The Great Firewall of China (GFW) prevents Chinese citizens from accessing online content deemed objectionable by the Chinese government. One way it does this is to search for forbidden keywords in unencrypted packet streams. When it detects them, it terminates the offending stream by injecting TCP RST packets, and blocks further traffic between the same two hosts for a few minutes. Previous studies of Chinese keyword filtering have concentrated on probing for the contents of the forbidden keywords list, identifying regional variations within China, and devising methods for evading the GFW. We report changes since 2014 in the organization and contents of the forbidden keywords list. In particular, we identify and distinguish between three different sub-lists used for HTTP, which contain forbidden terms for a) hostnames, b) page names, and c) search queries. Our experiments reveal that over 86% of the forbidden keywords have been replaced since 2014. By performing finer-grained experiments, we observe some conditions where forbidden keywords do not trigger the GFW blocking mechanisms (e.g., some HTTP headers are ignored), and differences in behavior depending on context (e.g., some keywords are only blocked when paired with the word “search”). We also conducted a pilot experiment to assess whether the GFW is able to detect keywords sent within HTTPS requests, e.g., by tampering with TLS certificates. The results of our experiment provided no evidence for bulk decryption of HTTPS traffic.

The Web Conference is announcing latest news and developments biweekly or on a monthly basis. We respect The General Data Protection Regulation 2016/679.