Evidence shows CNNIC and CAC behind MITM attacks

Since 2013, we have repeatedly called on major software vendors to revoke CNNIC-issued certificates. Most notably, we raised this issue when we reported on the Cyberspace Administration of China’s (CAC) man-in-the-middle (MITM) attacks on Google, Microsoft’s Outlook, Apple, Yahoo and Github. Mainstream media have reported about these security vulnerabilities before and on March 24, Ars Technica reported on Google’s announcement that they have definitive evidence that CNNIC (China Internet Network Information Center) was behind a new MITM attack on Google.

From our October, 2014 blog post:

CNNIC has implemented (and tried to mask) internet censorship, produced malware and has very bad security practices. Tech-savvy users in China have been protesting the inclusion of CNNIC as a trusted certificate authority for years. In January 2013, after Github was attacked in China, we publicly called for the the revocation of the trust certificate for CNNIC. In light of the recent spate of man-in-the-middle (MITM) attacks in China, and in an effort to protect user privacy not just in China but everywhere, we again call for revocation of CNNIC Certificate Authority.

CNNIC is either complicit in the recent MITM attacks or has intentionally allowed these attacks to happen. We have been witness to the Chinese authorities using MITM attacks against Apple’s iCloud, Google, Microsoft’s Outlook and Yahoo in this month alone.

CNNIC is responsible for the “operation, administration and service organization of national network fundamental resources”. We have evidence that the recent attacks originated from the Chinese internet backbone. Attacks against Yahoo and Google have been implemented on the internet backbone for weeks.

Today we have concrete proof from Google that CNNIC (and by extension CAC) is indeed complicit in MITM attacks. Google states in its own blog post:

On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.

CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.

We are delighted that Google, Microsoft and Mozilla have taken steps to blacklist the  intermediate certificate used in the attack. The Ars Technica story provides more details about Mozilla’s statement. Apple has not made a public statement about this issue. However, more action is needed. CNNIC is still trusted by these platforms and the Chinese authority can sign other intermediate certificates in order to launch future MITM attacks. We once again call for Google, Mozilla, Microsoft and Apple to revoke trust for CNNIC immediately in order to protect Chinese user data and user data worldwide.

 

 

Comments

More Blog Posts

Subscribe to our mailing list
Show content from Blog | Google+ | Twitter | All. Subscribe to our blog using RSS.

Mon, Dec 12, 2016

China is the obstacle to Google’s plan to end internet censorship

It’s been three years since Eric Schmidt proclaimed that Google would chart a course to ending online censorship within ten years. Now is a great time to check on Google’s progress, reassess the landscape, benchmark Google’s efforts against others who share the same goal, postulate on the China strategy and offer suggestions on how they might effectively move forward.

flowers on google china plaque

Flowers left outside Google China’s headquarters after its announcement it might leave the country in 2010. Photo: Wikicommons.

What has Google accomplished since November 2013?

The first thing they have accomplished is an entire rebranding of both Google (now Alphabet) and Google Ideas (now Jigsaw). Throughout this blog post, reference is made to both new and old company names.

Google has started to develop two main tools which they believe can help in the fight against censorship. Jigsaw’s DDoS protection service, Project Shield, is effectively preventing censorship-inspired DDoS attacks and recently helped to repel an attack on Brian Krebs’ blog. The service is similar to other anti-DDoS services developed by internet freedom champions and for-profit services like Cloudflare.

Thu, Nov 24, 2016

Facebook: Please, not like this

Facebook is considering launching a censorship tool that would enable the world’s biggest social network to “enter” the China market. Sadly, nobody will be surprised by anything that Mark Zuckerberg decides to do in order to enter the China market. With such low expectations, Facebook is poised to usurp Apple as China’s favorite foreign intelligence gathering partner. If the company launches in China using this strategy they will also successfully erase any bargaining power that other media organizations may hold with the Chinese authorities.

Tue, Jul 05, 2016

GreatFire.org now testing VPN speed and stability in China

There is a commonly held belief in China that if you have a VPN that works then you should keep quiet about it. In terms of freedom of access to information, the problem with this approach is that access to knowledge suddenly is a secret. Today we are launching a project that we hope will destroy that model.

Our newest website, Circumvention Central (CC), aims to provide real-time information and data about circumvention solutions that work in China. Since 2011, we have been collecting data about blocked websites in China and now we will add data about the effectiveness of VPNs and other circumvention tools.

We are launching CC with four main objectives in mind.

Our first objective is to help to grow the number of Chinese who circumvent censorship restrictions in China. By sharing our information and data about these tools, we hope to show a wider audience which circumvention tools are working.

Our second objective is to improve the circumvention experience for users in China by bringing transparency to tool performance. We will measure these tools on speed (how quickly popular websites are loaded) and on stability (the extent to which popular websites load successfully).

Sat, May 07, 2016

The New York Times vs. The Chinese Authorities

Could the New York Times be setting the best path forward for news organizations in China?

