Outlook grim - Chinese authorities attack Microsoft

On January 17, we received reports that Microsoft’s email system, Outlook (which was merged with Hotmail in 2013), was subjected to a man-in-the-middle (MITM) attack in China.

The following screenshot shows what happens when a Chinese user accesses Outlook via an email client (in this case, Ice-dove):

We have tested Outlook to verify the attack and have produced the same results. IMAP and SMTP for Outlook were under a MITM attack. Do note however that the web interfaces (https://outlook.com and https://login.live.com/ ) were not affected. The attack lasted for about a day and has now ceased.

This form of attack is especially devious because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers (see screenshot at the end of this post for comparison).

(Sample error message from default iPhone mail client)

In addition, email clients normally run in the background. Users will only see an abrupt pop-up warning when the client tries to automatically retrieve messages. Users will then be able to tap on a “continue” button and ignore the warning message. As the user did not initiate the retrieval of emails, most users will not think twice about clicking on “continue” and will likely attribute the warning message to a network problem. If users do click on the “continue” button, then all of their emails, contacts and passwords will be logged by the attackers.

This attack comes within a month of the complete blocking of Gmail (which is still entirely inaccessible). Because of the similarity between this attack and previous, recent MITM attacks in China (on Google, Yahoo and Apple), we once again suspect that Lu Wei and the Cyberspace Administration of China have orchestrated this attack or have willingly allowed the attack to happen. If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor.

This new MITM attack comes three months after the iCloud MITM attack, which was widely reported in the media and which prompted Apple’s CEO Tim Cook to fly to China to raise the matter directly with the Chinese authorities. The Chinese foreign press spokesperson denied the “hacking” allegation and Apple has not made any public statements addressing the outcome of the discussions. However Apple did add a Chinese language help page (and an English one) which addresses similar issues. Apple refers to episodes of this nature as “organized network attacks”.

At the time of the iCloud attack, Google (over CERNET) and Yahoo were both experiencing MITM attacks and Outlook (web portal only) was under a MITM attack for a short period of time. Since the wide reporting of these attacks, GFW had not attempted any large scale attacks until this one. The authorities are most likely continuing to test their MITM technology. The authorities may also be gauging user response. By keeping track of how many users ignore the certificate warnings, the authorities will be able to determine the effectiveness of this type of attack.

We strongly recommend that users never bypass certificate error messages by clicking “continue”.

Call to Action

We suspect that the Cyberspace Administration of China, which is directly in charge of censorship and GFW, is directly responsible for the MITM attack against Outlook, and the recent related MITM attacks in China. CNNIC (China Internet Network Information Center) is directly governed by the Cyberspace Administration of China and should not be trusted as a certificate authority by major software vendors.

We have outlined CNNIC's dubious history in a previous blog post. Given the dangerous nature of this attack on Outlook, we again strongly encourage organizations, including Microsoft and Apple, to immediately revoke trust for the CNNIC certificate authority.

What are certificates used for?

Certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files.

What is a certification authority (CA)?  

Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.

Technical Details

IMAP/SMTP are commonly used on mobile email clients (e.g the default mail application on iPhones) and desktop email clients like Thunderbird. Internet Message Access Protocol (IMAP) is a protocol which allows users to connect to the same mailbox through multiple devices (i.e. your desktop, mobile, etc.). Simple Mail Transfer Protocol (SMTP) is typically used by users to send messages to a server which are then relayed to the recipient.

Wikipedia defines a man-in-the-middle (MITM) attack in the following way:

The man-in-the-middle attack...is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Tests

To reproduce the result in a Firefox browser, we first configured Firefox to allow access on port 993 which is the port used by IMAP. We then accessed https://imap-mail.outlook.com:993. We immediately received the warning message. As you can see, the certificate is self-signed, which is consistent with previous MITM attacks in China.

  outlook-MITM.png

The certificate error message shown in Chrome. Chrome was configured to allow connections via port 993.

The fake certificate used in the attack:

https://github.com/chengr28/RevokeChinaCerts/blob/master/Windows/Certs/[Fake]AnyHotmailCom_201501.crt

WireCapture:

https://www.cloudshark.org/captures/8bf76336e67d

Reports:

https://www.v2ex.com/t/163062 and https://www.v2ex.com/t/163018.

 

Comments

More Blog Posts

Subscribe to our mailing list
Show content from Blog | Google+ | Twitter | All. Subscribe to our blog using RSS.

Thu, Aug 10, 2023

1.4 million people used FreeBrowser to circumvent the Great Firewall of Turkmenistan

Since 2021, the authorities in Turkmenistan have taken exceptional measures to crack down on the use of circumvention tools. Citizens have been forced to swear on the Koran that they will not use a VPN. Circumvention tool websites have been systematically blocked. Arbitrary searches of mobile devices have also taken place and have even targeted school children and teachers.

