China Now Blocking Anyone Using Free SSL Certificates

ramnet Member, Host Rep
edited June 2013 in General

Hello LET,

The Chinese government firewall as of today is actively blocking anyone using a free StartCom StartSSL certificate on their server. Any IP address that is serving a free StartCom StartSSL certificate will be blocked automatically by the Chinese firewall now.

The only solution to this problem is to immediately stop using a free StartCom StartSSL certificate on your server. This will immediately solve the problem and your IP will be unblocked instantly by the Chinese government firewall. Changing IP addresses will not resolve the problem; only the removal of free StartCom StartSSL certificates resolves the problem. We have had several of our clients in China confirm to us this resolves their problem.

If you want to use SSL and have your server reachable within China, you cannot use a free StartCom StartSSL certificate on your IP address at all, or all traffic to that IP address will be blocked in China.

Thought I would post this here since a lot of VPS users in the Lowendbox community may be affected by this.

http://www.solidot.org/story?sid=35250

Thanked by 2: colm, Infinity

Comments

  • rds100 Member

    Why would anyone care if the Great Firewall of China is blocking their website?

    Thanked by 1: DotMG
  • ramnet Member, Host Rep
    edited June 2013

    @rds100 if you lived in China you might care.

    A lot of people use free SSL certificates to circumvent internet censorship in places like China. That is no longer going to be possible now.

  • Who cares?

  • How about self-signed SSL certs?

  • ramnet Member, Host Rep

    @CoolMoon apparently those still work. They are going after the free SSL certificates that don't throw up big warnings in everyone's web browser, like the free ones StartCom / StartSSL give away.

  • Why would anyone care if the Great Firewall of China is blocking their website?

    ...because they want their website to be viewable by the 1.3 billion people in China

    Thanked by 1: Daniel15
  • It's unblocked now. F*** GFW!

  • Starry Member, Host Rep

    Speaker of China says: China has the most free internet access in the world. China will never block any websites.

    Thanked by 1: doughmanes
  • Removing StartSSL does not lead to an automatic unblock; you have to change IP after that. But if you change IP before changing the cert, the new IP might be blocked very soon as well. There are also reports that self-signed certs have been affected (maybe because of large traffic or manual detection) and that some servers with StartSSL are not blocked (maybe because they have little traffic via HTTPS).

    And all the IPs that were blocked yesterday had been unblocked earlier today; it looks like a warning or a test of new tech. I'm issuing paid certs now...

  • rds100 Member

    I am sure those people in China that are interested in viewing your website outside China already know how to do this (i.e. use a VPN, etc).
    And... why not buy a real SSL if you are worried? It's $3.95/year.

  • ramnet Member, Host Rep

    @AstroProfundis said:
    Removing StartSSL does not lead to an automatic unblock

    So far I've had 3 clients today who, upon removing their StartSSL certificates (by disabling SSL altogether), were instantly unblocked by the GFW.

    And all the IPs that were blocked yesterday had been unblocked earlier today; it looks like a warning or a test of new tech

    As of 90 minutes ago I was still seeing StartSSL certificate sites being blocked.

  • awson Member
    edited June 2013

    Cool. Less spam for me!

    Thank you, Chinese government.

    Thanked by 2: tux, MrObvious
  • edited June 2013

    @ramnet said: were instantly unblocked by the GFW

    This is really interesting; the GFW may have different patterns of blocking for different targets. For me and several people I talked to, changing IP is a must.

    @ramnet said: As of 90 minutes ago I was still seeing StartSSL certificate sites being blocked

    All the IPs I know of that were blocked yesterday (3 of mine, and some other people's, about 10 in total) are unblocked, but we don't know if they will be blocked again, so issuing a paid cert seems necessary.

  • marcm Member

    We use only Global Sign (Alpha SSL) certificates, and we even sell them.
    It is an ignorant attitude to say that you don't care about a huge market like China for your services. We have some very good customers from China and we continue to grow our business with Chinese customers (amongst others). It is 2013, we have a global economy and we should all do our best to participate in it. China is the second largest economy in the world, so it definitely should not be ignored. Businesses who discriminate / isolate themselves from potential customers based on nationality, geographic region, etc. are just making a bad decision.

  • rds100 Member

    @marcm if you care about this huge market I am sure you can afford $3.95 / year for a real SSL cert and not use a free one.

  • marcm Member

    @rds100 did you read my comment at all? We use only Global Sign certs, and I can assure you that they cost more than $3.95/year.

  • rds100 Member

    @marcm then you have nothing to worry about, because this block only affects the free SSL certs?

  • rm_ IPv6 Advocate, Veteran
    edited June 2013

    I do use StartSSL on some of my websites, and I am not going to stop because of this. In fact this news makes me consider turning it on for ALL my sites.
    The reason is simple: any workaround would in effect be giving up and lending help to the censors; but if I and others don't, and the GFW ends up blocking too many real, useful websites (which also don't really have anything against the Chinese government) then maybe:
    1) this policy will be reconsidered;
    2) more and more regular citizens of China will be aware of the extent of the censorship and how it prevents them doing their day-to-day harmless activities, and they may decide to "do something" about it (use your imagination as to what) -- even if this will mean just buying a VPN/proxy.

  • Janevski Member
    edited June 2013

    I've been thinking, what if the Great Firewall of China is turned off, let's just say for a day, how much improvement there shall be in the connection speed and latency in China? I guess it has great supercomputing performance, but still, considering the number of internet users in China it adds up latency anyway and maybe lowers bandwidth if congested.

  • rds100 Member

    @Janevski I doubt this is from the GFW, they just have more than a billion people there and not enough bandwidth (both international and national backbone capacity) for all.
    Besides there is no competition between ISPs in China so they don't have interest in improving.

  • fapvps Member
    edited June 2013

    @ramnet Would you be able to check if our site works through the firewall?
    Edit: Never mind, Cloudflare uses their own cert... Upgraded to a paid one anyway just in case.

  • Lee Veteran

    ___****___

  • Use Free Startcom SSL, get rid of abusers. :)

  • PositiveSSL or AlphaSSL is cheap nowadays. You may use one of them.

  • webflier Member
    edited June 2013

    Really? Ask any well established LEB providers here if they are willing to lose all their Chinese customers.

    @rds100 said:
    Why would anyone care if the Great Firewall of China is blocking their website?

    Thanked by 1: SplitIce
  • So if I use a StartSSL cert, I'll stop getting "Large number of failed login attempts" on my WHM every five minutes?

  • Another progress for the GFW, congrats. Be proud to be Chinese

  • @Mitsuhashi said:
    So if I use a StartSSL cert, I'll stop getting "Large number of failed login attempts" on my WHM every five minutes?

    Great idea :)
