On the night of August 20, 2025, something extraordinary and unsettling happened in China’s cyberspace. For about 74 minutes, the nation’s infamous Great Firewall (GFW) blocked all traffic over TCP port 443, the standard port for HTTPS communication.
This event not only disrupted countless websites and services but also raised alarm bells across the global tech and cybersecurity community. The shutdown, caused by forged TCP reset packets, temporarily severed China’s internet users from much of the secure web.
In this post, we’ll unpack what happened, explore the technical mechanics behind the outage, and analyze what it might mean for the future of internet censorship and global connectivity.
Understanding Port 443 and Why It Matters

Before diving into the incident, it’s worth revisiting why port 443 is so critical.
- Port 443 is the default TCP port used by the HTTPS protocol.
- When you type a URL starting with https://, your browser communicates with the server over port 443.
- This channel is encrypted using SSL/TLS, which protects the confidentiality and integrity of data in transit.
Blocking it effectively means blocking encrypted web traffic. Without it, users can only fall back on HTTP (port 80), which is unencrypted and insecure.
In today’s digital ecosystem – where everything from banking apps and messaging platforms to cloud services relies on HTTPS – the significance of port 443 cannot be overstated. Shutting it down, even briefly, is like cutting oxygen from the modern internet.
The Incident: 74 Minutes of Silence on Port 443
According to network monitoring groups and multiple reports, the disruption began at 00:34 Beijing time and ended at 01:48. During this window:
- Every attempt to establish a connection on TCP port 443 from within China was reset.
- The blocking was consistent across ISPs and regions, pointing to central intervention rather than a localized outage.
- Other ports – such as 22 (SSH), 80 (HTTP), and 8443 (alternative HTTPS) – remained unaffected.
This precise targeting suggests intentional action rather than a random technical glitch.
Immediate Impact
The outage disrupted:
- Access to foreign services like Google, Apple iCloud, Tesla’s remote connectivity systems, and countless SaaS providers.
- Domestic platforms that rely on external secure APIs or cloud hosting.
- Cross-border communication for businesses and individuals.
For ordinary Chinese users, it manifested as websites failing to load, apps refusing to sync, and secure services simply timing out.
Technical Mechanics: How the Block Worked
Reports from network researchers indicate that the GFW employed a known censorship technique: injection of forged TCP reset packets (RST+ACK).
What Are RST Packets?
In TCP communication:
- An RST (reset) packet tells one side of a connection to immediately terminate the session.
- An ACK (acknowledgment) packet confirms receipt of data.
- Combining the two (RST+ACK) signals a hard stop to the connection.
When injected into a TCP stream, such packets can abruptly kill connections – even if the communicating parties didn’t intend to disconnect.
How the GFW Used RST+ACK
Here’s what happened:
- A user in China attempted an HTTPS request (say, to https://example.com).
- The connection request reached the GFW.
- Instead of forwarding the request normally, the GFW injected fake RST+ACK packets into the stream.
- The client interpreted this as a legitimate reset from the server and closed the connection.
The result? Every attempt to use port 443 appeared to “fail” instantly.
This technique is stealthy in that it doesn’t block packets outright at the firewall level; instead, it creates the illusion of legitimate disconnections.
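The pattern described above, a SYN answered by RST+ACK on port 443 across unrelated servers while other ports complete normally, can be checked in a packet capture. The following Python sketch is an added example, not code from the original post or from any monitoring group. The packets are constructed samples using documentation address ranges, and all function names are hypothetical. A single RST+ACK reply to a SYN is also what a closed port sends, so the signal is the breadth across servers, not one reset.

```python
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10

def build(src, dst, sport, dport, flags):
    """Constructed sample packet: 20-byte IPv4 + 20-byte TCP header, checksums 0."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, addr(src), addr(dst))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)

def parse(pkt):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 14:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return pkt[12:16], pkt[16:20], sport, dport, pkt[ihl + 13]

def handshake_outcomes(packets):
    """Map server port -> {server address: True if the SYN was answered by RST+ACK}."""
    pending, outcome = set(), defaultdict(dict)
    for pkt in packets:
        p = parse(pkt)
        if p is None:
            continue
        src, dst, sport, dport, flags = p
        if flags & (SYN | ACK | RST) == SYN:        # client SYN opens a handshake
            pending.add((src, sport, dst, dport))
        elif (dst, dport, src, sport) in pending:    # first reply, direction reversed
            pending.discard((dst, dport, src, sport))
            outcome[sport][src] = flags & (RST | ACK) == (RST | ACK)
    return outcome

def blanket_reset_ports(packets, min_servers=3):
    """Ports that were reset on every one of at least min_servers distinct servers."""
    return sorted(port for port, servers in handshake_outcomes(packets).items()
                  if len(servers) >= min_servers and all(servers.values()))

CLIENT = "10.0.0.5"                                          # constructed client address
SERVERS = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]   # documentation ranges
SAMPLE = []                                                  # constructed capture
for srv in SERVERS:
    for port, reply in ((443, RST | ACK), (80, SYN | ACK), (8443, SYN | ACK)):
        cport = 40000 + len(SAMPLE)
        SAMPLE += [build(CLIENT, srv, cport, port, SYN), build(srv, CLIENT, port, cport, reply)]
```

On the constructed capture, `blanket_reset_ports(SAMPLE)` reports only port 443, matching the selective behaviour reported for the incident.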

How This Differs from “Normal” Censorship?
The GFW usually relies on:
- DNS poisoning (returning fake IP addresses for blocked domains).
- IP blacklisting (blocking connections to certain addresses).
- Keyword-based filtering (resetting connections containing banned phrases).
But this event was different. Instead of targeting specific domains or content, it went after all traffic on port 443, whatever the destination.
That’s akin to banning not just specific books but shutting down all libraries.
Why Only Port 443?
The choice to block only 443 is intriguing.
- Port 80 (HTTP) was untouched. This allowed unencrypted browsing to continue.
- Port 22 (SSH) was untouched. Developers and sysadmins still had access to remote servers.
- Port 8443 (alternative HTTPS) was untouched. Some services continued to function if they were configured on this port.
This selective precision hints at an experiment or test run, rather than a full-blown attempt to cut off secure communication indefinitely.
Theories Behind the Outage
So, why did China’s GFW take such a drastic step, even for just over an hour? Several theories are circulating.
1. A Misconfiguration or Human Error
The simplest explanation is that a new filter rule was rolled out incorrectly. Given the complexity of China’s nationwide censorship infrastructure, mistakes are possible.
2. A Stress Test of New Capabilities
Many researchers believe this was a trial run. By blocking 443 briefly, the GFW operators could measure:
- How resilient Chinese services are to HTTPS disruptions.
- Whether businesses and users have reliable fallbacks.
- How international services react to sudden connection resets.
3. A Downgrade Attack Simulation
Another theory is that this was part of testing downgrade attack scenarios. By forcing HTTPS offline, users might resort to HTTP, exposing communications to surveillance and tampering.
4. Political Signaling
Some interpret it as a warning shot – demonstrating that China can, if it wishes, sever secure channels at will. This kind of symbolic power projection aligns with the government’s tight grip over digital infrastructure.
Wider Implications
The brief 443 blackout has several implications for cybersecurity, business, and geopolitics.
Impact on Security
- HTTPS is the backbone of trust online. Without it, users risk man-in-the-middle (MITM) attacks, data theft, and surveillance.
- A forced downgrade to HTTP would expose everything from login credentials to private chats.
Impact on Business
- Chinese companies relying on external APIs, cloud services, or international payment gateways were affected.
- Multinational firms operating in China saw disruption to services that depend on secure tunnels.
Impact on Global Connectivity
- This shows the fragility of centralized control over internet infrastructure.
- Even a short-lived national policy change can have a ripple effect across the global web.

A Look at Similar Precedents
China has a long history of experimenting with censorship tactics:
- 2010s: DNS poisoning and IP blocking became standard GFW practice.
- 2015: The “Great Cannon” was discovered – a tool capable of injecting malicious code into traffic for DDoS amplification.
- 2019–2020: TLS fingerprinting was used to block encrypted connections based on handshake characteristics.
The 2025 port 443 block may be the next evolution – testing how far the state can push without collapsing domestic digital life.
What Researchers Found
Several cybersecurity monitoring groups examined the incident. Their findings include:
- The forged RST packets did not match existing GFW fingerprints, suggesting new hardware or at least new modes of operation.
- Packets were injected consistently across the country, indicating centralized orchestration rather than ISP-level filtering.
- Once the block was lifted, connections resumed instantly – another sign of deliberate control rather than accidental failure.
Could This Happen Elsewhere?
While the GFW is unique in scope, the technique itself – injecting RST packets – is not exclusive to China. Other nations with strong internet control capabilities could, in theory, replicate it.
That said, executing such a precise and nationwide action requires:
- Centralized control over the backbone internet infrastructure.
- Specialized hardware capable of packet injection at scale.
- Political will to disrupt secure communications.
Few countries meet all three conditions at the scale China demonstrated.
What Does This Mean for the Future of HTTPS?
The incident raises important questions for the future:
Can HTTPS be reliably trusted in censored regions?
If a state can reset port 443 at will, encrypted traffic is never guaranteed.
Will alternatives emerge?
Protocols like QUIC (HTTP/3), which often run over UDP port 443, could face similar risks.
Could domain fronting or port shifting help?
Running HTTPS on alternative ports (like 8443) might provide temporary relief—but censorship tools evolve quickly.
Possible Countermeasures
For those designing censorship-resistant systems, this event underscores the need for resilience:
- Protocol obfuscation: Tools like Tor bridges or VPNs with obfuscated transport layers can make traffic harder to fingerprint.
- Multipath routing: Distributing connections across multiple ports and channels reduces dependency on a single point.
- Fallback strategies: Ensuring services can gracefully downgrade or shift ports may help maintain partial availability.
Conclusion: A Glimpse of the Future?

The August 20, 2025, port 443 blackout was short-lived, but its significance is profound.
By shutting down the port that underpins secure web communication, the GFW demonstrated both technical sophistication and political resolve. Whether it was a mistake, a test, or a calculated display of power, the message is clear: the foundations of the global internet are not immune to national intervention.
For cybersecurity professionals, policymakers, and ordinary users alike, this event is a reminder that the openness of the internet can never be taken for granted. Port 443 may have gone dark only briefly – but its shadow lingers.