
China Telecom's Internet Traffic Misdirection - dbelson
https://internetintel.oracle.com/blog-single.html?id=China+Telecom%27s+Internet+Traffic+Misdirection
======
resters
Combine this with exploits into one or more broadly trusted certificate
authorities (which surely exist) and it's pretty amazing how much data China
would have been able to obtain.

Every time I bring up the following point someone chimes in that it's a bad
idea, but I still fail to understand why it's not easy to pick which CAs I
want to trust by picking a list of entities/people I trust and then adopting
their recommendations for which CAs to trust.

This would be a few clicks of UI to let me be intelligently paranoid while
maintaining only a layperson's understanding of why (say) Bruce Schneier
decides to trust some and not others.

~~~
unethical_ban
This should absolutely be exposed in browser UIs, esp. Firefox, which uses its
own store. Why can I not easily select/deselect all, sort by country of
origin, issuer, plain text search filters, and so on? The ability to click
through, or even to simply display the "insecure" badge, would still be there.

Or, as you said, being able to subscribe to other recommendations would be
cool.
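As an added example (not code from the thread, and not a feature of any browser mentioned), here is what "subscribe to someone else's CA recommendations" from the two comments above reduces to in practice: the recommendation is a published set of SHA-256 certificate fingerprints, the local root bundle is filtered down to the roots on that list, and the reduced bundle is handed to Python's ssl module instead of the OS store. The PEM blocks below are constructed placeholders (base64 of arbitrary bytes, not real certificates) so the filtering runs offline; the subscription list and its source are hypothetical.

```python
import base64
import hashlib
import re
import ssl

# One PEM certificate block, as found in a ca-certificates.crt style bundle.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint(pem_block):
    """SHA-256 over the DER bytes, uppercase hex without colons."""
    body = PEM_BLOCK.search(pem_block).group(1)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest().upper()


def split_bundle(bundle_text):
    """Return each PEM certificate block of a concatenated bundle."""
    return [m.group(0) for m in PEM_BLOCK.finditer(bundle_text)]


def filter_bundle(bundle_text, subscribed_fingerprints):
    """Keep only the roots whose fingerprint is on the subscribed list.

    Fingerprints are normalised so "AB:CD:..." and "abcd..." both match.
    """
    wanted = {fp.replace(":", "").upper() for fp in subscribed_fingerprints}
    kept = [blk for blk in split_bundle(bundle_text) if fingerprint(blk) in wanted]
    return "\n".join(kept) + ("\n" if kept else "")


def context_from_bundle(filtered_pem):
    """Client context that trusts only the filtered roots, not the OS store.

    Only call this with a bundle of real certificates; the placeholders
    below are not parseable by OpenSSL and would be rejected here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=filtered_pem)
    return ctx


def _fake_pem(label):
    # Constructed placeholder: base64 of arbitrary bytes, NOT a real certificate.
    body = base64.b64encode(("not-a-real-certificate:" + label).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


CERT_A = _fake_pem("root-A")
CERT_B = _fake_pem("root-B")
CERT_C = _fake_pem("root-C")
BUNDLE = CERT_A + CERT_B + CERT_C  # stand-in for /etc/ssl/certs/ca-certificates.crt

# Hypothetical recommendation feed: the roots someone you trust chose to keep.
SUBSCRIPTION = [fingerprint(CERT_A), fingerprint(CERT_C)]

if __name__ == "__main__":
    filtered = filter_bundle(BUNDLE, SUBSCRIPTION)
    for blk in split_bundle(filtered):
        print("kept", fingerprint(blk))
    print(len(split_bundle(BUNDLE)), "roots in bundle,", len(split_bundle(filtered)), "kept")
```

On a real system the same filter_bundle() call runs over the contents of the OS bundle and the result goes to context_from_bundle(); anything signed by a root that the subscribed list omits then fails verification in that context, which is the "intelligently paranoid" behaviour the comment asks for.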

~~~
dsl
Because it is never the "China Government" CA that is the problem, it is a
medium to large Western-based CA getting hacked.

China, Iran, etc. don't want direct attribution.

~~~
killjoywashere
And by "Western", keep in mind Italy and many other "2nd world" countries (to
use some dated terminology).

~~~
Lio
2nd World? Doesn't that usually refer to former members of the old Eastern
Bloc?[1]

To my knowledge, Italy has never been part of the Eastern Bloc.

[https://en.wikipedia.org/wiki/Eastern_Bloc](https://en.wikipedia.org/wiki/Eastern_Bloc)

~~~
arm85
Huh, I never thought about Switzerland being a third world country.

~~~
RugnirViking
Or indeed somalia being a 2nd world country

------
commandlinefan
I'm continually amazed at how insecure almost every aspect of internet routing
is - it mostly boils down to a sort of "gentlemen's agreement" that everybody
will follow the rules.

~~~
toomuchtodo
Internet routing (BGP), SMTP, and DNS (not inclusive, just off the top of my
head) were developed during the very beginnings of the internet, without much
thought into today's use and scale.

Today you'd do better, with hindsight being 20/20.

~~~
Mtinie
That's certainly true. But now that we have the benefit of hindsight, isn't
the only reasonable option to start to take the steps to correct the obvious
problems?

~~~
toomuchtodo
Yes, with a "but" the size of celestial bodies: it's a herculean effort.
Witness how long IPv6 has taken to obtain traction (and the lack of any
traction on DNSSEC, and the resulting DNS over HTTP shims). These are
improvements that occur over years, if not decades and require substantial
human and financial resources to deliver on.

~~~
0x8BADF00D
Why do you think IPv6 never took off? Do you think the format of addresses was
less human readable, and therefore that’s what led to its slow adoption? What
if the address was instead displayed as a mapping using a data format like
JSON?

~~~
toomuchtodo
Networks found ways to reduce IPv4 usage, or support dual stack early on when
necessary. Turns out every internet endpoint doesn't need to be directly
addressable, and most Internet use cases are one to many (CDNs to eyeballs).

[https://www.nonog.net/wp-content/uploads/2017/06/Altibox-An-IPv6-Story-NONOG-2017-01-min.pdf](https://www.nonog.net/wp-content/uploads/2017/06/Altibox-An-IPv6-Story-NONOG-2017-01-min.pdf)

[https://www.networkworld.com/article/3254575/lan-wan/what-is-ipv6-and-why-aren-t-we-there-yet.html](https://www.networkworld.com/article/3254575/lan-wan/what-is-ipv6-and-why-aren-t-we-there-yet.html)

------
cauldron
CT and Chinese ISPs have been hijacking user traffic for decades, profiting
off of it by selling traffic dumps to data-exploiting companies, inserting ads
into webpages, and stealing social media tokens (for follower boosting and ad
retweeting).

I've found China Unicom openly hawking their data mining products.
[https://imgur.com/a/uNxA50K](https://imgur.com/a/uNxA50K)

~~~
hrrsn
Have you got a translated version of that screenshot?

~~~
cauldron
[https://imgur.com/a/pIKYUMP](https://imgur.com/a/pIKYUMP)

------
burtonator2011
This is one of the reasons TLS/SSL and crypto is so amazingly important.

Go ahead, monkey around with BGP, since I have the public key of the recipient
of my packets I can detect this and block any type of misdirection.

~~~
maltalex
> Go ahead, monkey around with BGP, since I have the public key of the
> recipient of my packets I can detect this and block any type of
> misdirection.

And how did you get that public key?

An attacker could pretty easily obtain a valid Let's Encrypt certificate using
a BGP hijack.

Also, the CA system is in bad shape - CAs have been hacked and certificates
were leaked. Not to mention that some of the CAs your browser trusts are not
entirely trustworthy or are located in untrustworthy countries. Oh, and from
time to time there are attacks against TLS itself (e.g.
[https://drownattack.com/](https://drownattack.com/))

~~~
olliej
Because the public keys are baked into the OS trust store, for the exact
reason of not being able to get the keys from the internet if you don't
already have a root of trust.

The other issues (trustworthiness of CAs in countries that have the ability
to compel a CA to issue a fake cert; Australia, say) are intended to be
mitigated by the CT logging that is now required by the major trust stores.
Sure, your Aussie CA might issue a fake certificate, but in doing so they
ensure they get a global distrust...

~~~
cheeze
The dream is definitely not trusting certs which haven't been written to a
log. I think that the path is actually in sight too. The CAB forum seems
relatively on board.

~~~
tialaramex
You can experience this dream today by simply installing Google's "Chrome"
browser. If you prefer a different browser you probably don't have long to
wait, Firefox and Safari have announced plans to check CT (Apple says in
Calendar Year 2018 but I won't be astonished if that slips) and it's something
Microsoft's browser team are contemplating - if you care about trust in the
Web PKI you obviously shouldn't use Microsoft's products anyway, but if you
do...

------
martinald
Somewhat offtopic but which tool shows you the AS number + info alongside the
traceroute in the screenshot?

~~~
jwbensley
I would guess that the author copied the results into a table and prettified
them and added in details like location.

At the top of the screenshot it says "traceroute from London to ..." - no
traceroute program knows where it is in the world!

Also the locations of each hop in traceroute (NY > Chicago > Ashburn etc.): no
traceroute program will know where in the world those IPs are. I suspect the
author has guesstimated based on the reverse DNS records for the IPs and
latency.

Traceroute does have the ability to show you the ASNs in a path, but that is
based on a WHOIS lookup of the IPs that it's discovering. So it could be wrong,
by assuming the IP address of each hop was announced by the ASN that owns it.

~~~
agentphil
thousandeyes.com, a network intelligence platform, gives you all that
information in one place.

------
mirimir
OK, so I'm sitting here, posting to HN in Firefox. And if I like, I can open a
terminal and run something like:

    traceroute news.ycombinator.com | grep -f chinese-ipv4 -f chinese-hosts

And indeed, there could be a Firefox extension that did that, right? So at
least, users would know.

~~~
jwbensley
It's difficult for the "average user" (define as you please) to know what the
path should look like though. Lots of ISPs will have private peerings to
other ISPs/content providers/carriers etc. which aren't publicly listed
anywhere.

~~~
mirimir
I'm not suggesting that the (say) Firefox extension would show the path. It
would just show whether the path included devices in whatever country. In this
case, China. Users wouldn't need to know details. There are many sources of
geolocation data that the extension could draw upon.
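The grep one-liner, jwbensley's point about traceroute's WHOIS-based ASN column, and the extension idea in this exchange all come down to the same mechanism: take each hop IP out of the traceroute output, do a longest-prefix match against a prefix table that carries an ASN and a country, and flag hops that land in a watched country or ASN. The following is an added example of that mechanism in Python's standard library; it is not code from the thread or from any tool named in it. The traceroute text is a constructed sample in Linux traceroute(8) output format, and the prefix table is a constructed stand-in for a WHOIS/RIR or geolocation feed using documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398) with made-up country codes.

```python
import ipaddress
import re

# Constructed prefix table: prefix -> (ASN, country). A real tool would fill this
# from a routing feed rather than WHOIS, because WHOIS tells you who owns a block,
# not who is announcing it right now (and during a hijack those differ).
PREFIX_TABLE = {
    "192.0.2.0/24":     (64496, "GB"),
    "198.51.100.0/24":  (64497, "US"),
    "198.51.100.64/26": (64498, "CN"),  # more-specific carve-out inside the /24
    "203.0.113.0/24":   (64499, "US"),
}

# Most-specific prefix first, so a /26 beats the /24 that contains it.
_NETS = sorted(
    ((ipaddress.ip_network(p), asn, cc) for p, (asn, cc) in PREFIX_TABLE.items()),
    key=lambda t: t[0].prefixlen,
    reverse=True,
)

# " 3  host.example (198.51.100.7)  12.3 ms ..." -> hop number and IPv4 address.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+)?\((\d{1,3}(?:\.\d{1,3}){3})\)")
SILENT_HOP_RE = re.compile(r"^\s*(\d+)\s+\*")


def lookup(ip):
    """Longest-prefix match of one address; (None, None) if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, asn, cc in _NETS:
        if addr in net:
            return asn, cc
    return None, None


def parse_traceroute(text):
    """Return [(hop, ip_or_None), ...] from traceroute(8) style output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
            continue
        m = SILENT_HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), None))  # hop did not answer: "* * *"
    return hops


def flag_hops(text, watch_countries=(), watch_asns=()):
    """Hops whose prefix maps to a watched country or ASN, as dicts."""
    flagged = []
    for hop, ip in parse_traceroute(text):
        if ip is None:
            continue  # nothing to attribute; a real tool would surface the gap
        asn, cc = lookup(ip)
        if cc in watch_countries or asn in watch_asns:
            flagged.append({"hop": hop, "ip": ip, "asn": asn, "country": cc})
    return flagged


# Constructed sample output; the hosts and addresses are placeholders.
SAMPLE_TRACEROUTE = """\
traceroute to example.invalid (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.home.invalid (192.0.2.1)  0.412 ms  0.380 ms  0.351 ms
 2  * * *
 3  198.51.100.7 (198.51.100.7)  12.301 ms  12.110 ms  11.987 ms
 4  transit.invalid (198.51.100.70)  95.402 ms  95.118 ms  96.003 ms
 5  203.0.113.10 (203.0.113.10)  101.2 ms  100.9 ms  101.5 ms
"""

if __name__ == "__main__":
    for hit in flag_hops(SAMPLE_TRACEROUTE, watch_countries={"CN"}, watch_asns={64496}):
        print(f"hop {hit['hop']:2d} {hit['ip']:16s} AS{hit['asn']} {hit['country']}")
```

Note what the sample exercises: hop 4 sits in a /26 carved out of a /24 owned by a different ASN, so a table that only held the /24 would attribute it wrongly. That is the same caveat as the WHOIS column in traceroute, and it is also why a hijack looks like a more-specific announcement appearing where none existed before.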

------
mehrdadn
Tangent, but are traceroutes spoofable (barring timing differences), or would
they break too many other things to be practical? I'm wondering if anyone
might do that to hide their tracks.

~~~
nrki
Yes. You can set your reverse DNS to whatever you want if you own the IP
blocks.

See also:
[https://news.ycombinator.com/item?id=5192656](https://news.ycombinator.com/item?id=5192656)

------
localguy
"Loading..." the page doesn't work without JavaScript enabled for no reason.

~~~
DevoidSimo
It's using ajax to fetch the actual article. Seems a bit strange since it's
static

~~~
jachee
Imagine that: _Oracle_ doing something more complex than necessary. /s

------
walrus01
If BGP4 were designed today, it would look very different.

------
zozbot123
How about just globally blocking AS4134 and AS9318?

~~~
baybal2
You will be surprised how many companies are already doing so.

------
furkitolki
According to traceroute, I wonder what makes the United States safe and China
not. Both are not safe.

------
ggm
Hanlon's razor has been raised on NANOG.

------
jmartrican
This is so stupid that we keep doing business with the Communist Party of
China.

~~~
consumer451
I just don't understand why the telecom agreements are not reciprocal. If no
foreign nation is allowed to put a POP in China, then why is China allowed to
put POPs all around the world?

------
gcb0
lol. typical anachronistic oracle. their blog fails to render on 2 out of
3 browsers I tested. What is this? 1995?

~~~
praneshp
Can I ask what browsers? If you've disabled Javascript, I'd argue that's the
anachronism.

~~~
gcb0
firefox mobile with uBlock origin.

Edit: ha! ironically, Oracle's site about China spying on you won't load the
content unless you allow the Google Analytics code to run. If the Google
Analytics code fails, the rest of their code also fails.

~~~
pinusc
I can read the article just fine on Firefox for Android with uBlock origin. It
also loads with no problems through my pi-hole, which blocks Google Analytics.

