
This reminds me of the Firefox certificate "bug"[1] from two years ago. A Chinese certificate root server was added to the trusted servers in Firefox, and Chinese hackers started submitting bug reports about it, since people don't trust certificate servers run by the Chinese government. A man-in-the-middle attack was exactly what the Chinese hackers were worried about.

If they put this fake certificate on a certificate root server that's in the trusted server list, they can easily get the account of anyone who's using an affected browser.

It's weird that they start with GitHub. It's not a website that's popular among human rights activists or any other people the Chinese government might be interested in. Instead, it's popular among programmers and hackers, who are the main group and force in China helping people bypass the GFW to access blocked content. I suppose this attack might be what the government uses to test the reaction and capability of hackers.

Seriously, this is really, really, bad.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=542689

EDIT: added link for bug report

Spoofing GitHub's SSL certificate is a step in the direction of inserting espionage-style backdoors, as GitHub permits HTTPS read-only checkouts of repositories.

I'm not suggesting that this will be free of problems, given how particular Git is about checksums, nor am I certain what methods they would use to acquire SSH commit access for altering repository contents to affect the rest of the world.

Still, it's absolutely a necessary prerequisite to altering data from GitHub - and, if they acquire SSH keys, altering data at GitHub. Both possibilities are terrifying.

GitHub now [allows HTTPS pushes][1], so a man-in-the-middle attack on a single connection would be sufficient to push backdoors. In any case, can't the intermediary just add another SSH key to the account?

[1]: https://help.github.com/articles/pushing-to-a-remote

If CNNIC is complicit in a MITM attack there will be a paper trail (namely a certificate signed by them) proving their involvement. To this day nobody has produced a cert signed by CNNIC that was used for a MITM attack. There's no reason to believe that CNNIC is bad/evil/whatever other than their affiliation with the PRC.

Disclosure: I work for Mozilla, but not on security.

Thanks for the reply. Glad to see some guy from Mozilla here!

You are right that there's no reason to believe CNNIC has to be bad/evil/whatever, but we cannot assume CNNIC would never be bad/evil either. We have to look at its history, and at what's behind it.

When something turns bad, it won't put out an announcement beforehand, and we need something that can handle this in time.

I'm thinking about something like this: in addition to the trusted root server list, keep another list, e.g., less trusted root servers; besides the normal update program, put a special piece of code in the browser that allows the Firefox team to delete a certain root server from the less trusted root servers over the air. By "over the air", I mean not needing a full version update or restarting the browser. It can warn the user, but it should not be possible to cancel the deletion.

That's something that we've considered doing. I'm not sure what the current state is. I suspect there's a bug somewhere on bugzilla.mozilla.org for implementing a cert blocklist that does not require a full update.
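An added illustration of the mechanism proposed in the two comments above (my own example code, not Mozilla's implementation or anything the thread links to): a certificate blocklist that is pushed independently of the release cycle, keyed by issuer and serial the way a CRL identifies a certificate, consulted before the ordinary trust check, and deliberately not subject to the user's "ignore the warning" override. The `Cert` record, the CA name and the serial numbers are hypothetical stand-ins; a real implementation would match on DER-encoded issuer names and serials rather than strings.

```python
"""Push-updated certificate blocklist consulted during chain validation.

Added example: not the page's or Mozilla's code. Names and serials are made up.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal certificate record (real code would parse DER)."""
    subject: str
    issuer: str
    serial: int


BlockEntry = Tuple[str, Optional[int]]  # (issuer, serial); serial None = whole issuer


@dataclass
class Blocklist:
    """Blocklist delivered out of band, i.e. without a full browser update.

    An entry (issuer, serial) blocks one certificate, like a CRL entry.
    An entry (issuer, None) blocks everything that issuer signed; for a
    self-signed root that includes the root itself, which is what "delete
    a root server over the air" amounts to.
    """
    version: int = 0
    entries: Set[BlockEntry] = field(default_factory=set)

    def apply_update(self, version: int, add: Iterable[BlockEntry]) -> bool:
        # Reject stale or replayed pushes: the version must strictly increase.
        if version <= self.version:
            return False
        self.entries |= set(add)
        self.version = version
        return True

    def blocks(self, cert: Cert) -> bool:
        return ((cert.issuer, cert.serial) in self.entries
                or (cert.issuer, None) in self.entries)


def validate_chain(chain: List[Cert],
                   trusted_roots: Set[Tuple[str, int]],
                   blocklist: Blocklist,
                   ignore_warnings: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason). chain[0] is the leaf, chain[-1] the root.

    ignore_warnings models the user clicking through an "untrusted" warning;
    it must never rescue a blocklisted certificate.
    """
    if not chain:
        return False, "empty chain"
    # 1. Blocklist first: a hit is fatal regardless of any user override.
    for c in chain:
        if blocklist.blocks(c):
            return False, f"blocked: {c.subject} (serial {c.serial}) issued by {c.issuer}"
    # 2. Linkage: each certificate must be issued by the next one up.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"broken chain at {child.subject}"
    # 3. Anchor: the top certificate must be a self-signed, trusted root.
    top = chain[-1]
    anchored = top.issuer == top.subject and (top.subject, top.serial) in trusted_roots
    if not anchored:
        # A self-signed leaf (as in the GitHub incident) ends up here: the
        # user may override this warning, which is exactly why a blocklist
        # hit has to be decided before reaching this point.
        return (True, "untrusted, user override") if ignore_warnings else (False, "untrusted")
    return True, "ok"


# Constructed sample data (hypothetical CA and serials).
ROOT = Cert("Example Root CA", "Example Root CA", 1)
LEAF = Cert("github.com", "Example Root CA", 1001)
FAKE = Cert("github.com", "github.com", 7)          # self-signed impostor
TRUSTED = {(ROOT.subject, ROOT.serial)}


if __name__ == "__main__":
    bl = Blocklist()
    print(validate_chain([FAKE], TRUSTED, bl))                        # (False, 'untrusted')
    print(validate_chain([FAKE], TRUSTED, bl, ignore_warnings=True))  # user clicked through
    print(validate_chain([LEAF, ROOT], TRUSTED, bl))                  # (True, 'ok')
    # The root is later pushed to the blocklist without a browser update.
    bl.apply_update(1, [("Example Root CA", None)])
    print(validate_chain([LEAF, ROOT], TRUSTED, bl, ignore_warnings=True))  # blocked, no override
    print(bl.apply_update(1, []))                                     # False: replayed version
```

Two design points worth noting: the blocklist is checked before the trust-anchor step so that "ignore warnings" cannot reach a blocked certificate, and updates carry a monotonically increasing version so a replayed or downgraded push cannot silently un-block anything.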

CNNIC is notorious for producing malware and many other things. Some are listed here: http://en.wikipedia.org/wiki/CNNIC

Having been in the internet industry in China for more than 10 years before I decided to move to the US, I would say CNNIC is just as evil as any government organization in China, if not worse. There are some well known rules regarding CNNIC: don't buy a .cn domain, don't install any software from them, and don't trust what they say.

BTW, non-government organizations are technically banned in China. You need to apply for a permit, and you seldom get one.

If you actually look at the certificate, it is self-signed, not signed by a malicious root server. Your anecdote has nothing to do with this current attack.

You are right. This one has nothing to do with root servers. But they are already able to fake certificates nationwide. It's only one step from adding it to a root server.

My sense is that there is a correlation between geeks and activists, so I think it's a "logical" group to target for further "attention"/persecution. It also makes sense to want to inject flaws in project code. (Even though git has hashes, the hash can be fine if the injection happens on commit.)

I have always imagined that GitHub would be a huge target for the Chinese... for industrial espionage. They could get the source for private repositories of many startups and successful companies.

Don't forget the ability to inject code into repos on behalf of someone else.

If you've been logged into GitHub and you told your browser to ignore the warnings, then better keep a really good eye on your commit log, lest something pops up that you didn't actually put there.

And change your password at the earliest opportunity.

I doubt very much of value is on github.com as opposed to more secure GitHub Enterprise installations behind company firewalls.

Uncounted open source projects that end up being run with root privileges are on GitHub. It all depends on how you determine value.

If value is defined as the number of machines that can be backdoored, communications intercepted and so on, then it may very well be that that other form of value will be realized in good time as well.

> It's weird that they start with Github.

I don't think it's safe to assume that they started with GitHub.

Some possible reasons:

GitHub is popular among developers.

Many developers have faster computers and more computers per household than others who aren't in IT/development.

Many developers, though they pretend to be security minded and focused at times, often have a more lax attitude in practice than system administrators, especially at home or working on personal projects.

Some developers have more usernames/passwords and certs to other servers available than non-developers would.

Some developers have access to other confidential data or newer technology that could be of practical use.

Tools for bypassing the firewall are often distributed on GitHub, so it makes sense as part of a lockdown.

FWIW, I always try to remove the CNNIC root cert from my setups. It's not that hard to do (except for iOS devices) and I have never had an issue since I don't frequent sites that would be signed by CNNIC.
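An added example (my own script, not something posted in the thread) of the two distinctions the comments above turn on: what "self-signed" means to a verifier as opposed to "signed by a root in the trust store", and what removing a root from that store actually does. Everything is generated locally with the openssl CLI; the "Example Root CA", the github.com certificates and the empty root bundle are constructed for the demonstration and are not GitHub's, CNNIC's or anyone else's real key material.

```sh
#!/bin/sh
# Added example, not from the page. All certificates below are generated here
# with throwaway keys; the CA name and file names are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A stand-in root CA, playing the role of any root in a browser's trust store.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -keyout ca.key -out ca.pem 2>/dev/null

# A legitimate leaf for github.com, signed by that root.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=github.com" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null

# An impostor with the same CN, signed only by its own key: no CA vouches for it.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=github.com" -keyout fake.key -out fake.pem 2>/dev/null

# A root bundle with the root removed (models deleting a root from the trust store).
: > no-roots.pem

# Print a DN field (subject or issuer) without the "subject=" / "issuer=" prefix.
dn() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[^=]*=[ ]*//'; }

# Self-signed means subject == issuer. Matching the expected hostname says
# nothing about who signed it, which is why the CN alone is no evidence.
is_self_signed() {
    [ "$(dn subject "$1")" = "$(dn issuer "$1")" ] && echo yes || echo no
}

# Chain validation of $2 against the root bundle $1: prints ok or fail.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
}

echo "leaf self-signed:      $(is_self_signed leaf.pem)"            # no
echo "fake self-signed:      $(is_self_signed fake.pem)"            # yes
echo "leaf vs root bundle:   $(verify_against ca.pem leaf.pem)"     # ok
echo "fake vs root bundle:   $(verify_against ca.pem fake.pem)"     # fail
echo "leaf vs empty bundle:  $(verify_against no-roots.pem leaf.pem)"  # fail
```

The last line is the cost of the "remove the root" approach: once a root is gone from the bundle, every certificate that legitimately chains to it fails exactly like the impostor does, so the mitigation only works if you genuinely never need sites under that CA.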

Maybe having access to the source code of a site or app = access to the site or app.
