Hacker News new | comments | ask | show | jobs | submit login

I really appreciate how they're doing this. The Chinese built up an amazing infrastructure for the Great Firewall; the Kazakhs just say "install our cert!" The Chinese spend billions and have to stay ahead of all of their citizens' clever new ideas at all times; the Kazakhs spend a few hundred and just need to point guns at their citizens until they install a cert.

Sure, it's going to be difficult to enforce, but it should also be quite cheap.

Chinese govt is also capable of doing this. Best part? We even have our trusted* root certificate!

Could this get any "better"? Sure! We can even MITM all the OUTGOING https traffic if we want! #GitHubDDoS

* Recently un-trusted by Apple and Mozilla. https://support.apple.com/en-us/HT204938

Was that trusted root cert ever misused? IIRC, it was un-trusted because they did not do their due diligence on how an issued sub-cert was being used by an Egyptian company.

What does the GitHub DDOS have to do with MITM attacks on https?

the ddos was achieved by altering the contents of one of the script on a large chinese site (was it baidu? google it). Once every user on that site loaded the tampered script, it made sure to send many requests to github.

Was the large Chinese site serving traffic over HTTPS?

Sadly, they (Baidu) are not, which is why the script content was easily modified.

To clear it up, I said that GFW "can" do (but has not yet done) these. But it tried to MITM some https traffic earlier with a non-trusted certificate as an experiment.

@andreyf: More like a social experiment. See whether people would notice (we did) and what's their reaction.

Experiment? This isn't science. They can ask any engineer what MITM with a non-trusted cert would do, and that's nothing.

I really don't understand how that sort of behaviour doesn't constitute an act of war.

Imagine if China sent saboteurs in-country to physically destroy infrastructure being used by American businesses. That would Not Be Taken Lightly.

    > how that sort of behaviour doesn't constitute an act of war
You need photos of explosions and dead babies to convince your populace to go to war. Making a case for war between nuclear powers on the basis that "some website for geeks became a bit less reliable" isn't going to cut it.

The same way that Stuxnet destroying Iranian centrifuges was an act of war ?

Yes. Although I'd have thought that particular war would have started back with the hostage-taking in, what, 1979?

I really don't understand relationships between States.

I'm not a West Hater by any means, but I'd say the war started when the US and the UK engineered a coup in Iran because Iran nationalized their oil industry (after the British oil company running it refused to be audited or to renegotiate terms).


Whereas I'd say the problem was forced nationalisation.

That does not justify overthrowing another country's government. Most countries, including the United States, recognize the state's eminent domain over its land and its natural resources. Besides which, the Iranians tried to negotiate, the British refused, so the Iranians nationalized in response.

A foreign coup is a valid response to nationalisation?

I'm not sure. But nationalisation is certainly a violation of rights.

Of course, I'd be interested to see how those assets were set up in the first place - my bet would be during a non-rights-respecting period of colonialism.

How far back do you go? (Serious question).

You go to when the country got a democratically elected government.

As for nationalisation is certainly a violation of rights do you hold that all eminent domain is a violation of rights? IE if the government wants to build a road and uses compulsory purchase orders it's a violation of rights?

Yes. It's possible to do such things in non rights violating ways. For example, buying options on properties and exercising them when a route is made.

Starting point for international relations:


always love a good reference to Argo.

Which sort of behavior? Having their own root certificate?

I meant China's behaviour, e.g. orchestrating a DDOS attack against GitHub for political reasons.

The root certificate thing is 'merely' a violation of the rights of their own subjects.

Ah, ok that makes more sense.

To be fair they really fucked up a couple of stages of that GitHub DDOS and made it trivial to stop.

And they managed to shine the spotlight on a project in need of some tlc.

> it's going to be difficult to enforce

I guess it's just a matter of dropping every connection that you can't MITM, no?

You don't have to. Proxy handles the request and just gives response back to you signed with national cert. If you don't install it, your browser will just start complaining about every site. At least that is how Bluecoat ProxySG[1] works at my employee.