Thu, Feb 18, 2016

From the desk of Lu Wei: Apple, encryption and China

Lu Wei, Director of the Cyberspace Administration of China, offers some friendly help to FBI Director James Comey.
Subscribe to our blog using RSS.

Comments

thanks for this post, keep it up for updating us, i am waiting for ur new article.

happy mothers day sms in hindi
happy mothers day in hindi

fathers day

2015 sayings in hindi
happy

fathers day 2015 hindi
happy

fathers day 2015 hindi messages

Yes thanks for this post and useful one. Hope you continue posting great contents in future.

Floyd Mayweather vs Andre Berto live streaming

Golden Globe Awards 2016 Live Stream || @ On January 10, 2016 set the date for the 73rd Annual Golden Globe Awards by The Hollywood Foreign Press.

Golden Globe Awards 2016 Live Stream
http://goldenglobeawards2016livestream.com/

Justin Bieber Tickets Tours & Concert Updates
http://justinbieberconcert.co/

Knock! Knock! Knock!!! Hello……!!!! We are back with a big bang award show which is Golden Globe Award 2016. Great show, some great people, beautiful and spectacularly talented actresses/actors and lots of fun, entertainment, and suspense’re to be revealed.

This award has been continuing since 1943. Group of writers gathered together to frame the Hollywood Foreign Press Association and made liberally distributed award named Golden globe Award where they play momentous role in film making. The first award was being honored on best achievement in 1943 filmmaking and was held in January 1944, at the 20th Century –Fox studios. Successively, every year ceremonies were held in different venues for decades.

Your way of describing the whole thing in this paragraph is actually pleasant, all be able to without difficulty know it, Thanks a lot. http://reet-result.in/

I was very happy to find this page. I need to thank you for ones time just for this wonderful read!! I definitely
loved every bit of it and i also have you book marked to look at new things on your site.
http://uptetresult2015-16.in/

مؤسسة صفوة المدينة شركة تنظيف خزانات وغسيل خزانات بالمدينة المنورة ومكافحة حشرات بالمدينة المنورة الشركة لديها تخصص فى نقل العفش بالمدينة اللمنورة ومكافحة الحشرات وغسيل الخزانات بالمدينة المنورة
http://www.atar-almadinah.com/khasil.html شركة تنظيف خزانات بالمدينة المنورة

Nice blog.. thanks for sharing a nice blog.. its very interesting and useful for me....please visit my website i assure you that it will benefit you.
http://packersmoversahmedabad.co.in/

An excellent information provided thanks for all the information i must say great efforts made by you. thanks a lot for all the information you provided.
http://packersmoversbangalore.in/packers-and-movers-bangalore-to-hyderabad

good We all recognize that it isn't that much simple for tutuappguide.com On the display, you will obtain a blue bar which reveals nice.

All those people search pan card status, should check this website https://mypancardstatus.com/ which has complete information.

ICC Champions Trophy 2017 Live Streaming & TV, Star India and Star Middle East hold global rights for ICC Champions Trophy 2017, CT 2017 Worldwide TV
http://www.iccchampionstrophy2017lives.com

iOS 10 is causing all sorts of trouble for the jailbreak teams. The constant updates from Apple, leading us to
https://vshareappdownloadios.com
https://myxerfreeringtonesdownload.com

https://mypancardstatus.com/ really info given to all the peoples to enjoy it.

thanks man for sharing http://tutuhelperapps.com/ really worth to try.

iOS devices are frequently strenthened. Thanks for https://www.tutuhelperguide.com/ I can now download paid apps like Minecraft PE for free without Jailbreak

Have you tried Lineage OS yet?

Download Lineage OS for your Android device from www.lineageosdownloads.com

Have you tried Lineage OS yet?

Download Lineage OS for your Android device from www.lineageosdownloads.com

thanks for sharing this man and you can check my blog too here https://modapkarena.com It's about android games, apps etc.

BEST AND TNXXX FOR SHARING

https://www.aptoideapk.co/

thanks for sharing this man
http://www.themobileupdates.com/

tnxxxx for grate information
https://www.gamehackerapk.co/

visit our site http://apkrocks.com for more downloading android apps for free.

Tutuapp APK Download for Android, iOS TuTu App Pokemon Go Tutuapp

http://www.fifaconfederationscup2017live.org
FIFA Confederations Cup 2017 Qualified Teams: Russia being the host ... broadcast Confederations Cup matches live on free-to-air channels.

http://www.fifaconfederationscup2017live.org
FIFA Confederations Cup 2017 Qualified Teams: Russia being the host ... broadcast Confederations Cup matches live on free-to-air channels.

192.168.I.254 Login Admin IP Address Configuration https://192-168-l-254ip.com/

IPv4 private IPv6 network address, the home-use router can very well use it in order to set up https://192168o1ip.com/

Make snapchat online can also be done for Kindle users can t login to snapchat engine result to install snapchat on bluestacks.

Have fun on viewing all your enjoyable videos on the Mobdro apk 2017 costs. mobdro for iphone You could also download your favored flick video stuff from Mobdro app.

Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
By submitting this form, you accept the Mollom privacy policy.