Comment by outworlder

Comment by outworlder 4 days ago

> Terrible, this is Internet curfew.

If you think this is bad...

You can't even have a blog in China without authorization. It doesn't matter if you pay "AWS" for a machine. It won't open port 80 or 443 until you get an ICP recordal. Which you can only do if you are in China, and get the approval. It should also be displayed in the site, like a license plate. The reason "AWS" is in quotes is because it isn't AWS, they got kicked out. In Beijing, it is actually Sinnet, in Nginxia it's NWCD

You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).

In a nutshell, they not only can shutdown cross border traffic (and that can happen randomly if the Great Firewall gets annoyed at your packets, and it also gets overloaded during China business hours), but they can easily shutdown any website they want.

leroyrandolph 4 days ago

I laughed when I saw "Nginxia", thinking it was a portmanteau of, well, nginx and wuxia, a Chinese fiction genre. Reality is much less funny when I looked up NWCD, and you likely just made a typo of Ningxia.

Reply View 1 reply

seeknotfind 4 days ago

"Xia" would map to a single character (code point) in Chinese. For instance, in simplified Chinese, it could be 下 (xia, meaning down), 侠 (martial arts - like the xia in wuxia), or any number of other homophones. Since the characters are already combinatorial, I'm not sure a Chinese speaker would think of this as a portmanteau.

Reply View | 0 replies

UltraSane 4 days ago

AWS in China also doesn't have the Key Management Service, which leads to me to conclude it must be pretty secure.

I added an A record for subdomain and pointed it at Chinese IP addresses. I wonder if I will get that angry email?

Reply View 6 replies

bawolff 4 days ago

Or they just dont want to be put in the position of having to give out keys.
I think the real paranoid people use cloudHSM.

Reply View | 4 replies
- UltraSane 3 days ago
  
  Both KMS and CloudHSM are FIPS 140-2 Level 3 and AWS claims they cannot read private keys from KMS. The main difference is KMS uses IAM and the AWS REST API while CloudHMS uses PKCS #11/JCE and a separate permissions system.
  
  Reply View | 3 replies
  
  nijave 3 days ago
  
  The docs say both use HSM. Under "Secure" in the accordion menu https://aws.amazon.com/kms/features/#topic-0
  
  Reply View | 2 replies
Faaak 4 days ago

Actually, they wouldn't really know unless this domain is used. I guess they check the `Host` header to get the domain that targeted this IP and then check where the MX are hosted.

Reply View | 0 replies

LargoLasskhyfv 2 days ago

> It should also be displayed in the site, like a license plate.

https://de.wikipedia.org/wiki/Impressumspflicht (Mandatory real name & address, not only for business, but private persons with web presence, too.

Same for Domain/DNS(which applies to everything in the European Union))

Reply View 0 replies

Hizonner 4 days ago

> You can only point to IPs in China from DNS servers in China - if you try to use, say, Route53 in the US and add an A record there, you'll get a nasty email (fail to comply, and your ports get blocked again, possibly for good).

Wait what? So I can DoS any Web site in China by creating a rogue DNS record that points to its IP address, even under a completely unrelated domain? How would they even find those records?

Reply View 3 replies

hunter2_ 4 days ago

I guess they would find it the moment someone in China using a Chinese resolver tries to resolve your rogue record, since that would recurse to one of the root mirrors in China, which presumably feeds this mechanism.
Seems like a very minor speed bump in your plan, though: presumably something like https://www.chinafirewalltest.com would achieve that, or send a few emails for folks to click.

Reply View | 1 reply
- Hizonner 4 days ago
  
  I swear to use this power only for lulz.
  
  Reply View | 0 replies
fc417fc802 4 days ago

I wonder if this is actually tied to Chinese domains and Chinese run registrars? That way it would be easy to flag the usage of foreign nameservers and there's no DoS risk.

Reply View | 0 replies

fulafel 3 days ago

What about other protocols, could you run eg Gopher or NNTP? I guess IMAP could work as well.

Reply View 0 replies

kotri 4 days ago

Not all Western companies comply with Beijing, like Route53, a name I've never heard of; Cloudflare seems to be most popular in China.

But yeah, they can shutdown anything unless proxy server is widely used. as <Nearly 90% of Iranians now use a VPN to bypass internet censorship>.

Reply View 10 replies

darrenf 4 days ago

AFAIK Route53 is AWS’s managed DNS product, not a company.

Reply View | 9 replies
- kotri 4 days ago
  
  OK, AWS again, I know it not only complies with Beijing but also Russia and many other dictatorships. Banned domain fronting and recently enforced S3 bucket-based subdomains for government to better inspect.
  
  Reply View | 8 replies
  
  lazide 4 days ago
  
  Their point is if you’re served within China (aka hosted off a chinese IP, or accessing anything from a Chinese IP) it doesn’t matter if the other company interacts or complies with China’s rules - the other half of the transaction will be blocked.
  So using DNS hosted outside won’t matter, because the destination Chinese IP will get blocked. Or if using outside hosting, it won’t matter, because anyone in China trying to access it will get blocked. Or anyone trying to publish anything to it the CCP doesn’t like. Presumably also with some follow up in-person ‘check-ins’.
  The GFW is a pretty massive and actually impressively effective piece of technology, even if we don’t agree with it’s purpose.
  
  Reply View | 7 replies