Man-in-the-middle attack on Github. -- http://bit.ly/Vqh8zJ
Fake GITHUB cert -- http://www.mediafire.com/?zx6eno648axz7bh
Twitter (Github attack news) -- https://www.twitter.com/search/?q=Github%20SSL
(It's not preloaded HSTS so it would have to be learnt from a previous, unattacked connection.)
I know that the unbypassable errors for some sites upset the more technically minded people, but I think that incidents like this show its value.
The CloudShark trace shows what appears to be Firefox connecting to the GitHub IP address, but the server clearly isn't GitHub from the config. The server appears to be configured to accept the client's ciphersuite preference, but doesn't support DHE nor ECDHE.
The server is also only 9ms from the client - that's clearly not crossing any oceans. I'd also guess that the server is overloaded at the time because the ServerHello (which doesn't take significant processing to generate in this case) takes 900ms to come back.
Sadly, it appears to show the user overriding the certificate error and talking to the server anyway :( Hopefully that was a fresh FF install just to see what would happen (which would explain why HSTS didn't prevent the override).
Lastly, the certificate appears to be self-signed, but the Authority Key Id doesn't match. One assumes, based on "OpenSSL Generated Certificate" that OpenSSL was used, but the person may have had some trouble. I'd guess that they generated a CA certificate first (with the same Subject) and then signed the certificate in question as a leaf. Many of the tutorials that you'll find online are for that sort of setup so perhaps they weren't very familiar with X.509 certificates.
where would one keep up with stuff like that other than keeping up with new rfc's?
SSL/TLS Deployment Best Practices
It seems even github is susceptible to this. That is, for people who type www.github.com into their browser rather than github.com. They both did the redirect wrong, as well as left off HSTS of https://www.github.com.
The certificate in that link is just a self-signed certificate, not something signed by a CA:
Issuer: C=US, ST=Some-State, O=github.com, OU=github.com, CN=github.com
Subject: C=US, ST=Some-State, O=github.com, OU=github.com, CN=github.com
So your browser will warn you that you are not making a secure connection. Firefox users, for instance, will have to make 5 clicks to get through that warning and visit the page.
I think "China turns off SSL access to GitHub" might be a more appropriate title.
If this is real, then the Chinese may have collected some interesting statistics regarding the percentage of developers who don't care about certificate issues.
I didn't see the cert appear over the wire myself, but I'm in China at the moment and spent part of this week in communication with the Gentoo and Debian release engineering teams suggesting they revisit perceived issues in their respective key distribution processes and documentation (issues focused on automated validation of install media; not individual packages). Gentoo was already working on it and Debian got back to me pretty quick. I don't feel I was wasting my time now.
Really, we need a key distribution and trust anchor solution for the masses, as Moxie has spoken about, that includes 'trust agility'. IIRC the latest iteration of his proposed solution there is http://tack.io/
It's worth pointing out that many governments have MITM and warrantless surveillance systems, not only the Chinese. For more background see http://wikileaks.org/spyfiles/ which summarizes "Mass interception of entire populations is not only a reality, it is a secret new industry spanning 25 countries." and Jacob Applebaum's keynote at 29C3, https://www.youtube.com/watch?v=QNsePZj_Yks (Youtube is also banned in China).
(edit: posted beneath this thread as moxie is one of the community's most respected parties in this area and just posted, but had some extra info in here! :)
This seems really sloppy for China. Without further proof, I don't think it was the govt.
It's only "sloppy," though, when conceptualized as a MITM. China does have an extensive history of censoring access to sites, and recently censored access to GitHub entirely IIRC. It could be that they decided to block SSL access, but allow HTTP access, and this is how they implemented that.
I agree that this may be a further extending of the "New Years train ticket" block on Github.
It may also be new toying after the recent "experiment". Leaving Github without SSL inside China still makes trouble - China's insidious corruption at the very top is subtle, incremental small steps, all designed for the "long game".
It may also be raw mercantilism ... as with Google, Twitter, and Facebook long before this.
It should be 中国研究 but you said 中文研究, which means Chinese text research.
The level of sophistication that the GFW seems to be achieving is disturbing. We've had certificate attacks before, perhaps they are testing something out that will be deployed more broadly to solve there "gmail" problem?
Appreciate your insight - thanks for weighing in on this.
If they put this fake certificate in a certificate root server that's in the trusted server list, they can easily get anyone's account who's using affected browsers.
