> On 5 Dec 2020, at 00:56, Adam Borowski <kilobyte@???> wrote:
>
> First, an anecdote: to track sleep problems I have, I bought a cheapest
> smartband, a Huawei one. It has almost no controls on its own, and it's UI
> needs a dumbphone (Google or Apple infested) via Bluetooth. Because
> $REASONS¹ I happen to carry two phones, one of them such a dumbphone,
> with no IP network connection 99.999% of the time. Setting up the
> smartband requires a "Huawei account" (but works correctly without network
> later on). Such an account needs a password. Alas, Huawei has weird
> requirements (like, banning spaces and non-alnum chars) so none of my
> usual password schemes work. Pissed off, calling them Nazis would be
> inappropriate so I instead chosen the password to be "1989tiananmen".
> Account creation timed off. I tried multiple times, over a few days,
> both from the phone and from website, on different browsers/OSes/machines/
> networks (I did not suspect a low-level interruption). Finally, choosing
> a different password worked.
>
> So, hmm, how come a https connection gets intercepted by the Great Firewall?
> No hacking by the govt is involved here...

Not at all surprising. The same problem exists with wechat app, the backbone of Chinese society. Passwords are clearly (deliberately I’m guessing) not being hashed on the backend database.