The government has also blocked servers hosting VPNs which led to “near complete” internet shutdowns on several occasions in 2022. Current reports indicate that 66 hosting providers, 19 social networks and messaging platforms, and 10 leading content delivery networks (CDNs), are blocked in the country. The government presumably is unconcerned about the negative economic impact that such shutdowns can cause.

Fri, Mar 18, 2022

Well-intentioned decisions have just made it easier for Putin to control the Russian Internet

This article is in large part inspired by a recent article from Meduza (in Russian).

Since the beginning of the war in Ukraine, Russian users have had problems accessing government websites and online banking clients. Browsers began to mark these sites as unsafe and drop the connection. The reason is the revocation of digital security certificates by foreign certificate authorities (either as a direct consequence of sanctions or as an independent, good will move); without them, browsers do not trust sites and “protect” their users from them.

However, these actions, caused - or at least triggered by - a desire to punish Russia for their gruesome actions in Ukraine, will have long-lasting consequences for Russian netizens.

Digital certificates are needed to confirm that the site the user wants to visit is not fraudulent. The certificates contain encryption keys to establish a secure connection between the site and the user. It is very easy to understand whether a page on the Internet is protected by a certificate. One need just look at the address bar of the browser. If the address begins with the https:// prefix, and there is a lock symbol next to the address, the page is protected. By clicking on this lock, you can see the status of the connection, the name of the Certification Authority (CA) that issued the certificate, and its validity period.

There are several dozen commercial and non-commercial organizations in the world that have digital root certificates, but 3/4 of all certificates are issued by only five of the largest companies. Four of them are registered in the USA and one is registered in Belgium.

Mon, Aug 03, 2020

Announcing the Release of GreatFire AppMaker

GreatFire (https://en.greatfire.org/), a China-focused censorship monitoring organization, is proud to announce that we have developed and released a new anti-censorship tool that will enable any blocked media outlet, blogger, human rights group, or civil society organization to evade censors and get their content onto the phones of millions of readers and supporters in China and other countries that censor the Internet.

GreatFire has built an Android mobile app creator, called “GreatFire AppMaker”, that can be used by organizations to unblock their content for users in China and other countries. Organizations can visit a website (https://appmaker.greatfire.org/) which will compile an app that is branded with the organization’s own logo and will feature their own, formerly blocked content. The app will also contain a special, censorship-circumventing web browser so that users can access the uncensored World Wide Web. The apps will use multiple strategies, including machine learning, to evade advanced censorship tactics employed by the Chinese authorities.  This project will work equally well in other countries that have China-like censorship restrictions. For both organizations and end users, the apps will be free, fast, and extremely easy to use.

This project was inspired by China-based GreatFire’s first-hand experience with our own FreeBrowser app (https://freebrowser.org/en) and desire to help small NGOs who may not have the in-house expertise to circumvent Chinese censorship. GreatFire’s anti-censorship tools have worked in China when others do not. FreeBrowser directs Chinese internet users to normally censored stories from the app’s start page (http://manyvoices.news/).

Fri, Jul 24, 2020

Apple, anticompetition, and censorship

On July 20, 2020, GreatFire wrote to all 13 members of the Subcommittee on Antitrust, Commercial and Administrative Law of the U.S. House Committee on the Judiciary, requesting a thorough examination into Apple’s practice of censorship of its App Store, and an investigation into how the company collaborates with the Chinese authorities to maintain its unique position as one of the few foreign tech companies operating profitably in the Chinese digital market.  

This letter was sent a week before Apple CEO TIm Cook will be called for questioning in front of the Subcommittee on Antitrust, Commercial and Administrative Law. The CEOs of Amazon, Google and Facebook will also be questioned on July 27, as part of the Committee’s ongoing investigation into competition in the digital marketplace.

This hearing offers an opportunity to detail to the Subcommittee how Apple uses its closed operating ecosystem to not only abuse its market position but also to deprive certain users, most notably those in China, of their right to download and use apps related to privacy, secure communication, and censorship circumvention.

We hope that U.S. House representatives agree with our view that Apple should not be allowed to do elsewhere what would be considered as unacceptable in the U.S. Chinese citizens are not second class citizens. Private companies such as Apple compromise themselves and their self-proclaimed values of freedom and privacy when they collaborate with the Chinese government and its censors.

Mon, Jun 10, 2019

Apple Censoring Tibetan Information in China

Apple has a long history of censorship when it comes to information about Tibet. In 2009, it was revealed that several apps related to the Dalai Lama were not available in the China App Store. The developers of these apps were not notified that their apps were removed. When confronted with these instances of censorship, an Apple spokesperson simply said that the company “continues to comply with local laws”.

In December, 2017, at a conference in China, when asked about working with the Chinese authorities to censor the Apple App Store, Tim Cook proclaimed:

"Your choice is: do you participate, or do you stand on the sideline and yell at how things should be. And my own view very strongly is you show up and you participate, you get in the arena because nothing ever changes from the sideline."

