[liberationtech] Man-in-the-middle attack on GitHub in China

Martin Johnson greatfire at greatfire.org
Tue Jan 29 22:37:44 PST 2013


Thanks Tom. Good comments too. My replies:

1. I think 9,000 is not so bad. Distributing the campaign in China is made
difficult, for example, by censorship on Sina Weibo. Keywords such as gfw
and 防火长城 are blocked, and
https://freeweibo.com/weibo/%E7%99%BD%E5%AE%AB?source=cmp_p shows that Sina
has deleted messages describing the petition. Also, to sign the petition
you have to sign up for an account with an email address and a name. Even
though you could provide a fake name, signing what is in effect an
anti-government list would make a lot of people think twice.

2. Yes, the GFW can and does block and throttle HTTPS connections, for
example to GMail. What I find most interesting are the HTTPS sites that
they seemingly don't dare to block - like GMail, and now GitHub. These
services are serving as the most secure platforms for online discussion.

On the point of trying to slowly convince people to switch to other
platforms, I'm sure the authorities want to see that happen, but I'm not
sure it's working. I don't have any statistics, but in my personal
experience people are not switching away from, for example, GMail because
it's unstable. I do think it does prevent new users from signing up in the
first place though.

Martin Johnson
Founder
https://GreatFire.org - Monitoring Online Censorship In China.
https://FreeWeibo.com - Uncensored, Anonymous Sina Weibo Search.
https://Unblock.cn.com - We Can Unblock Your Website In China.


On Wed, Jan 30, 2013 at 1:04 PM, x z <xhzhang at gmail.com> wrote:

> This is a great piece Martin! Thanks for the thorough analysis,
> explanation and documentation.
>
> I have two comments:
>
> 1. It is a bit sad that the petition "People who help internet
> censorship, builders of Great Firewall in China for example, should be
> denied entry to the U.S."
> <https://petitions.whitehouse.gov/petition/people-who-help-internet-censorship-builders-great-firewall-china-example-should-be-denied-entry-us/5bzJkjCL>
> only got 9,024 signatures after 6 days. Yes, the petition is merely
> symbolic, but it *is* symbolic. I do hope significantly more people can
> sign it, otherwise, the GFW operators and Chinese authority can laugh their
> way home, "see, so few people care!". I hope activists on this mailing list
> can help spread the word; 26 days remaining.
>
> 2. Even though HTTPS traffic is nontrivial to tackle, GFW has a much
> simpler solution for it. GFW can deteriorate the user experience of HTTPS
> websites, e.g. injecting random resets to HTTPS connections. People can
> still use the site, but it becomes slow and unstable, and gradually more and
> more will switch away to use domestic replacements. It is a slow process,
> but can be a successful one.
>
> Cheers,
>
> Tom
>
> 2013/1/29 Martin Johnson <greatfire at greatfire.org>
>
>> At around 8pm, on January 26, reports appeared on Weibo and Twitter that
>> users in China trying to access GitHub.com were getting warning messages
>> about invalid SSL certificates. The evidence, listed further down in this
>> post, indicates that this was caused by a man-in-the-middle attack. Full
>> post at
>> https://en.greatfire.org/blog/2013/jan/china-github-and-man-middle
>>
>> One interesting conclusion is that support for HTTP Strict Transport
>> Security in Chrome and Firefox makes a real difference. If
>> man-in-the-middle attacks become more common in China, preventing users
>> from adding exceptions and making the warning messages informative is
>> crucial. We need to find ways to convince users to use browsers that
>> support these safety measures. Currently, around 50% of Internet users in
>> China use either the 360 so-called Safety Browser (which is a very ironic
>> name) or Internet Explorer 6 (yes, it lives on in China).
>>
>> Martin Johnson
>> Founder
>> https://GreatFire.org - Monitoring Online Censorship In China.
>> https://FreeWeibo.com - Uncensored, Anonymous Sina Weibo Search.
>> https://Unblock.cn.com - We Can Unblock Your Website In China.
>>