diverge to a beam width of around 10 arcseconds. Which is basically a reasonably-sized telescope, working in reverse.
Alternatively, you could go for millimeter waves, which would pass through the clouds reasonably well, but then you're well outside the realms of "laser" and into the standard directional dish antenna. And it'd have to be a very large dish to give you a narrow beam. For instance, a rather unsubtle 2 metre wide dish with a 1mm wavelength will give a beam that diverges by 100 arcseconds. And there will probably be omnidirectional leakage which the dastardly authorities are likely to be able to detect. At least visible and infra-red leakage can be easily blocked and concealed, but radio is much harder.
Not true anymore.
> and the antenna will also only operate in an approved zone (depending on your country and account type). You cannot use it in China.
This is still correct.
Though India doesn't have a great firewall so it's much less of an issue for foreigners visiting there.
It’s still true, because in order to be operating in a country Starlink has to get approval from the government, and if the government requires Starlink to connect through a ground station then they’ll either comply or not operate in that country.
If you think this is bad...
You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal, which you can only do if you are in China and get the approval. It should also be displayed on the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS; they got kicked out. In Beijing it is actually Sinnet, in Ningxia it's NWCD.
You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).
In a nutshell, they not only can shut down cross-border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shut down any website they want.
I added an A record for a subdomain and pointed it at Chinese IP addresses. I wonder if I will get that angry email?
I think the real paranoid people use cloudHSM.
https://www.marvell.com/products/security-solutions/liquidse...
That's my take as well reading about how they handle firmware (sounds like they're using their own chips, presumably similar to how they use other hardware acceleration and offload)
But yeah, they can shut down anything unless a proxy server is widely used, as in <Nearly 90% of Iranians now use a VPN to bypass internet censorship>.
So using DNS hosted outside won’t matter, because the destination Chinese IP will get blocked. Or if using outside hosting, it won’t matter, because anyone in China trying to access it will get blocked. Or anyone trying to publish anything to it the CCP doesn’t like. Presumably also with some follow up in-person ‘check-ins’.
The GFW is a pretty massive and actually impressively effective piece of technology, even if we don’t agree with its purpose.
If you allow connections to random websites outside of your jurisdiction then you're de facto allowing everything, because people can proxy arbitrary traffic that way. If you don't, you're effectively disconnecting your country from the global internet, which is not an impressive technological feat. Anybody with a backhoe can do a fiber cut.
It really isn’t dumb at all, and is quite difficult to get past.
It also auto detects ‘problematic’ content in near realtime for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.
At massive (national) level scale.
Don’t get me wrong. It’s evil. But it’s an impressive bit of evil kit.
They made a list of tunnel systems that don't attempt to disguise themselves and then blocked them. That's not really that hard, and it meanwhile causes lots of innocuous things to be blocked. There are uses for a tunnel other than bypassing censorship.
The hard thing is to block the ones that actively attempt to look like something they're not, and release updates to change their profile whenever the authors notice it being blocked, while still allowing the thing they're attempting to look like.
> It also auto detects ‘problematic’ content in near realtime for a huge swath of things. It does deep packet and content inspection, including of a bunch of encrypted traffic that it really shouldn’t be able to.
All of this is assuming the content is being distributed unencrypted or is otherwise leaking its contents through e.g. having a specific data length, none of which an encapsulation method is required to expose.
Wait what? So I can DoS any Web site in China by creating a rogue DNS record that points to its IP address, even under a completely unrelated domain? How would they even find those records?
Seems like a very minor speed bump in your plan, though: presumably something like https://www.chinafirewalltest.com would achieve that, or send a few emails for folks to click.
https://de.wikipedia.org/wiki/Impressumspflicht (Mandatory real name & address, not only for business, but for private persons with a web presence, too. Same for Domain/DNS, which applies to everything in the European Union.)
Normally they have to fight VPN issues anyway, but having a sovereign state inject your packets is certainly a fun new one.
It’s good to know the boss.
But there absolutely is also a non-negligible number of Chinese and Indian nationals, who have some type of visa status in the US (especially a green card) who spend many months in their original countries making $200,000 or more per year while living like royalty in their home countries :)
So much has happened since then...
If you get a green card and leave the us for any amount of time, on return the border agent makes a determination on the spot if you intended to live abroad.
Less than six months is simply less suspicious than more.
If the answer is yes, well then it is yet more proof that the US immigration system operates basically extrajudicially, just like the IRS and ATF, and only occasionally do the courts pull them back in after much hardship for the plaintiff.
Words and policies are supposed to have meaning, and I doubt we'll get any charts or graphs on border refusals per amount of time spent abroad for GC holders.
Green cards are for people who intend to continuously be resident in the United States.
If you go home for 3 months and get a job and rent a house, then you no longer continuously reside in the United States.
It's that simple, but there's no hard and fast rule on how many days.
Not really. People like it in China, regardless of whether they're Chinese.
I took an English teaching certification course in Shanghai. The teachers for that course were used to rotating around the world as the company held courses in various random locations.
One day the teachers asked what was apparently a standard question for them, "are you planning to stay here after you get the certification?"
And they were flabbergasted when everyone answered yes. Apparently in most of the locations that offer CELTA courses, the majority of people come for the course and get out as soon as they can.
The teachers, incidentally, were British and New Zealander, and they were firm about instructing us in teaching British pronunciation. I assume most of the students went on to ignore that part of the curriculum.
Because they have some of the most beautiful scenery and buildings I've seen, and I've been to dozens of countries.
Personally I wouldn't go there for remote work, because the internet interference is a pain but a holiday definitely.
The nature spans salt lakes and rainbow mountains akin to South America, to the Northern Lights in Mohe down to karst formations of Guilin shared with Vietnam's Halong Bay.
The cuisine is diverse and dishes popular in places like Xi'an reveal lasting influences dating back to the Silk Road.
If you can't find "somewhere really nice" amongst the myriad people and locations you haven't tried.
Visiting somewhere means submitting yourself to their laws. With China's, that's not an option for me. Having restricted communication with home is a dealbreaker too. I would not let that stand so I'd have to break their laws.
It may be a beautiful country but it's not a beautiful place to be. At least not for someone like me.
Though having said that there are many places I refuse to travel to. The US is currently one as well for obvious reasons.
I'll just say Microsoft is not the only company doing that, and there are also Chinese-owned SaaSes which American companies pay for.
Now, the people I work with know that I'm not really located in the same time zone, but I know people who don't bother to mention it. I rarely get phone calls, but I have a roaming connection active for banking/OTP/etc. Plenty of cheap cafes with great WiFi (500 Mbps+ almost everywhere), and several times cheaper too.
If it wasn't literally 10x cheaper to live abroad than it is to live in Seattle/San Jose, it wouldn't be as prevalent. And not to mention, the quality of life is often better at the 10x cheaper price as well.
I can give you as much proof as you would like!
Example: https://www.justice.gov/opa/pr/justice-department-announces-...
If you aren't aware: a Virtual Private Network creates a fully encrypted link between you and a remote node. So long as your encryption keys are secure, there's no way for anyone (even a global superpower) to listen to or intrude on that connection. There is no possible way to break into this connection, even with the entire planet's computing resources.
From the outside, all you can see is a stream of encrypted data between two nodes. You cannot tell where the traffic goes once it exits the VPN server or what it contains.
The only way to compromise a VPN connection is the most straightforward and pedestrian: compromise the VPN host and directly spy on their clients with their own hardware.
The GFW certainly can and has detected such encrypted streams and blocked them for being un-inspectable. With a VPN you can perfectly hide what you're doing and you can perfectly prevent intrusion. You cannot prevent someone noticing you're using a VPN. China can simply blanket ban connections that look like VPN traffic. But they cannot tell what you're doing with that VPN.
Besides that, when negotiating a secure connection through unencrypted channels you typically use Diffie-Hellman to establish the encryption keys. As far as I'm aware, this method cannot be broken. Both nodes compute their own private encryption key and do math to create unencrypted data that must be verified by the other node's key. Even if you had full control of the data stream, you can't determine those private keys and cannot break into the encrypted connection that follows.
Also VPNs are typically UDP, but there's no hard requirement as far as I know.
Based on that information, the theory for why a nation state would block https like this for a moment is either an accident, or to only block the low hanging fruit of people who don't use a VPN.
There are special virtual SIM cards that provide access to services from mainland China, as well as VPNs that function normally without issues. I used both while I was in China.
If I understand right, a good next step would be to use eBPF or some type of proxy to ignore the forged RST+ACK at the beginning.
Then it would come to testing whether sending a bunch of ACK packets, perhaps with sequence numbers that, when reconstructed, could complete the handshake, works. Trying to send them alongside the SYN+ACK, or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
See <Ignoring the Great Firewall of China> in 2006. That won't work if RST/ACK was injected to both sides.
> Then it would come to testing whether sending a bunch of ACK packets, perhaps with sequence numbers that, when reconstructed, could complete the handshake, works. Trying to send them alongside the SYN+ACK, or even before if it can be predicted. Maybe try sending some packets with sequence id 0 as well to see what happens.
This is an interesting approach already being utilized, namely TCB desync. But currently most people tend to buy VPN/proxy services rather than studying this.
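The exchange above turns on whether a receiving TCP stack will honour an injected RST+ACK at all, which depends on the sequence number it carries. The following is an added example, not code from the thread or from gfw.report, that models the RST acceptability check of RFC 793 as tightened by RFC 5961: an exact match is accepted, an in-window but inexact RST draws a challenge ACK, and anything else (such as the "sequence id 0" packets mentioned above) is dropped. Connection state values are constructed for illustration.

```python
# Model of how a TCP endpoint validates an incoming RST (RFC 793 window check,
# tightened by RFC 5961 section 3.2). Added illustration; sequence numbers and
# window sizes below are constructed, not captured values.
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap modulo 2**32


@dataclass
class TcpConn:
    rcv_nxt: int             # next sequence number expected from the peer
    rcv_wnd: int             # receive window advertised to the peer
    established: bool = True


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a segment's sequence number (mod 2**32)."""
    return ((seq - rcv_nxt) % SEQ_MOD) < rcv_wnd


def classify_rst(conn: TcpConn, seq: int) -> str:
    """What an RFC 5961-compliant stack does with a RST carrying `seq`.

    Stacks that only implement RFC 793 accept any in-window RST; RFC 5961
    narrows acceptance to an exact match and answers the rest with a
    challenge ACK, which is why blind (guessed) resets rarely land.
    """
    if seq == conn.rcv_nxt:
        return "accept"          # exact match: the connection is torn down
    if in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "challenge-ack"   # in window but inexact: send challenge ACK
    return "drop"                # outside the window: silently discarded


def apply_rst(conn: TcpConn, seq: int) -> str:
    action = classify_rst(conn, seq)
    if action == "accept":
        conn.established = False
    return action


def simulate_injection(client: TcpConn, server: TcpConn, on_path: bool) -> dict:
    """Forge one RST toward each endpoint of a connection.

    An on-path injector that saw the handshake and the ClientHello knows both
    sides' rcv_nxt and can match them exactly, so both ends accept. A blind
    injector has to guess; here it uses seq 0 toward each end.
    """
    to_client = client.rcv_nxt if on_path else 0
    to_server = server.rcv_nxt if on_path else 0
    return {"client": apply_rst(client, to_client),
            "server": apply_rst(server, to_server)}


if __name__ == "__main__":
    c, s = TcpConn(0x1A2B3C4D, 65535), TcpConn(0x4D3C2B1A, 65535)
    print(simulate_injection(c, s, on_path=False), c.established, s.established)
    print(simulate_injection(c, s, on_path=True), c.established, s.established)
```

The model explains the thread's two observations: a reset injected toward both sides only works because the injector has seen the real sequence numbers, and a probe with sequence 0 is discarded unless the window happens to cover it.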
But GFW certainly had the capability to block all ports. So no one really knew.
Unknown. I haven't seen any injected fake DNS or reset packets so far to domestic hosts. But there are rumors that Google's servers in Beijing (AS24424) were once black-holed.
> Is GFW a central hub for all traffic between all hosts?
It's supposed to have a centralized management system, but not a single hub.
> Or between residential ASNs and commercial ones only?
Yes, the injecting devices are deployed in IXPs, the AS borders. See <Internet censorship in China: Where does the filtering occur?>.
> In the UK and Iran a lot of censorship was implemented by leaning on ISPs at IP level (eg BT Cleanfeed) and with DNS blocks but I haven’t kept up to date with how networks might handle residential hosting.
I believe Iran has a more centralized system like China's, controlled by Tehran.
> Maybe internal traffic is just all banned?
No, internal HTTPS traffic is not banned in that hour.
So what's blocked differs by region
Right now liberal people mostly sit back and wait for things to get better, it's not enough. (Also going and walking up and down is not really effective.)
First they came for the socialists, and I did not speak out because I was not a socialist.
Then they came for the trade unionists, and I did not speak out because I was not a trade unionist.
Then they came for the Jews, and I did not speak out because I was not a Jew.
Then they came for me and there was no one left to speak for me.
And if you talk back? Why, you must be a pedophile or a terrorist, otherwise why would you have anything to hide?
It's gotten bad enough that people here on HN - Hacker News! - non-ironically make more or less this argument.
https://danglingpointer.fun/posts/GFWHistory
Posted 6 days ago (https://news.ycombinator.com/item?id=44898892)