This article is part 3 of a 4-part series on service function chaining.
In this post, I’ll be focusing on examples of service function chaining as a means of political manipulation via censorship and outright attacks on opponents.
The Great Firewall of China
Photo by Ryan McLaughlin – CC BY-ND 2.0
While China is by no means the only country in the world to censor the Internet for political purposes, the so-called Great Firewall of China is the largest and most well-known example. The Wikipedia article lists different techniques, all of which are service functions, but the truth is that we don’t know precisely how it all works, since it operates in secret. What we do know is usually based on inference from empirical testing (see also here), rather than any direct knowledge of the system’s design.
We do get a small peek into the system design (presumably heavily redacted) by examining use case documents for service function chaining written by Chinese ISPs or equipment manufacturers. For example, this one, on service function chaining use cases for home broadband by China Telecom. Section 3 talks about “URL filtering” giving “extra restrictions to the content the approved subscriber wants to access.”
I’ve noticed that “parental control” is a common euphemism that Chinese authors use when discussing censoring technologies, at least in IETF drafts that foreigners are likely to read. The broadband use case document describes a “parental control” service function chain that
allows some legal or appropriate contents to flow to subscribers, while some illegal or inappropriate contents are blocking [sic].
Another draft, posted by representatives of Huawei, a large Chinese equipment manufacturer, noted that increasing reliance on encrypted web communications makes effective “parental control” much harder to achieve.
Encrypted web traffic (https) represents a very significant part of Web traffic and is likely to become the main or even the only method to carry Web data over the Internet. Service functions MUST be able to decrypt such encrypted traffic, e.g. using Secure Socket Layer (SSL).
Yep, that’s right: the Huawei authors were suggesting that network operators need the ability to break the encryption on every subscriber’s connection to do their content filtering.
In this case, however, that was a step too far, and IETF members were quick to shoot the idea down (fortunately for the world). For example, from the service function chaining mailing list:
I agree that encryption makes applying content functions harder. But the IETF is not going to mandate operator based decryption of end-to-end encrypted content. Doing so would seem to require that we violate existing RFCs and weaken the effective crypto.
The Huawei draft was never updated and quietly expired last October.
Weaponized Service Functions
In addition to filtering, the Chinese government regularly uses service functions in its network to mount attacks.
Some are “man-in-the-middle” attacks against secure websites, such as last year’s attack in which the government used forged credentials against users of Apple’s iCloud. The timing of the attack, coinciding with the rollout of the iPhone 6 and 6 Plus in China, makes it likely that it was designed to “circumvent the improved security features of the new phones by compromising their iCloud credentials and allowing the government to gain access to cloud-stored content such as phone backups.”
The most disturbing so far is the capability to hijack and modify web traffic to turn people’s browsers into weapons for a distributed denial of service (DDoS) attack. Greatfire.org is a non-profit dedicated to fighting online censorship in China. In March of this year, Chinese authorities activated a weaponized service function that launched a massive distributed denial of service attack against greatfire.org itself, and later against the github.com pages that hosted tools developed by Greatfire.
And, while these attacks do not appear to have permanently compromised the computers of the users they hijacked, it’s entirely within the realm of possibility that they may do so in the future. Network providers with this capability wield a great deal of power. They could, for example, insert malicious code into the web sessions of Chinese subscribers to covertly control their computers, and reduce the likelihood of detection by researchers here by targeting only their own people.
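The hijacking described above works by altering unencrypted HTTP responses in transit, so one defender-side check is to capture the same page more than once (or from several vantage points), take the version seen most often as the baseline, and diff every outlier to see exactly what was inserted and which foreign hosts its scripts point at. This is an added example, not code from the original post; the captured responses are constructed, “injected.invalid” is a placeholder host, and the majority-is-clean baseline and the per-site script allowlist are assumptions.

```python
import difflib
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: three captures of the same plain-HTTP page. The third
# carries a <script> tag that a hypothetical in-path service function inserted;
# "injected.invalid" is a placeholder host, not a real indicator.
CLEAN = b"<html><head><title>Example</title></head><body><p>Hello</p></body></html>"
INJECTED = (b"<html><head><title>Example</title>"
            b'<script src="http://injected.invalid/attack.js"></script>'
            b"</head><body><p>Hello</p></body></html>")
RESPONSES = [CLEAN, CLEAN, INJECTED]

# Matches the src attribute of any <script> tag (HTML in captures is bytes).
SCRIPT_SRC = re.compile(rb"""<script[^>]*\ssrc=["']([^"']+)["']""", re.IGNORECASE)

def baseline(responses):
    """Assumption: the unmodified page is the version captured most often,
    so the majority body is the baseline every capture is compared against."""
    return Counter(responses).most_common(1)[0][0]

def inserted_segments(clean, suspect):
    """Bytes present in suspect but absent from clean, via a byte-level diff."""
    matcher = difflib.SequenceMatcher(None, clean, suspect, autojunk=False)
    return [suspect[j1:j2] for tag, _, _, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")]

def foreign_script_hosts(body, allowed_hosts):
    """External <script src=...> hosts that are not on the site's allowlist."""
    hosts = {urlsplit(src.decode("utf-8", "replace")).hostname
             for src in SCRIPT_SRC.findall(body)}
    return sorted(h for h in hosts if h and h not in allowed_hosts)

def analyze(responses, allowed_hosts):
    """Flag captures that deviate from the baseline and report what was added."""
    clean = baseline(responses)
    findings = []
    for index, body in enumerate(responses):
        if body == clean:
            continue
        findings.append({
            "index": index,
            "inserted": inserted_segments(clean, body),
            "foreign_script_hosts": foreign_script_hosts(body, allowed_hosts),
        })
    return findings

if __name__ == "__main__":
    for finding in analyze(RESPONSES, {"example.com"}):
        print(f"capture {finding['index']}: foreign script hosts {finding['foreign_script_hosts']}")
        for segment in finding["inserted"]:
            print("  inserted:", segment.decode("utf-8", "replace"))
```

Over real captures the same comparison also catches injected inline script or altered links, since anything not in the baseline shows up in the diff whether or not it loads from a foreign host.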
It’s not really clear what triggered the Chinese censors to lash out at their anti-censorship opponents at that particular time, but they have shown their hand in terms of capability and the lengths to which they are willing to go to stamp out freedom of expression and the press.