Monday, January 19, 2015

Chinese authorities attack Microsoft

On January 17, I received reports that Microsoft’s email system, Outlook (which was merged with Hotmail in 2013), was subjected to a man-in-the-middle (MITM) attack in China.

The following screenshot shows what happens when a Chinese user accesses Outlook via an email client (in this case, Ice-dove):

We have tested Outlook to verify the attack and have produced the same results. IMAP and SMTP for Outlook were under a MITM attack. Do note however that the web interfaces ( and ) were not affected. The attack lasted for about a day and has now ceased.

This form of attack is especially devious because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers (see screenshot at the end of this post for comparison).
(Sample error message from default iPhone mail client)

In addition, email clients normally run in the background. Users will only see an abrupt pop-up warning when the client tries to automatically retrieve messages. Users will then be able to tap on a “continue” button and ignore the warning message. As the user did not initiate the retrieval of emails, most users will not think twice about clicking on “continue” and will likely attribute the warning message to a network problem. If users do click on the “continue” button, then all of their emails, contacts and passwords will be logged by the attackers.

This attack comes within a month of the complete blocking of Gmail (which is still entirely inaccessible). The similarity between this attack and previous, recent MITM attacks in China (on Google, Yahoo and Apple) is evident. This new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor.
This new MITM attack comes three months after the iCloud MITM attack, which was widely reported in the media and which prompted Apple’s CEO Tim Cook to fly to China to raise the matter directly with the Chinese authorities. The Chinese foreign press spokesperson denied the “hacking” allegation and Apple has not made any public statements addressing the outcome of the discussions. However Apple did add a Chinese language help page (and an English one) which addresses similar issues. Apple refers to episodes of this nature as “organized network attacks”.

At the time of the iCloud attack, Google (over CERNET) and Yahoo were both experiencing MITM attacks and Outlook (web portal only) was under a MITM attack for a short period of time. Since the wide reporting of these attacks, GFW had not attempted any large scale attacks until this one. The authorities are most likely continuing to test their MITM technology. The authorities may also be gauging user response. By keeping track of how many users ignore the certificate warnings, the authorities will be able to determine the effectiveness of this type of attack.
I strongly recommend that users never bypass certificate error messages by clicking “continue”.

Technical Details

IMAP/SMTP are commonly used on mobile email clients (e.g the default mail application on iPhones) and desktop email clients like Thunderbird. Internet Message Access Protocol (IMAP) is a protocol which allows users to connect to the same mailbox through multiple devices (i.e. your desktop, mobile, etc.). Simple Mail Transfer Protocol (SMTP) is typically used by users to send messages to a server which are then relayed to the recipient.
Wikipedia defines a man-in-the-middle (MITM) attack in the following way:
The man-in-the-middle a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.


To reproduce the result in a Firefox browser, I first configured Firefox to allow access on port 993 which is the port used by IMAP. I then accessed I immediately received the warning message. As you can see, the certificate is self-signed, which is consistent with previous MITM attacks in China.

The certificate error message shown in Chrome. Chrome was configured to allow connections via port 993.

The fake certificate used in the attack:[Fake]AnyHotmailCom_201501.crt


Friday, January 9, 2015

GFW redirected visitors from blocked sites to porn

In the past, the Chinese authorities’ DNS poisoning system would direct Chinese internet users who were trying to access Facebook, Twitter and other blocked websites (without the use of a circumvention tool) to a set of fake IP addresses that are blocked in China or are non-existent. After waiting for some time, Chinese internet users would receive a timeout message if they were trying to access a blocked site.

However, with the new DNS poisoning system, in addition to those IP addresses used before, the Chinese authorities are using real IP addresses that actually host websites and are accessible in China. For example, shows that if a user tries to access Facebook from China, they might instead land on a random web page, e.g.

Below is a screenshot by a Chinese user when he was trying to access our website which was blocked in China. He was redirected to a government site in Korea. In essence, GFW is sending Chinese users to DDOS the Korean government's website.
One Chinese Internet user reported to us that when he tried to access Facebook in China, he was sent to a Russian website, unrelated to Facebook. Another user tweeted that he was redirected to an German adult site when he tried to access a website for a VPN.

某墙你这什么意思,DNS 污染返回给我一个德国工口站的 IP,满屏很黄很暴力弹弹弹(
— nil (@xierch) January 4, 2015

The redirection to adult content is especially ironic. The authorities often cite the “protection of minors” as one reason to justify internet censorship. But in this example, users who are trying to access perfectly legal but blocked content instead are sent to illegal (in China) adult content websites.

This upgrade of the GFW effectively disabled many anti-DNS-poisoning tools. Because GFW used only a small set of fake IP addresses, these tools could discard the fake IP addresses easily and access the correct IP addresses to bypass any block. Now this is no longer possible as legitimate IP address are used to poison other domains.

It is clear that the authorities treat the great firewall as a work-in-progress and are constantly tweaking and making changes to the censorship apparatus. I expect to see more changes in the coming months.