In the ten years since Apple was first criticized for working with the Chinese authorities to silence already marginalized voices, what has changed? Apple continues to strictly follow the censorship orders of the Chinese authorities. When does Tim Cook expect that his company will help to bring about positive change in China?

Based on data generated from https://applecensorship.com, Apple has now censored 29 popular Tibetan mobile applications in the China App Store. Tibetan-themed apps dealing with news, religious study, tourism, and even games are being censored by Apple. A full list of the censored apps appear below.

Subscribe to our blog using RSS.

Comments

Removing CNNIC root isn't practical, as it prevents the company from selling devices in China. Please make more practical recommendations. For example, only accept CNNIC-signed certificates for .CN domains. That would allow CNNIC to continue to exercise control over Chinese domains without jeopardizing the security of the entire Internet. (This is basically "TLD pinning" for root CAs.)

 Romantic Getaways: You can also plan a romantic holiday with
your loved one. It is really nice to see all these valentine's
day gift ideas for dogs, cause you two will be hollering with
love don't you know. This need not always be romantic love but any love.

Review my site: Propose Day SMS

After Daytona Beach Police Detectives finished their investigation of the incident, the scene was turned over to a site manager for Clean
Fuels National, who police emphasized was not at the
scene when the incident happened. It has emerged as one of the
best weekend destinations especially for families.
The last four or five years there's been more of a mix of INDYCAR drivers going over, which
is good for both series.

Also visit my web site ... daytona 500 live streaming

this post is awesome, great msg for us, plz update ur blog for daily basis, i am regular visitor of this site, so keep posting for us,

click the below links to create backlink
best free backlink website
click here for msg movie

thanks for this post, keep it up for updating us, i am waiting for ur new article.

thanks again
IPL8 live stream 2015

It’s certainly fresh to writing and seeing concepts which are truly helpful to get the direction

mothers day quotes
happy mothers day qutes 2015
happy mothers day 2015

Nice post to share
http://listacademyanik.com/

Nice post to share.
CLICK HERE>>
http://www.100kfactoryultraeditionreview.com/

----------------------------------------
There many errors that can hurt your PPC project without you even understanding it. For this factor, I wish to present to you the leading 5 factors your Pay Per Click project suffers online. look at part 1 of this article
----------------------------------------
CHECKOUT>>www.100kfactoryultraeditionreview.com

--------------------------------------------------------------------------------
http://listacademyanik.com/
============================================

Hey,

"Good website! I really love how it is easy on my eyes and the data are well written. I am wondering how I could be notified when a new post has been made. I have subscribed to your RSS feed which must do the trick! Have a nice day!"

======================
CLICK HERE>>http://listacademyanik.com/

======================

Hey ,
I would like to thank you for the efforts you have put in writing this website. I'm hoping the same high-grade web site post from you in the upcoming also. In fact your creative writing abilities has inspired me to get my own web site now. Actually the blogging is spreading its wings rapidly.

http://listacademyanik.com/dna-wealth-blueprint-3-0-review-bonus

good Study how to setup Kodi earlier known as noted as XBMC Kodi Download Linux, iOS, Windows, and Android. Moreover, Kodi App Android nice.

good The formal webpage of Droid4x packages a tiny method data file on Droid4x your laptop when you struck the ‘download&' button. nice.

good cannot send or receive messages or pictures utilizing it. snapchat sign in file from its web site and also run the installer as well as nice.

Download caller name announcer from callernameannouncer.uniqsofts.com to read al incoming notifications.

Thanks mate for share this nice post
obat pembesar penis klg: http://obatfrigid.com/obat-klg.html

Playstore in our android devices since long. Though Playstore is fairly aptoide apk you uninstall the app, simply click the apk once again and install

Game Guardian is an amazing game hack/alteration tool. Game guardian helps you modify money, HP, Sp and more aspects of the game.
game guardian apk

I definitely enjoyed every bit of it and I have you bookmarked to see new information on your blog.
my boy

A festival is an event ordinarily celebrated by a community and centering on some characteristic aspect of that community and its religion or traditions. It is often marked as a local or national holiday, mela, or eid.

http://festival-status.wallinside.com

For a lot of us looking to establish an online store, 'e-commerce' is where it all begins. When you find this phrase in articles and testimonials - it simply refers to the buying and selling of products on the internet.
To Get More Info>> https://www.7figurecyclereviewbonus.com/ << VISIT HERE

After reading the article I updated my knowledge regarding the same.
It really helped me a lot.
Thanks for sharing this with us.

https://www.kickstarter.com/profile/netgearsupport/about

At this rate, shouldn't China create their own operating system like what North Korea did? Everything is banned, it's so annoying for tourists. Thank you for sharing the news! I want to visit China some day but with this policy, I can't receive email from work when traveling, it's very hard for me.
https://htmlcolor-codes.com/

Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
By submitting this form, you accept the Mollom privacy policy.