China Using Man-In-The-Middle Attack Against Google
from the now,-where-did-they-get-that-idea? dept
One of the most shocking revelations from the Snowden documents was that the NSA and GCHQ are running "man-in-the-middle" (MITM) attacks against Google -- that is, impersonating the company's machines so as to snoop on encrypted traffic to them. They are able to do that through the use of secret servers, codenamed Quantum, placed at key places on the Internet backbone, which therefore require the complicity of the telecom companies. Of course, in countries like China, arranging for Internet streams to be intercepted in this way is even easier, so perhaps the following story on greatfire.org should come as no surprise:From August 28, 2014 reports appeared on Weibo and Google Plus that users in China trying to access google.com and google.com.hk via CERNET, the country's education network, were receiving warning messages about invalid SSL certificates. The evidence, which we include later in this post, indicates that this was caused by a man-in-the-middle attack.Greatfire.org's analysis of why China is using MITM attacks against Google on the education network, rather than simply blocking access completely, is particularly interesting. The problem for the Chinese authorities is that Google has now implemented HTTPS by default:
Google enforced HTTPS by default on March 12, 2014 in China and elsewhere. That means that all communication between a user and Google is encrypted by default. Only the end user and the Google server know what information is being searched and returned. The Great Firewall, through which all outgoing traffic from China passes, only knows that a user is accessing data on Google’s servers -- not what that data is. This in turn means that the authorities cannot block individual searches on Google -- all they can do is block the website altogether. This is what has happened on the public internet in China but has not happened on CERNET.The reason is that access to Google is simply too important for the research community in China. Blocking Google entirely would therefore be counterproductive for the country's future:
The authorities know that if China is to make advances in research and development, if China is to innovate, then there must be access to the wealth of information that is accessible via Google. CERNET has long been considered hands off when it comes to censorship, for this very reason.The MITM approach offers the perfect solution: it allows researchers to get most of the benefit of Google's huge Internet index, but can be used to block selective search queries or results when people try to access sites or information that Chinese authorities want to censor. As the Greatfire.org post suggests, the increasing use of encrypted connections for online services means that MITM attacks are likely to become much more common -- and not just in China.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: attacks, blocking, censorship, china, man in the middle, mitm
Reader Comments
Subscribe: RSS
View by: Time | Thread
Emphasis mine. China doing it is not really a surprise but the really surprising bit is that we actually expect countries like the US, UK and even some other European ones to do the exact same. Will we be surprised to learn the NSA is doing the same (and I believe they are at this very moment)?
[ link to this | view in chronology ]
Re:
China already blocks Google. If you want to use it, you have to accept the MITM (which HTTPS makes very obvious).
On the US and Europe, if there is MITM of Google (which, as I said, HTTPS makes very obvious), it will cause a shitstorm.
And newer browsers make the MITM even more difficult. Chrome already pins Google's certificates. Firefox is going to do the same next version.
[ link to this | view in chronology ]
Re: Re:
This is already done in the US and Europe, and thanks to forged certs HTTPS does not make it obvious. There is no resulting shitstorm.
[ link to this | view in chronology ]
Re: Re: Re:
Thus, [citation needed].
[ link to this | view in chronology ]
Re: Re: Re: Re:
Yes, cert pinning helps some, but it's far from foolproof and doesn't really address how MITM attacks are actually being done by the pros (hacking the target machine and replacing certs). Also, currently only Chrome and (recently) Firefox does this.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Of course, if you control the target's machine (which you need to add a new cert), the target has already lost; Chrome even disables cert pining in that case (it assumes it is a "legitimate MITM" by the machine's owner).
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
"if you control the target's machine (which you need to add a new cert), the target has already lost"
You don't actually need to control the machine totally to do this, but you do need to hack it. In many (typically business) installations, you don't even need to touch the target's machine -- you only need to subvert the proxy or AD server.
