Authorities launch man-in-the-middle attack on Google
What happened?
From August 28, 2014, reports appeared on Weibo and Google Plus that users in China trying to access google.com and google.com.hk via CERNET, the country’s education network, were receiving warning messages about invalid SSL certificates. The evidence, which we include later in this post, indicates that this was caused by a man-in-the-middle attack.
While the authorities have been blocking access to most things Google since June 4th, they have kept their hands off of CERNET, China’s nationwide education and research network. However, in the lead up to the new school year, the Chinese authorities launched a man-in-the-middle (MITM) attack against Google.
We broke the news about the MITM attack on Github in January 2013. To borrow from that blog post, Wikipedia defines a man-in-the-middle attack in the following way:
The man-in-the-middle attack...is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Why?
There is a clear incentive to implement a man-in-the-middle attack against Google. Google enforced HTTPS by default on March 12, 2014 in China and elsewhere. That means that all communication between a user and Google is encrypted by default. Only the end user and the Google server know what information is being searched and returned. The Great Firewall, through which all outgoing traffic from China passes, only knows that a user is accessing data on Google’s servers - not what that data is. This in turn means that the authorities cannot block individual searches on Google - all they can do is block the website altogether. This is what has happened on the public internet in China but has not happened on CERNET.
The authorities know that if China is to make advances in research and development, if China is to innovate, then there must be access to the wealth of information that is accessible via Google. CERNET has long been considered hands off when it comes to censorship, for this very reason. Even long-blocked services such as YouTube and Google+ are available via CERNET. In contrast, on the public internet in China, Google Scholar is blocked and the China version of the site redirects users to the Hong Kong version of the site, which is also blocked.
Up until last month, access to Google remained relatively unfettered for those accessing the properties via CERNET. But as we have seen on just about every front, the current administration is hellbent on controlling the medium as well as the message. Instead of just outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities felt that a MITM attack would serve their purpose. By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results.
Has it happened before?
At the beginning of last year, the Chinese authorities staged a country-wide MITM attack on Github.
Will it happen again?
The short answer is yes. We predicted last year that because of the increased shift to encryption, man-in-the-middle attacks were likely to become an increasingly tempting choice for the authorities.
The Details
There have been multiple user reports from those using CERNET about fake certificates when accessing Google. Netresec did a great forensic analysis of the MITM attack on Github. We contacted Netresec with the wire captures below. They concluded that all evidence indicates that a MITM attack is being conducted against traffic between China’s nationwide education and research network CERNET and Google. The machines performing the MITM attack are most likely injecting packets somewhere at the outer border of CERNET, where they are peering with external networks. Their full forensic analysis is available online.
We do not have data ourselves to show how or if this happened. We have relied on the sources listed below. Many of these sources were used in this report on Solidot.
Screenshot taken by Weibo user
The screenshot shows the user trying to access Google using the Chrome browser and receiving a warning about an invalid SSL certificate. For Chrome and Firefox users, the browser won’t allow you to bypass the certificate warning for Google because Google enables HTTP Strict Transport Security (HSTS).
Another screenshot by the same user compared the certificate he received with a normal connection (on the left) and a connection under the man-in-the-middle attack (on the right).
Reports on Google Plus
https://plus.google.com/u/0/115822850906053020654/posts/EGW4NEd7z3N
https://plus.google.com/+duffJiang/posts/Dk5LrD7CiWM
Wireshark capture files
We have some Wireshark capture files. If you need to examine them, please contact us. Redacted versions appear in the Netresec report.
Copy of fake SSL certificate
Uploaded to Google Drive (copy hosted by us). This fake certificate has been seen by multiple users. See below for a comparison of the current valid certificate and the fake one used during the attack.
What should you do
You should never click through when you see a certificate warning. You should use Firefox or Chrome as these browsers won’t even allow you to click through the warning for websites that use HSTS (like Google and Github). If you click through the warning, your Google account credentials can be stolen, which means all your Gmail can be read by the attacker.
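The reason Chrome and Firefox refuse a click-through for Google is the HSTS cache: once a host has sent a Strict-Transport-Security header over a correctly validated connection, the browser records it, and a later certificate error for that host (or, with includeSubDomains, for any host under it) is treated as fatal rather than as a warning the user can dismiss. The Go code below is an added example written for this post, not browser code or code from the original article; it parses the header as RFC 6797 specifies, keeps the cache with expiry and superdomain matching, and reduces the browser's reaction to a certificate error to one decision. The host names and header values in the usage are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Policy is one cached HSTS entry, kept the way a browser keeps it after seeing
// the header on a response that arrived over a correctly validated connection.
type Policy struct {
	Expires           time.Time
	IncludeSubDomains bool
}

// ParseHSTS parses a Strict-Transport-Security header value (RFC 6797, section 6.1).
// Unknown directives such as "preload" are ignored, as the RFC requires.
func ParseHSTS(value string, now time.Time) (Policy, error) {
	var p Policy
	seenMaxAge := false
	for _, raw := range strings.Split(value, ";") {
		name, arg, _ := strings.Cut(strings.TrimSpace(raw), "=")
		name = strings.ToLower(strings.TrimSpace(name))
		arg = strings.Trim(strings.TrimSpace(arg), `"`)
		switch name {
		case "":
			continue
		case "max-age":
			if seenMaxAge {
				return p, errors.New("hsts: duplicate max-age")
			}
			seenMaxAge = true
			secs, err := strconv.ParseInt(arg, 10, 64)
			if err != nil || secs < 0 {
				return p, fmt.Errorf("hsts: bad max-age %q", arg)
			}
			p.Expires = now.Add(time.Duration(secs) * time.Second)
		case "includesubdomains":
			p.IncludeSubDomains = true
		}
	}
	if !seenMaxAge {
		return p, errors.New("hsts: max-age is required")
	}
	return p, nil
}

// Store is the browser's list of known HSTS hosts.
type Store struct{ hosts map[string]Policy }

func NewStore() *Store { return &Store{hosts: map[string]Policy{}} }

// Observe records the header for host. A browser calls this only for responses
// whose certificate validated; a header seen through a MITM never gets here.
func (s *Store) Observe(host, header string, now time.Time) error {
	p, err := ParseHSTS(header, now)
	if err != nil {
		return err
	}
	host = strings.ToLower(host)
	if !p.Expires.After(now) { // max-age=0 tells the client to forget the host
		delete(s.hosts, host)
		return nil
	}
	s.hosts[host] = p
	return nil
}

// IsKnown reports whether host is covered: either an exact, unexpired entry or
// a superdomain entry that carries includeSubDomains (RFC 6797, section 8.2).
func (s *Store) IsKnown(host string, now time.Time) bool {
	labels := strings.Split(strings.ToLower(host), ".")
	for i := range labels {
		p, ok := s.hosts[strings.Join(labels[i:], ".")]
		if ok && p.Expires.After(now) && (i == 0 || p.IncludeSubDomains) {
			return true
		}
	}
	return false
}

// Decision is what the browser does with a certificate validation result.
type Decision string

const (
	Proceed    Decision = "proceed"
	Bypassable Decision = "warning page with a click-through"
	HardFail   Decision = "error page, no click-through"
)

// Decide applies the rule described in the post: a certificate error on a known
// HSTS host is fatal, on any other host the browser still offers a click-through.
func (s *Store) Decide(host string, certValid bool, now time.Time) Decision {
	switch {
	case certValid:
		return Proceed
	case s.IsKnown(host, now):
		return HardFail
	default:
		return Bypassable
	}
}
```

Usage: after `s.Observe("example.com", "max-age=31536000; includeSubDomains", now)`, a certificate error for www.example.com returns HardFail while the same error for an unrelated host returns Bypassable; once the max-age has elapsed the entry no longer applies, which is why sites that want the protection to survive a long absence also ship in the browsers' built-in preload lists.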
You can also use our Google mirror to access Google. Days after the authorities blocked Google in China in June, we launched a mirror of Google. Since that time, over 1 million Chinese have used our “FreeGoogle” mirror and have accessed other information that we have made unblockable in China.
Corrections
We sent a newsletter to our subscribers yesterday where we stated that those who access the world wide web via CERNET were able to access sites like YouTube and Facebook. While we test what websites are blocked on the public internet, we do not test what is blocked on CERNET. YouTube and Facebook are in fact blocked (as are other sites), but Google was unaffected until this man-in-the-middle attack and we are now seeing reports that access to Gmail via CERNET is being blocked.