Another Reason To Deploy Encryption Widely: Spiking China's 'Great Cannon' Attack
from the reasons-to-be-crypto dept
A couple of weeks ago, Mike provided an in-depth analysis of China’s new tactic in its longstanding efforts to restrict access by its population to material that challenges the official narrative. This powerful DDoS attack has now been dubbed “China’s Great Cannon” by researchers in a fascinating analysis published by The Citizen Lab. As Mike pointed out, one reason why this new approach has been developed is that it is not possible to block individual URLs when HTTPS traffic is involved. Thus, ironically, the increased use of encryption — which is meant to protect users online — led to the development of a powerful new digital weapon that potentially makes them not just victims, but even part of the attack. However, encryption is also a remedy, as The Citizen Lab researchers write:
Our findings in China add another documented case to at least two other known instances of governments tampering with unencrypted Internet traffic to control information or launch attacks — the other two being the use of QUANTUM by the US NSA and UK?s GCHQ. In addition, product literature from two companies, FinFisher and Hacking Team, indicate that they sell similar “attack from the Internet” tools to governments around the world. These latest findings emphasize the urgency of replacing legacy web protocols, like HTTP, with their cryptographically strong versions, like HTTPS.
However, the remedy is only partial. Writing on his blog, Brian Krebs quotes Bill Marczak, one of the lead authors of the Great Cannon report, as saying:
Relying on an always-on encryption strategy is not a foolproof counter to this attack, because plug-ins like https-everywhere will still serve regular unencrypted content when Web sites refuse to or don’t offer the same content over an encrypted connection. What’s more, many Web sites draw content from a variety of sources online, meaning that the Great Cannon attack could succeed merely by drawing on resources provided by online ad networks that serve ads on a variety of Web sites from a dizzying array of sources.
“Some of the scripts being injected in this attack are from online ad networks,” Marczak said. ?But certainly this kind of attack suggests a far more aggressive use of https where available.”
This confirms that encryption is no panacea, but is certainly worth deploying. The fact that it can make China’s Great Cannon attacks harder, if not impossible, should also give pause to government officials around the world as they try to demonize encryption and call for it to be weakened or even banned.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: ddos, encryption, great cannon, great firewall, https
Comments on “Another Reason To Deploy Encryption Widely: Spiking China's 'Great Cannon' Attack”
Great Cannon
I dunno. Maybe something got lost in the translation, but I think naming it The Grand Cannon would sound better than The Great Cannon.
It doesn’t make it any less ominous, but it does have a nicer ring to it!
Re: Great Cannon
It is continuing naming form for Chinese things.
“The Great Wall” leads to “The Great Firewall” which then leads to “The Great Cannon”.
Re: Re: Great Cannon
Doh! I certainly feel dumb and embarrassed now!
Thank you for the insight and now I think it’s time for me to get some coffee and wake up this lame brain of mine!
Re: Re: Great Cannon
To my ears, the name has multiple levels of meaning. One is what you just said here. The other is that I take it as a sly reference to the Low Orbit Ion Cannon that it resembles.
Re: Great Cannon
The Grand Cannon series (I through V) were strategic weapons in the Macross universe. /geek
Yet another reason to block/blacklist/firewall advertising
“Some of the scripts being injected in this attack are from online ad networks”
Of course they are, since the worthless morons running those ad networks have failed, for YEARS, to make even token efforts to ensure the security and integrity of the content they’re serving. (They’re much too busy spying and invading privacy.) As a result, ad networks are knives held to the throats of Internet users and should be blocked, blacklisted and firewalled whenever and wherever possible.
Would maelstrom stop the DDOS-problems? ( http://blog.bittorrent.com/2014/12/10/project-maelstrom-the-internet-we-build-next/ )
Except China will ´simply´ ban/MitM encryption which they can feasibly do.
HTTPS everywhere
It should help greatly if tools like HTTPS everywhere remembered which sites they can connect to with the encrypted protocol (store that info locally). Then (optionally) prompt the user what to do when it cannot connect securely to one of these.
There are similar plugins for scripts and 3rd party content that allow the user control without having to spend too much time on these settings.
Do you really think other governments are on our side?
This confirms that encryption is no panacea, but is certainly worth deploying. The fact that it can make China’s Great Cannon attacks harder, if not impossible, should also give pause to government officials around the world as they try to demonize encryption and call for it to be weakened or even banned.
Most officials of most governments are cheering China on under their breath. It is only in pubklic that China is condemned. In private they have the same agenda. It is just the remaining barriers of free speech and democracy that stop them saying so publicly.
But think of the children, Glyn!
Switching to HTTPS might work, unless FBI director James Comey demands a frontdoor into HTTPS too.
Re: Re:
Since the feds insist that the backdoor they want isn’t a backdoor, and it’s clearly not a front door either, I would like to appease them by coining a new word for it.
It’s a frackdoor.
When will a billion Chinese let its government know they have had enough of being the target of the likes of The “Great Cannon”.
combatting tyranny home or abroad
It will also spike Comcast’s ability to inject popups into people’s browsing in the event of detecting network-utilizing malware / copyright strikes.
And now for something completely different...
Sometimes, you just have to love how reality works.
On the one hand, we have the Spy Agencies and Corporations of America doing their criminal best to destroy encryption and weaken security world wide, just so they can read everyone’s communications and use the information for blackmail, crowd control and advertising.
The American public, utterly deprived of a voice in this matter – and most other matters as well – can do nothing to stop the runaway USG and the MAFIA run American Fascist Billionaire Club from doing whatever they damn well please, because the new secret interpretations of the old laws and the constitution, as well as the newly established corporate exploitation and public surveillance laws of the land of the free, allow both the USG and the Mob to do as they please, legally.
And then along comes China – the most backwards-leading country on earth, desperately trying to destroy the influence of western culture, which they believe is making profit difficult for their own billionaires – oops – I meant that they believe is turning their own peasants into freedom fighters…. er… I mean that they think is ruining the moral fiber of the Honorable Chinese People…. and the Chinese Government is doing everything it can to utilize US technology and the USG built backdoor insecurity system to prove to the US public that Obama’s threat of Cyber Terrorists attacking US systems is real, but really just showing the US public how insecure their communications has become under the control of Corporate America and the USG’s Spy apparatus.
Its like a poorly written soap opera, using B-grade actors, in which the writers never bothered to even consider adding a good guy hero to save the day and with the Mob inserting a three minute commercial every three minutes, selling shit as new and improved shinola.
Yep. Civilization. Adulthood. Honor. Honesty. Morality. Truth. You’ve really got to love those popular human myths we keep bragging about having. Too bad they’re not really available any more – except as ideals – in the Land of the Unfree.
—
Nah encryption is only for terrorists, pirates, and pedophiles.