Website Hijacked/Censorship
Hello, a few days ago a few South Korean users of my site started being directed to a page of the local government. This page says that my game can only be published in Korea if a local publisher is hosting it.
The https version of the website works without problems, but when the users access the http version everyone is redirected with 302 to another page.
At first I thought that it could be a block via DNS, and I tried to change the DNS of the users or mess with the hosts file, but it didn't work.
The fun part: if I telnet to port 80, it actually reaches the Cloudflare server and answers with a 400 Bad Request.
I was wondering if anyone has any suggestions to circumvent this or force the page to be redirected to the https version before the hijack happens in the http version.
I currently have to recommend that all South Korean players use a VPN to play, and it's pretty bad.
Comments
Use a .htaccess to force SSL
I'm already using it; somehow it gets hijacked before.
Yikes..
Makes sense, that they even catch the 301/2 before you get redirected to TLS.
I think HSTS preloading would help in this case. But as you are using Cloudflare, I don't know if that's doable (maybe with a paid subscription?).
But HSTS might have some drawbacks too.
Any example of drawbacks?
Apparently HSTS isn't supported by IE (the top 1 popular browser in Korea).
As far as I know:
When you have problems with HTTPS connections to your server, it won't be reachable for most of your customers. If HSTS is used, HTTP traffic will be disallowed, therefore HTTP will be blocked. This is browser based.
I don't know how HSTS affects loading external/other resources via HTTP, but these could be blocked too.
Cloudflare has firewall rules, check those under firewall settings
Respect the law?
What game is it? lol. Pr0n?
Use encrypted SNI, DoH, and TLS 1.3 https://lwyh.gitlab.io/encryption/2019/02/19/encrypted-sni.html
But how to circumvent big chief DNS?
This happens a lot in my country too. When I use normal http, sometimes it will be redirected to an ads page. This never happens when I specifically type https in the browser.
use https only
No matter what game it is if you want to have a racing game in South Korea, it should be published by a South Korean company.
Maybe because of the trojan nature.
HSTS works in Chrome, just tested.
Any solution for IE?
IE?
Use it to dl firefox, then uninstall.
HSTS won't entirely solve the problem as some users will have to do that initial non-secure request.
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Limitations
https://hstspreload.org/
Not sure about IE. If you can get all major browsers to understand you're using HSTS, problem solved.
It seems that HSTS is enabled by default (IE 11) according to Microsoft.
EDIT: Changed hyperlinked text for greater clarity
Which is created by politicians are above the law?
South Koreans use Internet Explorer: It's the law.
A government online system requires users to enter information and receive a digital certificate which South Korean online merchants can use to identify consumers. But the system relies on an ActiveX control, and therefore requires the use of Internet Explorer.
WOW, and people think the UK is bad... that is nuts, I had no idea S.Korea is a dictatorship.
It's not like you cannot have Chrome/Firefox co-exist with IE. Just tell your users to switch to Chrome/Firefox for HSTS that is needed to access your site and use IE for everything else. That way, you have no latency issues associated with VPN. Surely it isn't a crime to have another browser on the computer?
It's kinda difficult to force almost 10,000 Korean users to download another browser.
I live in South Korea, and the government has been doing that for a few years now. To bypass warning.or.kr, you should either use a VPN or some kind of anti-DPI tool. Or you could use HSTS preload for now. However, the government is now enforcing SNI-based blocks, so you should also enable ESNI. Most porn sites and illegal gambling sites are blocked.
Edit: yours looks like it's due to a game rating issue. It's illegal in South Korea to publish games that are not rated by the government. (Big companies like Google are allowed to, though, through their Play Store and Apple App Store. There's a separate law for that, although I don't know how that exactly works.)
Messing with DNS/hosts/etc. won't work since it's done on the ISP level with a 302 redirect injected to the webpage.
Don't let IE users connect to the site; maybe force them to use a different browser.
That actually isn't the case now. Most plugins have now been changed to exe-based ones (which only support Windows), and it now sucks even more since, unlike the old ActiveX controls which only started when you went into the specific webpage, the new plugins are running in the background, constantly hogging computer resources....:(
Edit: some do have macOS and even Linux support, but not all of them do...
I understand but that's better and easier than a VPN in terms of latency, until the government decides to give up on their blocking (probably a major bug exploitation in IE will do that trick).
Wow, thanks for the information. I didn't know they are trying to control the internet China-style in South Korea. I guess it is good there are so many cloud services now for "rent-and-throw-away" VPNs by the hour.
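Added example, not part of the thread or written by any of its posters: a small Python check for the two things discussed above, namely whether a Strict-Transport-Security header meets the hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload), and whether the answer a client got on port 80 is the site's own HTTPS upgrade or a redirect to some other host. The hostnames, sample headers and function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # seconds (one year), the hstspreload.org minimum


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        arg = arg.strip().strip('"')     # max-age may be a quoted string
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def preload_problems(value):
    """List the reasons this header would be rejected for the preload list."""
    p = parse_hsts(value)
    problems = []
    if p["max_age"] is None or p["max_age"] < PRELOAD_MIN_AGE:
        problems.append("max-age below 31536000")
    if not p["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not p["preload"]:
        problems.append("preload missing")
    return problems


def classify_port80_answer(own_hosts, status, location):
    """Classify what a client received for a plain-HTTP request to the site."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no-redirect"
    target = urlsplit(location)
    if target.hostname is not None and target.hostname not in own_hosts:
        return "foreign-redirect"        # sent somewhere the site never points to
    return "expected-upgrade" if target.scheme == "https" else "no-upgrade"


# Constructed sample data: hostnames and header values are placeholders.
OWN_HOSTS = {"game.example", "www.game.example"}

if __name__ == "__main__":
    print(classify_port80_answer(OWN_HOSTS, 301, "https://game.example/"))
    print(classify_port80_answer(OWN_HOSTS, 302, "http://blockpage.example/notice"))
    print(preload_problems("max-age=15552000; includeSubDomains"))
    print(preload_problems("max-age=63072000; includeSubDomains; preload"))
```

Feeding it the status and Location header collected from affected users (for example from curl -sI output) separates "the site's redirect never arrived" from "the site is not redirecting at all".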