It's weird that they start with Github. It's not a website that's popular among human activists or any other people that China government might be interested in. Instead, it's popular among programmers and hackers, who are the main group and forces in China to help people bypass GFW to access blocked content. I suppose this attack might be what the government uses to test reaction and capability of hackers.
Seriously, this is really, really, bad.
EDIT: added link for bug report
I'm not suggesting that this will be free of problems, given how particular Git is about checksums, nor am I certain what methods they would use to acquire SSH commit access for altering repository contents to affect the rest of the world.
Still, it's absolutely a necessary prerequisite to altering data from GitHub - and, if they acquire SSH keys, altering data at GitHub. Both possibilities are terrifying.
Disclosure: I work for Mozilla, but not on security.
You are right there's no reason to believe that CNNIC has to be bad/evil/whatever, but we cannot assume CNNIC would never be bad/evil either. We have to look at its history, and what's behind it.
When something turns bad, it won't throw out an announcement beforehand. And we need something that can handle this in time.
I'm thinking about something like this: in addition to the trusted root server list, keep another list, e.g., less trusted root servers; besides normal update program, put a special piece of code in the browser that allows firefox team to delete certain root server from less trusted root servers on the air. By "on the air", I mean not needing a full version update, or restarting the browser. It can warn the user, but it should not be possible to canceled the deletion.
Having been in the internet industry in China for more than 10 years before I decided to move to the US I would say CNNIC is just as evil as any government organization in China if not worse. There are some well known rules regarding CNNIC: don't buy a .cn domain, don't install any software from them and don't trust what they say.
BTW non government organizations are technically banned in China. You need to apply for a permit and you seldom get one.
If you've been logged into github and you told your browser to ignore the warnings then better keep a really good eye on your commit log, lest something pops up that you didn't actually put in there.
And change your password at the earliest opportunity.
If value is defined as the number of machines that can be backdoored, communications intercepted and so on then it may very well be that that other form of value will be realized in good time as well.
I don't think it's safe to assume that they started with Github.
GitHub is popular among developers.
Many developers have faster computers and more computers per household than others that aren't in IT/development.
Many developers, though they pretend to be security minded and focused at times, often have a more lax attitude in practice than system administrators, especially at home or working on personal projects.
Some developers have more usernames/passwords and certs to other servers available than non-developers would.
Some developers have access to other confidential data or newer technology that could be of practical use.
Does anyone have any theories why China would use a self signed certificate when it's very indiscreet? A lot of users will just click through if given the opportunity (around 60% in chrome before new security measures prevented it), but I doubt many users with truly sensitive private repos would do this.
But you have to wonder what goes on in their heads, what mindset would prompt you to sell out like that.
In the case of the Chinese government, I believe the bigger problem is patriots. They honestly believe that they are doing the Right Thing. So did the people who wrote Stuxnet.
And my claim is that it was likely written by people who consider themselves patriots, not mercenaries.
- the Chinese gov't is trying to identify users/developers of train-ticket-purchasing bots 
- they are is interested in capturing some intellectual property contained in private repos
- it's just an exercise to watch & learn how computer-literate users circumvent a MITM attack
Given the recent Github blockade, I'd go with the first.
How do we know that this isn't just a hijack of a Chinese isps dns server or something similar? Maybe the same that happened to Goolge Morocco just a couple of days ago ( http://arabcrunch.com/2013/01/breaking-google-morocco-google... ).
Juniper also implicated: http://www.cfr.org/china/us-internet-providers-great-firewal...
Blue coat: http://online.wsj.com/article/SB1000142405297020368750457700...
The list goes on ...
(We ended up setting up a gitlab box and it works just as well)
Personally, I use a mix
The perception that the cloud is somehow re-invented is in fact the saddening thing. It's just more accessible and faster than in the fast, but ultimately you can't manage infrastructure by abdication and farming it out.
There's always an uneasy balance between security and convenience.
The client declining to hosting code on github should be enough justification.
There's always a precarious balance between security and convenience.
The customers own their code. They have been around longer for more oscillations between the "cloud" and bare metal than most people who have an opinion on it.
They're forward thinking enough to not embrace the cloud, or bare metal, and instead are exploring hybrid cloud technology that can run on a combination, and more importantly, move dev ops between different environments.
One reality is many people who blindly think it's ok to put everything on in the cloud, don't always know of the reality of liability, or have a relationship with any codebase and the associated IP for more than a few years.
2FA serves as an annoyance to phishers, but whoever is doing this network attack has direct access to your session cookie.
Perhaps this is localised, or was just a trial for a few hours.
Still, shows the depth and corruption the China (gov't).