Another Reason To Deploy Encryption Widely: Spiking China's 'Great Cannon' Attack

from the reasons-to-be-crypto dept

A couple of weeks ago, Mike provided an in-depth analysis of China's new tactic in its longstanding efforts to restrict access by its population to material that challenges the official narrative. This powerful DDoS attack has now been dubbed "China's Great Cannon" by researchers in a fascinating analysis published by The Citizen Lab. As Mike pointed out, one reason why this new approach has been developed is that it is not possible to block individual URLs when HTTPS traffic is involved. Thus, ironically, the increased use of encryption -- which is meant to protect users online -- led to the development of a powerful new digital weapon that potentially makes them not just victims, but even part of the attack. However, encryption is also a remedy, as The Citizen Lab researchers write:
Our findings in China add another documented case to at least two other known instances of governments tampering with unencrypted Internet traffic to control information or launch attacks -- the other two being the use of QUANTUM by the US NSA and UK’s GCHQ. In addition, product literature from two companies, FinFisher and Hacking Team, indicate that they sell similar "attack from the Internet" tools to governments around the world. These latest findings emphasize the urgency of replacing legacy web protocols, like HTTP, with their cryptographically strong versions, like HTTPS.
However, the remedy is only partial. Writing on his blog, Brian Krebs quotes Bill Marczak, one of the lead authors of the Great Cannon report, as saying:
Relying on an always-on encryption strategy is not a foolproof counter to this attack, because plug-ins like https-everywhere will still serve regular unencrypted content when Web sites refuse to or don't offer the same content over an encrypted connection. What's more, many Web sites draw content from a variety of sources online, meaning that the Great Cannon attack could succeed merely by drawing on resources provided by online ad networks that serve ads on a variety of Web sites from a dizzying array of sources. "Some of the scripts being injected in this attack are from online ad networks," Marczak said. "But certainly this kind of attack suggests a far more aggressive use of https where available."
This confirms that encryption is no panacea, but is certainly worth deploying. The fact that it can make China's Great Cannon attacks harder, if not impossible, should also give pause to government officials around the world as they try to demonize encryption and call for it to be weakened or even banned.
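Marczak's caveat about content drawn from other sources can be checked for on any page: every sub-resource fetched over plain HTTP is a point where an on-path system can substitute its own content. The sketch below is an added example, not code from the article or from The Citizen Lab report; the tag lists, the sample page and all hostnames are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose fetched content executes or restyles the page (active) vs. is only shown (passive).
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class SubresourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(ACTIVE.get(tag) or PASSIVE.get(tag))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Resolve relative and protocol-relative ("//host/x") URLs as a browser would.
        url = urljoin(self.page_url, value.strip())
        if urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, url))


def audit(page_url, html):
    """Return the sub-resources of `html` that would be fetched without TLS."""
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; every hostname is a placeholder.
SAMPLE = """<html><head>
<script src="http://ads.example.net/show.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<link rel="stylesheet" href="/site.css">
</head><body>
<img src="http://img.example.net/banner.png">
<script src="https://static.example.com/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for page in ("https://news.example.com/", "http://news.example.com/"):
        print(page, audit(page, SAMPLE))
```

Served over HTTPS, the sample page still exposes the ad script and the banner image; served over HTTP, the protocol-relative script and the relative stylesheet become exposed as well.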

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: ddos, encryption, great cannon, great firewall, https


Reader Comments



  • Anonymous Coward, 14 Apr 2015 @ 2:42am

    Great Cannon

    I dunno. Maybe something got lost in the translation, but I think naming it The Grand Cannon would sound better than The Great Cannon.

    It doesn't make it any less ominous, but it does have a nicer ring to it!

    • Call me Al, 14 Apr 2015 @ 3:14am

      Re: Great Cannon

      It is continuing the naming form for Chinese things.

      "The Great Wall" leads to "The Great Firewall" which then leads to "The Great Cannon".

      • Anonymous Coward, 14 Apr 2015 @ 3:22am

        Re: Re: Great Cannon

        Doh! I certainly feel dumb and embarrassed now!

        Thank you for the insight and now I think it's time for me to get some coffee and wake up this lame brain of mine!

      • John Fenderson, 14 Apr 2015 @ 12:53pm

        Re: Re: Great Cannon

        To my ears, the name has multiple levels of meaning. One is what you just said here. The other is that I take it as a sly reference to the Low Orbit Ion Cannon that it resembles.

    • M. Alan Thomas II, 14 Apr 2015 @ 10:19pm

      Re: Great Cannon

      The Grand Cannon series (I through V) were strategic weapons in the Macross universe. /geek

  • Rich Kulawiec, 14 Apr 2015 @ 2:47am

    Yet another reason to block/blacklist/firewall advertising

    "Some of the scripts being injected in this attack are from online ad networks"

    Of course they are, since the worthless morons running those ad networks have failed, for YEARS, to make even token efforts to ensure the security and integrity of the content they're serving. (They're much too busy spying and invading privacy.) As a result, ad networks are knives held to the throats of Internet users and should be blocked, blacklisted and firewalled whenever and wherever possible.

  • frank87, 14 Apr 2015 @ 2:52am

  • Anonymous Coward, 14 Apr 2015 @ 3:24am

    Except China will 'simply' ban/MitM encryption which they can feasibly do.

  • Yes, I know I'm commenting anonymously, 14 Apr 2015 @ 3:58am

    HTTPS everywhere

    It should help greatly if tools like HTTPS everywhere remembered which sites they can connect to with the encrypted protocol (store that info locally). Then (optionally) prompt the user what to do when it cannot connect securely to one of these.
    There are similar plugins for scripts and 3rd party content that allow the user control without having to spend too much time on these settings.

  • Richard, 14 Apr 2015 @ 6:54am

    Do you really think other governments are on our side?

    This confirms that encryption is no panacea, but is certainly worth deploying. The fact that it can make China's Great Cannon attacks harder, if not impossible, should also give pause to government officials around the world as they try to demonize encryption and call for it to be weakened or even banned.

    Most officials of most governments are cheering China on under their breath. It is only in public that China is condemned. In private they have the same agenda. It is just the remaining barriers of free speech and democracy that stop them saying so publicly.

  • Anonymous Coward, 14 Apr 2015 @ 8:14am

    But think of the children, Glyn!

  • Anonymous Coward, 14 Apr 2015 @ 9:39am

    Switching to HTTPS might work, unless FBI director James Comey demands a frontdoor into HTTPS too.

    • John Fenderson, 14 Apr 2015 @ 9:51am

      Re:

      Since the feds insist that the backdoor they want isn't a backdoor, and it's clearly not a front door either, I would like to appease them by coining a new word for it.

      It's a frackdoor.

  • terry, 14 Apr 2015 @ 12:49pm

    When will a billion Chinese let their government know they have had enough of being the target of the likes of The "Great Cannon"?

  • Padpaw, 14 Apr 2015 @ 10:09pm

    combatting tyranny home or abroad

  • M. Alan Thomas II, 14 Apr 2015 @ 10:22pm

    It will also spike Comcast's ability to inject popups into people's browsing in the event of detecting network-utilizing malware / copyright strikes.

  • GEMont, 15 Apr 2015 @ 12:40pm

    And now for something completely different...

    Sometimes, you just have to love how reality works.

    On the one hand, we have the Spy Agencies and Corporations of America doing their criminal best to destroy encryption and weaken security world wide, just so they can read everyone's communications and use the information for blackmail, crowd control and advertising.

    The American public, utterly deprived of a voice in this matter - and most other matters as well - can do nothing to stop the runaway USG and the MAFIA run American Fascist Billionaire Club from doing whatever they damn well please, because the new secret interpretations of the old laws and the constitution, as well as the newly established corporate exploitation and public surveillance laws of the land of the free, allow both the USG and the Mob to do as they please, legally.

    And then along comes China - the most backwards-leading country on earth, desperately trying to destroy the influence of western culture, which they believe is making profit difficult for their own billionaires - oops - I meant that they believe is turning their own peasants into freedom fighters.... er... I mean that they think is ruining the moral fiber of the Honorable Chinese People.... and the Chinese Government is doing everything it can to utilize US technology and the USG built backdoor insecurity system to prove to the US public that Obama's threat of Cyber Terrorists attacking US systems is real, but really just showing the US public how insecure their communications has become under the control of Corporate America and the USG's Spy apparatus.

    It's like a poorly written soap opera, using B-grade actors, in which the writers never bothered to even consider adding a good guy hero to save the day and with the Mob inserting a three minute commercial every three minutes, selling shit as new and improved shinola.

    Yep. Civilization. Adulthood. Honor. Honesty. Morality. Truth. You've really got to love those popular human myths we keep bragging about having. Too bad they're not really available any more - except as ideals - in the Land of the Unfree.

  • Anonymous Coward, 15 Apr 2015 @ 12:44pm

    Nah encryption is only for terrorists, pirates, and pedophiles.
