Imagine trying to send a secret letter. You seal it in a locked envelope. Only the receiver has the key. That’s how HTTPS works on the internet. It encrypts your data. It keeps outsiders from snooping. But what happens when a giant national firewall wants to peek inside? That’s where things get interesting. And complicated.
TL;DR: China’s Great Firewall can’t fully read HTTPS traffic, but it can still interfere with it in clever ways. It uses techniques like DNS blocking, IP blocking, SNI filtering, and active probing. These methods let it detect and block secure connections without breaking encryption directly. The result is slower connections, dropped packets, and many foreign websites becoming unreachable from inside China.
Let’s break this down in a simple way.
First, What Is the Great Firewall?
The “Great Firewall” is the nickname for China’s system of internet censorship and control. It combines laws, technologies, and human monitoring. Its goal is simple: control what people can access online.
It sits between China’s domestic internet and the global internet. Think of it as a massive checkpoint. All traffic going in or out must pass through it.
At this checkpoint, data packets are inspected. Some pass. Some are slowed down. Some are blocked completely.
Quick HTTPS Refresher
Before we dive deeper, let’s understand HTTPS.
- HTTP = standard web traffic. Not encrypted.
- HTTPS = secure web traffic. Encrypted using TLS.
When you connect to an HTTPS site:
- Your browser says hello.
- The server sends a certificate.
- They agree on encryption keys.
- A secure tunnel is created.
After that, everything inside the tunnel is scrambled. Outsiders can see you’re talking to a server. But they cannot easily see what you are saying.
So how can the Great Firewall interfere if it can’t read the encrypted content?
It attacks the metadata and the handshake. Not the secret conversation itself.
Technique #1: DNS Interference
Before you visit a site, your device asks: “What is the IP address of this domain?” That request goes to a DNS server.
The Great Firewall often intercepts this step.
It can:
- Return a fake IP address
- Return no response at all
- Inject an error
This is called DNS poisoning or DNS spoofing.
Even if a website supports HTTPS, if you never reach the correct server, encryption does not matter.
It’s like having a locked door. But you were given the wrong house address.
Technique #2: IP Address Blocking
This method is blunt. But effective.
The firewall keeps a list of banned IP addresses. If your traffic is going to one of them, it is simply dropped.
No warning. No explanation. Just silence.
This produces the familiar “connection reset” or “timeout” errors that users see.
The problem?
Many websites share the same IP address. Especially with cloud hosting.
So blocking one IP may block hundreds of unrelated sites. This creates collateral damage.
Technique #3: SNI Filtering
Now it gets clever.
During the HTTPS handshake, there is a feature called SNI (Server Name Indication).
SNI tells the server which domain you want to visit. This is needed when multiple websites share one IP address.
Important detail: SNI is sent in plain text during the handshake.
That means the firewall can read it.
So if you try to visit:
- blockedexample.com
The firewall sees the domain name in the SNI field. Then it kills the connection.
The encryption hasn’t even fully started yet.
This technique allows precise blocking. Without decrypting anything.
Technique #4: TCP Reset Attacks
Sometimes the firewall doesn’t just drop packets. It forges them.
When it detects forbidden content or domains, it sends a fake TCP reset (RST) packet.
Your browser thinks the server abruptly closed the connection.
In reality, the server may never have seen your request.
This technique is fast. And disruptive.
It’s like someone cutting your phone line the second you say a certain word.
Technique #5: Active Probing
This one feels almost sci-fi.
When the firewall detects suspicious encrypted traffic, it may investigate further.
For example, VPN connections have recognizable patterns.
The firewall reacts by:
- Connecting to the suspected server itself
- Testing if it behaves like a VPN
- Blocking it if confirmed
This is called active probing.
It turns the firewall into an active participant. Not just a gatekeeper.
Technique #6: Blocking Encrypted SNI and New Protocols
New standards like ESNI (Encrypted SNI) and ECH (Encrypted Client Hello) try to hide the domain name during the handshake.
This makes censorship harder.
So what happens?
Traffic using these newer methods may itself get blocked.
The firewall often blocks unknown or uncommon encrypted protocols by default. Safer for the firewall. Frustrating for users.
Real-World Impact on Users
All these techniques sound technical. But what do they mean for ordinary people?
1. Slow Connections
Extra inspection causes latency. Pages load slower. Especially foreign sites.
2. Random Breakages
Some sites work one day. Fail the next.
This inconsistency confuses users and businesses.
3. VPN Instability
Many individuals and companies rely on VPNs.
But VPN connections often:
- Disconnect unexpectedly
- Get blocked during sensitive events
- Require constant reconfiguration
4. Business Disruption
International companies operating in China face real challenges.
Examples:
- Secure APIs hosted abroad become unreachable
- Cloud services degrade
- Video conferencing tools fail
This increases operational costs.
Some firms create China-specific infrastructure just to cope.
5. Innovation Trade-Off
Modern web technologies depend on strong encryption and global connectivity.
When parts of the encrypted ecosystem are blocked, developers must design around restrictions.
It slows experimentation. And complicates architecture.
Comparison Chart: Firewall Interference Techniques
| Technique | Targets | Reads Encrypted Content? | Precision Level | User Impact |
|---|---|---|---|---|
| DNS Poisoning | Domain lookup | No | Medium | Wrong IP or no connection |
| IP Blocking | Server IP address | No | Low to Medium | Complete site outage |
| SNI Filtering | Domain during TLS handshake | No | High | Immediate connection reset |
| TCP Reset | Active connections | No | Medium | Sudden disconnection |
| Active Probing | Suspicious servers | No direct decryption | High | VPN and proxy blocking |
Can the Firewall Break HTTPS Encryption?
In general, no.
Strong HTTPS encryption remains mathematically secure. The firewall does not typically decrypt traffic at scale.
Instead, it works around encryption.
It blocks before the tunnel forms. Or kills the tunnel early.
This is smarter. And more scalable.
The Cat-and-Mouse Game
Technology evolves. So does censorship.
Developers create:
- Encrypted DNS (DoH, DoT)
- Encrypted Client Hello
- Domain fronting techniques
Censors respond with:
- Protocol fingerprinting
- Traffic pattern analysis
- Blocking entire cloud providers if needed
It’s a constant back-and-forth.
Like an endless chess match.
Why This Matters Globally
China’s Great Firewall is not just a national tool. It is a model.
Other countries study its methods.
The techniques pioneered there influence global debates about:
- Internet sovereignty
- Encryption policy
- Digital rights
At the same time, global tech companies must decide:
- Adapt to local restrictions?
- Or refuse and risk being blocked?
There is no easy answer.
Final Thoughts
HTTPS was designed to protect privacy. And it does that job well.
But encryption alone does not guarantee access.
The Great Firewall shows that you don’t need to read a message to stop it. You just need to control the roads it travels on.
By targeting DNS, IP addresses, handshake data, and traffic patterns, the firewall interferes with secure connections without cracking encryption itself.
Simple idea. Complex execution.
For users inside China, this means a different internet experience. Slower. Narrower. Carefully filtered.
For the rest of the world, it’s a reminder.
The internet is not one single network. It is many networks. Connected by policy as much as by cables.
And sometimes, even a locked envelope is not enough to ensure your message gets through.