In a desperate bid to keep watch over HTTPS traffic, China has launched a man-in-the-middle (MITM) attack campaign targeting users of the China Education and Research Network (CERNET) who use Google for search.
Nonprofit anti-censorship group Greatfire.org reported that these attacks resemble those of January 2013, when developer site GitHub was hit by a MITM attack apparently sanctioned by Beijing.
Chinese internet users cannot reach blocked foreign websites, but this censorship has not applied to users of CERNET. The attack drew attention when CERNET users reported on social media that they were getting invalid SSL certificate warnings whenever they visited Google.
Greatfire.org wrote on its blog that the current Chinese administration is trying to control the media on every front. Since outright blocking Google on CERNET would likely provoke an angry backlash from students, researchers and educators across the country, Greatfire argues, the government opted for a MITM attack instead.
A MITM attack lets researchers and students keep using Google while the government intercepts their search queries and results. Greatfire said it reached this conclusion with expert advice from Netresec, a network security company that analyzed the MITM attacks on GitHub.
In March 2014, Google enforced HTTPS for search, so that all queries between users and Google are encrypted and a third party on the path cannot see the search string or the results. The Great Firewall therefore cannot see what is being sent or received and cannot block individual Google searches, so the authorities blocked Google outright. On CERNET, however, it kept working.
The Chinese government knows that progress in research and development depends on researchers having a wealth of information at hand, which in practice means access to a good search engine. Where censorship is concerned, it has always gone easy on CERNET.
Until last month, CERNET users could reach Google freely for research purposes. That has now changed: users are presented with a certificate warning page when they try to search.
The devices carrying out the attack are probably injecting packets near CERNET's outer border, where it peers with external networks. Netresec said it is difficult to determine exactly how the attack was carried out, but that DNS spoofing was not involved.
IP hijacking may have been involved, either through BGP prefix hijacking or packet injection. Since DNS was not tampered with, users were resolving Google's real addresses, so the interception has to happen on the path itself. Whichever method was used, the attackers are clearly able to intercept traffic bound for Google.
Greatfire advised CERNET users not to click through the certificate warning, since the attackers could capture their Google credentials and from there gain access to their email accounts. It also advised using Chrome or Firefox, which ship with Google's certificate keys pinned and therefore will not let users click through the warning at all. Users can also search via Greatfire's Google mirror, which more than a million people have used to reach information blocked in China.
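Why a browser with pinned Google keys refuses the click-through: the following is an added example, not code from Greatfire, Netresec or the article, of a SubjectPublicKeyInfo (SPKI) pin check in Python using only the standard library. The two certificates it checks are constructed, structurally minimal DER certificates produced by a small encoder in the script, not real Google certificates; the "legitimate" and "attacker" public keys are arbitrary byte strings, and the pinned hash is computed from the constructed legitimate certificate rather than taken from any real pin list.

```python
"""SPKI pinning check: why a browser that pins Google's keys rejects a
substituted certificate even if that certificate would otherwise validate.

Added example; standard library only. The certificates are CONSTRUCTED
minimal DER structures built below, not real Google certificates."""
import base64
import hashlib

SEQUENCE, INTEGER, BIT_STRING, NULL, OID, UTCTIME = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17
VERSION_TAG = 0xA0  # [0] EXPLICIT version inside tbsCertificate


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def fake_certificate(public_key: bytes) -> bytes:
    """CONSTRUCTED stand-in for an X.509 certificate: RFC 5280 field order,
    dummy names and signature. Only the layout and the key bytes matter."""
    sha256_rsa = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")) + der_tlv(NULL, b""))
    empty_name = der_tlv(SEQUENCE, b"")
    validity = der_tlv(SEQUENCE, der_tlv(UTCTIME, b"140901000000Z") + der_tlv(UTCTIME, b"150901000000Z"))
    spki = der_tlv(SEQUENCE, sha256_rsa + der_tlv(BIT_STRING, b"\x00" + public_key))
    tbs = der_tlv(SEQUENCE,
                  der_tlv(VERSION_TAG, der_tlv(INTEGER, b"\x02"))  # version v3
                  + der_tlv(INTEGER, b"\x01")                      # serialNumber
                  + sha256_rsa + empty_name + validity + empty_name + spki)
    return der_tlv(SEQUENCE, tbs + sha256_rsa + der_tlv(BIT_STRING, b"\x00" + b"\xaa" * 8))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body_start, body_end) for the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next (first & 0x7f) bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, body_start, body_end) for each element of a constructed body."""
    pos = start
    while pos < end:
        tag, bs, be = read_tlv(buf, pos)
        yield tag, pos, bs, be
        pos = be


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER of subjectPublicKeyInfo. Order inside tbsCertificate:
    [0] version (optional), serialNumber, signature, issuer, validity, subject, SPKI."""
    tag, cert_start, cert_end = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    tbs_tag, _, tbs_start, tbs_end = next(children(cert_der, cert_start, cert_end))
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate missing")
    fields = list(children(cert_der, tbs_start, tbs_end))
    if fields and fields[0][0] == VERSION_TAG:
        fields = fields[1:]               # version is optional; skip it when present
    _, spki_start, _, spki_end = fields[5]
    return cert_der[spki_start:spki_end]


def spki_pin(cert_der: bytes) -> str:
    """sha256/base64 of the SPKI, the form used by HPKP and by Chrome's preloaded pins."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_check(cert_der: bytes, pinned: set) -> bool:
    """True only if the presented leaf's SPKI hash is in the pinned set."""
    return spki_pin(cert_der) in pinned


# Constructed keys: the site operator's key, and the key of whoever sits in the middle.
LEGIT_KEY = bytes(range(1, 65))
MITM_KEY = bytes(range(64, 0, -1))
LEGIT_CERT = fake_certificate(LEGIT_KEY)
MITM_CERT = fake_certificate(MITM_KEY)
PINS = {spki_pin(LEGIT_CERT)}             # what a pinning browser would carry for the site

if __name__ == "__main__":
    print("legitimate cert accepted:", pin_check(LEGIT_CERT, PINS))
    print("substituted cert accepted:", pin_check(MITM_CERT, PINS))
```

The substituted certificate carries a different public key, so its SPKI hash is not in the pinned set and the check fails regardless of what name or issuer the certificate claims. Pinning matters most when a substituted certificate chains to a CA the browser trusts; in the CERNET case the certificate did not validate at all, which is what produced the warnings in the first place. Real pin sets also carry a backup pin and usually pin an intermediate or root key rather than only the leaf, so that legitimate key rotation does not lock users out.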
Chinese users have trouble reaching many Google-run sites, and some, such as YouTube, are blocked outright. Google pulled its search business out of mainland China in 2010, after the Operation Aurora APT attacks came to light.
Google sites were already hard to reach in China, but Beijing began blocking them far more aggressively in June this year, around the 25th anniversary of the Tiananmen Square massacre. Greatfire's Google mirror has helped people keep searching, but the main Google site remains restricted.
Chinese users do not seem happy with the state of online affairs, as a number of cases show. Recently a man named Wang Long sued China Unicom because the company does not let its users reach Google search. Wang wrote on his Weibo account that when the judge asked the company's lawyer whether users could normally access Google, the lawyer replied that he was not sure whether he was allowed to tell the court.
China Unicom was cleared of any blame; the case mainly confirmed that Google search cannot be reached in the country.
An anonymous cyber security expert told The Global Times that Wang Long had picked the wrong enemy. "It is Google that should be blamed, since it does not operate its business in China," he said. "I call on companies like Google or Twitter or Facebook to offer services in China and accept [proper supervision]."
As the Web moves to encryption by default, MITM attacks may well become the Chinese government's preferred option. As long as the attackers cannot present a certificate that users' browsers trust, however, the attack announces itself through exactly the certificate warnings CERNET users saw, which is why Greatfire's advice not to click through matters.