The Great Firewall of China (GFW) is one of the most sophisticated and far-reaching internet censorship systems in the world. It operates through a complex combination of legal regulation, technical filtering, network monitoring, and active interference with data flows. While many discussions focus on blocked websites and restricted platforms, a deeper and more technical story lies beneath: how the Great Firewall disrupts HTTPS traffic—the very protocol designed to secure and protect modern internet communications.
TL;DR: China’s Great Firewall disrupts HTTPS traffic through methods such as DNS poisoning, IP blocking, Server Name Indication (SNI) filtering, active probing, and TCP reset injection. Although HTTPS encrypts content, metadata like domain names and handshake information often remain visible and can be exploited for censorship. These disruptions lead to connection failures, slowdowns, and certificate errors for users trying to access restricted services. The firewall’s evolving tactics demonstrate that encryption alone does not guarantee accessibility in heavily controlled networks.
Understanding HTTPS and Why It Matters
HTTPS (Hypertext Transfer Protocol Secure) is the backbone of modern internet security. It uses TLS (Transport Layer Security) encryption to protect data transmitted between a user’s browser and a website’s server. This ensures:
- Confidentiality: Third parties cannot easily read transmitted data.
- Integrity: Data cannot be modified without detection.
- Authentication: Users can verify they are communicating with the intended server.
In most parts of the world, HTTPS protects users from hackers and surveillance. However, in China, encrypted traffic presents a challenge to authorities seeking to control information flows. Since HTTPS conceals page content, censorship systems must rely on other visible elements of the connection to determine whether it should be blocked or disrupted.
The Architecture of the Great Firewall
The Great Firewall operates at multiple layers of the network stack and at strategic points within China’s internet infrastructure. International gateways are tightly controlled, meaning that cross-border internet traffic flows through government-monitored chokepoints.
Key techniques used by the firewall include:
- DNS tampering and poisoning
- IP address blocking
- Deep Packet Inspection (DPI)
- TCP reset injection
- Active probing of suspicious connections
When applied to HTTPS traffic, these techniques create disruption even though the traffic payload itself is encrypted.
1. DNS Poisoning and Its Impact on HTTPS
Before an HTTPS connection begins, a domain name must be resolved into an IP address using the Domain Name System (DNS). The Great Firewall frequently intercepts DNS queries and returns incorrect IP addresses for banned domains.
Even if a user attempts to use an encrypted DNS service, interference can still occur at other layers. If DNS poisoning succeeds, the HTTPS handshake never even begins. Users may see:
- Connection timeouts
- “Server not found” errors
- Incorrect website responses
Because DNS is the first step in establishing secure communication, manipulating it remains one of the firewall’s most effective disruption tools.
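A client-side check that makes the disruption described above visible, as an added example that is not the article's own code: it parses raw DNS responses and flags a transaction for which two answers carrying the same transaction ID disagree on the A records. It assumes the client keeps listening for a short window instead of accepting the first answer, so an injected response and the resolver's own response can be seen side by side. All packets are constructed inline (documentation-range addresses), so it runs offline.

```python
"""Added example (not the article's code): flag a DNS transaction for which
two or more responses with the same transaction ID disagree on the A records.

Assumption: the client keeps listening for a short window instead of
accepting the first answer, so it can see an injected response and the
resolver's own response side by side.  All packets below are constructed
inline; no network access is needed.
"""
import socket
import struct
from typing import List, Optional, Set, Tuple


def encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then the name ends
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def build_query(txid: int, name: str) -> bytes:
    """Minimal A query: 12-byte header (RD set) plus one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid: int, name: str, addrs: List[str]) -> bytes:
    """Minimal response: header (QR+RD+RA), the question, and one A record per address."""
    resp = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    resp += encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        resp += encode_name(name) + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
    return resp


def parse_a_records(resp: bytes) -> Tuple[int, Set[str]]:
    """Return (transaction ID, set of IPv4 answers) from a DNS response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4          # QTYPE + QCLASS
    addrs: Set[str] = set()
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return txid, addrs


def find_conflicting_answers(query: bytes, responses: List[bytes]) -> Optional[List[Set[str]]]:
    """Return the distinct answer sets that share the query's TXID, or None when they agree.

    Two responses with the same TXID but different A records cannot both be the
    resolver's answer: at least one was produced by something else on the path.
    An on-path injector sees the query and can copy the TXID, which is why this
    check looks for disagreement rather than for a TXID mismatch.  Responses
    whose TXID does not match are stray traffic and are ignored.
    """
    qtxid = struct.unpack("!H", query[:2])[0]
    seen: List[Set[str]] = []
    for resp in responses:
        txid, addrs = parse_a_records(resp)
        if txid != qtxid or addrs in seen:
            continue
        seen.append(addrs)
    return seen if len(seen) > 1 else None


# Constructed sample: one query, three responses observed within the listening window.
QUERY = build_query(0x1234, "blocked.example")
RESPONSES = [
    build_response(0x1234, "blocked.example", ["203.0.113.7"]),   # constructed: arrives first, bogus
    build_response(0x1234, "blocked.example", ["192.0.2.10"]),    # constructed: the resolver's answer
    build_response(0x4321, "blocked.example", ["198.51.100.1"]),  # constructed: wrong TXID, ignored
]

if __name__ == "__main__":
    print(find_conflicting_answers(QUERY, RESPONSES))
```

The check tells you that the transaction was tampered with, not which answer is the genuine one; deciding that needs a second channel (a resolver reached over an encrypted transport, or a trusted vantage point outside the network) to compare against.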
2. IP Address Blocking
Each website or online service is hosted on a server identified by an IP address. The Great Firewall maintains extensive blacklists of IP addresses associated with prohibited services, such as foreign news outlets, messaging apps, or social media platforms.
When a user attempts to connect to a blocked IP address—even via HTTPS—the firewall can simply drop the packets. The encrypted nature of HTTPS is irrelevant because the connection is terminated before secure communication can proceed.
This method, however, presents challenges:
- Many services share cloud infrastructure and IP addresses.
- Blocking a single IP may disrupt multiple unrelated services.
- Content Delivery Networks (CDNs) frequently rotate IPs.
As a result, IP blocking often causes collateral damage, making it a blunt but powerful instrument.
3. SNI Filtering: Exploiting Metadata in HTTPS
One of the most significant vulnerabilities in HTTPS—until recently—has been the Server Name Indication (SNI) field. During the TLS handshake, the client specifies the hostname it wishes to access. Traditionally, this information was transmitted in plaintext.
The Great Firewall leverages this by inspecting outgoing TLS handshakes. If the SNI value matches a banned domain, the firewall can immediately:
- Inject forged TCP reset packets.
- Terminate the connection.
- Temporarily block further traffic to the destination.
This technique allows precise targeting of individual domains—even when they share IP addresses with permitted sites.
The introduction of Encrypted SNI (ESNI), later superseded by Encrypted Client Hello (ECH), was designed to address this privacy weakness. However, China has responded by blocking connections that attempt to use ECH with unsupported or suspicious configurations, demonstrating the adaptive nature of the firewall.
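To show exactly what the metadata leak in this section looks like on the wire, here is an added example (not the article's code) that builds a minimal ClientHello and then reads it back the way a passive observer on the path would: the hostname is recoverable from the first packet of the handshake, before any key exchange. In TLS 1.3 the server's certificate is encrypted as well, so the SNI is the one cleartext hostname a filter has to work with. The hello is constructed inline (one cipher suite, zeroed random); the ECH extension uses the draft codepoint 0xfe0d with a constructed placeholder payload, because only its presence matters here. A defender can run the same parser over captured traffic to audit which of their own clients still expose hostnames.

```python
"""Added example (not the article's code): what a passive observer on the path can
read from the very first packet of a TLS handshake.

Assumptions: the ClientHello is built inline (a minimal TLS 1.3-style hello with
one cipher suite); the ECH extension uses the draft codepoint 0xfe0d and its
payload here is a constructed placeholder, since only its presence matters
for this check.
"""
import struct
from typing import Dict, Optional

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D   # draft-ietf-tls-esni codepoint


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(hostname: Optional[str], ech: bool = False) -> bytes:
    """Return one TLS record containing a minimal ClientHello."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")           # offers TLS 1.3 only
    if ech:
        exts += _ext(EXT_ENCRYPTED_CLIENT_HELLO, b"\x00" * 16)     # constructed placeholder payload
    body = (b"\x03\x03" + b"\x00" * 32          # legacy_version, random (zeroed for the example)
            + b"\x00"                           # empty legacy_session_id
            + b"\x00\x02\x13\x01"               # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # legacy_compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_extensions(record: bytes) -> Optional[Dict[int, bytes]]:
    """Map extension type -> raw data for a ClientHello record; None if it is not one."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                              # skip version and random
    off += 1 + body[off]                                      # session id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]      # cipher suites
    off += 1 + body[off]                                      # compression methods
    if off + 2 > len(body):
        return {}                                             # no extensions at all
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    exts: Dict[int, bytes] = {}
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        exts[etype] = body[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in cleartext, or None when there is none."""
    exts = parse_extensions(record)
    if not exts or EXT_SERVER_NAME not in exts:
        return None
    data = exts[EXT_SERVER_NAME]
    p = 2                                                     # skip ServerNameList length
    while p + 3 <= len(data):
        ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
        if ntype == 0:
            return data[p + 3:p + 3 + nlen].decode("idna")
        p += 3 + nlen
    return None


def uses_ech(record: bytes) -> bool:
    """True when the hello carries an ECH extension, in which case the SNI above is
    only the client-facing server's public name, not the real destination."""
    exts = parse_extensions(record)
    return bool(exts) and EXT_ENCRYPTED_CLIENT_HELLO in exts


if __name__ == "__main__":
    hello = build_client_hello("blocked.example")
    print(extract_sni(hello), uses_ech(hello))                  # blocked.example False
    outer = build_client_hello("public.example", ech=True)
    print(extract_sni(outer), uses_ech(outer))                  # public.example True
```

The second call in the usage block is the ECH case: the outer ClientHello still carries a cleartext server_name, but it is the public name of the client-facing server rather than the real destination. That is why, as the paragraph above notes, a filter that can no longer read the true hostname may fall back to treating the presence of the ECH extension itself as the trigger.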
4. TCP Reset Injection
Another hallmark of the Great Firewall is its use of forged TCP reset (RST) packets. When the system detects traffic it considers inappropriate, it injects spoofed RST packets into the data stream.
These RST packets:
- Appear to come from one of the legitimate endpoints.
- Signal that the connection should immediately close.
- Often affect both client and server simultaneously.
This method creates sudden interruptions in HTTPS sessions. Users may notice pages partially loading before abruptly failing. Importantly, this does not break encryption itself—rather, it disrupts the underlying transport layer on which HTTPS depends.
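The forged resets described above leave traces that a defender watching their own traffic can use. The following added example (not the article's code) runs three common passive heuristics over a constructed packet trace: an RST whose IP TTL differs from the TTL the same endpoint used for its earlier packets (a spoofed packet usually travels a different number of hops), an RST whose sequence number is not the exact next one that endpoint was due to send (hosts following RFC 5961 only accept exact-match resets), and an endpoint that keeps sending after the RST attributed to it, which a genuine endpoint does not do. The trace, the endpoint addresses and the TTL values are all constructed for illustration.

```python
"""Added example (not the article's code): flag TCP resets that are unlikely to have
been sent by the endpoint they claim to come from.

Heuristics used, each named in the alert it produces: (1) the RST's IP TTL differs
from the TTL this endpoint used for every earlier packet; (2) the RST's sequence
number is not the exact next sequence number the endpoint was due to send;
(3) the endpoint keeps sending after "its" RST.  The trace below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float
    src: str          # "ip:port"
    dst: str
    flags: str        # any of S, A, P, R, F
    seq: int
    ttl: int
    payload: int = 0  # TCP payload length in bytes


@dataclass
class FlowState:
    ttl_seen: Dict[str, int] = field(default_factory=dict)     # endpoint -> TTL of its first packet
    next_seq: Dict[str, int] = field(default_factory=dict)     # endpoint -> next seq it should use
    rst_at: Dict[str, float] = field(default_factory=dict)     # endpoint -> time of the RST bearing its address


Alert = Tuple[float, str, str]   # (timestamp, claimed source, reason)


def find_suspect_resets(trace: List[Packet]) -> List[Alert]:
    flows: Dict[tuple, FlowState] = {}
    alerts: List[Alert] = []
    for p in sorted(trace, key=lambda x: x.ts):
        st = flows.setdefault(tuple(sorted((p.src, p.dst))), FlowState())
        if "R" in p.flags:
            reasons = []
            base = st.ttl_seen.get(p.src)
            if base is not None and p.ttl != base:
                reasons.append(f"ttl {p.ttl} differs from {base} seen earlier from {p.src}")
            expected = st.next_seq.get(p.src)
            if expected is not None and p.seq != expected:
                reasons.append(f"seq {p.seq} is not the expected {expected}")
            st.rst_at[p.src] = p.ts
            if reasons:
                alerts.append((p.ts, p.src, "; ".join(reasons)))
            continue
        if p.src in st.rst_at:
            alerts.append((p.ts, p.src, f"data from {p.src} after the RST attributed to it at {st.rst_at[p.src]}"))
            del st.rst_at[p.src]                     # report each reset once
        st.ttl_seen.setdefault(p.src, p.ttl)
        st.next_seq[p.src] = p.seq + p.payload + (1 if ("S" in p.flags or "F" in p.flags) else 0)
    return alerts


CLIENT = "10.0.0.5:51000"
SERVER = "203.0.113.10:443"

# Constructed trace: a handshake, a ClientHello, then two spoofed RSTs (one per direction)
# from a middlebox whose TTL differs, followed by the real server's ServerHello.
INJECTED_TRACE = [
    Packet(0.000, CLIENT, SERVER, "S",  1000, 64),
    Packet(0.020, SERVER, CLIENT, "SA", 5000, 52),
    Packet(0.021, CLIENT, SERVER, "A",  1001, 64),
    Packet(0.022, CLIENT, SERVER, "PA", 1001, 64, payload=300),   # ClientHello with cleartext SNI
    Packet(0.030, SERVER, CLIENT, "RA", 5001, 61),                 # spoofed: right seq, wrong TTL
    Packet(0.031, CLIENT, SERVER, "RA", 1301, 61),                 # spoofed toward the server as well
    Packet(0.040, SERVER, CLIENT, "PA", 5001, 52, payload=1200),   # genuine ServerHello arrives anyway
]

# Same handshake ended by a genuine reset from the server: nothing should be flagged.
GENUINE_TRACE = INJECTED_TRACE[:4] + [Packet(0.030, SERVER, CLIENT, "RA", 5001, 52)]

if __name__ == "__main__":
    for alert in find_suspect_resets(INJECTED_TRACE):
        print(alert)
```

On the constructed trace this yields three alerts: both spoofed resets fail the TTL check, and the genuine ServerHello that follows shows the server never actually closed the connection. The TTL baseline is taken from the first packet seen from each endpoint, so on a live capture the detector should be fed from the SYN onward; a flow observed mid-stream gives it no baseline to compare against.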
5. Deep Packet Inspection Beyond the Handshake
Although HTTPS encrypts content, traffic patterns and metadata remain observable. The Great Firewall utilizes Deep Packet Inspection (DPI) to analyze:
- Packet sizes and timing patterns.
- TLS version negotiation.
- Certificate exchanges.
In some cases, abnormal or non-standard encryption configurations may trigger suspicion. VPN protocols, for example, often attempt to disguise themselves as regular HTTPS traffic. The firewall actively probes suspected VPN servers to confirm their nature and subsequently blocks them.
This cat-and-mouse dynamic has led VPN providers to constantly evolve obfuscation techniques. Yet many commercial VPN services experience periodic disruptions inside China.
6. Active Probing and Server Verification
When suspicious traffic is identified—such as patterns matching circumvention tools—the Great Firewall may initiate active probing. This involves:
- Connecting directly to the suspected server.
- Attempting protocol handshakes.
- Verifying whether the server supports banned services.
If confirmed, the IP address may be temporarily or permanently blocked. This proactive approach extends censorship beyond passive filtering into active surveillance and response.
Consequences for Businesses and Users
The disruption of HTTPS traffic has significant practical consequences.
For Individual Users
- Frequent connection failures.
- Slower browsing due to repeated handshake attempts.
- Inability to access global platforms.
For Multinational Companies
- Unreliable access to cloud-based tools.
- Interrupted API communications.
- Higher infrastructure costs due to local hosting requirements.
Companies operating in China often deploy localized infrastructure within the country to minimize cross-border HTTPS connections, reducing the likelihood of interference.
Why Encryption Alone Is Not Enough
The Great Firewall demonstrates a crucial lesson: encryption does not equal accessibility. HTTPS protects data integrity and privacy, but it does not conceal all identifying metadata. Domain names, IP addresses, handshake parameters, and traffic behaviors provide enough information for a sophisticated filtering system to make enforcement decisions.
As encryption standards evolve—particularly with broader adoption of TLS 1.3 and Encrypted Client Hello—the technical battle continues. Each improvement in privacy prompts new methods of filtering and disruption.
The Broader Implications
The disruption of HTTPS in China has global implications. It challenges the assumption that internet standards function uniformly across borders. It also raises complex questions about:
- The balance between national sovereignty and open internet principles.
- The limits of technical solutions to political controls.
- The role of global technology companies in adapting to local regulations.
Ultimately, the Great Firewall’s approach illustrates how state-level actors can shape internet behavior even without breaking encryption. By targeting the infrastructure and metadata surrounding HTTPS, it achieves substantial control while leaving the underlying cryptographic protocols intact.
Conclusion
The Great Firewall of China disrupts HTTPS traffic not by cracking encryption, but by exploiting the layers that surround it. Through DNS poisoning, IP blocking, SNI inspection, TCP reset injection, deep packet analysis, and active probing, it undermines secure connections at multiple points in their lifecycle.
This layered model of interference reveals a crucial reality of modern network governance: security protocols are necessary but not sufficient to guarantee open access. In tightly controlled digital environments, the infrastructure itself becomes the enforcement mechanism. Understanding these dynamics is essential for policymakers, engineers, and organizations seeking to navigate or analyze China’s uniquely regulated internet landscape.