Your comment here seems to imply that we shouldn't count this subversion somehow. If that's what you intend to imply, then I couldn't disagree with you more.
"Chrome even disables cert pining in that case (it assumes it is a "legitimate MITM" by the machine's owner)."
Which is a weakness in Chrome's implementation (there's no such thing as a "legitimate MITM attack.") They felt they had to include this weakness in order to allow certain commonly used cert tricks (telling people to stop doing that is not a commercially viable thing), but it's a weakness nonetheless. Not really that big of a deal in context, though, as cert pinning is simply a hack to reduce the effects of the severe problems we have with root CAs in the first place. I'm not going to complain too much that the band-aid doesn't cover the entire wound.
Techdirt: How the NSA pulls off man-in-the-middle attacks
FLYING PIG: The NSA Is Running Man In The Middle Attacks Imitating Google's Servers
New MitM attacks impersonate banking sites without triggering alerts
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
and I was missing the flying pig link: https://www.techdirt.com/articles/20130910/10470024468/flying-pig-nsa-is-running-man-middle-attacks- imitating-googles-servers.shtml
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Well, I guess that depends on which side of the network management infrastructure you sit on.
While I don't like it, my organisation performs what I consider a legitimate MITM.
They have a hardware appliance proxy server that performs MITM attacks against HTTPS traffic on staff internet use except those sites on a whitelist. The whitelist includes mostly financial sites (i.e. banks and internet banking, and other similar known sites). The appliance has it's own certificate, which is inserted into the windows standard desktop build as a trusted cert, so you don't even get errors (unless you install a 3rd party browser like firefox, that doesn't include the cert in it's trusted cert store). The appliance decrypts the incoming/outgoing stream and virus/malware scans it and compares it to a black/whitelist of unauthorised/authorised sites, then re-encrypts it to continue to the site/user.
The organisation has a legitimate interest in limiting it's legal exposure to staff accessing illegal content, and a legitimate interest in virus scanning all incoming/outgoing data.
By using the work supplied computers and internet bandwidth of the organisation, you have to abide by it's acceptable use policy.
[ link to this | view in chronology ]
Invalid Certs?
[ link to this | view in chronology ]
Re: Invalid Certs?
It's a very high cost to pay for a very low return in this case.
[ link to this | view in chronology ]
internet attacks you
[ link to this | view in chronology ]
Listen to the echoing silence...
Yet another casualty in the blind rush to 'Collect it all!' by the spy agencies.
[ link to this | view in chronology ]
easily solved
hand out to the masses and never use these fucktard search engines
[ link to this | view in chronology ]
Re: easily solved
[ link to this | view in chronology ]
Re: Re: easily solved
The TrackMeNot browser extension does just that, if you use FireFox. It even has a checkbox to use words from a list of DHS "red flag" words like "anthrax" and "bomb", if you want to make sure you're jerking their chain occasionally.
[ link to this | view in chronology ]
The Chinese government isn't doing anything shocking or surprising here. They are doing what they need to do to control the internet as best they see fit.
Now if they would just shut down the SSH hackers and comment spammers... ;)
[ link to this | view in chronology ]
Re:
It is not surprising indeed but if it doesn't shock you then you have a problem (which is not surprising considering your history). Anybody with physical access to fibers could theoretically perform such attacks yes but it must NOT happen under any circumstances and one of the issues the article rises is that with encryption becoming more and more common other surveillance-happy Governments will resort to such things.
If you are ok with MITM attacks then start doing all your communications unencrypted and with your real name. Should spare law enforcement the resources to keep track of you.
[ link to this | view in chronology ]
Re: Re:
O have a real problem with misrepresentation. I didn't say I am okay with MITM attacks.
I am not okay with MITM attacks in the free world. However, in the context of China, I understand it just fine. For them it isn't an attack, it's a method by which to control information as they have always done. It would be no different than reading every letter in and out of the country, or deciding what books are allowed in.