[1] https://bto.bluecoat.com/webguides/proxysg/security_first_st...

Funny story, most of the machines / servers at my workplace weren't vulnerable to Heartbleed - but ProxySG was. AFAIK they built their own OS from scratch, too.

For SSL traffic, yes, but that wouldn't stop someone from using a different encryption protocol.

country wide, this is a loud call for a cloud, distributed proxy provider with a better track record than the telco, to offer tor-like tunnels to at least exit the MITM zone.

easy to enforce inside the country. Just set it so that there's no https if you don't have the cert! It is becoming a legal requirement for all telcos in the country so even if you're roaming (with a data plan from a foreign provider, for example) - you're still using the local telcos.

Only way to avoid is to use some kind of foreign satellite internet or maybe private / non government / non telco dark fibre.

I guess VPN is the only way to avoid it. Or sshuttle or something over port 80. But then again, how long will it take before they can detect that and then block it?!

Or you can use non-standard ports, and change them continuously.

They can just block everything by default and only enable what they can decrypt. Maybe you could try tunelling encrypted data over HTTP, but heuristics could probably pick that up too.

Well, in that case I'm just going to invent a TCP-over-cat-pictures VPN. Encode all the TCP packets in the subtle details of the fur and package everything up as innocent-looking HTTP GET requests.

This realistically shouldn't be too hard to do with obfsproxy's already-built framework.

You're going to run out of cat pictures pretty quickly.

I've been thinking about this lately, and it seems that you could use something like a book code. Client and server use existing internet accessible images as the book and then your communication simply references bytes in those images: client requests a URL that encodes the bytes it wants to send, server returns HTML containing the urls of images containing the bytes it wants to send in response (and any extra content that helps make the page seem normal, ignored by the client). Pictures could be anything anywhere (lolcats, wikipedia, etc.), client should only ever need to download the picture once. Bandwidth wouldn't be great, but if the server is accessible via a wide (and evolving) variety of domains it seems like it would be quite hard to distinguish this from normal browsing.

Just pass a DVD with white noise when you meet in person. That should keep you in one time pads as long as you want to communicate with someone. All you need is XOR and a bookmark. Of course you need to meet once, if that's not feasible you're going to get more technical.

In Vernor Vinge's A Fire Upon the Deep I recall a plot element along these lines. Traders traffic in cubes of material that acts as a super dense source of pad data. Your communication partner on another ship would have the twin cube, and the two would be synced up and then provide the carrier data stream for video and other content. When your cubestuff is exhausted your secure authenticated comms cease.

If the censorship is based on the government being able to make some sense of what you're communicating, XORing with a PSK will not work, because they will see meaningless garbage and block it. The reason I suggested cat pictures is because the censors will see actual cat pictures and (hopefully) consider the protocol not worthy of blocking.

s/cat pictures/whatever you want/

got a repo i can contribute to?

Just drop fresh meme text on 'em and Bob's your uncle!

I think you may be on to something here.

Pretty easy really. Without knowing the key for the steganographic algorithm, it's really hard to get the data out unless you can compare it to the original. So if you're sourcing the pictures from somewhere, you'll need to manipulate false bits that aren't called for from the data itself to keep it from being breakable in such a manner.

If I had the free time, I'd create a cryptographic protocol running on top of telnet that looked like someone playing a MUD.

For email, you'd encrypt data to have it look like regular prose. So you'd only get a few bits per English word, but that would be sufficient for short messages. Could also make use of extra spaces in between words.

The real trick with that would be to take an existing document, and alter it to encode a message. So you'd be doing things like using synonym choice to get your bits.

There aren't enough MUD players to make it inconspicuous.

Cat pictures and steganography.

Wait, isn't reddit already used for this extensively? With each subreddit being a separate comms channel. Or is there another reason why very little reddit content makes sense?

It's not even difficult to enforce. If you don't install their cert, you don't have access to the internet. Or you just have to force Chrome to ignore all SSL errors, which is the same thing.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact