This reminds me the Firefox certificate "bug" two years ago. A China certificate root server was added into trusted servers in Firefox and Chinese hackers started to submit bug report regarding this, since people don't trust certificate servers run by China government. Man-in-the-middle attack was exact what Chinese hackers worried about.
If they put this fake certificate in a certificate root server that's in the trusted server list, they can easily get anyone's account who's using affected browsers.
It's weird that they start with Github. It's not a website that's popular among human activists or any other people that China government might be interested in. Instead, it's popular among programmers and hackers, who are the main group and forces in China to help people bypass GFW to access blocked content. I suppose this attack might be what the government uses to test reaction and capability of hackers.
Spoofing GitHub's SSL certificate is a step in the direction of inserting espionage-style backdoors, as GitHub permits HTTPS read-only checkouts of repositories.
I'm not suggesting that this will be free of problems, given how particular Git is about checksums, nor am I certain what methods they would use to acquire SSH commit access for altering repository contents to affect the rest of the world.
Still, it's absolutely a necessary prerequisite to altering data from GitHub - and, if they acquire SSH keys, altering data at GitHub. Both possibilities are terrifying.
GitHub now [allows HTTPS pushes], so a man-in-the-middle attack on a single connection would be sufficient to push backdoors. In any case, can't the intermediary just add another SSH key to the account?
If CNNIC is complicit in a MITM attack there will be a paper trail (namely a certificate signed by them) proving their involvement. To this day nobody has produced a cert signed by CNNIC that was used for a MITM attack. There's no reason to believe that CNNIC is bad/evil/whatever other than their affiliation with the PRC.
Disclosure: I work for Mozilla, but not on security.
Thanks for the reply. Glad to see some guy from Mozilla here!
You are right there's no reason to believe that CNNIC has to be bad/evil/whatever, but we cannot assume CNNIC would never be bad/evil either. We have to look at its history, and what's behind it.
When something turns bad, it won't throw out an announcement beforehand. And we need something that can handle this in time.
I'm thinking about something like this: in addition to the trusted root server list, keep another list, e.g., less trusted root servers; besides normal update program, put a special piece of code in the browser that allows firefox team to delete certain root server from less trusted root servers on the air. By "on the air", I mean not needing a full version update, or restarting the browser. It can warn the user, but it should not be possible to canceled the deletion.
That's something that we've considered doing. I'm not sure what the current state is. I suspect there's a bug somewhere on bugzilla.mozilla.org for implementing a cert blocklist that does not require a full update.
Having been in the internet industry in China for more than 10 years before I decided to move to the US I would say CNNIC is just as evil as any government organization in China if not worse. There are some well known rules regarding CNNIC: don't buy a .cn domain, don't install any software from them and don't trust what they say.
BTW non government organizations are technically banned in China. You need to apply for a permit and you seldom get one.
My sense is that there is a correlation between geeks and activists, so I think it's a "logical" group to target for further "attention"/persecution. It also makes sense to want to inject flaws in project code. (Even though git has hashes, the hash can be fine if the injection happens on commit.)
Many developers have faster computers and more computers per household than others that aren't in IT/development.
Many developers, though they pretend to be security minded and focused at times, often have a more lax attitude in practice than system administrators, especially at home or working on personal projects.
Some developers have more usernames/passwords and certs to other servers available than non-developers would.
Some developers have access to other confidential data or newer technology that could be of practical use.
FWIW, I always try to remove the CNNIC root cert from my setups. It's not that hard to do (except for iOS devices) and I have never had an issue since I don't frequent sites that would be signed by CNNIC.