Great Firewall architects fingered for GitHub attack
Crude man-in-the-middle attack followed White House petition
The Chinese computer scientists who helped build the country’s infamous Great Firewall may have been responsible for a man-in-the-middle attack on users of GitHub after they were named and shamed on the social code sharing site.
This is the theory put forward by GreatFire.org, a not-for-profit organisation which monitors and reports on online censorship in China. It explained in a blog post that users trying to access GitHub last weekend were faced with browser messages warning of an invalid SSL certificate – a tell-tale sign of a man-in-the-middle attack.
“The attack happened on a Saturday night. It was very crude, in that the fake certificate was signed by an unknown authority and bound to be detected quickly. The attack stopped after about an hour,” said GreatFire.org.
Its theory is that the attack was connected to a high profile petition created on the White House web site the day before.
This petition – which has now amassed over 9,000 signatures and could theoretically end up influencing US policy – calls on the Obama administration to deny entry to the architects of the Great Firewall, should they try and visit the US in the future.
A link on the petition takes the user to another GitHub page listing the names and some contact details of three key figures responsible for the Great Firewall.
Among the comments are the supposed address and ID number of Fang Binxing – often dubbed Father of the Great Firewall – and a link to another list with scores of others named and shamed.
GreatFire argued that because GitHub is HTTPS only, the authorities in China cannot block individual pages but only the entire site. This actually happened around a fortnight ago but after pretty vocal protests from developers who rely on the site to collaborate, it was unblocked again.
In this way, “the only tool left in the censorship toolbox is man-in-the-middle attacks” which can help the attackers intercept and monitor traffic, said GreatFirewall, adding the following:
"The whole episode seems rather irrational. It’s conceivable that one or several individuals identified on these lists as enemies of a free internet decided to take action into their own hands. They are the technical people behind the Great Firewall and so they would clearly be capable of implementing this attack. They had a motive in that they were personally being targeted by the people behind the White House petition. And they had no other options since they had been barred from blocking GitHub completely."
The Party has certainly been unafraid in the past to completely block sites or even cut the internet for large swathes of the population if social order is threatened.
However, it faces a more difficult problem if the sites in question are deemed too important to the international competitiveness of Chinese businesses to take down completely – as GitHub’s supporters argued.
This is where man-in-the-middle comes in. Although the attack last weekend was limited in scope, pretty crude and flagged by most browsers, GreatFire warned that such attacks may become more common and sophisticated in the future, especially if the number of sites in China using HTTPS keeps growing. ®
The future of SSL
How long before it is mandated that every browser in China has a trusted root certificate that is controlled by the ruling party.
There would then be no indication of a MITM attack and it wouldn't prove a visible annoyance to most users.
Every SSL packet could then be DPI'd.
if you have some control over "your" browser
I would like to be able to tie https sites to specific certificates in my browser. Then I wouldnt have to check the certificate every time I visited the site to be sure that one of the zillion other root certs installed in my browser wasnt being used. eg I should be able to tell my browser to only say https hsbc is valid if it is signed verisign not any other root cert like neverheardofthem.com. i couldnt get firefox addins to do that on all platforms. any tips?
Re: The future of SSL
If you control the trusted certificate root server you have ability to create any certs you want.