Acceptance of a political reality does not mean approval of the methods, only that I understand what they are doing, and in a situation where they have full control over every inbound and outbound packet, it's really not hard to do at all.
If you asked me the same thing about the US government, or the UK govenrment, then I would have a different answer for you. Within that society, that sort of thing is just not acceptable.
[ link to this | view in chronology ]
Re: Re: Re:
It is a sustained attack of a government on its own people so that they can maintain power. It is what the Inquisition tried to do, and it is what Islamic extremists are trying to do when they call for the imposition of Sharia law. Further, such control has a very nasty habit of spreading, because it it finds that a neighboring free people are a threat to its power.
[ link to this | view in chronology ]
Re: Re: Re:
Within that society, that sort of thing is just not acceptable.
It's not acceptable anywhere. This line of thought is tremendously dangerous and I stand by my last comment. If it's ok in China go live there and open your communications. Ah, why would you do that? Crazy eh? But it's ok for the Chinese to deal with it, right?
[ link to this | view in chronology ]
Re: Re: Re: Re:
This is a truly humorous comment on so many levels, that I can't even begin to start. I'll leave it at that.
It's not acceptable anywhere.
It's not exceptable to your moral standards. However, Mike has repeatedly stated that morals should not enter into the discussion. Do you have a problem that some countries have chosen a different system from the pseudo freedom that many people live in? Do you honestly think that it's the only way?
See, I don't agree with the way the Chinese govenment does things, I don't agree with many of their policies. However, I understand what they are doing so none of this surprises me. If anything, it points out a fundamental weakness of the internet that will never go away, which is someone always controls the data as it enters and exits the country. Understanding that the internet is entirely based on a trust that is broken routinely for profit, for political reasons, or just for the pleasure of some 4chan wannabe should be more than enough to give you pause.
It's too bad you cannot understand the difference between understanding something and agreeing (or supporting) something.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
It's not morals. It's scientifically proven that humans change behavior drastically when monitored full time. Also, if we allow such kind of total surveillance to happen many similar movements that shaped society as it is today simple wouldn't and won't be able to take place. They will be killed in their infancy. My problem is that there are megalomaniacs like you who think it's ok to do it. In the past this would simply be impossible in many levels but now with widespread surveillance it can become the norm.
See, I don't agree with the way the Chinese govenment does things
But it's ok if it fits your totalitarian world view. Fascinating. It's just that the US has too much freedom so it's ok that it's reined in, right? You are disgusting.
If anything, it points out a fundamental weakness of the internet that will never go away
On the contrary, it is already being worked on. Censorship is the problem and there are various workarounds, some deployed and some being developed right now. The new surveillance-happy era we are now will just quicken the development.
Understanding that the internet is entirely based on a trust that is broken routinely for profit, for political reasons, or just for the pleasure of some 4chan wannabe should be more than enough to give you pause.
Indeed it is largely based on trust but now that it has been proven that this trust is misplaced people are moving to fix it. There are works going on to make these certifications more hijack-proof.
It's too bad you cannot understand the difference between understanding something and agreeing (or supporting) something.
Your whole speech says you are the one who doesn't understand a thing. The simple fact that you believe that there is a limit to free speech and that there are human beings that can enforce such limits without abusing them already shows your lack of understanding.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
The same thing can be said when literally any other government or company that operates the pipes does this. It is a straight-up attack. The key is that the communication is being intercepted by people who are not intended to be a party to the communication. That makes it an attack. That the attackers wouldn't agree with the characterization means nothing.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Man so 1337
[ link to this | view in chronology ]
Re:
Surprising? No. Shocking? Yes.
[ link to this | view in chronology ]
If I had to choose living a life of hell under repression, or a short life fighting for freedom, I'd choose a short life under freedom. I guess most people don't feel that way, which leaves me to wonder what kind of future humanity has in store for itself.
[ link to this | view in chronology ]