TL;DR
Yes, potentially, but it is not a simple ‘on/off’ switch. TLS only protects you for as long as your device trusts the right certificates: an ISP can decrypt a session only if it can present a certificate your browser accepts, which in practice means a root certificate it controls is already trusted by, or has been installed on, your device. That makes the realistic threats a certificate-based man-in-the-middle (MITM) attack and the Great Firewall’s inspection of the cleartext parts of every TLS handshake. You can reduce the risk with a VPN, end-to-end encrypted services, and by checking both the certificates your browser shows you and the root certificates your device trusts.
Understanding the Threat
China has a history of attempting to intercept and decrypt internet traffic for censorship and surveillance purposes. Here’s how they do it:
1. Forced Certificate Installation
This is the precondition for everything else. A browser accepts a site’s certificate only if it chains to a root certificate in the device’s trust store. For an ISP to decrypt TLS, your device must therefore trust a root that the ISP (or an authority working with it) can issue from: either such a root is already in the default trust store, or it gets added later, for example by an app you were told to install, a captive-portal page that says “install this certificate to continue”, or a device-management profile.
- How it works: The interception box terminates your TLS connection, presents a certificate for the site that it signed with the interception root, and opens its own TLS connection to the real site. Because your device trusts that root, it accepts the forged certificate without any warning.
- Impact: The box sees the plaintext of every request and response, including logins, cookies and message content, even though both legs of the connection are encrypted.
2. Man-in-the-Middle (MITM) Attacks
This is the interception itself; the trusted root above is what makes it invisible. The attacker sits between you and the site, decrypts your traffic, and re-encrypts it towards the real server with a certificate it issued. Without a trusted root the same attack still works technically, but the browser shows a certificate warning, which is why the warnings discussed under “Protecting Yourself” matter. Unlike a blanket policy, a MITM can be applied selectively to particular users or destinations.
- How it works: Your connection appears normal, the padlock is present and the hostname matches, but the certificate was issued by the interceptor rather than the site’s real CA, and the ISP is reading your data.
- Impact: Same as forced certificates: complete visibility of your data in plaintext.
3. Great Firewall (GFW) Deep Packet Inspection
The GFW does not decrypt TLS, and it does not need to in order to see where you are connecting. The Server Name Indication (SNI) in the ClientHello, the server certificate in TLS 1.2, and your DNS lookups are all sent in cleartext, and VPN and proxy handshakes have recognisable shapes. The GFW uses these to identify connections to blocked hosts, reset or drop them, and fingerprint and block circumvention protocols. Encrypted SNI/ECH hides the hostname, but only where both the browser and the site support it, and the GFW has blocked such handshakes outright in the past.
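To make the DPI point concrete, here is an added example (not from the original page) that generates a real TLS ClientHello offline with Python’s standard `ssl` module and then parses the cleartext `server_name` extension out of the raw bytes the way a passive inspector would. The hostname `www.example.com` and the block-list are constructed sample inputs; nothing touches the network.

```python
"""What a DPI box sees in a TLS handshake: the SNI hostname travels in cleartext."""
import ssl
import struct
from typing import List, Optional

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension id


def build_client_hello(server_hostname: str) -> bytes:
    """Run the client side of a handshake against in-memory BIOs (no network).
    The first bytes OpenSSL emits are the ClientHello record."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a ServerHello we never send
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a TLS record and return the host_name from the SNI extension, or None."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]                 # handshake message
        if hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                           # hs header, client_version, random
        pos += 1 + hs[pos]                         # session_id
        (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2 + cs_len                          # cipher_suites
        pos += 1 + hs[pos]                         # compression_methods
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            # server_name_list: 2-byte list length, then entries of
            # name_type (1 byte, 0 = host_name), 2-byte name length, name bytes
            off = 2
            while off + 3 <= len(data):
                name_type = data[off]
                (name_len,) = struct.unpack("!H", data[off + 1:off + 3])
                name = data[off + 3:off + 3 + name_len]
                if name_type == 0:
                    return name.decode("ascii")
                off += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None  # truncated, malformed, or simply not a ClientHello


def sni_blocked(hostname: str, blocked_suffixes: List[str]) -> bool:
    """Suffix match the way an SNI filter would: 'example.com' also matches 'www.example.com'."""
    host = hostname.lower().rstrip(".")
    suffixes = [s.lower().rstrip(".") for s in blocked_suffixes]
    return any(host == s or host.endswith("." + s) for s in suffixes)


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")   # constructed sample hostname
    print(f"ClientHello is {len(hello)} bytes; cleartext SNI = {extract_sni(hello)!r}")
```

Run it and you will see that the hostname is recoverable from the very first packet of the connection, before any key exchange has finished; that is all an SNI-based filter needs, and it is why a VPN has to hide the whole handshake rather than just the page contents.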
Protecting Yourself
Here’s how to reduce your risk:
1. Use a VPN (Virtual Private Network)
- How it works: A VPN wraps all of your traffic in one encrypted tunnel to a server outside China, so the ISP and the GFW see only the tunnel, not the sites you visit or the TLS handshakes inside it. Two caveats: you are moving your trust to the VPN operator, who now sits where the ISP used to; and a VPN does not remove a rogue root certificate from your device, it only takes the local ISP off the path.
- Choosing a VPN: Select a reputable provider that uses modern tunnel protocols (OpenVPN, WireGuard), publishes a no-logs policy, and offers obfuscated connections. Research providers known to work reliably in China.
- Installation & Connection: Download and install the VPN software on your device. Connect to a server location outside of China before browsing.
```shell
# Example OpenVPN connection command (replace client.ovpn with the profile your VPN provider gave you)
sudo openvpn --config client.ovpn
```
2. End-to-End Encryption
Use services that provide end-to-end encryption by default.
- Messaging: Signal, WhatsApp (both end-to-end encrypted by default; both are blocked in mainland China, so they will normally need the VPN from step 1).
- Email: ProtonMail, Tutanota (end-to-end only between users of the same service; mail to outside addresses is protected only in transit).
3. Check for Compromised Certificates
- Browser Warnings: A certificate warning means the certificate does not chain to a root your device trusts, which is exactly what a MITM without an installed root looks like. Do not click through unless you are absolutely certain of the website’s legitimacy, and never install a certificate to make a warning go away.
- Certificate Transparency Logs: Every certificate from a publicly trusted CA is logged, so you can look up what was really issued for a site on crt.sh and compare the issuer and fingerprint with what your browser’s certificate viewer shows. A certificate minted by an interception root will not appear in the logs, and a different issuer than the logs show is a strong sign of interception.
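The comparison above can be scripted. The following added example (not the original page’s code) fetches the certificate a server presents with Python’s standard `ssl` module and checks it against an expected issuer organisation and, optionally, a set of pinned SHA-256 fingerprints obtained beforehand on a trusted network. The `Example Interception` issuer used in the comments is a hypothetical name, and `example.com` is only a sample target.

```python
"""Compare the certificate a server presents with what you expect."""
import hashlib
import socket
import ssl
from typing import Dict, Iterable, List, Optional, Tuple

# Shape of ssl.SSLSocket.getpeercert(): names are nested tuples of (attr, value) pairs.
Cert = Dict[str, object]


def name_to_dict(rdn_sequence) -> Dict[str, str]:
    """Flatten ((('countryName', 'US'),), (('commonName', 'R3'),)) into a plain dict."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def audit_presented_cert(cert: Cert, der: bytes, expected_issuer_orgs: Iterable[str],
                         pinned_fingerprints: Optional[Iterable[str]] = None) -> List[str]:
    """Return a list of findings; an empty list means the certificate looks as expected.

    A MITM certificate minted under a trusted rogue root passes normal validation,
    so the checks here are about WHO issued it and WHICH certificate it is,
    not whether it validates.
    """
    findings = []
    issuer = name_to_dict(cert.get("issuer", ()))
    org = issuer.get("organizationName", "")
    if org not in set(expected_issuer_orgs):
        findings.append(f"issuer {issuer.get('commonName', '?')!r} (O={org or '-'}) is not an expected CA")
    if pinned_fingerprints is not None:
        fp = sha256_fingerprint(der)
        if fp not in set(pinned_fingerprints):
            findings.append(f"SHA-256 fingerprint {fp} is not in the pin set")
    return findings


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 10.0) -> Tuple[Cert, bytes]:
    """Network helper: open a TLS connection and return (parsed cert, DER bytes).

    If the presented chain does not end in a root your device trusts, wrap_socket
    raises ssl.SSLCertVerificationError: the programmatic form of the browser warning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # sample target
    cert, der = fetch_presented_cert(host)
    print("issuer:", name_to_dict(cert["issuer"]))
    print("fingerprint:", sha256_fingerprint(der))
    # The expected organisations (and any pins) come from a lookup done on a trusted
    # network, e.g. crt.sh or the browser's certificate viewer, not from this connection.
    expected = set(sys.argv[2:]) or {"Let's Encrypt"}
    for finding in audit_presented_cert(cert, der, expected):
        print("WARNING:", finding)
```

The important design point is that validation success is not evidence of safety here: if the interceptor’s root is in your trust store, `wrap_socket` will succeed and only the issuer or fingerprint comparison will reveal the substitution. Take the reference values on a network you trust, store them, and compare against them from inside China.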
4. Keep Software Updated
Regularly update your operating system, browser, and security software to patch vulnerabilities that could be exploited.
- Operating System: Enable automatic updates whenever possible.
- Browser: Chrome, Firefox, Safari all receive regular security updates.
5. Use HTTPS Everywhere (HTTPS-only mode)
The HTTPS Everywhere browser extension, which automatically switched connections to the HTTPS version of websites, was retired by the EFF in 2023 because modern browsers now have the same feature built in. Turn on Firefox’s HTTPS-Only Mode or Chrome’s “Always use secure connections” setting so that a plain-HTTP downgrade fails with a warning instead of silently exposing the page.
6. Be Aware of Public Wi-Fi
Open networks let anyone nearby run the same kind of MITM the ISP can, and captive portals are a common place to be asked to install a certificate. Never install a certificate to get online; if you must use public Wi-Fi in China, connect the VPN first and treat the network as hostile.
Important Considerations
- VPN Blocking: The Chinese government actively blocks many VPNs. You may need to try several providers to find one that works reliably.
- Trust-Store Hygiene: The list of root certificates your device trusts changes with system updates and with things you install. Periodically review the roots in your operating system and browser (Firefox keeps its own store) and remove any you did not knowingly add; a root you do not recognise is the single most important thing to find.
- No Guarantee: Even with these precautions, complete security is not guaranteed. China’s cyber capabilities are advanced and constantly evolving.
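The trust-store review above is easier to repeat if you script it. This added example (not part of the original page) lists the CA certificates Python’s default SSL context trusts, takes a baseline snapshot of them, and reports any roots that appear later or that match a search term such as “proxy”. The root names in the sample data (`Example Trust Services`, `Acme Interception`) are constructed for illustration; the Python store is not identical to your browser’s store, so run the same review in Firefox or Chrome as well.

```python
"""Audit the root certificates your device trusts and spot ones that were added."""
import ssl
from typing import Dict, Iterable, List, Set, Tuple

Root = Dict[str, object]            # getpeercert()-style dict
RootKey = Tuple[str, str, str]      # (commonName, organizationName, serialNumber)


def name_to_dict(rdn_sequence) -> Dict[str, str]:
    """Flatten the nested (attr, value) tuples of a subject/issuer into a dict."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def load_trusted_roots() -> List[Root]:
    """CA certificates the default context trusts. On Windows this reads the system
    ROOT/CA stores; on Linux the OpenSSL bundle. The list may be empty on a minimal system."""
    ctx = ssl.create_default_context()      # loads the platform default certificates
    return ctx.get_ca_certs()


def root_key(root: Root) -> RootKey:
    subject = name_to_dict(root.get("subject", ()))
    return (subject.get("commonName", "?"), subject.get("organizationName", "?"),
            str(root.get("serialNumber", "?")))


def snapshot_roots(roots: Iterable[Root]) -> Set[RootKey]:
    """Baseline to save from a device you trust (write it to a file in practice)."""
    return {root_key(r) for r in roots}


def new_roots(baseline: Set[RootKey], roots: Iterable[Root]) -> List[RootKey]:
    """Roots present now that were not in the baseline: exactly what an injected
    interception root looks like."""
    return sorted(root_key(r) for r in roots if root_key(r) not in baseline)


def find_roots_matching(roots: Iterable[Root], terms: Iterable[str]) -> List[RootKey]:
    """Roots whose subject or issuer mentions any term (case-insensitive), for checking
    whether a particular CA, or anything called 'proxy' or 'inspection', is present."""
    needles = [t.lower() for t in terms]
    hits = []
    for r in roots:
        text = " ".join(list(name_to_dict(r.get("subject", ())).values()) +
                        list(name_to_dict(r.get("issuer", ())).values())).lower()
        if any(n in text for n in needles):
            hits.append(root_key(r))
    return hits


if __name__ == "__main__":
    roots = load_trusted_roots()
    print(f"{len(roots)} trusted roots")
    for key in find_roots_matching(roots, ["proxy", "inspection", "intercept", "firewall"]):
        print("suspicious name:", key)
```

Usage: run `snapshot_roots(load_trusted_roots())` once on a device and network you trust and save the result; later, `new_roots(saved, load_trusted_roots())` tells you what has been added since. A root that appears only after you installed a vendor app or clicked through a captive portal is the case this page is about.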

