China Now Blocking Anyone Using Free SSL Certificates
Hello LET,
The Chinese government firewall as of today is actively blocking anyone using a free StartCom StartSSL certificate on their server. Any IP address that is serving a free StartCom StartSSL certificate will be blocked automatically by the Chinese firewall now.
The only solution to this problem is to immediately stop using a free StartCom StartSSL certificate on your server. This will immediately solve the problem and your IP will be unblocked instantly by the Chinese government firewall. Changing IP addresses will not resolve the problem, only the removal of free Startcom StartSSL certificates resolves the problem. We have had several of our clients in China confirm to us this resolves their problem.
If you want to use SSL and have your server reachable within China, you cannot use a free StartCom StartSSL certificate on your IP address at all, or all traffic to that IP address will be blocked in China.
Thought I would post this here since a lot of VPS users in the Lowendbox community may be affected by this.
Comments
Why would anyone care if the Great Firewall of China is blocking their website?
@rds100 if you lived in China you might care.
A lot of people use free SSL certificates to circumvent internet censorship in places like China. That is no longer going to be possible now.
Who cares?
how about self-signed SSL certs?
@CoolMoon apparently those still work. They are going after the free SSL certificates that don't throw up big warnings in everyones web browser, like the free ones StartCom / StartSSL give away.
...because they want their website to be viewable by the 1.3 billion people in China
It's unblocked now. F*** GFW!
Speaker of China says: China has the most free internet access in the world. China will never block any websites.
Removing StartSSL is not leads to automatic unblock, you have to change IP after that, but if you change IP before change cert, the new IP might be blocked very soon as well, there're also reports that self-signed certs been affected (maybe for large traffic or manually detection) and some server with StartSSL not blocked (maybe for they have little traffic via https).
And, all the IPs that been blocked yesterday had been unblocked earlier today, looks like a warning or a test of new tech, I'm issuing paid certs now...
I am sure those people in China that are interested in viewing your website outside China already know how to do this (i.e. use a VPN, etc).
And... why not buy a real SSL if you are worried? it's $3.95/year.
So far I've had 3 clients today who, upon removing their StartSSL certificates (by disabling SSL altogether), were instantly unblocked by the GFW.
As of 90 minutes ago I was still seeing StartSSL certificate sites being blocked.
Cool. Less spam for me!
Thank you, Chinese government.
This is really interesting, the GFW may have different pattern of blocking on different targets, for me and several people that talked, changing IP is a must.
All the IPs I know that blocked yesterday (3 of mine, and some other people's with about 10 in total) are unblocked, but we don't know if they would be blocked again so issuing a paid cert seems necessary.
We use only Global Sign (Alpha SSL) certificates, and we even sell them.
It is an ignorant attitude to say that you don't care about a huge market like China for your services. We have some very good customers from China and we continue to grow our business with Chinese customers (amongst others). It is 2013, we have a global economy and we should all do our best to participate in it. China is the second largest economy in the world, so it definitively should not be ignored. Businesses who discriminate / isolate themselves from potential customers based on nationality, geographic region, etc. are just making a bad decision.
@marcm if you care about this huge market i am sure you can afford $3.95 / year for a real SSL cert and not use a free one.
@rds100 did you read my comment at all? We use only Global Sign certs, and I can assure you that they cost more than $3.95/year.
@marcm then you have nothing to worry about, because this block only affects the free SSL certs?
I do use StartSSL on some of my websites, and I am not going to stop because of this. In fact these news make me consider turning it on for ALL my sites.
The reason is simple, any workaround would be is in effect giving up and lending help to the censors; but if I and others don't, and the GFW ends up blocking too many real, useful websites (which also don't really have anything against the chinese government) then maybe:
1) this policy will be reconsidered;
2) more and more regular citizens of China will be aware of extent of the censorship and how it prevents them doing their day-to-day harmless activities, and they may decide to "do something" about it (use your imagination as to what) -- even if this will mean just buying a VPN/proxy.
I've been thinking, what if the Great Firewall of China is turned off, let's just say for a day, how much improvement there shall be in the connection speed and latency in China? I guess it has great supercomputing performance, but still, considering the number of internet users in China it adds up latency anyway and maybe lowers bandwidth if congested.
@Janevski i doubt this is from the GFW, they just have more than a billion people there and not enough bandwidth (both international and national backbone capacity) for all.
Besides there is no competition between ISPs in China so they don't have interest in improving.
@ramnet Would you be able to check if our site works trough the firewall?
Edit: Never mind, Cloudflare uses their own cert... Upgraded to a paid one anyway just in case.
_
___Use Free Startcom SSL, get rid of abusers.
PositiveSSL or AlphaSSL is cheap nowadays.You may use one of them.
Really? Ask any well established LEB providers here if they are willing to losing all their Chinese customers.
So if I use a StartSSL cert, I'll stop getting "Large number of failed login attempts" on my WHM every five minutes?
another progress for the gfw,congrates. be proud to be chinese
Great idea