
China, GitHub and the man-in-the-middle (Greatfire)

The Greatfire.org site has a detailed analysis of a man-in-the-middle attack apparently directed against Chinese Github users. "It’s clear that a lot of software developers in China rely on GitHub for their code sharing. Completely cutting access affects big business. GitHub may just be too important to block. That leaves the authorities in a real pickle. They can’t selectively block content on GitHub nor monitor what users are doing there. They also cannot block the website altogether lest they hurt important Chinese companies. This is where man-in-the-middle attacks make their entrance. By faking SSL certificates, the authorities can indeed intercept and track traffic to encrypted websites."

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 14:53 UTC (Wed) by douglarek (guest, #87070) [Link]

A little sad~

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 17:03 UTC (Wed) by intgr (subscriber, #39733) [Link]

Actually I would say this is a success story of SSL - contrary to all the bad news we have heard about problems with the SSL protocol and certificate authorities.

Public services like GitHub are now enforcing SSL, making censorship more complicated and invasive. Unlike before, users in China are now explicitly alerted that their traffic is being intercepted. And users who successfully defeat the Great Firewall have an easy way to verify the fact.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 20:37 UTC (Wed) by kjp (subscriber, #39639) [Link]

The article doesn't share your optimism:

> No browser would prevent the authorities from using their ultimate tool though: certificates signed by the China Internet Network Information Center. CNNIC is controlled by the government through the Ministry of Industry and Information Technology. They are recognized by all major browsers as a trusted Certificate Authority. If they sign a fake certificate used in a man-in-the-middle attack, no browser will warn of any usual activity.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 21:04 UTC (Wed) by raven667 (subscriber, #5198) [Link]

That's not entirely true. Some browsers such as Chrome do support pinning and have signatures for some keys shipped with the software, and will flag it if it doesn't see the expected key when going to, for example, www.google.com.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 0:05 UTC (Thu) by robert_s (subscriber, #42402) [Link]

Right, but you can't exactly argue that such a scheme is truly scalable, can you?

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 16:32 UTC (Thu) by raven667 (subscriber, #5198) [Link]

Well SSH style key pinning is scalable but is dependent on the first interaction being clean, which may not be the case in a network with pervasive SSL proxying. Pre-loaded key lists, assuming they haven't been tampered with, can flag for major sites that can be listed but in both cases most users are just going to click through any warnings to get to where they want to go.

The benefit is that the one user who actually pays attention can trivially demonstrate that the MITM is going on and sound the alarm.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 9:36 UTC (Fri) by job (guest, #670) [Link]

It's not, but it goes a long way from nothing. Github is probably large and important enough (certainly after this) that the Chromium devs could ship with their certificate pinned, as they do for Tor and Twitter. By protecting the large web sites, any blanket MITM would also be discovered. If you are a developer and have access to out-of-band communications, perhaps it is worthwhile manually pinning the sites important to you.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 21:53 UTC (Wed) by intgr (subscriber, #39733) [Link]

No, such abuse wouldn't last long and China knows it.

You clearly missed this bit in TFA:

> The attack would be detectable by manually reviewing the SSL certificate. While the vast majority of users would not do this, one single report on such an attack would create a huge international scandal that might lead to major browsers removing their trust of CNNIC. So the authorities will likely avoid using this tool, unless they feel it’s absolutely necessary.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 23:17 UTC (Wed) by Fowl (subscriber, #65667) [Link]

> ...such an attack would create a huge international scandal that might lead to major browsers removing their trust of CNNIC

We can hope. Sometimes the outrage never comes, unfortunately.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 21:50 UTC (Thu) by bojan (subscriber, #14302) [Link]

Isn't the real fix to drop CNNIC from the trusted certificate authority list then?

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 9:45 UTC (Fri) by job (guest, #670) [Link]

Drop CAs _before_ they misbehave?

I'm sure the required future prediction powers could be put to better use.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 22:46 UTC (Wed) by avsej (guest, #72462) [Link]

They could choose to use the SSH protocol to interact with GitHub; it doesn't rely on SSL certificates.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 0:03 UTC (Thu) by robert_s (subscriber, #42402) [Link]

Yes, but it does that by more or less _ignoring_ the problem of key distribution (leaving the user to manually verify a host's fingerprint). SSL at least tries that by using a PKI (public key infrastructure) - however such things aren't always perfect, which is what the article is trying to point out.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 8:19 UTC (Thu) by pabs (subscriber, #43278) [Link]

There is a PKI for SSH too:

http://web.monkeysphere.info/

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 8:59 UTC (Fri) by job (guest, #670) [Link]

Any modern OpenSSH will look up SSHFP in DNS. Provided you turn on DNSSEC (and github actually publishes this), that's as good as it gets. The root key trustees are few and very closely guarded.
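As an added example (not code from this thread or from OpenSSH), the check that the SSHFP comment above and the earlier SSH-style key-pinning comment describe: deriving the SSHFP fingerprint from a host key as it appears in known_hosts and comparing it with what DNS publishes, so a proxy presenting its own host key fails the match. The host keys below are constructed placeholders, not GitHub's real keys, and the result is only as trustworthy as the DNSSEC validation of the records fed in.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255 / RFC 6594 / RFC 7479) and fingerprint types.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed SSH wire-format string."""
    return struct.pack(">I", len(data)) + data


def sshfp_rdata(keytype: str, key_b64: str, fptype: int = 2) -> str:
    """Derive SSHFP RDATA ("alg fptype hex") from a host key as stored in
    known_hosts; the hash covers the raw base64-decoded key blob."""
    blob = base64.b64decode(key_b64)
    # The blob starts with its own type string; refuse a mislabelled key.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != keytype:
        raise ValueError("key blob type does not match declared key type")
    digest = SSHFP_HASHES[fptype](blob).hexdigest()
    return f"{SSHFP_ALGORITHMS[keytype]} {fptype} {digest}"


def host_key_matches_dns(keytype: str, key_b64: str, sshfp_records: list) -> bool:
    """True if the key the server offered matches one of the (DNSSEC-validated)
    SSHFP records; an interception proxy's substitute key fails this check."""
    offered = {sshfp_rdata(keytype, key_b64, fptype) for fptype in SSHFP_HASHES}
    return any(r.strip().lower() in offered for r in sshfp_records)


# Constructed sample: a placeholder ed25519 host key (32 dummy bytes), not GitHub's.
_GENUINE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
GENUINE_KEY_B64 = base64.b64encode(_GENUINE_BLOB).decode()
# What the site operator would publish in DNS for that key (SHA-1 and SHA-256).
PUBLISHED_SSHFP = [sshfp_rdata("ssh-ed25519", GENUINE_KEY_B64, 1),
                   sshfp_rdata("ssh-ed25519", GENUINE_KEY_B64, 2)]
# The different key a man-in-the-middle proxy would present instead.
_PROXY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
PROXY_KEY_B64 = base64.b64encode(_PROXY_BLOB).decode()

if __name__ == "__main__":
    print("genuine key:", host_key_matches_dns("ssh-ed25519", GENUINE_KEY_B64, PUBLISHED_SSHFP))
    print("proxy key:  ", host_key_matches_dns("ssh-ed25519", PROXY_KEY_B64, PUBLISHED_SSHFP))
```

This is the comparison OpenSSH makes with VerifyHostKeyDNS enabled; without a validating resolver the records can be forged as easily as any other DNS answer.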

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 5, 2013 8:51 UTC (Tue) by Lennie (subscriber, #49641) [Link]

DNS in China? Really? That is the first thing they mess with. If you are behind the Chinese Firewall, DNSSEC isn't gonna work.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 14:15 UTC (Thu) by miekg (subscriber, #4403) [Link]

This is where DANE (RFC 6698) and DNSSEC can help. However, this can push the Chinese government into faking the complete DNS(SEC) tree...

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 17:36 UTC (Thu) by cesarb (subscriber, #6266) [Link]

> However, this can push the Chinese government into faking the complete DNS(SEC) tree...

Not possible, since the root DNSSEC key is distributed with the software. There is no warning dialog box a user can easily dismiss; the software simply returns SERVFAIL. And there is a single root DNSSEC key, which is out of their reach, unlike the SSL model which has several root keys.

The most they can do is block DNSSEC requests, forcing all DNS resolution to fail. Since the root is signed, if a DNSSEC validating resolver cannot validate the root, it will return SERVFAIL for all queries.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 22:05 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Of course the Chinese government _could_ require you (as a citizen, or if they were really wanting to make life difficult, a visitor) to use their software, with their version of the DNS root keys. That would be completely transparent, you'd know that you had the Chinese roots and therefore were seeing only the restricted Chinese Internet, but you wouldn't have any way of reliably escaping from this situation. To bootstrap you need DNSSEC keys for the legitimate root, and there's no reason the Chinese government would let you see those, or indeed even allow a search query looking for them.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 9:43 UTC (Fri) by job (guest, #670) [Link]

If the attacker requires you to use their special resolver software, you know what to expect. That could not get less transparent.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 11:06 UTC (Fri) by hummassa (subscriber, #307) [Link]

You choked me with your double (triple? quadruple?) negative. :-D

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds