To clarify, this looks more like someone turning off SSL access to GitHub than a proper MITM attack in the traditional sense.

The certificate in that link is just a self-signed certificate, not something signed by a CA:

Issuer: C=US, ST=Some-State, O=github.com, OU=github.com, CN=github.com
Subject: C=US, ST=Some-State, O=github.com, OU=github.com, CN=github.com

So your browser will warn you that you are not making a secure connection. Firefox users, for instance, will have to make 5 clicks to get through that warning and visit the page.

I think "China turns off SSL access to GitHub" might be a more appropriate title.
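A check for the issuer-equals-subject condition the comment above points at, as an added example that is not part of this thread: a minimal DER walker (standard library only, hypothetical helper names) that reports whether a certificate is self-issued, run against a constructed sample certificate that carries no real key or signature.

```python
# Added example: flag a certificate whose issuer equals its subject (self-issued).
def _tlv(tag, body):
    n = len(body)  # DER TLV encoder; lengths up to 255 bytes suffice for the sample
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def _children(buf, start, end):
    out, pos = [], start  # (tag, whole TLV bytes) for each element of a SEQUENCE
    while pos < end:
        tag, _, ve = _read_tlv(buf, pos)
        out.append((tag, buf[pos:ve]))
        pos = ve
    return out

def certificate_names(der):
    """Return (issuer, subject) as raw DER Name encodings from a certificate."""
    _, cs, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE
    _, ts, te = _read_tlv(der, cs)             # tbsCertificate ::= SEQUENCE
    fields = _children(der, ts, te)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo...
    return fields[2][1], fields[4][1]

def is_self_issued(der):
    issuer, subject = certificate_names(der)   # byte-identical Names, as quoted above
    return issuer == subject

# --- constructed sample: syntactically valid Certificate, dummy key and signature ---
def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN."""
    atv = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))

def toy_cert(issuer_cn, subject_cn):
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
                     + _name(issuer_cn) + _tlv(0x30, _tlv(0x17, b"130101000000Z")
                     + _tlv(0x17, b"140101000000Z")) + _name(subject_cn)
                     + _tlv(0x30, alg + _tlv(0x03, b"\x00")))  # placeholder SPKI
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))         # placeholder signature
```

Real certificates can be fed in as DER bytes, for instance the output of ssl.PEM_cert_to_DER_cert on a saved PEM file. A byte-identical issuer and subject is exactly what leaves a browser with no chain to a trusted CA and triggers the warning described above.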

SSL infrastructure was already known to be best treated as globally compromised.

If this is real, then the Chinese may have collected some interesting statistics regarding the percentage of developers who don't care about certificate issues.

I didn't see the cert appear over the wire myself, but I'm in China at the moment and spent part of this week in communication with the Gentoo and Debian release engineering teams suggesting they revisit perceived issues in their respective key distribution processes and documentation (issues focused on automated validation of install media; not individual packages). Gentoo was already working on it and Debian got back to me pretty quick. I don't feel I was wasting my time now.

Really, we need a key distribution and trust anchor solution for the masses, as Moxie has spoken about, that includes 'trust agility'. IIRC the latest iteration of his proposed solution there is http://tack.io/

It's worth pointing out that many governments have MITM and warrantless surveillance systems, not only the Chinese. For more background see http://wikileaks.org/spyfiles/ which summarizes "Mass interception of entire populations is not only a reality, it is a secret new industry spanning 25 countries." and Jacob Applebaum's keynote at 29C3, https://www.youtube.com/watch?v=QNsePZj_Yks (YouTube is also banned in China).

(edit: posted beneath this thread as moxie is one of the community's most respected parties in this area and just posted, but had some extra info in here! :)

I don't think there's proof of China doing anything here. Perhaps someone on OP's coffee shop WiFi is poisoning arp tables and forging certs.

This seems really sloppy for China. Without further proof, I don't think it was the govt.

Agreed there's nothing in the data to directly suggest government involvement.

It's only "sloppy," though, when conceptualized as a MITM. China does have an extensive history of censoring access to sites, and recently censored access to GitHub entirely IIRC. It could be that they decided to block SSL access, but allow HTTP access, and this is how they implemented that.

Everything in my bones (25 years, 中文研究, China research) tells me the China government is directly involved with this. China is corrupt beyond belief, and any smaller destabilization can lead to further problems.

I agree that this may be a further extending of the "New Years train ticket" block on Github.

It may also be new toying after the recent "experiment". Leaving Github without SSL inside China still makes trouble - China's insidious corruption at the very top is subtle, incremental small steps, all designed for the "long game".

It may also be raw mercantilism ... as with Google, Twitter, and Facebook long before this.

How did your 25y of China research get the Chinese characters wrong?

It should be 中国研究 but you said 中文研究, which means Chinese text research.

As a sort of old China hand: China is corrupt, but not beyond belief. There are plenty of countries that are much more corrupt; even India is worse than China, and they even have democracy.

The level of sophistication that the GFW seems to be achieving is disturbing. We've had certificate attacks before; perhaps they are testing something out that will be deployed more broadly to solve their "gmail" problem?

It appears that my contrived scenario is incorrect. The incident seems to have occurred at several locations across the country. Assuming this is correct, it does appear to be a government action.

Thanks, Moxie - The original article in China (by top-notch geeks) wrote 中间人攻击 which translates directly to "man-in-the-middle attack".

Appreciate your insight - thanks for weighing in on this.

And this only lasted for a few hours. Users connecting to GitHub saw a perfect TLSv1 session without GitHub sending its real cert. This means GitHub was routed to a reverse proxy for the MITM test.

