Another Reason To Deploy Encryption Widely: Spiking China's 'Great Cannon' Attack
from the reasons-to-be-crypto dept
A couple of weeks ago, Mike provided an in-depth analysis of China's new tactic in its longstanding efforts to restrict access by its population to material that challenges the official narrative. This powerful DDoS attack has now been dubbed "China's Great Cannon" by researchers in a fascinating analysis published by The Citizen Lab. As Mike pointed out, one reason why this new approach has been developed is that it is not possible to block individual URLs when HTTPS traffic is involved. Thus, ironically, the increased use of encryption -- which is meant to protect users online -- led to the development of a powerful new digital weapon that potentially makes them not just victims, but even part of the attack. However, encryption is also a remedy, as The Citizen Lab researchers write:Our findings in China add another documented case to at least two other known instances of governments tampering with unencrypted Internet traffic to control information or launch attacks -- the other two being the use of QUANTUM by the US NSA and UK’s GCHQ. In addition, product literature from two companies, FinFisher and Hacking Team, indicate that they sell similar "attack from the Internet" tools to governments around the world. These latest findings emphasize the urgency of replacing legacy web protocols, like HTTP, with their cryptographically strong versions, like HTTPS.However, the remedy is only partial. Writing on his blog, Brian Krebs quotes Bill Marczak, one of the lead authors of the Great Cannon report, as saying:
Relying on an always-on encryption strategy is not a foolproof counter to this attack, because plug-ins like https-everywhere will still serve regular unencrypted content when Web sites refuse to or don't offer the same content over an encrypted connection. What's more, many Web sites draw content from a variety of sources online, meaning that the Great Cannon attack could succeed merely by drawing on resources provided by online ad networks that serve ads on a variety of Web sites from a dizzying array of sources. "Some of the scripts being injected in this attack are from online ad networks," Marczak said. “But certainly this kind of attack suggests a far more aggressive use of https where available."This confirms that encryption is no panacea, but is certainly worth deploying. The fact that it can make China's Great Cannon attacks harder, if not impossible, should also give pause to government officials around the world as they try to demonize encryption and call for it to be weakened or even banned.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: ddos, encryption, great cannon, great firewall, https
Reader Comments
Subscribe: RSS
View by: Time | Thread
Great Cannon
It doesn't make it any less ominous, but it does have a nicer ring to it!
[ link to this | view in chronology ]
Re: Great Cannon
"The Great Wall" leads to "The Great Firewall" which then leads to "The Great Cannon".
[ link to this | view in chronology ]
Re: Re: Great Cannon
Thank you for the insight and now I think it's time for me to get some coffee and wake up this lame brain of mine!
[ link to this | view in chronology ]
Re: Re: Great Cannon
[ link to this | view in chronology ]
Re: Great Cannon
[ link to this | view in chronology ]
Yet another reason to block/blacklist/firewall advertising
Of course they are, since the worthless morons running those ad networks have failed, for YEARS, to make even token efforts to ensure the security and integrity of the content they're serving. (They're much too busy spying and invading privacy.) As a result, ad networks are knives held to the throats of Internet users and should be blocked, blacklisted and firewalled whenever and wherever possible.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
HTTPS everywhere
There are similar plugins for scripts and 3rd party content that allow the user control without having to spend too much time on these settings.
[ link to this | view in chronology ]
Do you really think other governments are on our side?
Most officials of most governments are cheering China on under their breath. It is only in pubklic that China is condemned. In private they have the same agenda. It is just the remaining barriers of free speech and democracy that stop them saying so publicly.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
It's a frackdoor.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
And now for something completely different...
On the one hand, we have the Spy Agencies and Corporations of America doing their criminal best to destroy encryption and weaken security world wide, just so they can read everyone's communications and use the information for blackmail, crowd control and advertising.
The American public, utterly deprived of a voice in this matter - and most other matters as well - can do nothing to stop the runaway USG and the MAFIA run American Fascist Billionaire Club from doing whatever they damn well please, because the new secret interpretations of the old laws and the constitution, as well as the newly established corporate exploitation and public surveillance laws of the land of the free, allow both the USG and the Mob to do as they please, legally.
And then along comes China - the most backwards-leading country on earth, desperately trying to destroy the influence of western culture, which they believe is making profit difficult for their own billionaires - oops - I meant that they believe is turning their own peasants into freedom fighters.... er... I mean that they think is ruining the moral fiber of the Honorable Chinese People.... and the Chinese Government is doing everything it can to utilize US technology and the USG built backdoor insecurity system to prove to the US public that Obama's threat of Cyber Terrorists attacking US systems is real, but really just showing the US public how insecure their communications has become under the control of Corporate America and the USG's Spy apparatus.
Its like a poorly written soap opera, using B-grade actors, in which the writers never bothered to even consider adding a good guy hero to save the day and with the Mob inserting a three minute commercial every three minutes, selling shit as new and improved shinola.
Yep. Civilization. Adulthood. Honor. Honesty. Morality. Truth. You've really got to love those popular human myths we keep bragging about having. Too bad they're not really available any more - except as ideals - in the Land of the Unfree.
---
[ link to this | view in chronology ]
[ link to this | view in chronology ]