China Using Man-In-The-Middle Attack Against Google

from the now,-where-did-they-get-that-idea? dept

One of the most shocking revelations from the Snowden documents was that the NSA and GCHQ are running "man-in-the-middle" (MITM) attacks against Google -- that is, impersonating the company's machines so as to snoop on encrypted traffic to them. They are able to do that through the use of secret servers, codenamed Quantum, placed at key places on the Internet backbone, which therefore require the complicity of the telecom companies. Of course, in countries like China, arranging for Internet streams to be intercepted in this way is even easier, so perhaps the following story on greatfire.org should come as no surprise:
From August 28, 2014 reports appeared on Weibo and Google Plus that users in China trying to access google.com and google.com.hk via CERNET, the country's education network, were receiving warning messages about invalid SSL certificates. The evidence, which we include later in this post, indicates that this was caused by a man-in-the-middle attack.
Greatfire.org's analysis of why China is using MITM attacks against Google on the education network, rather than simply blocking access completely, is particularly interesting. The problem for the Chinese authorities is that Google has now implemented HTTPS by default:
Google enforced HTTPS by default on March 12, 2014 in China and elsewhere. That means that all communication between a user and Google is encrypted by default. Only the end user and the Google server know what information is being searched and returned. The Great Firewall, through which all outgoing traffic from China passes, only knows that a user is accessing data on Google’s servers -- not what that data is. This in turn means that the authorities cannot block individual searches on Google -- all they can do is block the website altogether. This is what has happened on the public internet in China but has not happened on CERNET.
The reason is that access to Google is simply too important for the research community in China. Blocking Google entirely would therefore be counterproductive for the country's future:
The authorities know that if China is to make advances in research and development, if China is to innovate, then there must be access to the wealth of information that is accessible via Google. CERNET has long been considered hands off when it comes to censorship, for this very reason.
The MITM approach offers the censors a neat solution: researchers keep most of the benefit of Google's huge Internet index, while individual search queries or results can be blocked when people try to reach sites or information the authorities want to censor. It comes at a cost, which is why the attack was noticed at all: without a certificate for google.com that the user's browser trusts, the interception shows up as the invalid-certificate warnings reported on Weibo and Google Plus. As the Greatfire.org post suggests, the increasing use of encrypted connections for online services means that MITM attacks are likely to become much more common -- and not just in China.
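How a client can tell the interception apart from the genuine site, as an added example that is not part of the Techdirt post or of greatfire.org's report: the script below hand-builds three toy X.509-shaped DER certificates for www.google.com (a genuine one; a self-signed one of the kind that produced the warnings on CERNET; and one carrying the same CA name but an attacker's key, the forged-certificate case debated in the comments below), pulls the SubjectPublicKeyInfo out of each with a minimal ASN.1 walker, and compares its SHA-256 hash against a pin set, which is what a pinning client does on top of ordinary chain validation. The key bytes, the CA name "Example Public CA", the dates and the pins are constructed for illustration, no signature is verified, and the code is plain stdlib Python rather than Chrome's or Firefox's implementation.

```python
import base64
import hashlib

# ---- minimal DER encoder, used only to build the constructed sample certificates ----
def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])           # 2.5.4.3

def name(common_name_str):
    """Name ::= SEQUENCE OF SET OF { OID, PrintableString } with a single commonName."""
    atv = seq(tlv(0x06, OID_COMMON_NAME), tlv(0x13, common_name_str.encode()))
    return seq(tlv(0x31, atv))

def spki(pubkey_bytes):
    """SubjectPublicKeyInfo: rsaEncryption AlgorithmIdentifier plus the key as a BIT STRING."""
    alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05, b""))
    return seq(alg, tlv(0x03, b"\x00" + pubkey_bytes))

def toy_certificate(subject_cn, issuer_cn, pubkey_bytes):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The signature is a placeholder: this example checks pins, not signatures."""
    sha256_with_rsa = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                                   # [0] version v3
        tlv(0x02, b"\x01"),                                              # serialNumber
        sha256_with_rsa,                                                 # signature
        name(issuer_cn),                                                 # issuer
        seq(tlv(0x17, b"140828000000Z"), tlv(0x17, b"150828000000Z")),  # validity (UTCTime)
        name(subject_cn),                                                # subject
        spki(pubkey_bytes),                                              # subjectPublicKeyInfo
    )
    return seq(tbs, sha256_with_rsa, tlv(0x03, b"\x00" * 33))

# ---- minimal DER walker, the part a pinning client actually needs ----
def der_read(buf, pos):
    """Return (tag, value_start, value_end) for the TLV beginning at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = der_read(buf, pos)
        yield tag, vs, ve, pos
        pos = ve

def common_name(buf, start, end):
    for _, set_s, set_e, _ in der_children(buf, start, end):
        for _, atv_s, atv_e, _ in der_children(buf, set_s, set_e):
            oid, value = list(der_children(buf, atv_s, atv_e))[:2]
            if buf[oid[1]:oid[2]] == OID_COMMON_NAME:
                return buf[value[1]:value[2]].decode()
    return None

def extract_fields(cert_der):
    """Return (issuer CN, subject CN, DER-encoded SubjectPublicKeyInfo) of a certificate."""
    _, cert_s, _ = der_read(cert_der, 0)                 # outer Certificate SEQUENCE
    _, tbs_s, tbs_e = der_read(cert_der, cert_s)         # tbsCertificate SEQUENCE
    fields = list(der_children(cert_der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                             # explicit version is absent in v1 certs
        fields = fields[1:]
    # fields now: serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer = common_name(cert_der, fields[2][1], fields[2][2])
    subject = common_name(cert_der, fields[4][1], fields[4][2])
    spki_der = cert_der[fields[5][3]:fields[5][2]]       # whole TLV, which is what gets hashed
    return issuer, subject, spki_der

def spki_pin(spki_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def check_pins(cert_der, expected_host, pins):
    """Classify a presented leaf certificate against the expected host and pin set."""
    issuer, subject, spki_der = extract_fields(cert_der)
    if subject != expected_host:
        return "wrong-host"
    if spki_pin(spki_der) in pins:
        return "ok"
    if issuer == subject:
        return "self-signed"      # CERNET-style: a browser already warns about this one
    return "pin-mismatch"         # chain may validate, but the key is not one we pinned

# ---- constructed sample data (illustrative bytes, not real RSA keys) ----
GENUINE_KEY = bytes(range(1, 65))
ATTACKER_KEY = bytes(range(64, 0, -1))
PINS = {spki_pin(spki(GENUINE_KEY))}    # the pin a client would ship for the genuine key
GENUINE = toy_certificate("www.google.com", "Example Public CA", GENUINE_KEY)
SELF_SIGNED = toy_certificate("www.google.com", "www.google.com", ATTACKER_KEY)
CA_FORGED = toy_certificate("www.google.com", "Example Public CA", ATTACKER_KEY)

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("self-signed (CERNET case)", SELF_SIGNED),
                        ("forged, CA-signed", CA_FORGED)):
        print(f"{label:26s} -> {check_pins(cert, 'www.google.com', PINS)}")
```

The self-signed case is the one a browser already catches with an invalid-certificate warning. The third case is what plain chain validation would accept if the interceptor holds a certificate from a CA the client trusts, and only the pin comparison rejects it. Pinning the hash of the SubjectPublicKeyInfo rather than of the whole certificate lets the site reissue certificates without breaking the pin, as long as it keeps the key or also pins a backup key.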

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: attacks, blocking, censorship, china, man in the middle, mitm


Reader Comments



  • Ninja (profile), 10 Sep 2014 @ 3:05am

    As the Greatfire.org post suggests, the increasing use of encrypted connections for online services means that MITM attacks are likely to become much more common -- and not just in China.

    Emphasis mine. China doing it is not really a surprise but the really surprising bit is that we actually expect countries like the US, UK and even some other European ones to do the exact same. Will we be surprised to learn the NSA is doing the same (and I believe they are at this very moment)?


    • Anonymous Coward, 10 Sep 2014 @ 4:14am

      Re:

      There's one difference.

      China already blocks Google. If you want to use it, you have to accept the MITM (which HTTPS makes very obvious).

      On the US and Europe, if there is MITM of Google (which, as I said, HTTPS makes very obvious), it will cause a shitstorm.

      And newer browsers make the MITM even more difficult. Chrome already pins Google's certificates. Firefox is going to do the same next version.


      • John Fenderson (profile), 10 Sep 2014 @ 8:08am

        Re: Re:

        "On the US and Europe, if there is MITM of Google (which, as I said, HTTPS makes very obvious), it will cause a shitstorm."

        This is already done in the US and Europe, and thanks to forged certs HTTPS does not make it obvious. There is no resulting shitstorm.


        • Anonymous Coward, 10 Sep 2014 @ 8:13am

          Re: Re: Re:

          I find that hard to believe. As said above: Chrome already pins Google's certificates. This has already revealed MITM on Google's websites before.

          Thus, [citation needed].


          • John Fenderson (profile), 10 Sep 2014 @ 8:53am

            Re: Re: Re: Re:

            Citation needed? Really? This was front-paged on pretty much every tech site when it hit the news and the supporting evidence is readily available through a quick web search.

            Yes, cert pinning helps some, but it's far from foolproof and doesn't really address how MITM attacks are actually being done by the pros (hacking the target machine and replacing certs). Also, currently only Chrome and (recently) Firefox does this.


            • Anonymous Coward, 10 Sep 2014 @ 10:57am

              Re: Re: Re: Re: Re:

              Could you help me with a few keywords to search for, then? I have been following the tech news for a long while, and do not recall any MITM of Google's SSL other than Diginotar's (which was caught by Chrome's cert pinning). But that was in Iran, not the USA or Europe.

              Of course, if you control the target's machine (which you need to add a new cert), the target has already lost; Chrome even disables cert pinning in that case (it assumes it is a "legitimate MITM" by the machine's owner).


              • John Fenderson (profile), 10 Sep 2014 @ 12:49pm

                Re: Re: Re: Re: Re: Re:

                You can get lots of relevant results by searching for "root cs mitm attack". I've gathered a couple here (the two Techdirt links are intentional, to provide a starting place for explanation and further research), but there's LOTS more. The Diginotar thing isn't the only (or the worst) example of this sort of thing.

                "if you control the target's machine (which you need to add a new cert), the target has already lost"

                You don't actually need to control the machine totally to do this, but you do need to hack it. In many (typically business) installations, you don't even need to touch the target's machine -- you only need to subvert the proxy or AD server.

                Your comment here seems to imply that we shouldn't count this subversion somehow. If that's what you intend to imply, then I couldn't disagree with you more.

                "Chrome even disables cert pining in that case (it assumes it is a "legitimate MITM" by the machine's owner)."

                Which is a weakness in Chrome's implementation (there's no such thing as a "legitimate MITM attack.") They felt they had to include this weakness in order to allow certain commonly used cert tricks (telling people to stop doing that is not a commercially viable thing), but it's a weakness nonetheless. Not really that big of a deal in context, though, as cert pinning is simply a hack to reduce the effects of the severe problems we have with root CAs in the first place. I'm not going to complain too much that the band-aid doesn't cover the entire wound.

                Techdirt: How the NSA pulls off man-in-the-middle attacks
                FLYING PIG: The NSA Is Running Man In The Middle Attacks Imitating Google's Servers
                New MitM attacks impersonate banking sites without triggering alerts


                • John Fenderson (profile), 10 Sep 2014 @ 12:50pm

                  Re: Re: Re: Re: Re: Re: Re:

                  Corrections: by "root cs mitm attack" I meant "root ca mitm attack".

                  and I was missing the flying pig link: https://www.techdirt.com/articles/20130910/10470024468/flying-pig-nsa-is-running-man-middle-attacks-imitating-googles-servers.shtml


                • Eldakka (profile), 10 Sep 2014 @ 5:28pm

                  Re: Re: Re: Re: Re: Re: Re:

                  (there's no such thing as a "legitimate MITM attack.")

                  Well, I guess that depends on which side of the network management infrastructure you sit on.

                  While I don't like it, my organisation performs what I consider a legitimate MITM.

                  They have a hardware appliance proxy server that performs MITM attacks against HTTPS traffic on staff internet use except those sites on a whitelist. The whitelist includes mostly financial sites (i.e. banks and internet banking, and other similar known sites). The appliance has its own certificate, which is inserted into the Windows standard desktop build as a trusted cert, so you don't even get errors (unless you install a 3rd party browser like Firefox, that doesn't include the cert in its trusted cert store). The appliance decrypts the incoming/outgoing stream and virus/malware scans it and compares it to a black/whitelist of unauthorised/authorised sites, then re-encrypts it to continue to the site/user.

                  The organisation has a legitimate interest in limiting its legal exposure to staff accessing illegal content, and a legitimate interest in virus scanning all incoming/outgoing data.

                  By using the work supplied computers and internet bandwidth of the organisation, you have to abide by its acceptable use policy.


  • Anonymous Hero, 10 Sep 2014 @ 4:48am

    Invalid Certs?

    I find it hard to believe that the Chinese gov't can't get CA signed certs for the MITM attack. Maybe the MITM attack is not being performed by Chinese authorities, but rather by some other malicious, non-state actor.


    • Anonymous Coward, 10 Sep 2014 @ 8:15am

      Re: Invalid Certs?

      If they used a CA signed cert, and the counterfeit signed cert got out (as the certs involved in this MITM did), the CA would quickly be removed from all browsers (see: Diginotar).

      It's a very high cost to pay for a very low return in this case.


  • Anonymous Coward, 10 Sep 2014 @ 4:56am

    In communist (insert country),
    internet attacks you


  • That One Guy (profile), 10 Sep 2014 @ 5:06am

    Listen to the echoing silence...

    Yet another case where, due to the fact that the USG has done the very same actions, they are stuck either exposing their hypocrisy by calling out China on actions the USG sees nothing wrong with when it's the one committing them, or remaining silent, not wanting to draw attention to its own actions in the past/present.

    Yet another casualty in the blind rush to 'Collect it all!' by the spy agencies.


  • the threat to peace is the USA, 10 Sep 2014 @ 5:19am

    easily solved

    just search for giant penis links via a script

    hand out to the masses and never use these fucktard search engines


    • Anonymous Coward, 10 Sep 2014 @ 7:57am

      Re: easily solved

      Lol, I always wanted to be able to have a browser browsing random links at intervals that I decide to from a list or something while I do my real browsing on tor duckduckgo


      • Duckworthy, 10 Sep 2014 @ 8:43pm

        Re: Re: easily solved

        I always wanted to be able to have a browser browsing random links at intervals that I decide to from a list or something while I do my real browsing on tor duckduckgo

        The TrackMeNot browser extension does just that, if you use FireFox. It even has a checkbox to use words from a list of DHS "red flag" words like "anthrax" and "bomb", if you want to make sure you're jerking their chain occasionally.


  • Whatever (profile), 10 Sep 2014 @ 5:55am

    If you are in a position to be the MITM, then getting around the SSL is insanely simple, you just gateway everything, decoding both sides and acting as the other party in both cases.

    The Chinese government isn't doing anything shocking or surprising here. They are doing what they need to do to control the internet as best they see fit.

    Now if they would just shut down the SSH hackers and comment spammers... ;)


    • Ninja (profile), 10 Sep 2014 @ 6:07am

      Re:

      The Chinese government isn't doing anything shocking or surprising here.

      It is not surprising indeed but if it doesn't shock you then you have a problem (which is not surprising considering your history). Anybody with physical access to fibers could theoretically perform such attacks yes but it must NOT happen under any circumstances and one of the issues the article raises is that with encryption becoming more and more common other surveillance-happy Governments will resort to such things.

      If you are ok with MITM attacks then start doing all your communications unencrypted and with your real name. Should spare law enforcement the resources to keep track of you.


      • Whatever (profile), 10 Sep 2014 @ 6:54am

        Re: Re:

        If you are ok with MITM attacks

        I have a real problem with misrepresentation. I didn't say I am okay with MITM attacks.

        I am not okay with MITM attacks in the free world. However, in the context of China, I understand it just fine. For them it isn't an attack, it's a method by which to control information as they have always done. It would be no different than reading every letter in and out of the country, or deciding what books are allowed in.

        Acceptance of a political reality does not mean approval of the methods, only that I understand what they are doing, and in a situation where they have full control over every inbound and outbound packet, it's really not hard to do at all.

        If you asked me the same thing about the US government, or the UK government, then I would have a different answer for you. Within that society, that sort of thing is just not acceptable.


        • Anonymous Coward, 10 Sep 2014 @ 7:31am

          Re: Re: Re:

          I understand it just fine. For them it isn't an attack, it's a method by which to control information as they have always done.

          It is a sustained attack of a government on its own people so that they can maintain power. It is what the Inquisition tried to do, and it is what Islamic extremists are trying to do when they call for the imposition of Sharia law. Further, such control has a very nasty habit of spreading, because it it finds that a neighboring free people are a threat to its power.


        • Ninja (profile), 10 Sep 2014 @ 7:38am

          Re: Re: Re:

          I'm not ok with this type of attack anywhere. The fact that China has "always controlled" their communications means absolutely nothing.

          Within that society, that sort of thing is just not acceptable.

          It's not acceptable anywhere. This line of thought is tremendously dangerous and I stand by my last comment. If it's ok in China go live there and open your communications. Ah, why would you do that? Crazy eh? But it's ok for the Chinese to deal with it, right?


          • Whatever (profile), 10 Sep 2014 @ 8:03am

            Re: Re: Re: Re:

            If it's ok in China go live there

            This is a truly humorous comment on so many levels, that I can't even begin to start. I'll leave it at that.

            It's not acceptable anywhere.

            It's not acceptable to your moral standards. However, Mike has repeatedly stated that morals should not enter into the discussion. Do you have a problem that some countries have chosen a different system from the pseudo freedom that many people live in? Do you honestly think that it's the only way?

            See, I don't agree with the way the Chinese government does things, I don't agree with many of their policies. However, I understand what they are doing so none of this surprises me. If anything, it points out a fundamental weakness of the internet that will never go away, which is someone always controls the data as it enters and exits the country. Understanding that the internet is entirely based on a trust that is broken routinely for profit, for political reasons, or just for the pleasure of some 4chan wannabe should be more than enough to give you pause.

            It's too bad you cannot understand the difference between understanding something and agreeing (or supporting) something.


            • Ninja (profile), 10 Sep 2014 @ 11:02am

              Re: Re: Re: Re: Re:

              It's not acceptable to your moral standards. However, Mike has repeatedly stated that morals should not enter into the discussion.

              It's not morals. It's scientifically proven that humans change behavior drastically when monitored full time. Also, if we allow such kind of total surveillance to happen many similar movements that shaped society as it is today simply wouldn't and won't be able to take place. They will be killed in their infancy. My problem is that there are megalomaniacs like you who think it's ok to do it. In the past this would simply be impossible on many levels but now with widespread surveillance it can become the norm.

              See, I don't agree with the way the Chinese government does things

              But it's ok if it fits your totalitarian world view. Fascinating. It's just that the US has too much freedom so it's ok that it's reined in, right? You are disgusting.

              If anything, it points out a fundamental weakness of the internet that will never go away

              On the contrary, it is already being worked on. Censorship is the problem and there are various workarounds, some deployed and some being developed right now. The new surveillance-happy era we are now will just quicken the development.

              Understanding that the internet is entirely based on a trust that is broken routinely for profit, for political reasons, or just for the pleasure of some 4chan wannabe should be more than enough to give you pause.

              Indeed it is largely based on trust but now that it has been proven that this trust is misplaced people are moving to fix it. There are works going on to make these certifications more hijack-proof.

              It's too bad you cannot understand the difference between understanding something and agreeing (or supporting) something.

              Your whole speech says you are the one who doesn't understand a thing. The simple fact that you believe that there is a limit to free speech and that there are human beings that can enforce such limits without abusing them already shows your lack of understanding.


        • Anonymous Coward, 10 Sep 2014 @ 8:02am

          Re: Re: Re:

          Chinese citizens have an easier way to the pursuit of basic human happiness than in the "free world". At least 98% of them, sorry Tibet and East Turkestan (gotta have them muslim terrorists in your own home too if not american...just ask Russians).


        • John Fenderson (profile), 10 Sep 2014 @ 8:11am

          Re: Re: Re:

          "For them it isn't an attack, it's a method by which to control information as they have always done."

          The same thing can be said when literally any other government or company that operates the pipes does this. It is a straight-up attack. The key is that the communication is being intercepted by people who are not intended to be a party to the communication. That makes it an attack. That the attackers wouldn't agree with the characterization means nothing.


          • Anonymous Coward, 10 Sep 2014 @ 1:08pm

            Re: Re: Re: Re:

            Indeed. If you look at the CIA triad of information security-- confidentiality, integrity, and availability-- the Chinese government here is attacking both the confidentiality and the availability of the web searches. Depending on how it's blocking search results it may be affecting the integrity as well. If the Chinese government is open about blocking searches (e.g., "This is an illegal search term and we are blocking the results") then I would say the integrity is still intact. If they try to make it look like Google has no information on the topic (e.g., "no search results") and try to disguise the fact that they are blocking the results, however, that would be an attack on the integrity of the communications as well.


    • Anonymous Coward, 10 Sep 2014 @ 6:19am

      Re:

      Now, now. If comment spammers were shut down then you'd be out of a job.


    • Anonymous Coward, 10 Sep 2014 @ 7:59am

      Re:

      SSH hackers? Because I use an SSH tunnel to connect to my own private server, which I pay for in a remote country, to create a SOCKS5 proxy on localhost:8080, I'm a hacker!

      Man so 1337


    • John Fenderson (profile), 10 Sep 2014 @ 8:09am

      Re:

      "The Chinese government isn't doing anything shocking or surprising here."

      Surprising? No. Shocking? Yes.


  • Anonymous Coward, 10 Sep 2014 @ 9:18am

    I can't believe a country with such a large population and so much repression hasn't had any major uprising recently. China makes me sad, because it's living proof that large populations of humans are willing to accept living their lives under a repressive hell.

    If I had to choose living a life of hell under repression, or a short life fighting for freedom, I'd choose a short life under freedom. I guess most people don't feel that way, which leaves me to wonder what kind of future humanity has in store for itself.


