Thursday, September 4, 2014

Authorities launch man-in-the-middle attack on Google

What happened?

Starting on August 28, 2014, reports appeared on Weibo and Google Plus that users in China trying to access Google via CERNET, the country's education network, were receiving warning messages about invalid SSL certificates. The evidence, which I include later in this post, indicates that this was caused by a man-in-the-middle attack.
While the authorities have been blocking access to most things Google since June 4th, they have kept their hands off CERNET, China's nationwide education and research network. However, in the lead-up to the new school year, the Chinese authorities launched a man-in-the-middle (MITM) attack against Google.


There is a clear incentive to implement a man-in-the-middle attack against Google. Google enforced HTTPS by default on March 12, 2014 in China and elsewhere. That means that all communication between a user and Google is encrypted by default: only the end user and the Google server know what is being searched for and what is returned. The Great Firewall, through which all outgoing traffic from China passes, can see that a user is connecting to Google's servers, but not what is being requested over that connection. This in turn means that the authorities cannot block individual searches on Google; all they can do is block the website altogether. This is what has happened on the public internet in China but has not happened on CERNET.
The authorities know that if China is to make advances in research and development, if China is to innovate, then there must be access to the wealth of information that is accessible via Google. CERNET has long been considered hands off when it comes to censorship, for this very reason. Even long-blocked services such as YouTube and Google+ are available via CERNET. In contrast, on the public internet in China, Google Scholar is blocked and the China version of the site redirects users to the Hong Kong version of the site, which is also blocked.
Up until last month, access to Google remained relatively unfettered for those accessing the properties via CERNET. Instead of outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities decided that a MITM attack would serve their purpose. By placing themselves in the middle of the encrypted connection, the authorities can continue to provide students and researchers access to Google while eavesdropping on, or selectively blocking, individual search queries and results. The cost of doing so is that the attacker must present its own certificate for Google's hostname instead of Google's real one, and that is exactly what produced the warnings users reported.

Has it happened before?

At the beginning of last year, in January 2013, the Chinese authorities staged a country-wide MITM attack on Github.

Will it happen again?

The short answer is yes. I predicted last year that because of the increased shift to encryption, man-in-the-middle attacks were likely to become an increasingly tempting choice for the authorities.

The Details

There have been multiple user reports from those using CERNET about fake certificates when accessing Google. Netresec did a great forensic analysis of the MITM attack on Github. I contacted Netresec with the wire captures below. They concluded that all evidence indicates that a MITM attack is being conducted against traffic between China’s nationwide education and research network CERNET and Google. The machines performing the MITM attack are most likely injecting packets somewhere at the outer border of CERNET, where they are peering with external networks. Their full forensic analysis is available online.
I do not have data of my own to show how or whether this happened. I have relied on the sources listed below. Many of these sources were also used in this report on Solidot.
Screenshot taken by Weibo user
The screenshot shows the user trying to access Google using the Chrome browser and receiving a warning about an invalid SSL certificate. For Chrome and Firefox users, the browser will not let you bypass the certificate warning for Google, because Google enables HTTP Strict Transport Security (HSTS) and both browsers treat a certificate error on an HSTS site as fatal rather than as something the user may override.
Another screenshot by the same user compares the certificate received over a normal connection (on the left) with the one received under the man-in-the-middle attack (on the right).
Reports on Google Plus
Wireshark capture files
I have some Wireshark capture files. If you need to examine them, please contact me. Redacted versions appear in the Netresec report.
Copy of fake SSL certificate
Uploaded to Google Drive (copy hosted by me). This fake certificate has been seen by multiple users. See below for a comparison of the current valid certificate and the fake one used during the attack.
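The two screenshots above and the fake certificate come down to one check the browser performs for the user. As an added example, not part of the original post or of Netresec's analysis, the Go program below reproduces that check offline: it constructs a throwaway trusted root, issues a certificate for the requested hostname from that root, builds a self-signed forgery for the same hostname (the shape of certificate a man in the middle can produce without any CA), and then runs standard chain verification and prints the SHA-256 fingerprints that a user would compare. The root name, hostname and all keys are constructed for the example; the real forged certificate from the attack is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// targetHost stands in for the Google hostname the user asked for (constructed).
const targetHost = "www.google.com"

// mintCert issues a certificate for name. With parent == nil it is self-signed,
// which is all a man in the middle without a CA's cooperation can produce.
func mintCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if !isCA {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.DNSNames = []string{name} // browsers match the hostname against the SAN, not the CN
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildScenario returns the trust store a browser carries (one constructed root),
// the certificate the real server would present, and a forgery for the same name.
func buildScenario() (*x509.CertPool, *x509.Certificate, *x509.Certificate, error) {
	root, rootKey, err := mintCert("Example Trusted Root CA", true, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	genuine, _, err := mintCert(targetHost, false, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	forged, _, err := mintCert(targetHost, false, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, genuine, forged, nil
}

// verifyForHost is the check a browser runs before rendering a page: chain the
// presented certificate to a trusted root and match the requested hostname.
func verifyForHost(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// fingerprint is the SHA-256 of the DER certificate, the value a certificate
// viewer shows and the simplest thing to compare between two connections.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// isSelfSigned: issuer names itself and the signature verifies under its own key.
func isSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

func main() {
	roots, genuine, forged, err := buildScenario()
	if err != nil {
		panic(err)
	}
	for _, item := range []struct {
		label string
		c     *x509.Certificate
	}{{"genuine", genuine}, {"forged", forged}} {
		fmt.Printf("%-7s issuer=%q self-signed=%v sha256=%s...\n", item.label,
			item.c.Issuer.CommonName, isSelfSigned(item.c), fingerprint(item.c)[:16])
		if err := verifyForHost(item.c, roots, targetHost); err != nil {
			fmt.Printf("        browser would warn: %v\n", err)
		} else {
			fmt.Println("        chain verifies, no warning")
		}
	}
}
```

The forged certificate carries the right hostname and a valid signature, so nothing about its contents looks wrong in isolation; it fails only because no trusted root vouches for it, which is the "unknown authority" condition behind the warning in the screenshot. That is also why the fingerprint comparison in the second screenshot is meaningful: the same server name with a different fingerprint means a different key, and therefore a different party at the other end of the connection.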

What should you do

You should never click through when you see a certificate warning. You should use Firefox or Chrome, as these browsers will not even let you click through the warning for websites that use HSTS (like Google and Github). If you do click through, the attacker sits between you and Google and sees everything you send in the clear, including your Google account password and session cookies, which means all your Gmail can be read by the attacker.