GitHub MitM attack orchestrated by Chinese censors?
China-based users and visitors of GitHub, the globally popular online source code repository, were targeted with a man-in-the-middle attack late last Friday, reports GreatFire.org, a non-profit organization that monitors the government’s online censorship efforts in China.
They say that for an hour or so, visitors from China were faced with browser warning messages about invalid SSL certificates, and speculate that the people behind the attack might have been the developers of the “Great Firewall” of China, who were named in a petition put forward to the White House, asking that “people who help internet censorship should be denied entry to the U.S.”
“The petition has gathered more than 8,000 signatures in the five days since. To make the idea specific, there is a link to a list of Chinese individuals accused of contributing to the technical infrastructure behind online censorship in China. And this list is hosted on – you guessed it – GitHub,” GreatFire reports.
“The list has gathered hundreds of comments, the vast majority in Chinese. One of these comments contains the supposed address and ID number of Fang Binxing, the Principal of Beijing University of Posts and Telecommunications and often called the ‘Father of China’s Great Firewall’. Another comment links to another much longer list of supposed contributors to the Great Firewall, also hosted on GitHub.”
The Chinese government had blocked access to GitHub a week earlier, but was forced to restore access because of public protest, and probably because blocking it cripples the ability of Chinese developers to collaborate, and thus to innovate.
“[The authorities] can’t selectively block content on GitHub nor monitor what users are doing there. They also cannot block the website altogether lest they hurt important Chinese companies,” GreatFire claims. “This is where man-in-the-middle attacks make their entrance. By faking SSL certificates, the authorities can indeed intercept and track traffic to encrypted websites.”
They say that the attack was “crude” (the fake SSL certificate was not signed by a known certificate authority), “irrational”, and short-lived, but unfortunately that doesn’t mean that some of the visitors’ passwords weren’t recorded.
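As an added illustration, not code from GreatFire or the original report, the Go program below uses only the standard library’s crypto/x509 to show why a fake certificate from an unknown CA produces the browser warnings described above, and why a subtler forgery signed by a CA the client already trusts would pass chain validation and be caught only by a public-key pin. The hostname, CA names and keys are all constructed locally.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent, or a self-signed root CA when parent is nil.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
	}
	if parent == nil { // root CA: signs itself and later the end-entity certificate
		tmpl.IsCA, tmpl.KeyUsage, parent, pkey = true, x509.KeyUsageCertSign, tmpl, key
	} else { // end-entity certificate carrying the hostname the browser checks
		tmpl.DNSNames, tmpl.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin hashes the certificate's public key, the value a client pins out of band.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// accept returns {chainOK, pinOK} for leaf as seen by a client holding roots and pin: a chainOK failure
// is what produced the browser warnings; pinOK also catches a forgery signed by a trusted CA.
func accept(leaf *x509.Certificate, roots *x509.CertPool, host string, pin [32]byte) [2]bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return [2]bool{err == nil, spkiPin(leaf) == pin}
}

// Scenario checks the genuine certificate, a forgery from an unknown CA (the "crude" attack above),
// and the same forgery once the forger's CA sits in the client's trust store (compromised or coerced CA).
func Scenario(host string) (genuine, forged, forgedByTrustedCA [2]bool) {
	realCA, realKey := issue("Real Root CA", nil, nil)
	rogueCA, rogueKey := issue("Rogue Root CA", nil, nil)
	realLeaf, _ := issue(host, realCA, realKey)
	rogueLeaf, _ := issue(host, rogueCA, rogueKey)
	pin, roots := spkiPin(realLeaf), x509.NewCertPool() // pin recorded over a clean connection
	roots.AddCert(realCA)
	genuine, forged = accept(realLeaf, roots, host, pin), accept(rogueLeaf, roots, host, pin)
	roots.AddCert(rogueCA) // the forger's CA becomes trusted
	return genuine, forged, accept(rogueLeaf, roots, host, pin)
}
```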