Another Reason To Deploy Encryption Widely: Spiking China's 'Great Cannon' Attack

from the reasons-to-be-crypto dept

A couple of weeks ago, Mike provided an in-depth analysis of China's new tactic in its longstanding efforts to restrict access by its population to material that challenges the official narrative. This powerful DDoS attack has now been dubbed "China's Great Cannon" by researchers in a fascinating analysis published by The Citizen Lab. As Mike pointed out, one reason why this new approach has been developed is that it is not possible to block individual URLs when HTTPS traffic is involved. Thus, ironically, the increased use of encryption -- which is meant to protect users online -- led to the development of a powerful new digital weapon that potentially makes them not just victims, but even part of the attack. However, encryption is also a remedy, as The Citizen Lab researchers write:
Our findings in China add another documented case to at least two other known instances of governments tampering with unencrypted Internet traffic to control information or launch attacks -- the other two being the use of QUANTUM by the US NSA and UK’s GCHQ. In addition, product literature from two companies, FinFisher and Hacking Team, indicate that they sell similar "attack from the Internet" tools to governments around the world. These latest findings emphasize the urgency of replacing legacy web protocols, like HTTP, with their cryptographically strong versions, like HTTPS.
However, the remedy is only partial. Writing on his blog, Brian Krebs quotes Bill Marczak, one of the lead authors of the Great Cannon report, as saying:
Relying on an always-on encryption strategy is not a foolproof counter to this attack, because plug-ins like https-everywhere will still serve regular unencrypted content when Web sites refuse to or don't offer the same content over an encrypted connection. What's more, many Web sites draw content from a variety of sources online, meaning that the Great Cannon attack could succeed merely by drawing on resources provided by online ad networks that serve ads on a variety of Web sites from a dizzying array of sources. "Some of the scripts being injected in this attack are from online ad networks," Marczak said. “But certainly this kind of attack suggests a far more aggressive use of https where available."
This confirms that encryption is no panacea, but is certainly worth deploying. The fact that it can make China's Great Cannon attacks harder, if not impossible, should also give pause to government officials around the world as they try to demonize encryption and call for it to be weakened or even banned.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ddos, encryption, great cannon, great firewall, https


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 14 Apr 2015 @ 2:42am

    Great Cannon

    I dunno. Maybe something got lost in the translation, but I think naming it The Grand Cannon would sound better than The Great Cannon.

    It doesn't make it any less ominous, but it does have a nicer ring to it!

    link to this | view in thread ]

  2. identicon
    Rich Kulawiec, 14 Apr 2015 @ 2:47am

    Yet another reason to block/blacklist/firewall advertising

    "Some of the scripts being injected in this attack are from online ad networks"

    Of course they are, since the worthless morons running those ad networks have failed, for YEARS, to make even token efforts to ensure the security and integrity of the content they're serving. (They're much too busy spying and invading privacy.) As a result, ad networks are knives held to the throats of Internet users and should be blocked, blacklisted and firewalled whenever and wherever possible.

    link to this | view in thread ]

  3. icon
    frank87 (profile), 14 Apr 2015 @ 2:52am

    link to this | view in thread ]

  4. identicon
    Call me Al, 14 Apr 2015 @ 3:14am

    Re: Great Cannon

    It is continuing naming form for Chinese things.

    "The Great Wall" leads to "The Great Firewall" which then leads to "The Great Cannon".

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 14 Apr 2015 @ 3:22am

    Re: Re: Great Cannon

    Doh! I certainly feel dumb and embarrassed now!

    Thank you for the insight and now I think it's time for me to get some coffee and wake up this lame brain of mine!

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 14 Apr 2015 @ 3:24am

    Except China will ´simply´ ban/MitM encryption which they can feasibly do.

    link to this | view in thread ]

  7. identicon
    Yes, I know I'm commenting anonymously, 14 Apr 2015 @ 3:58am

    HTTPS everywhere

    It should help greatly if tools like HTTPS everywhere remembered which sites they can connect to with the encrypted protocol (store that info locally). Then (optionally) prompt the user what to do when it cannot connect securely to one of these.
    There are similar plugins for scripts and 3rd party content that allow the user control without having to spend too much time on these settings.

    link to this | view in thread ]

  8. icon
    Richard (profile), 14 Apr 2015 @ 6:54am

    Do you really think other governments are on our side?

