
China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 20:37 UTC (Wed) by kjp (subscriber, #39639)
In reply to: China, GitHub and the man-in-the-middle (Greatfire) by intgr
Parent article: China, GitHub and the man-in-the-middle (Greatfire)

The article doesn't share your optimism:

> No browser would prevent the authorities from using their ultimate tool though: certificates signed by the China Internet Network Information Center. CNNIC is controlled by the government through the Ministry of Industry and Information Technology. They are recognized by all major browsers as a trusted Certificate Authority. If they sign a fake certificate used in a man-in-the-middle attack, no browser will warn of any unusual activity.


China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 21:04 UTC (Wed) by raven667 (subscriber, #5198) [Link]

That's not entirely true. Some browsers, such as Chrome, do support pinning: they ship with signatures for some keys in the software and will flag it if they don't see the expected key when going to, for example, www.google.com.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 0:05 UTC (Thu) by robert_s (subscriber, #42402) [Link]

Right, but you can't exactly argue that such a scheme is truly scalable, can you?

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 16:32 UTC (Thu) by raven667 (subscriber, #5198) [Link]

Well, SSH-style key pinning is scalable, but it is dependent on the first interaction being clean, which may not be the case in a network with pervasive SSL proxying. Pre-loaded key lists, assuming they haven't been tampered with, can flag for major sites that can be listed, but in both cases most users are just going to click through any warnings to get to where they want to go.

The benefit is that the one user who actually pays attention can trivially demonstrate that the MITM is going on and sound the alarm.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 9:36 UTC (Fri) by job (guest, #670) [Link]

It's not, but it goes a long way from nothing. Github is probably large and important enough (certainly after this) that the Chromium devs could ship with their certificate pinned, as they do for Tor and Twitter. By protecting the large web sites, any blanket MITM would also be discovered. If you are a developer and have access to out-of-band communications, perhaps it is worthwhile manually pinning the sites important to you.
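The two pinning models raven667 contrasts above (SSH-style trust-on-first-use versus a pre-loaded pin list) and the manual pinning job suggests can be made concrete in a few lines. The following is an added illustration, not code from LWN, from the Greatfire article, or from any browser's pinning implementation. It uses the pin format later standardised in RFC 7469 (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo); the `GENUINE_SPKI` and `MITM_SPKI` byte strings are constructed stand-ins rather than real keys, and the host names, `PinStore` class and verdict strings are my own choices.

```python
"""Public-key pinning in the two flavours discussed in the thread.

Added example. Pins follow RFC 7469: base64(SHA-256(SubjectPublicKeyInfo DER)).
The SPKI values below are constructed placeholders, not real certificates.
"""
import base64
import hashlib
from typing import Dict, Optional, Set

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
GENUINE_SPKI = b"\x30\x59\x30\x13CONSTRUCTED-GENUINE-GITHUB-KEY"
MITM_SPKI = b"\x30\x59\x30\x13CONSTRUCTED-INTERPOSED-PROXY-KEY"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value for a DER SubjectPublicKeyInfo (44-char base64)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PinStore:
    """Checks a presented key against two pin sources.

    preloaded: pins shipped with the client (the Chrome-style list);
               consulted first and never learned from the network.
    tofu:      SSH-style store that remembers the first key seen per host;
               only used for hosts absent from the preloaded list.
    """

    def __init__(self, preloaded: Optional[Dict[str, Set[str]]] = None):
        self.preloaded: Dict[str, Set[str]] = preloaded or {}
        self.tofu: Dict[str, str] = {}

    def check(self, host: str, spki_der: bytes) -> str:
        pin = spki_pin(spki_der)
        if host in self.preloaded:
            # A shipped pin cannot be poisoned by the first connection.
            return "ok" if pin in self.preloaded[host] else "MISMATCH_PRELOADED"
        known = self.tofu.get(host)
        if known is None:
            # Trust-on-first-use: whatever key is seen first becomes the pin,
            # so a proxy already in place on first contact is accepted.
            self.tofu[host] = pin
            return "first_use_recorded"
        return "ok" if pin == known else "MISMATCH_TOFU"

    def pin_manually(self, host: str, spki_der: bytes) -> None:
        """Out-of-band pinning: record a key obtained through a trusted channel."""
        self.preloaded.setdefault(host, set()).add(spki_pin(spki_der))


def demo() -> Dict[str, str]:
    """Run the scenarios from the thread and return each verdict."""
    results: Dict[str, str] = {}

    # 1. Preloaded list: the proxy's key is flagged even on first contact.
    shipped = PinStore(preloaded={"github.com": {spki_pin(GENUINE_SPKI)}})
    results["preloaded_first_contact_mitm"] = shipped.check("github.com", MITM_SPKI)
    results["preloaded_genuine"] = shipped.check("github.com", GENUINE_SPKI)

    # 2. TOFU on a network where the very first connection is already proxied:
    #    the interposed key is silently recorded, and the real key later looks
    #    like the attack.
    proxied_first = PinStore()
    results["tofu_first_contact_mitm"] = proxied_first.check("github.com", MITM_SPKI)
    results["tofu_then_genuine"] = proxied_first.check("github.com", GENUINE_SPKI)

    # 3. TOFU with a clean first interaction: a later proxy is detected.
    clean_first = PinStore()
    results["tofu_clean_first"] = clean_first.check("github.com", GENUINE_SPKI)
    results["tofu_then_mitm"] = clean_first.check("github.com", MITM_SPKI)

    # 4. Manual pinning of a site the user cares about, key obtained out of band.
    manual = PinStore()
    manual.pin_manually("example.test", GENUINE_SPKI)
    results["manual_pin_mitm"] = manual.check("example.test", MITM_SPKI)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

Scenario 2 is the failure mode raven667 describes: the TOFU store cannot tell a proxied first connection from a legitimate one, and once the proxy's key is recorded, the genuine key is what triggers the warning. Scenarios 1 and 4 show why a shipped or out-of-band pin does not have that dependency.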

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 21:53 UTC (Wed) by intgr (subscriber, #39733) [Link]

No, such abuse wouldn't last long and China knows it.

You clearly missed this bit in TFA:

> The attack would be detectable by manually reviewing the SSL certificate. While the vast majority of users would not do this, one single report on such an attack would create a huge international scandal that might lead to major browsers removing their trust of CNNIC. So the authorities will likely avoid using this tool, unless they feel it’s absolutely necessary.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 23:17 UTC (Wed) by Fowl (subscriber, #65667) [Link]

> ...such an attack would create a huge international scandal that might lead to major browsers removing their trust of CNNIC

We can hope. Sometimes the outrage never comes, unfortunately.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 21:50 UTC (Thu) by bojan (subscriber, #14302) [Link]

Isn't the real fix to drop CNNIC from the trusted certificate authority list then?

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 9:45 UTC (Fri) by job (guest, #670) [Link]

Drop CAs _before_ they misbehave?

I'm sure the required future prediction powers could be put to better use.


Copyright © 2017, Eklektix, Inc.