[liberationtech] Man-in-the-middle attack on GitHub in China

Matt Mackall mpm at selenic.com
Wed Jan 30 11:15:57 PST 2013


On Wed, 2013-01-30 at 09:55 -0800, x z wrote:
> @Nadim, I think breaking in a CA is a rather serious crime that GFW would
> refrain from committing;

Unlike, say, breaking into the Tibetan government-in-exile, Google and
hundreds of other companies?

But surely there is a registrar in China that the Chinese government can
simply "lean on", if not one that is directly controlled by the
government. The reason NOT to do a "real" SSL attack is that
compromised CAs get removed from browsers' CA databases, which means
you've just burned a valuable resource for a future attack.


What interests me most about this attack is that command-line tools like
git are much less prepared to deflect SSL attacks than a typical
browser. Projects like git, mercurial, wget, curl, countless mail
readers, and even Tor (!) don't have the resources and infrastructure to
maintain their own CA databases. Instead, they rely on, and lag behind,
the databases of projects like Mozilla. Most of these don't poll CRLs,
do pinning, or the other deeper defenses that browsers are moving to.

-- 
Mathematics is the supreme nostalgia of our time.
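The post's point that command-line clients generally do no pinning is easiest to see by looking at what a pin check actually is. The following is an added example, not code from the post or from any of the projects it names: it extracts the subjectPublicKeyInfo (SPKI) from a DER-encoded certificate, hashes it, and compares the result against a configured pin set, failing closed on any mismatch, on an empty pin set, or on a malformed certificate. Only the Python standard library is used; the certificate is a constructed, minimal DER structure built in the block itself (placeholder key and signature bytes, not a real certificate). In a real client the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)` after the normal CA-chain check, and the pin string has the same `base64(sha256(DER SPKI))` form that curl's `--pinnedpubkey sha256//...` option and HPKP use.

```python
import base64
import hashlib

SEQ, SET, INT, OID, NULL, BITSTR, UTF8, UTCTIME = 0x30, 0x31, 0x02, 0x06, 0x05, 0x03, 0x0C, 0x17
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"          # rsaEncryption
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # sha256WithRSAEncryption


# --- tiny DER encoder, used only to construct the sample certificate ---

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN
    return tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, b"\x55\x04\x03") + tlv(UTF8, cn.encode()))))


def build_cert(public_key_bytes):
    """Constructed X.509-shaped certificate; key and signature bytes are placeholders."""
    spki = tlv(SEQ, tlv(SEQ, tlv(OID, RSA_OID) + tlv(NULL, b""))
               + tlv(BITSTR, b"\x00" + public_key_bytes))
    sig_alg = tlv(SEQ, tlv(OID, SHA256_RSA_OID) + tlv(NULL, b""))
    tbs = tlv(SEQ,
              tlv(0xA0, tlv(INT, b"\x02"))                      # [0] version v3
              + tlv(INT, b"\x01")                               # serialNumber
              + sig_alg                                         # signature
              + name("Constructed Test CA")                     # issuer
              + tlv(SEQ, tlv(UTCTIME, b"230101000000Z")
                    + tlv(UTCTIME, b"330101000000Z"))           # validity
              + name("example.invalid")                         # subject
              + spki)                                           # subjectPublicKeyInfo
    return tlv(SEQ, tbs + sig_alg + tlv(BITSTR, b"\x00" * 17))  # placeholder signature


# --- the pin check itself: DER walk to the SPKI, hash, compare ---

def read_tlv(buf, off=0):
    """Decode one DER TLV at buf[off:]; return (tag, content, end_offset)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end


def extract_spki(cert_der):
    """Return the full subjectPublicKeyInfo TLV from a DER Certificate."""
    tag, cert, _ = read_tlv(cert_der)
    if tag != SEQ:
        raise ValueError("not a Certificate")
    tag, tbs, _ = read_tlv(cert)
    if tag != SEQ:
        raise ValueError("not a TBSCertificate")
    off = 0
    tag, _, end = read_tlv(tbs, off)
    if tag == 0xA0:            # optional explicit [0] version
        off = end
    for _ in range(5):         # serialNumber, signature, issuer, validity, subject
        _, _, off = read_tlv(tbs, off)
    tag, _, end = read_tlv(tbs, off)
    if tag != SEQ:
        raise ValueError("expected subjectPublicKeyInfo")
    return tbs[off:end]


def spki_pin(cert_der):
    """Pin string: base64 of SHA-256 over the DER SPKI (curl/HPKP sha256 form)."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def check_pin(cert_der, pins):
    """True only if the certificate's key matches a configured pin; fail closed otherwise."""
    if not pins:
        return False           # no pins configured means nothing is trusted
    try:
        return spki_pin(cert_der) in pins
    except (ValueError, IndexError):
        return False           # malformed certificate: reject rather than skip the check


if __name__ == "__main__":
    cert = build_cert(b"constructed-public-key-A")
    print("pin:", spki_pin(cert))
    print("matches own pin:", check_pin(cert, {spki_pin(cert)}))
    print("matches other pin:", check_pin(build_cert(b"constructed-public-key-B"), {spki_pin(cert)}))
```

Pinning the SPKI rather than the whole certificate is the usual choice: the operator can renew the certificate without breaking clients as long as the key is kept, while a certificate issued by a different (or compromised) CA for a different key is rejected even though it chains to a trusted root.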
