EFF: Wider Use of HTTPS Could Have Prevented Attack Against GitHub

itwbennett writes: The attack against GitHub was enabled by someone tampering with regular website traffic to unrelated Chinese websites, all of which used a JavaScript analytics and advertising related tool from Baidu. Somewhere on China's network perimeter, that analytics code was swapped out for code that transparently sent data traffic to GitHub. The reason GitHub's adversaries were able to swap out the code is because many of the Chinese websites weren't encrypting their traffic.

  • by JustinKSU ( 517405 ) on Thursday April 02, 2015 @10:15AM (#49391679)
    duh. better security == better security.
  • by Anonymous Coward

    You cannot tamper with the contents of a HTTPS stream.

    But don't be under the illusion that that actually provides security, after all, if you can't MITM, you just need to poison the watering hole.

    • by krept ( 697623 )
      I didn't get your comment until further down... HTTPS does provide security, it just doesn't guarantee it. Especially where China could probably install any client they want on many many computers.
      • by gl4ss ( 559668 )

        ah but the dos wasn't coming from china.

        instead, it was coming from any browser in the world that fetched a page (or rather, piece of tracking javascript code from baidu) _in_ china. they still would have only had to mitm the baidu.

        and they probably already were sitting on the pipe to baidu or were able to divert the traffic. that's why people are saying that it's the state, because either it's the state OR baidu's internet tap is hacked.

  • How will HTTPS help in this situation? The Great Firewall could just as easily act as a MITM attack and still do the exact same attack? Are we even sure it was the firewall and not Baidu themselves?

    • by smooc ( 59753 )

      I understood that part of the attack also happened from international visitors to Baidu. Would a MITM of the Great Firewall still have worked then or would it at least have been partially mitigated?

    • by Anonymous Coward

      because you'd have to accept the certificates. But you're correct it's unlikely that it would have helped much as we know that governments are able to generate arbitrary certificates (with preaccepted CAs).

      That said I believe DNSSEC does help this (If I recall correctly part of DNSSEC is creating TCP connections with SSL using the DNS signed certificate, but I could be thinking of a different extension).

    • by Anonymous Coward

      Agreed. And in fact one guy narrowed down the source of the packet injection to the Great Firewall (China Unicom): Pin-pointing China's attack against GitHub [erratasec.com].

    • Re:HTTPS? (Score:5, Informative)

      by IamTheRealMike ( 537420 ) on Thursday April 02, 2015 @10:40AM (#49391819)

      The Great Firewall could just as easily act as a MITM attack

      This must be a new use of the phrase "just as easily" that I haven't encountered before.

      Line rate DPI is already expensive and slow. The Great Firewall has in the past routinely suffered from weird hotspots or outages at peak times where banned keywords were not always being spotted.

      The injection technique that the GFW was using in this instance is very simple: on spotting a particular byte pattern in the packet stream, write three (probably pre-formatted) packets into a network port, sit back, see what happens. There were always exactly three packets and attempting to get normal behaviour out of the MITM TCP stack didn't work, meaning there probably is no stack.

      Now throw "completely intercept the TCP handshake and redo it, then perform an SSL handshake on the client end, then perform ANOTHER connection to the Baidu server, then obtain a fake cert without tipping off the western browser/OS makers whose browsers you are trying to hack, THEN decrypt massive amounts of traffic (basically all traffic to the intended host) at line rate" .... yeah good luck. It can theoretically be done but it'd require entire datacenters of machines doing nothing but decrypting and re-encrypting Baidu.

      Then remember that this attack works by converting Chinese people abroad into a botnet. So the moment the Chinese fake cert is detected it would be revoked immediately. Attack over.

      No way. It will never happen. If China wants to convert Baidu users into a weapon then it is MUCH simpler for them to simply ...... put a gun to the CEO's head and say "you're inserting our js into your code whether you like it or not". That way Baidu pays all the costs of serving their code and they don't need any large new infrastructure to do SSL MITM.

      • Re:HTTPS? (Score:5, Insightful)

        by Coren22 ( 1625475 ) on Thursday April 02, 2015 @11:00AM (#49391945) Journal

        This is China we are talking about. They just ask Baidu to give them a copy of the SSL cert. I administer devices that are 1U and can act as a MITM at 10Gbit speeds, they are called load balancers. How hard would it be to reprogram a load balancer to also insert a script? Not very.

        Frankly, it would be just as easy to make Baidu serve up the script for them, or even hack the Baidu servers to add the "malicious" script themselves. This is a government, they have the power.

        • Frankly, it would be just as easy to make Baidu serve up the script for them

          Yes. That's exactly what I said in the last paragraph. Did you read the post all the way to the end?

          Obviously China can build the equipment needed to do a massive MITM attack on Baidu. But it would be a big step up from what they're currently doing, cost wise. So it makes little sense for them to do that, given they'd need to coerce the private keys out of Baidu anyway. At that point they may as well just re-use Baidu's existing eq

      • by orasio ( 188021 )

        There's also another bit that I fail to understand.

        If the Chinese Firewall guys wanted to DoS github, they could just do it. Playing synthetic traffic against github, for example.
        Instead, we say that they hijacked their users computers, so they could generate traffic that in the end would have to go through the firewall.

        From the firewall point of view, that wouldn't be a DDoS, because the attacker is always them, no distribution happens. It doesn't make sense, and it's a lot more work than just doing the Do

    • HTTPS (SSL) alone will not stop attacks like this where any registrar trusted by the browser can issue certificates for any site that they want to.

      HTTPS combined with DNSSEC + DANE would stop attacks like this. Because now the domain owner can say a few things:

      - This is the only CA allowed to issue certificates for my domain
      - My certificate is X, and not anything else

      In short - admins need to put pressure on their DNS providers to provide DNSSEC for their domain records, after which DANE can be used.
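
Worked illustration of the TLSA pinning the post above describes (an added example, not code from the post or from any project): it pulls the SubjectPublicKeyInfo out of a DER certificate, computes the association data a "3 1 1" TLSA record would carry, and checks a presented certificate against it, so a certificate for the same name issued by some other trusted CA fails the check even though a browser alone would accept it. The two certificates are constructed minimal DER structures in X.509 field order, not real signed certificates, and DNSSEC validation of the TLSA record itself is assumed to have already happened.

```python
import hashlib
import hmac

def der(tag, payload):
    """Encode one short-form DER element (payload under 128 bytes)."""
    return bytes([tag, len(payload)]) + payload

def der_header(data, off=0):
    """Parse tag and length at off; return (tag, value_start, value_end)."""
    tag, length, pos = data[off], data[off + 1], off + 2
    if length & 0x80:  # long-form length, used by any real certificate
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(elem):
    """Yield (tag, encoded_child) for each element inside a constructed DER element."""
    _, off, end = der_header(elem)
    while off < end:
        tag, _, nxt = der_header(elem, off)
        yield tag, elem[off:nxt]
        off = nxt

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    fields = list(der_children(next(der_children(cert_der))[1]))  # tbsCertificate
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][1]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_data(cert_der, selector, matching_type):
    """Association data: selector 0 = full cert, 1 = SPKI; mtype 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    blob = cert_der if selector == 0 else spki_from_cert(cert_der)
    return blob if matching_type == 0 else (hashlib.sha256 if matching_type == 1 else hashlib.sha512)(blob).digest()

def tlsa_matches(record, cert_der):
    """True if a presented certificate satisfies a (usage, selector, mtype, data) TLSA record."""
    _usage, selector, matching_type, assoc = record  # usage 3 = DANE-EE: trust only this key/cert
    return hmac.compare_digest(tlsa_data(cert_der, selector, matching_type), assoc)

def build_cert(key_bytes):
    """Constructed minimal DER in X.509 field order; not a real, signed certificate."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256 OID
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) + der(0x03, b"\x00" + key_bytes))
    validity = der(0x30, der(0x17, b"150402000000Z") + der(0x17, b"160402000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(4)))

SITE_CERT = build_cert(b"\x04" + bytes(8))  # constructed: the domain owner's key
ROGUE_CERT = build_cert(b"\x04" + bytes([0xAB] * 8))  # constructed: same name, issued elsewhere with another key
PINNED = (3, 1, 1, hashlib.sha256(spki_from_cert(SITE_CERT)).digest())  # the TLSA "3 1 1" record
```

The same routine accepts a real DER certificate (as produced by `ssl.DER_cert_to_PEM_cert`'s inverse or read from disk), since the header parser handles long-form lengths.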
  • EFF Link (Score:5, Informative)

    by gQuigs ( 913879 ) on Thursday April 02, 2015 @10:20AM (#49391711) Homepage
  • As if ... (Score:4, Insightful)

    by gstoddart ( 321705 ) on Thursday April 02, 2015 @10:27AM (#49391749) Homepage

    So basically if China allowed HTTPS a non-Chinese server wouldn't have been DDoS'd.

    Like China will give a crap about that.

  • Fake certificate... (Score:5, Interesting)

    by zoffdino ( 848658 ) on Thursday April 02, 2015 @10:31AM (#49391783)
    Can HTTPS help when even the certificate is faked? I can barely hold any trust about anything from China these days.
    • by Anonymous Coward

      It can if you've explicitly distrusted all known CA root certificates known to be associated with China's current regime, like CNNIC. Which I'd highly recommend doing.

  • ...for web sites that are https-capable to start refusing all non-https connections. That might go a long way to ensuring the ubiquity of https...

  • Sounds like it's time for DANE, http://en.wikipedia.org/wiki/D... [wikipedia.org]. SSL certificates via DNS

    • by tepples ( 727027 )

      Good luck getting last mile ISPs and domain registrars to offer reliable DNSSEC resolution.

      • The registrar choice is up to you. Just choose one that offers DNSSEC.

        The ISP part is harder, but if applications stopped using their DNS when DNSSEC is not available, they would adopt it in a heartbeat.

        • by tepples ( 727027 )

          if applications stopped using their DNS when DNSSEC is not available

          Then ISPs would point the finger at application developers when the applications stopped working.

          • No need to make your applications stop working. Just try the default DNS, and if it fails use another server. Also, cache the failure during the session, so the ISP will lose your metadata.

            • by tepples ( 727027 )

              Just try the default DNS, and if it fails use another server.

              Which would require the application to hardcode the IP address of a recursive DNSSEC server. Who would operate this server? Would 8.8.4.4 and 8.8.8.8 [google.com] be appropriate, or ought this to be the job of the publisher of each individual application?

              • Yes, one would have to hard-code it. It's up to the developer to decide what server to hard-code, obviously. Context will tell what's more appropriate, but I'd guess most big projects would use their own servers.
