
Apple shifts iTunes to HTTPS, sidesteps China’s censors - iProject
http://www.theregister.co.uk/2012/12/21/itunes_https_shift_routes_around_great_firewall/
======
markild
This seems to assume that the certificate chain in the software available
within China is not compromised (aka, "obvious" way to detect MITM).

I honestly don't know if this is a fair assumption or not, it just strikes me
as weird that it is not mentioned when first mentioning the "great firewall".

~~~
stock_toaster
I suppose they could be using cert pinning[1].

[1]: <http://www.imperialviolet.org/2011/05/04/pinning.html>

~~~
StavrosK
You mean Apple? In that case, I don't understand how that would help. The user
never sees Apple's certificate, they only see the one presented by the MITM,
no?

~~~
markild
In this case, if I understand the concept correctly, it would be iTunes that
pins the certificate authority for the iTunes server.

One would still be vulnerable to a corrupt CA. The only solution to this would
be to issue all certificates from an internal CA and verify this in your
application.

~~~
StavrosK
Or you could just hardcode the certificate fingerprint and refuse to accept
anything else. It's trivial when you own the client.

I'm not sure if this would break when you needed to renew the certificate, but
I guess you only update the signature, not the actual public key.

~~~
sp332
But if China is already MITM, they can modify or replace the binary while you
are downloading it.

~~~
StavrosK
Yep. In that case, you don't own the client.
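To make the pinning point in this subthread concrete (pinning the server's public key hash rather than trusting whichever CA signed the leaf, and why a renewal that keeps the same key pair does not break the pin), here is an added example in Go; it is not from the original thread or from Apple's iTunes client, and the certificates, names and serials are constructed in-memory placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// spkiPin hashes the leaf's SubjectPublicKeyInfo: a renewal that reuses the
// key pair gets a new signature and serial but the same pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned is the client-side check: the presented leaf is accepted only
// if its key hash is in the pin set built into the client, whoever signed it.
func verifyPinned(leaf *x509.Certificate, pins map[string]bool) bool {
	return pins[spkiPin(leaf)]
}

// selfSigned builds a constructed test certificate (placeholder name, serial
// and validity; nothing here is a real iTunes value).
func selfSigned(pub ed25519.PublicKey, priv ed25519.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "pinning-demo.example"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return cert
}

// demo pins the original certificate, then checks a renewal signed with the
// same key (accepted) and a certificate from a different key, which is how a
// substituted MITM certificate looks to the client (rejected).
func demo() (renewedAccepted, otherKeyRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	pins := map[string]bool{spkiPin(selfSigned(pub, priv, 1)): true}
	renewed, other := selfSigned(pub, priv, 2), selfSigned(pub2, priv2, 3)
	return verifyPinned(renewed, pins), !verifyPinned(other, pins)
}
```

A real client would run verifyPinned on the leaf it receives during the TLS handshake, in addition to normal chain validation, so a certificate issued by a compromised CA for a different key still fails.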

------
ybaumes
I've got a question for security experts. I've always assumed that a government
should have enough CPU power to decode a few encrypted emails and some https
connections. So why doesn't China decode https traffic and perform the same
filtering as for simple tcp connections? And even though they wouldn't have enough
power to do so, why don't they break down the https connection when it is
established?

~~~
simonh
Extremely strong 'military grade' encryption is commonplace nowadays. It
doesn't matter whether what you're encrypting is a casual email or the launch
codes for a nuclear weapon, consumer grade encryption such as that in https is
fine as long as it's configured and used correctly. The CPU power required to
break it is greater than all the CPUs in the world put together running for
millions of years.

The problem is that if a way can be found to disrupt the configuration, such
as by compromising the certificate chain, then decrypting the message becomes
trivially easy.

So reading such a message is usually either impossible, or simple.

------
so898
According to my friend in China, the App Store is still too slow for him to
update his applications. Apple really should build some CDNs in mainland
China.

~~~
est
Someone must translate this.

Why public cloud is so difficult to build in China

<http://www.pingwest.com/why-public-cloud-is-so-difficult-to-build-in-china/>

That's why most western companies don't have VPS, IDC or CDN in China.

~~~
oisino
Great article. Setting up CDNs in China is extremely hard without government
support and local businesses being lead investors.

------
seanmcdirmid
This assumes that https traffic isn't being attacked by the GFW, which it is.
But I don't know, the app store was down for me up until a few days ago, so
maybe this is working.

