SoylentNews is people

posted by martyb on Sunday April 12 2015, @09:49AM
from the with-great-power-comes... dept.

We had two Soylents send us news of a new tactic in state-sponsored attempts at silencing undesired content on the internet:

China Is Said to Use Powerful New Weapon to Censor Internet.

Late last month, China began flooding American websites with a barrage of Internet traffic in an apparent effort to take out services that allow China’s Internet users to view websites otherwise blocked in the country.

Initial security reports suggested that China had crippled the services by exploiting its own Internet filter — known as the Great Firewall — to redirect overwhelming amounts of traffic to its targets. Now, researchers at the University of California, Berkeley, and the University of Toronto say China did not use the Great Firewall after all, but rather a powerful new weapon that they are calling the Great Cannon.

The Great Cannon, the researchers said in a report published Friday ( https://citizenlab.org/2015/04/chinas-great-cannon/ ), allows China to intercept foreign web traffic as it flows to Chinese websites, inject malicious code and re-purpose the traffic as Beijing sees fit.

The system was used, they said, to intercept web and advertising traffic intended for Baidu — China’s biggest search engine company — and fire it at GitHub, a popular site for programmers, and GreatFire.org, a nonprofit that runs mirror images of sites that are blocked inside China. The attacks against the services continued on Thursday, the researchers said, even though both sites appeared to be operating normally.

http://www.nytimes.com/2015/04/11/technology/china-is-said-to-use-powerful-new-weapon-to-censor-internet.html

China's "Great Cannon" used to silence government critics

Citizen Lab, a Canadian human rights organization, published a report on what it calls the Great Cannon - a DDOS system that they say is deployed by the Chinese government. This system was allegedly used for the recent attack against GitHub.

We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the “Great Cannon.” The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.

The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of “bystander” systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA’s QUANTUM system, affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.

 
  • (Score: 3, Insightful) by maxwell demon on Sunday April 12 2015, @12:45PM

    Hmm ... this makes me think: Is there a way to specify which root certificates are to be trusted for which domain (possibly with a browser extension)? For example, I could check the certificate authority my bank uses, and then instruct the browser to not silently accept certificates from another certificate authority for my bank's web site, without actually deleting all other root certificates (which would make many other web sites inaccessible).

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 1, Interesting) by Anonymous Coward on Sunday April 12 2015, @02:44PM

    The problem with that is they then MITM you when you "check the certificate authority your bank uses." It's turtles all the way down.

    There is cert pinning which remembers the certificate between sessions and errors out if it changes. So as long as your first access to the site was not compromised you are OK until that cert expires. Cert pinning is slowly being deployed in fits and starts.

    • (Score: 3, Informative) by maxwell demon on Sunday April 12 2015, @04:53PM

      > The problem with that is they then MITM you when you "check the certificate authority your bank uses." It's turtles all the way down.

      Since the root certificates are stored locally, they cannot MITM them. So unless they have access to my bank's certification authority's private key (likely for the NSA, unlikely for China), the checking process is immune against MITM attacks.

      > There is cert pinning which remembers the certificate between sessions and errors out if it changes. So as long as your first access to the site was not compromised you are OK until that cert expires. Cert pinning is slowly being deployed in fits and starts.

      Ah, that's interesting. Another useful property would be if replacement certificates were always signed with the previous certificate, so you could easily check whether the replacement certificate is valid (well, unless additionally the previous certificate was compromised, but I don't think there's much one can do in that case).

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 1, Informative) by Anonymous Coward on Monday April 13 2015, @05:38AM

    There's a Firefox extension called "Certificate Patrol [mozilla.org]" that tells you when a certificate changes, with a "CA-only" option to only warn you if the CA changes, but it appears to be no longer supported. There are also some plugins that use a third-party server to keep track of which certificates have been seen for a given server in an attempt to detect MITM attacks. Convergence [wikipedia.org] is one of them, Perspectives [perspectives-project.org] is another. They might have a mode for just running locally and alerting of certificate changes, I'm not sure.

    • (Score: 2) by maxwell demon on Monday April 13 2015, @07:53PM

      I'm using Perspectives, and it doesn't have such an option (or I can't find it).

      On the Convergence web site, I don't find any information about such functionality (I haven't, however, searched very thoroughly). Anyway, it looks like an interesting alternative to Perspectives, thank you for making me aware of it; unfortunately according to the web page it's still beta.

      --
      The Tao of math: The numbers you can count are not the real numbers.
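
The pinning behaviour discussed in the comments above (remember the certificate between sessions, with an optional "CA-only" mode that alerts only when the issuing CA changes), as an added example that is not part of the original thread and is not code from any extension named there. `PinStore`, the verdict strings, `bank.example` and the byte strings standing in for DER certificates are all assumptions made for illustration.

```python
import hashlib
import json

def fp(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

class PinStore:
    """Trust-on-first-use pins, host -> {"leaf": fp, "issuer": fp}."""

    def __init__(self, ca_only=False, pins=None):
        self.ca_only = ca_only        # True: warn only when the issuing CA changes
        self.pins = dict(pins or {})

    def check(self, host, leaf_der, issuer_der):
        seen = {"leaf": fp(leaf_der), "issuer": fp(issuer_der)}
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so an interceptor
            # present on this visit would be pinned as if it were genuine.
            self.pins[host] = seen
            return "first-use"
        if seen["issuer"] != pinned["issuer"]:
            return "issuer-changed"   # alert and keep the old pin
        if seen["leaf"] != pinned["leaf"]:
            if not self.ca_only:
                return "leaf-changed"  # strict mode: any new certificate alerts
            self.pins[host] = seen     # CA-only mode: renewal under the same CA
            return "renewed"
        return "match"

    def dumps(self):
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def loads(cls, text, ca_only=False):
        return cls(ca_only=ca_only, pins=json.loads(text))

# Constructed stand-ins for DER certificate bytes (not real certificates).
CA_1, CA_2 = b"constructed-ca-1", b"constructed-ca-2"
LEAF_A, LEAF_B, LEAF_C = b"constructed-leaf-a", b"constructed-leaf-b", b"constructed-leaf-c"

def demo():
    first = PinStore(ca_only=True)
    out = [first.check("bank.example", LEAF_A, CA_1)]
    later = PinStore.loads(first.dumps(), ca_only=True)   # a later session
    out.append(later.check("bank.example", LEAF_A, CA_1))
    out.append(later.check("bank.example", LEAF_B, CA_1))
    out.append(later.check("bank.example", LEAF_C, CA_2))
    return out
```

The store fingerprints whole certificates for brevity; a real client would feed it the leaf and issuer taken from the validated chain of each TLS connection.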