    This confirms that encryption is no panacea, but is certainly worth deploying. The fact that it can make China's Great Cannon attacks harder, if not impossible, should also give pause to government officials around the world as they try to demonize encryption and call for it to be weakened or even banned.

    Most officials of most governments are cheering China on under their breath. It is only in pubklic that China is condemned. In private they have the same agenda. It is just the remaining barriers of free speech and democracy that stop them saying so publicly.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 14 Apr 2015 @ 8:14am

    But think of the children, Glyn!

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 14 Apr 2015 @ 9:39am

    Switching to HTTPS might work, unless FBI director James Comey demands a frontdoor into HTTPS too.

    link to this | view in thread ]

  11. icon
    John Fenderson (profile), 14 Apr 2015 @ 9:51am

    Re:

    Since the feds insist that the backdoor they want isn't a backdoor, and it's clearly not a front door either, I would like to appease them by coining a new word for it.

    It's a frackdoor.

    link to this | view in thread ]

  12. icon
    terry (profile), 14 Apr 2015 @ 12:49pm

    When will a billion Chinese let its government know they have had enough of being the target of the likes of The "Great Cannon".

    link to this | view in thread ]

  13. icon
    John Fenderson (profile), 14 Apr 2015 @ 12:53pm

    Re: Re: Great Cannon

    To my ears, the name has multiple levels of meaning. One is what you just said here. The other is that I take it as a sly reference to the Low Orbit Ion Cannon that it resembles.

    link to this | view in thread ]

  14. icon
    Padpaw (profile), 14 Apr 2015 @ 10:09pm

    combatting tyranny home or abroad

    link to this | view in thread ]

  15. icon
    M. Alan Thomas II (profile), 14 Apr 2015 @ 10:19pm

    Re: Great Cannon

    The Grand Cannon series (I through V) were strategic weapons in the Macross universe. /geek

    link to this | view in thread ]

  16. icon
    M. Alan Thomas II (profile), 14 Apr 2015 @ 10:22pm

    It will also spike Comcast's ability to inject popups into people's browsing in the event of detecting network-utilizing malware / copyright strikes.

    link to this | view in thread ]

  17. icon
    GEMont (profile), 15 Apr 2015 @ 12:40pm

    And now for something completely different...

    Sometimes, you just have to love how reality works.

    On the one hand, we have the Spy Agencies and Corporations of America doing their criminal best to destroy encryption and weaken security world wide, just so they can read everyone's communications and use the information for blackmail, crowd control and advertising.

    The American public, utterly deprived of a voice in this matter - and most other matters as well - can do nothing to stop the runaway USG and the MAFIA run American Fascist Billionaire Club from doing whatever they damn well please, because the new secret interpretations of the old laws and the constitution, as well as the newly established corporate exploitation and public surveillance laws of the land of the free, allow both the USG and the Mob to do as they please, legally.

    And then along comes China - the most backwards-leading country on earth, desperately trying to destroy the influence of western culture, which they believe is making profit difficult for their own billionaires - oops - I meant that they believe is turning their own peasants into freedom fighters.... er... I mean that they think is ruining the moral fiber of the Honorable Chinese People.... and the Chinese Government is doing everything it can to utilize US technology and the USG built backdoor insecurity system to prove to the US public that Obama's threat of Cyber Terrorists attacking US systems is real, but really just showing the US public how insecure their communications has become under the control of Corporate America and the USG's Spy apparatus.

    Its like a poorly written soap opera, using B-grade actors, in which the writers never bothered to even consider adding a good guy hero to save the day and with the Mob inserting a three minute commercial every three minutes, selling shit as new and improved shinola.

    Yep. Civilization. Adulthood. Honor. Honesty. Morality. Truth. You've really got to love those popular human myths we keep bragging about having. Too bad they're not really available any more - except as ideals - in the Land of the Unfree.

    ---

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 15 Apr 2015 @ 12:44pm

    Nah encryption is only for terrorists, pirates, and pedophiles.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.