This article seems a bit over the top. It's pure speculation, and it seems much more likely that an engineer configured a router incorrectly, panicked for 15 minutes, then fixed it.
"What set this incident apart from other such mishaps was the fact that China Telecom could manage to absorb this large amount of data and send it back out again without anyone noticing a disruption in service."
We've got a technically inclined community here: When your Internet access is slow for a while, what do you attribute it to? I doubt anyone's first instinct is "must be a man-in-the-middle attack." Again, it seems much more likely that they simply had the capacity to handle most of that traffic (biggest country in the world, modernization, etc.) and no one noticed because the Internet is often flaky.
The parent makes a valid claim.
I mostly sometimes remember to use gnu screen now.
As anyone who's surfed on the internet in China can attest, the bandwidth into and out of China is basically nil. You can test this out yourself by trying to watch anything on youku.com - it takes years to load. If they magically had the capacity to actually handle the load of the world, I wish they would turn it on already.
Yeah, it could be by design, and yes a number of corporations have direct fiber lines out to Japan. I used to work at Microsoft in Beijing, which had a line out to Japan and it was easily the fastest internet I've ever use in my life (goes without saying also uncensored).
Umm, yeah, right. Basic fail at understanding public/private key cryptography.
If crypto systems relied on trusting that everyone does the right thing, they would be useless.
After such a fundamental failure, it's hard to take the rest of the article seriously.
So, if your browser has a CA belonging to CCNIC, a Chinese corporation which could certainly act for the Chinese government, they could pull off this spoofing. The question then is, is CCNIC in people's browsers? According to http://www.mozilla.org/projects/security/certs/included/, it is in Firefox.
As to how to pull off the spoofing, if you have a root CA, you can sign arbitrary certs, i.e. for domains you don't own.
So, the article is right and SSL does require trusting all your trusted CAs are trustworthy.
(edited for clarity and tone)
You break RSA by factoring n into p x q.
Firstly, I doubt that US (say) government personnel will remove Chinese CAs, never mind contractors or even ordinary business people or citizens, so to my mind this is a risk to trusting SSL, even if expert users can mitigate it as you have described.
Secondly, I believe CAs can also sign other CAs (and indeed Entrust did this for this very Chinese CA) so it's not that simple. You might need to distrust most CAs, which makes using SSL slightly tricky.
Thirdly, even if you remove the CA now, how do you know you weren't already MITM-attacked back in February? It's too late.
As for mitigation, alerting the user on CA or certificate changes might help, but getting the UX right will be hard. I could see a solution in the future where your bank sends you a memory stick with portable firefox installed on it and precisely one trusted certificate — the bank's. Of course, that means trusting the mail system, but since we already trust the mail system (e.g. using mailed statements for ID verification) we can't be worse off. An attack would require hijacking the USB stick and your connection to the bank at the beginning of the same session for it not to be noticeable — not so easy.
Of course, configuring your system to trust any valid certificate is just stupid.
However, that threat of Chinese authorities sniffing on SSL traffic is real. Just remember the root certificate issued by the China Internet Network Information Center that ended up in Firefox, see http://news.ycombinator.com/item?id=1244444
Acutally, in-brower SSL crypto without certificate verification (as in "is this the same certificate that it was before?", not as in "is this certificate signed by trusted CA?") relies exactly on that assumption.
How is that a problem? You cannot expect your internet data to be private: the nature of the beast is that it will be public. Anything sensitive must be encrypted in such a way that by the time the encryption is broken by your enemy (considering the likely resources they have) the data is no longer useful.
Did I miss something?
The largest operators have peering links with no filters ("everyone is equal"), but that implies a lot of trust. And "trust" should not be a word placed next to a communist country name.
The word "trust" shouldn't be placed next to any government.
Which is categorically different than the majority of operators.
Additionally, what does communism have to do with it?
Unless someone actually goes and looks at what was being sent by Chinese BGP routers at the time of this supposed outage they should STFU. I'm not saying this is definitely BS. But the article is seriously short on details.
Google Cache: http://webcache.googleusercontent.com/search?q=cache:4lR05JZ...
If you're worried that China is going to MITM your SSL sessions, remove their certificate from your cert store.
If I was a Chinese supercyberspy, I probably wouldn't do something as blatant as routing the entire Internet to China just to get traffic I wanted. I think I'd do something much more akin to spearphishing an overseas Google employee to get onto their internal network.
If this claim is valid, it would seem likely that the bad BGP advertisement was not accidental.
They aren't the only ones.
I guess what would be difficult is to reach a consensus on adding the above route.. oh well.
Also relevant: http://asert.arbornetworks.com/2008/02/internet-routing-inse...
It's not plausible that they could have pulled in any traffic they so choose, but (depending on where their border is placed) they could have grabbed most of it. Also, it's not necessarily obvious to a casual observer what they could have grabbed.
 Internet routing in practice is based mostly on politics, a little bit on cost, and basically just uses performance as a tie-breaker.
It's not relatively easy to become a Firefox root CA, but too many people are, and part of the reason why is that your cert store configuration is buried deep in the "don't touch, no user serviceable parts" bowels of your configuration.
More info: http://web.monkeysphere.info/why/#index1h2
Thankfully, it is very unlikely that anything like this would ever see widespread adoption, thus allowing us to sidestep the question of how it might work if they turned X509 off.
Got a message that it was accessed by United States (webcontrolcenter.com:220.127.116.11) 21 hours ago.
WTF is happening
Advise on what to do now is welcomed here
Please leave a comment as the down votes are cryptic to me.
Sorry for the harsh words.