The Chinese Government is running a MITM attack on SSL-encrypted traffic between the China Education and Research Network (CERNET) and Google.
Google's websites, like many other web services, are blocked by the Chinese Government, which operates rigid censorship of Internet content. But blocking a resource like Google outright is anachronistic and counterproductive; for this reason, China allows access to it through the China Education and Research Network (CERNET).
Of course, privacy and security experts fear that the Chinese Government is monitoring users who access Google through CERNET. The non-profit organization GreatFire revealed that, starting on August 28th, CERNET users have been seeing warning messages about invalid SSL certificates when accessing the google.com and google.com.hk websites. The circumstance is not new; in a case like this, there is the possibility that Chinese authorities are running a man-in-the-middle (MitM) attack to eavesdrop on encrypted traffic between CERNET and Google.
The evidence, which we include later in this post, indicates that this was caused by a man-in-the-middle attack.
“While the authorities have been blocking access to most things Google since June 4th, they have kept their hands off of CERNET, China’s nationwide education and research network. However, in the lead up to the new school year, the Chinese authorities launched a man-in-the-middle (MITM) attack against Google.” “Instead of just outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities felt that a MITM attack would serve their purpose. By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results,” GreatFire reported in a blog post.
The thesis advanced by GreatFire has been confirmed by the software vendor Netresec, which analyzed two packet captures of the attack and confirmed that the Chinese Government is behind the MITM attack.
“The Chinese are running a MITM attack on SSL encrypted traffic between Chinese universities and Google. We’ve performed technical analysis of the attack, on request from GreatFire.org, and can confirm that it is a real SSL MITM against www.google.com and that it is being performed from within China.”
“It’s difficult to say exactly how the MITM attack was carried out, but we can dismiss DNS spoofing as the used method. A more probable method would be IP hijacking; either through a BGP prefix hijacking or some form of packet injection. However, regardless of how they did it the attacker would be able to decrypt and inspect the traffic going to Google,” Netresec researchers noted in a blog post.
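The two observations above, a foreign certificate served for www.google.com (the warnings CERNET users saw) and connections that still reached legitimate addresses (which is why Netresec could dismiss DNS spoofing), are exactly what a defender can check for in TLS session logs. The following is an added example, not code from the original post, from GreatFire or from Netresec. It scans constructed Zeek-style TLS records and classifies each session by comparing the presented certificate fingerprint against a pinned value and the server address against the prefixes the hostname is expected to live in. The log layout, the pinned fingerprints (placeholder hex strings) and the IPv6 prefixes (RFC 3849 documentation space) are all constructed for the example and are not real Google or CERNET values.

```python
import ipaddress

# Constructed placeholders, not real certificate fingerprints.
GOOD_FP = "aa" * 32   # hex SHA-256 of the certificate seen in a known-clean session
ROGUE_FP = "bb" * 32  # hex SHA-256 of a certificate an interceptor might present

# Hypothetical pin set: the fingerprint a client expects for each hostname.
PINNED_FINGERPRINTS = {"www.google.com": GOOD_FP}

# Hypothetical allowlist of prefixes the hostname should resolve into
# (documentation prefix, constructed for the example).
EXPECTED_PREFIXES = {"www.google.com": [ipaddress.ip_network("2001:db8:1::/48")]}

# Constructed sample records, tab-separated like a Zeek ssl.log:
# ts, client_ip, server_ip, server_name (SNI), cert_sha256, issuer
SAMPLE_LOG = "\n".join([
    f"1409230000.1\t2001:db8:a::10\t2001:db8:1::20\twww.google.com\t{GOOD_FP}\tCN=Example Trusted CA",
    f"1409230001.5\t2001:db8:a::11\t2001:db8:1::20\twww.google.com\t{ROGUE_FP}\tCN=Unknown Issuer",
    f"1409230002.9\t2001:db8:a::12\t2001:db8:9::5\twww.google.com\t{GOOD_FP}\tCN=Example Trusted CA",
])


def parse_record(line):
    """Split one tab-separated record into a dict with typed fields."""
    ts, client, server, sni, fp, issuer = line.rstrip("\n").split("\t")
    return {
        "ts": float(ts),
        "client": client,
        "server": ipaddress.ip_address(server),
        "sni": sni,
        "fingerprint": fp.lower(),
        "issuer": issuer,
    }


def check_record(rec):
    """Classify one session. Returns (verdict, reason); verdict 'ok' means no finding."""
    pinned = PINNED_FINGERPRINTS.get(rec["sni"])
    prefixes = EXPECTED_PREFIXES.get(rec["sni"], [])
    if pinned is None:
        return ("unpinned", f"no pin configured for {rec['sni']}")
    cert_ok = rec["fingerprint"] == pinned
    addr_ok = any(rec["server"] in p for p in prefixes)
    if cert_ok and addr_ok:
        return ("ok", "")
    if not cert_ok and addr_ok:
        # The client reached a legitimate address yet received a foreign certificate:
        # DNS spoofing cannot explain that, so suspect on-path interception
        # (route hijack or packet injection), as in the case described above.
        return ("onpath_mitm",
                f"wrong certificate (issuer {rec['issuer']!r}) from expected address {rec['server']}")
    if not cert_ok and not addr_ok:
        # Wrong certificate from an unexpected address points at name resolution
        # or a redirect rather than interception of traffic to the real address.
        return ("redirect",
                f"wrong certificate and unexpected address {rec['server']} (DNS spoofing or redirect)")
    return ("unexpected_address",
            f"pinned certificate but unexpected address {rec['server']}; review the prefix list")


def scan_log(text):
    """Return (ts, client, verdict, reason) for every session that is not clean."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        verdict, reason = check_record(rec)
        if verdict != "ok":
            findings.append((rec["ts"], rec["client"], verdict, reason))
    return findings


if __name__ == "__main__":
    for ts, client, verdict, reason in scan_log(SAMPLE_LOG):
        print(f"{ts:.1f} {client} {verdict}: {reason}")
```

Run over the constructed log, the second record is flagged as `onpath_mitm` (legitimate address, wrong certificate) and the third as `unexpected_address`; the first is clean. Pinning a single fingerprint is deliberately strict and will fire on a legitimate certificate rotation, so in practice a deployment would pin the issuing CA or keep several fingerprints per hostname and refresh them from clean sessions.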
The captured files contain pure IPv6 traffic, since CERNET uses this protocol. Both addresses appear legitimate: one from Peking University (netname PKU6-CERNET2) and the other from Chongqing University (CQU6-CERNET2).
“Both IP addresses belong to AS23910, named ‘China Next Generation Internet CERNET2’,” states Netresec.
The Chinese Government has already conducted similar attacks in the past: in January 2013, users of the GitHub service in China reported seeing warning messages about invalid certificates. At the time, experts believed that the attack was run in response to a petition asking that the creators of the “Great Firewall of China” be denied entry to the United States. GitHub had been chosen to publish the list of the names of the experts who supported the creation of the censorship system, provoking the reaction of the Chinese Government.