Slashdot Mirror


China Staging a Nationwide Attack On iCloud and Microsoft Accounts

New submitter DemonOnIce writes: According to The Verge and an original report from the site that monitors China's Great Firewall activity, China is conducting a large-scale attack on iCloud and Microsoft accounts using its government firewall software. Chinese users may be facing an unpleasant surprise as they are directed to a dummy site designed to look like an Apple login page (or a Microsoft one, as appropriate).

109 comments

  1. ouch by BringsApples · · Score: 1

    Gotta suck to live in China. Er, wait...

    --
    Politics; n. : A religion whereby man is god.
    1. Re:ouch by Anonymous Coward · · Score: 0

      Hmmm? In what way is this related to using a Microsoft or Apple product? It's a dumb man in the middle attack (relying on the user accepting an invalid cert) that could be carried on any domain at all.

    2. Re:ouch by Anonymous Coward · · Score: 0

      Look, I'm pro F/OSS, hence against Apple Vader and M$. The parent comment is not insightful, OK? And labeling it thus only makes scores go higher, I suppose, which makes it difficult to separate quality material by ACs from BS from registered fools. Please...

      We have to maintain a minimum of quality here, if not else to keep the "nerd" moniker.

      At work, some weeks ago I realized FF was not getting some sites (which worked fine on IE and Chrome). Also, I use Google ssl (https), and noticed by clicking on the padlock in the address bar that Google was not authenticating my search; it seemed to be authenticated by our proxy. I couldn't help but suppose I was a victim of a man-in-the-middle trick. Not that important, I was at work and suppose they are entitled to check any use of _their_ network, I also do not use ssl because of dubious sites, but to achieve greater security. This is probably interesting for them, too (we deal with sensitive information). But it was interesting to know my privacy's gone the way of the dodo.

      And I'm not in the US nor China.

      The ultimate result of that is a fragmented internet. Wanna post in an international site like I'm doing now? Well, since I'm not Chinese, I guess I still have some time to do it. But what happens when (if not already) foreigner posts start to be censored? (or simply discarded)

    3. Re:ouch by Anonymous Coward · · Score: 0

      Gotta suck to live in China. Er, wait...

      Probably better than having to suck Obama/Cameron/Harper/Abbott's cock just to stay off the no fly list ;)

  2. Facebook ain't gonna Like this by Anonymous Coward · · Score: 0

    directed to a dummy site designed to like an Apple login page

    I'm pretty sure you're not supposed to trick users into clicking the Like button.

    1. Re:Facebook ain't gonna Like this by Anonymous Coward · · Score: 0

      Damn, AC beat me again!

    2. Re:Facebook ain't gonna Like this by Anonymous Coward · · Score: 0

      Do you prefer the paddle or the cane?

  3. Popular US browsers will warm, Chinese ones won't by Rosyna · · Score: 5, Insightful

    If you use Firefox, Safari, Chrome, or IE in China, they will all warn you that a MiTM attack has occurred (if you try going to https://icloud.com./). But the most popular browser used in China (according to Qihoo, the claim is dubious), Qihoo’s Chinese 360 "Secure Browser", will allow man-in-the-middle attacks to occur, by design.

  4. Why? by ClaraBow · · Score: 1

    Are the Chinese officials trying to score some celebrity porn?

    1. Re:Why? by gandhi_2 · · Score: 3, Insightful

      It's almost like they are a... communist country.

    2. Re:Why? by Anonymous+Psychopath · · Score: 4, Insightful

      Are the Chinese officials trying to score some celebrity porn?

      It's possibly related to the protests in Hong Kong and the government's desire to identify the leaders/participants.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    3. Re:Why? by Anonymous Coward · · Score: 1

      > Are the Chinese officials trying to score some celebrity porn?

      Probably because of the Hong Kong protests. Despite how we view China from the outside, the leadership there considers themselves to be very vulnerable. To the point of paranoia sometimes. China does have a history of local uprisings getting "out of hand" and toppling governments. Plus authoritarianism is inherently unstable. So maybe they are on to something.

      Whatever the legitimacy of their fears, they are probably looking for signs of the HK protests spreading into something bigger inside the mainland.

    4. Re:Why? by Wintermute__ · · Score: 0

      Are the Chinese officials trying to score some celebrity porn?

      It's possibly related to the protests in Hong Kong and the government's desire to identify the leaders/participants.

      Or any other type of dissident or protester they can collect dirt on.

      Like the NSA or any other spy agency, if they can scoop up any private data, they are going to want it.

    5. Re: Why? by antifoidulus · · Score: 5, Interesting

      It's only going to get worse as the Chinese economy stagnates. I've been saying this for years, but people are finally starting to realize that China copied the post-war Japanese model right down to the bad loans, today's China is pretty much where Japan was in 1988, barreling towards the cliff. The difference between the 2 countries is the government though. Outside of the economy the CCP has been deeply unpopular for years. However there was little unrest since the economy was booming. However what will happen when growth slows is much more unclear. Hong Kong-like protests against the government would probably be the best case. More likely is large scale riots as unemployment coupled with a large # of men being unable to find a wife is a recipe for disaster. The CCP knows they are living on borrowed time and are going to do everything in their power, including perhaps returning to the days of the cultural revolution if it finds it necessary. In the short term expect spying incidents like this to become the norm.

    6. Re:Why? by Anonymous Coward · · Score: 1

      China hasn't been Communist for 30+ years, just like how the DPRK isn't a democracy.

    7. Re: Why? by Anonymous Coward · · Score: 0

      So similar to the US then?

      Spying on their citizens - Check
      Economic stagnation - Check
      Riots - Check
      High unemployment - Check

    8. Re:Why? by Jeremi · · Score: 4, Insightful

      It's almost like they are a... communist country.

      Right -- only a communist country would attempt such shenanigans. Western democracies are totally above that sort of misbehavior. ;^)

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.

    9. Re:Why? by Anonymous Coward · · Score: 0

      You do realise that there's a difference between calling yourself "communist" and actually asking from each according to ability and giving to each according to need, yes?

      Otherwise America would be "capitalist" despite quantitatively eased fiat currency and bank bailouts.

    10. Re:Why? by Anonymous Coward · · Score: 1

      It's almost like they are a... communist country.

      What does that have anything to do with anything? Their economic policies are hardly relevant.

      They're a dictatorship, that's their political model and why they get away with this.

    11. Re: Why? by Anonymous Coward · · Score: 0

      Say what? Their economy is quite booming, as they are the sole manufacturing center for most of the West, and the sole source of rare earth materials.

      With all the cards in their deck, including their age-old tactics of fighters against Western interests mysteriously getting arms and ammo, they are not stagnating; their economy is booming.

      In fact, even tech companies know this. WinHEC was moved to China not just because the CEO liked Beijing opera.

    12. Re:Why? by Anonymous Coward · · Score: 0

      They're a dictatorship, that's their political model and why they get away with this.

      Wait, who are we talking about again?

    13. Re: Why? by Anonymous Coward · · Score: 0

      So similar to the US then?

      Spying on their citizens - Check
      Economic stagnation - Check
      Riots - Check
      High unemployment - Check

      Does every slashdot article have to revolve back to trashing the USA? This article is about a cyber attack in China.

    14. Re:Why? by radicalskeptic · · Score: 2, Insightful

      Well, close. I wouldn't technically call it a dictatorship because the power is spread out around various people and groups, including the Standing Committee, former members of the Standing Committee and the military. But you're on the right track. 1) China is communist only in name. 2) Even if they were fully communist, that's an economic system, not a political one per se. The word that you and the grandparent poster are looking for is 'authoritarian.' BTW I lived in China for three and a half years and IMO they are getting the government they deserve. Freedom, truth, and Classical Liberal ideals are not high on their list of values.

      --
      WARNING: If accidentally read, induce vomiting.

    15. Re: Why? by antifoidulus · · Score: 2

      How many people were saying the same thing about the Japanese economy in the late 80s? Answer, almost all of them. Do a google search for China and debt and you will see what I mean. They are also not the "sole manufacturing center for most of the west". Very little value is added in China, and it's manufacturing that can be done elsewhere, and is increasingly done elsewhere as China gets more and more expensive, both economically and politically. Crappy hardware trade shows do not an economy make.

    16. Re:Why? by Earthquake+Retrofit · · Score: 3, Interesting

      The BBC reported today: "The Beijing-appointed leader of Hong Kong, Leung Chun-ying, said Monday evening that it was unacceptable to allow his successors to be chosen in open elections, in part because doing so would risk giving poorer residents a dominant voice in politics... he backed Beijing’s position that all candidates to succeed him as chief executive, the top post in the city, must be screened by a “broadly representative” nominating committee appointed by Beijing. That screening, he said, would insulate candidates from popular pressure to create a welfare state, and would allow the city government to follow more business-friendly policies to address economic inequality instead."

      Whatever it is, it doesn't sound like communism to me.

      --
      Fifty years of Yippie! 1968-2018

    17. Re:Why? by pushing-robot · · Score: 2

      Communism went bankrupt a long time ago. All that's left is the brand name.

      --
      How can I believe you when you tell me what I don't want to hear?

    18. Re: Why? by Anonymous Coward · · Score: 5, Interesting

      Posting AC. I provide IT support for a Chinese company based in the US. They wanted an American firewall and anti-virus suite. One of the employees insists on using some security 360 shit that's very chatty on the network. I blocked its net-block range and shortly he complained and wanted it fixed ASAP. I strongly suspect he's a CCP mole. Fuck him, he can suffer with the software approved by corporate.

    19. Re:Why? by peragrin · · Score: 1, Insightful

      So how many times has the NSA done the same thing? oh that's right the NSA merely forces Cisco to install hardware that lets them monitor such connections.

      The NSA has done far far worse to Americans, let alone everyone else in the world. China at least primarily limits its attempts to its own citizens.

      --
      i thought once I was found, but it was only a dream.

    20. Re: Why? by Anonymous Coward · · Score: 0

      Cheap manufacturing doesn't make for a domestic economy. That is the precise problem China faces. They have 600 million poor people who need jobs or they'll probably riot. But those jobs don't pay much--because there's someone in Cambodia or Vietnam who can work for less with no bathroom breaks. That keeps the poor poor. The fact that the communist country, founded on "the worker," has no workers' rights either doesn't help either. In short, most of the country is struggling to stay afloat and can't buy much. Think about it: China has half the economy we do but four times the people. That means the average Chinese spends 12.5% of what the average American does. That's the shortcoming.

      China has become, in essence, the bad half of Fordism. They have quality goods but low wages. The people who make the products can't afford to buy them. It's why fakes are so rampant. The worker in the Chanel factory can steal a bag and sell it for a week's wages.

    21. Re:Why? by Anonymous Coward · · Score: 1

      "Fascism may be defined as the merger of corporations and state." - Il Duce

    22. Re:Why? by Anonymous Coward · · Score: 0

      You mean totalitarian. Communism is a type of economy, not government.

    23. Re:Why? by Anonymous Coward · · Score: 0

      I can almost hear your baby tears hitting your keyboard from here.

    24. Re: Why? by metlin · · Score: 2

      Spying on their citizens - Check

      The difference here is that we the people still have the right to question the government, and organizations like the EFF continue to fight for it.

      Economic stagnation - Check

      You must be joking. American economy is anything but stagnant. Between 2009-2013, the U.S. GDP growth was 1.9%, which is pretty good compared to most other OECD countries.

      It may be "stagnant" when you compare it to a country like China at 7.7%, but that is simply not sustainable, not without artificial currency manipulation.

      Riots - Check

      A few days of media blitz over a police shootout is not the same as protesters fighting for democracy.

      High unemployment - Check

      What on earth are you talking about? The U.S. unemployment is at 5.9% as of September 2014 and China's is estimated at ~4.5%.

    25. Re: Why? by phantomfive · · Score: 1

      The CCP knows they are living on borrowed time and are going to do everything in their power, including perhaps returning to the days of the cultural revolution if it finds it necessary.

      The CCP uses fear of the cultural revolution as a way to stay in power. That's what all the talk about 'Harmony' means. Not many people in China want to go back to that. They understand it made no sense to have red stoplights mean go, for example.

      --
      "First they came for the slanderers and i said nothing."

    26. Re:Why? by Anonymous Coward · · Score: 0

      While the West is spying too, the barrier is much lower in China when it comes to which topics can get you jailed. Civil rights, social engagement and even discussing history can all get the police to show up at your door.
      Even competing with the government while having the same goals can get you jailed: for example in fighting corruption. The CCP has, in its own eyes, the absolute monopoly in doing "good" things for the people, such as driving out corruption. Private people need not join in these efforts, by the threat of being thrown in jail.

    27. Re:Why? by Anonymous Coward · · Score: 0

      you could almost think they're trying to compensate for something by putting "People's" or "democratic" into their names ;)

    28. Re: Why? by Anonymous Coward · · Score: 0

      lol. I know that 360 crap. My girlfriend has it on her PC. It's similar to most other Chinese software/adware/malware (the boundaries are fluent). If you remember Bonzi Buddy, that's how most of it feels like. Oh and then there's still this love for MSIE that this country has... back in 2011 the Bank of China online banking software wouldn't even run on a x64 OS! Now it still works with MSIE exclusively (or you can use a bloated iOS app).

    29. Re:Why? by Anonymous Coward · · Score: 0

      They have a similar screening process in North Korea. Strangely enough, they're always picking the same guy. He must be really good!

    30. Re:Why? by XxtraLarGe · · Score: 3, Insightful

      The BBC reported today: "The Beijing-appointed leader of Hong Kong, Leung Chun-ying, said Monday evening that it was unacceptable to allow his successors to be chosen in open elections, in part because doing so would risk giving poorer residents a dominant voice in politics... he backed Beijing’s position that all candidates to succeed him as chief executive, the top post in the city, must be screened by a “broadly representative” nominating committee appointed by Beijing. That screening, he said, would insulate candidates from popular pressure to create a welfare state, and would allow the city government to follow more business-friendly policies to address economic inequality instead."
      Whatever it is, it doesn't sound like communism to me.

      It's probably better described as fascism, but there has never been a place on earth where communism in practice resembled communism in theory. It's not possible to ever implement it, because the power hungry use it as a method for personal enrichment. As Lord Acton said "Power tends to corrupt. Absolute power corrupts absolutely. Great men are almost always bad men."

      --
      Taking guns away from the 99% gives the 1% 100% of the power.

    31. Re:Why? by TheOldFart · · Score: 1

      because doing so would risk giving poorer residents a dominant voice in politics..

      That sounds a lot like... Texas?

    32. Re:Why? by Andrewkov · · Score: 1

      Their honesty is refreshing.

    33. Re:Why? by Anonymous Coward · · Score: 0

      Totalitarian oligarchy, not "communism" so you might want to brush up on civics.

    34. Re: Why? by operagost · · Score: 1

      To be fair, that 5.9 number is after millions of people decided to quit working and either 1. Live with a lower single income in the family or 2. Go on the public dole indefinitely, whether through social security or welfare. The federal government permanently removes these people from the rolls, as if people who aren't even looking for work don't drain the rest of the people who are being productive.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.

    35. Re: Why? by thetoadwarrior · · Score: 1

      You're only allowed to speak out because they allow it. Huge chunks of the population technically don't have constitutional rights thanks to the constitution free zone around the border. Technically no one in Florida is covered by the constitution. The U.S. government just does a better job at making people think they're free.

    36. Re:Why? by Anonymous Coward · · Score: 0

      Communism went bankrupt a long time ago. All that's left is the brand name.

      Funny, the same is true about America being the champions of democracy, freedom, and liberty.

      What's left is an empty shell that people still like to claim has a moral high-ground and stands on principle.

      The reality is, America is as morally and intellectually bankrupt as former communist countries.

      Only Americans are too stupid to understand this, because they're all still buying into it.

    37. Re: Why? by Anonymous Coward · · Score: 0

      How many people were saying the same thing about the Japanese economy in the late 80s?

      I think "superpower" India wouldn't mind having a bit of the Japanese economic woes you speak of.

      Do a google search for China and debt and you will see what I mean.

      You might want to send your googling results to every fucking pundit in media gushing about the Chinese economy (not that western media is particularly trustworthy for most things).
      Seriously, when I watch economy news, it's like China news.

      it's manufacturing that can be done elsewhere

      Do me a favor, turn over your [insert any one of your possessions] and tell me where it's made?
      It's fine and well to say "can be done elsewhere", but then there's reality.
      Besides, your statement divulges your duplicity, as you implicitly admit China is doing well so that you can then claim: "can be done elsewhere".
      I'm afraid you've been exposed as a hater.

    38. Re: Why? by ryocoon · · Score: 2

      Yeah, I hate 360 with a livid passion. I see it on all my relatives' computers and it drives me nuts. It runs like molasses in winter. It is incredibly noisy on the network when it shouldn't be. It pops ads all over the place and revs the CPU like crazy at times. Yeah, most of the banking software all require these specialty security certificates, unsigned drivers for weird USB fobs, only work in IE 8 or below, and often doesn't work at all on x64 versions of Windows. It is a nightmare to try and navigate (especially with my limited Chinese). I pity anybody who has to do tech support for folks who use that stuff.

    39. Re: Why? by antifoidulus · · Score: 1

      Do you realize what the "made in" actually means? It means simply where the final assembly was done. Final assembly is not a complicated process, you obviously have no idea what you are talking about.

  5. even Chinese celebs post nekkid pics by turkeydance · · Score: 1

    somebody has to do it.

  6. Re:Popular US browsers will warm, Chinese ones won by Rosyna · · Score: 2

    Forgot to mention that enabling 2FA in China may be useless if they can also intercept the messages and do a replay attack.

  7. Chinese ops a great idea, right? by __aaltlg1547 · · Score: 1

    I wonder if this will make companies like Microsoft and Apple rethink their ties to China.

    1. Re:Chinese ops a great idea, right? by Wintermute__ · · Score: 1

      I wonder if this will make companies like Microsoft and Apple rethink their ties to China.

      That's quite an optimistic attitude you've got there.

    2. Re:Chinese ops a great idea, right? by mythosaz · · Score: 2

      And lose 1.36BN potential customers?

    3. Re:Chinese ops a great idea, right? by Anonymous Coward · · Score: 0

      I wonder if this will make companies like Microsoft and Apple rethink their ties to China.

      They already have. They still do business there because there's so much money, but their internal security has gone way the fuck up with regards to China.

      Note the SEC-equivalent Raids on Microsoft China a while back. It wasn't about monopolies. Or it was, but I've got a bridge to sell you.

    4. Re:Chinese ops a great idea, right? by __aaltlg1547 · · Score: 1

      Only a small fraction of that buy Apple or Microsoft products.

    5. Re:Chinese ops a great idea, right? by Anonymous Coward · · Score: 0

      Only a huge fraction of that buy Apple or Microsoft products.

      Fixed that for you.

    6. Re:Chinese ops a great idea, right? by dk20 · · Score: 1

      Only a small fraction of that buy Apple or Microsoft products.

      Citation? You have data backing up the statement?

      Looking at it another way, let's say just 10% of Chinese buy Apple products, that would work out to 136,704,000 customers

      Are you aware that Companies like GM actually sell more cars in China than any other market?

    7. Re:Chinese ops a great idea, right? by Teresita · · Score: 1, Funny

      Sure they buy Microsoft products. They get Windows XP SP3 for $1.99 from Sum Dum Phuc.

    8. Re:Chinese ops a great idea, right? by Joel+Cahoon · · Score: 1

      You wouldn't download a car...

    9. Re:Chinese ops a great idea, right? by Anonymous Coward · · Score: 0

      How is this an attack on apple or microsoft when clearly it's a MITM attack??
      Titling for the article should be reflective of the content otherwise it's purely sensationalist

    10. Re:Chinese ops a great idea, right? by bloodhawk · · Score: 1

      China is a massive market, even a small fraction of the market is bigger than most other countries. 1% is still 13.6 million customers and I would happily bet they have far more than a 1% share.

    11. Re:Chinese ops a great idea, right? by __aaltlg1547 · · Score: 1

      If you count HK, China makes up a significant percentage of customers. If you don't count HK, not so much. Apple and Microsoft make products that are very costly with respect to Chinese wage scales.

    12. Re:Chinese ops a great idea, right? by Anonymous Coward · · Score: 0

      If you count HK, China makes up a significant percentage of customers. If you don't count HK, not so much. Apple and Microsoft make products that are very costly with respect to Chinese wage scales.

      Are you fucking serious?

      I guess you're a hater because Steve Jobs/Tim Cook, Louis Vuitton, Ferrari, Rolex, ...must be a lot more stupid than slashdotter Shavano for setting up glitzy retail spaces in the Mainland.
      BTW, there were Apple stores in China before Hong Kong.

    13. Re:Chinese ops a great idea, right? by bloodhawk · · Score: 1

      You are clinging to the past. China has a large and rapidly growing middle class as well as a strong wealthy segment. As to the HK comment, that is just moronic, HK population in its entirety doesn't even equal 1/5th of China's population that earns over 200k a year.

  8. Re:So what? I'm not in China. by Anonymous Coward · · Score: 0

    That seems to be the most anyone in the US can muster when it comes to their own country's attacks on foreign people. Why would they be interested in what other countries' spooks do to non-US people? Oh right, we're trying to make China look bad and scare people.

    China doesn't need anyone's help to look bad.

  9. China still has room to grow by Anonymous Coward · · Score: 1

    China moved from a per capita of few hundreds of dollars per year, to several thousands per year. Today's technology, permits a few tens of thousands per year income for many industrialized nations. That is about where Japan maxed out at. Even if income in Japan has stagnated for the last couple of decades, it stagnated in a good place, and things could definitely be worse. Naysayers be damned, China is going to keep on growing. China might stop at Russia's per capita income, but that's not too bad.

  10. Re:So what? I'm not in China. by dk20 · · Score: 1

    Please post us a picture of your Chinese entry visa so we know you have actual evidence, not just regurgitating what you saw on FOX or CNN.

  11. Re:Popular US browsers will warm, Chinese ones won by Anonymous Coward · · Score: 0

    Which Two-Factor Authentication methods lack replay attack prevention techniques?

  12. Re:Popular US browsers will warm, Chinese ones won by Anonymous Coward · · Score: 0

    Unless, of course, the Patriot Act forbids it.

  13. Re:Popular US browsers will warm, Chinese ones won by Anonymous Coward · · Score: 0

    I just went to https://icloud.com/ from a Windows 2003 Server in China running IE 9.08.xx and I saw no such warning. The page came up fine.

    Maybe it is too old to warn.

  14. Re:Popular US browsers will warm, Chinese ones won by Anonymous Coward · · Score: 0

    Sorry, it was a 2008 R2 server running that version of IE..

  15. Re:Popular US browsers will warm, Chinese ones won by QuantumReality · · Score: 2, Informative

    Don't be naive. It's so easy to do it without warning. I can tell you at least 3 different methods of doing that. Remember, it's not just a single hacker, but government that controls whole traffic, that can impersonate not only any domain but any ip they want, they control BGP.

  16. Behind the curve by Tablizer · · Score: 1

    What, they haven't found a subtle and quiet way to sneak in like the N-S-A does?

    1. Re:Behind the curve by gurnec · · Score: 1

      :-) Very nice pun there, thanks for that.

  17. Re:Popular US browsers will warm, Chinese ones won by Rosyna · · Score: 1

    The ones that use SMS.

  18. Advice to Apple and Microsoft by Anonymous Coward · · Score: 0

    I strongly urge Microsoft and Apple to automatically reset passwords on all affected accounts. They really can't just accept this kind of behaviour.

  19. Easy to fake... by gurnec · · Score: 2

    Just an FYI... I've no reason to disbelieve the story, but it would be simple to fake the evidence presented...

    I also wonder why the hotmail.com certificate was mistakenly created for the hotmai.com domain... that seems rather amateurish for a nation state. (Of course, perhaps plausible deniability is the reason.)

    Regardless of whether or not it's fake, it does serve to point out the intentional flaws of Qihoo’s Chinese 360 "Secure Browser" pointed out by Rosyna above -- certainly a good thing to publicize.

    1. Re:Easy to fake... by Bite+The+Pillow · · Score: 2

      I don't see a mistakenly created certificate. It looks like it is legitimately for hotmai.com

      Which seems to be owned by microsoft and exists to redirect people who are not cautious about typing domains to the intended destination.

      Taking over the DNS redirects and serving hotmail-looking content is a good way to catch a few people, if that's your game.

      Or another way - if Microsoft is catching typos, why would a nation state be amateurish for doing the same thing?

    2. Re:Easy to fake... by gurnec · · Score: 2

      I don't see a mistakenly created certificate. It looks like it is legitimately for hotmai.com
      ...
      Or another way - if Microsoft is catching typos, why would a nation state be amateurish for doing the same thing?

      Microsoft isn't doing the same thing, though. You're right that the (real) hotmai.com site does redirect to outlook.com, however it doesn't have a certificate, nor does it even have https enabled.

      Furthermore, the packet capture shows that whoever created it was trying to visit "login.live.com" (it's in the SNI field of the SSL Client Hello message), and so the server should have responded with a cert for that domain, not for hotmail.com nor hotmai.com.

      I'll stick by my interpretation that this was amateurish, I just don't know if it was intentionally so.
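The name check discussed in this sub-thread (the client asked for "login.live.com" in SNI and was handed a certificate for "hotmai.com"), as an added example that is not part of the original posts. It covers only name matching, not chain validation; the function names and the list of expected names are constructed for illustration.

```python
# Added example (not from the thread): compare the name a client requested
# via SNI with the names in the certificate it was handed, and flag
# one-character lookalikes of names the client expected to see.


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop one trailing root dot."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: exact, or '*' as the whole left-most label."""
    p, h = normalize(pattern).split("."), normalize(host).split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_presented_cert(sni, cert_names, expected_names):
    """Return a verdict for the handshake plus any lookalike names found."""
    matched = any(name_matches(n, sni) for n in cert_names)
    lookalikes = [
        (normalize(n), normalize(good))
        for n in cert_names
        for good in expected_names
        if edit_distance(normalize(n), normalize(good)) == 1
    ]
    return {"verdict": "ok" if matched else "name-mismatch",
            "lookalikes": lookalikes}


if __name__ == "__main__":
    # Constructed inputs modelled on the names quoted in the comments.
    EXPECTED = ["login.live.com", "hotmail.com", "icloud.com"]
    print(check_presented_cert("login.live.com", ["hotmai.com"], EXPECTED))
    print(check_presented_cert("icloud.com.",
                               ["icloud.com", "*.icloud.com"], EXPECTED))
```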

    3. Re:Easy to fake... by Clsid · · Score: 1

      I have reason to disbelieve this story. I have been doing tests and no matter where I connect I still get the legitimate sites. I think this is like some sort of anti-Communist hysteria or something.

    4. Re:Easy to fake... by Bite+The+Pillow · · Score: 1

      I stand by my interpretation that once you type the domain, and verify a few certificates, you don't care.

      You, specifically, are not "you", the collective.

      Even an amateurish attack will be successful from time to time.

      If a nation state tries to intercept the easy, hard, and next-to-impossible data, is it still amateurish? Defend.

  20. Appropriate response by Anonymous Coward · · Score: 0

    lock all accounts that were created via Chinese IP addresses. Assume they are compromised and prevent *anyone* from logging in to them.

  21. Re:Popular US browsers will warm, Chinese ones won by ThatsMyNick · · Score: 2

    The ones that use SMS don't prevent replay attacks? Any half decent SMS two factor authentication will prevent replay attacks.

    2 factor auth is not supposed to prevent a MITM BTW. A page MITM-ing facebook can just pass information between the user and the server (the user will give the 2 factor auth to the MITM-ing server, which will just pass it on to facebook), and keep the session alive for as long as they want.

  22. Should have saw it coming! by Anonymous Coward · · Score: 0

    Ahh the old chinaman in the middle attack!

    1. Re: Should have saw it coming! by Anonymous Coward · · Score: 0

      pahahaha, thank you for making me laugh for the first time on this thread. you made my day.

  23. Re:Popular US browsers will warm, Chinese ones won by WaffleMonster · · Score: 1

    > Which Two-Factor Authentication methods lack replay attack prevention techniques?

    All of them except smartcard/cert.

  24. Re:Popular US browsers will warm, Chinese ones won by WaffleMonster · · Score: 1

    > The ones that use SMS don't prevent replay attacks? Any half decent SMS two factor authentication will prevent replay attacks.

    I don't know why I'm stating the obvious... SMS is not a trustworthy communications channel especially when your adversary is your government.

    > 2 factor auth is not supposed to prevent a MITM BTW.

    Haha ha ha ha funniest thing I've heard all day.

    > A page MITM-ing facebook can just pass information between the user and the server (the user will give the 2 factor auth to the MITM-ing server, which will just pass it on to facebook), and keep the session alive for as long as they want.

    This is why real systems cryptographically bind both factors.

  25. Dubious reports by Clsid · · Score: 1

    I think what those guys experienced would be related to an ISP. I'm in China and traveling at the moment, so I can tell you that I'm still getting to the legit sites either using airport wifi, hotel wifi or a residential ISP.

    There is interference with the internet, no doubt about that, especially since the Hong Kong protests, when they took down the whole BBC website. But unless I see it reported from a reputable source I will call this bs, since I have never been able to verify their claims on previous occasions.

    1. Re:Dubious reports by Anonymous Coward · · Score: 0

      Surely you are aware of the fact that greatfire.org is the single entity in the world that is best informed on the great firewall of China.
      Thus the operators of the firewall closely monitor all publications on greatfire.org and might take action the minute they publish?
      The whole purpose of the firewall is to be unnoticed, so any competent firewall operator would exclude all hotels visited by foreigners.
      They are not incompetent.

    2. Re:Dubious reports by ruir · · Score: 1

      Probably they implemented common standard corporate technology nationwide that has its own certs to intercept SSL traffic. I doubt they are targeting known sites to capture passwords.

  26. Re:Popular US browsers will warm, Chinese ones won by Anonymous Coward · · Score: 0

    you appear to be clueless around security. 2FA is not a mitigation against man in the middle. It is about raising the confidence level of the identity of the person who initiated the authentication. You can still MITM it depending on other factors implemented, however if you MITM a good 2FA system you only get the one time hijacking of the current session, not the ability to reauthenticate and as with many banks they then require a reauth for confirmation of certain off account transactions to help prevent the MITM problem.

  27. Re:Popular US browsers will warm, Chinese ones won by Anonymous Coward · · Score: 0

    Sorry but you are full of shit, no mystical routing, ip rules or firewalls can remove the warning. The only way to get rid of the warnings is to either get ahold of trusted certificates or to have pwned the client box so you can control the client/MITM connections, it doesn't matter whether it is a single hacker or every man in the Chinese government, the number of people doesn't magically create a workaround of the validation process.

  28. In China: Yahoo also by Anonymous Coward · · Score: 0

    In China, I have also been running into SSL certificate errors for Yahoo.com, but only occasionally. Maybe 1/5 of the time, or 1/10 of the time. It sounds similar.

  29. Re:Popular US browsers will warm, Chinese ones won by Anonymous Coward · · Score: 0

    Didn't get the warning either. But I'm on a government approved VPN from my company. It's worrying that they now start to censor the corporate VPNs too. In the past it was no problem to access sites which were normally blocked on the regular Chinese internet. I wonder if they're really that insecure or paranoid to go that far.

  30. Re: I believe you missed who the adversary is by xiando · · Score: 2

    Grandparent got downvoted to -1 for stating the plain obvious: "Don't be naive. It's so easy to do it without warning. " (..) Remember, it's not just a single hacker, but government that controls whole traffic, that can impersonate not only any domain but any ip they want, they control BGP."

    This is ./ so it is to be expected that such true and damning information was swiftly downvoted. I see the reply to that also got downvoted even though it calls the simple truth "shit": "Sorry but you are full of shit, no mystical routing, ip rules or firewalls can remove the warning. The only way to get rid of the warnings are to either get ahold of trusted certificates or to have pwned the client box so you can control the client/MITM connections"

    Did you still miss that it is the GOVERNMENT of a major country we are talking about here? Now go take a good hard look at that default list of "trusted" root certificates shipped with all major browsers. And no, using Firefox or Chrome will not help you here.

    https is and always was broken by design. It is, and never was, safe against a government adversary and it never will be. You can stick your head in the sand and think "my government loves me" (that must be why false-flag terrorism is common, why the US has fluoride in the water and so on) but that won't change the simple fact that any government agency can simply make a phone call and get a valid certificate for any damn domain they want and you're none the wiser if you are a target.

  31. Does this become a "news" website? by Anonymous Coward · · Score: 0

    One person reports a problem -- it's a nationwide problem?
    And do you moral high guys ever click to the very bottom of the news to check what the real news is? Of course you busily spent time pointing your fingers.

    In the news, one of the problems is Hotmail using a "hotmai.com" certificate, which happens to be an M$ website as well.

  32. I've been experiencing SSL errors with Hotmail.. by Rick+in+China · · Score: 2

    This has been going on for maybe a month -- but glad someone has logged/traced/pointed it out.. at least for hotmail.com. It's not consistent - but it has happened to me maybe 10 or 15 times in the last month. Typically it's perfectly fine.

  33. Re:Popular US browsers will warm, Chinese ones won by Anonymous Coward · · Score: 0

    >Popular US browsers will warm

    The winter is coming. This is a good thing.

  34. Re:Popular US browsers will warm, Chinese ones won by Anonymous Coward · · Score: 0

    Every Government has the certificates to sign their own keys for any website. The "trust" system for the CA is designed that way.

  35. Re: I believe you missed who the adversary is by fulldecent · · Score: 2

    This is a cute post that implies governments will use influence over CAs to sign fake websites that are accepted by default by browsers.

    Given any such forgery would:
      - leave immediate and permanent evidence
      - be a known attack vector that people are actively seeking evidence of
      - be of high interest to slashdot and browser makers

    Then I would recommend the naive null hypothesis that governments do not do this on a large scale has a high bar to be rejected.

    OTOH, targeted attacks against individual people are a different story.

    --

    -- I was raised on the command line, bitch

  36. Re:Popular US browsers will warm, Chinese ones won by WaffleMonster · · Score: 1

    > you appear to be clueless around security.

    I openly admit to being clueless around everything. You still have to support your arguments.

    > 2FA is not a mitigation against man in the middle. It is about raising the confidence level of the identity of the person who initiated the authentication.

    Authentication is establishing proof of identity. Over networks this requires strong crypto and guarding of pre-established basis of trust specific to each factor.

    There is no way around this basic truth. Number of factors involved is irrelevant.

    Just because Google does x or old RSA fobs did y or some bank did z does not make those schemes secure. They may represent practically useful tradeoffs to some subset of the real world yet when your adversary is the Chinese government you quickly appreciate why they are insecure and don't really work.

    > You can still MITM it depending on other factors implemented, however if you MITM a good 2FA system you only get the one time hijacking of the current session, not the ability to reauthenticate

    Is one session not enough to wreak havoc?

    > and as with many banks they then require a reauth for confirmation of certain off account transactions to help prevent the MITM problem.

    I don't think online banking is something that deserves to be held up as an example. At least here in the US the faux second factor schemes allowed to be deployed by many institutions are patently ridiculous and dangerous.

    What is secure is entering credentials into a FOB which then performs a cryptographic handshake with the institution. Here each and every factor is strongly protected and at no point is MITM possible unless the physical guard is compromised. Most everything short of the above is noise.
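The disagreement in the comments above turns on whether a factor is tied to the connection it travels over. The simulation below is an added example, not part of the original thread: a six-digit code verifies the same whether or not a pass-through relay sits in the path, while a response computed over the connection's channel binding does not. `Channel`, `DEVICE_KEY` and the function names are hypothetical, and an HMAC with a shared key stands in for the signature a client certificate or smart card makes over the TLS handshake.

```python
import hashlib
import hmac
import os

DEVICE_KEY = os.urandom(32)  # constructed: secret held by the user's token


class Channel:
    """Stand-in for one TLS connection. Both ends of the same connection see
    the same binding value (real stacks derive it from the handshake, e.g.
    the tls-exporter channel binding of RFC 9266)."""

    def __init__(self) -> None:
        self.binding = os.urandom(32)


def one_time_code(counter: int) -> str:
    """Unbound factor: depends only on the token secret and a counter."""
    mac = hmac.new(DEVICE_KEY, counter.to_bytes(8, "big"), hashlib.sha256)
    return str(int.from_bytes(mac.digest()[:4], "big") % 10**6).zfill(6)


def bound_response(nonce: bytes, channel: Channel) -> bytes:
    """Bound factor: the token MACs the server nonce together with the
    binding of the connection the user is actually on."""
    return hmac.new(DEVICE_KEY, nonce + channel.binding, hashlib.sha256).digest()


def server_accepts_code(code: str, counter: int) -> bool:
    return hmac.compare_digest(code, one_time_code(counter))


def server_accepts_bound(response: bytes, nonce: bytes, channel: Channel) -> bool:
    # The server recomputes the MAC over the binding of ITS OWN connection.
    return hmac.compare_digest(response, bound_response(nonce, channel))


def login(relayed: bool) -> dict:
    """Verify both factors once, directly or through a pass-through relay.
    With a relay, the user's connection and the server's connection are two
    different TLS sessions, so their binding values differ."""
    user_side = Channel()
    server_side = Channel() if relayed else user_side
    nonce = os.urandom(16)
    return {
        "otp": server_accepts_code(one_time_code(7), 7),
        "bound": server_accepts_bound(
            bound_response(nonce, user_side), nonce, server_side),
    }


if __name__ == "__main__":
    print("direct :", login(relayed=False))
    print("relayed:", login(relayed=True))
```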

  37. Re:Popular US browsers will warm, Chinese ones won by Anonymous Coward · · Score: 0

    Please describe a 2 factor authentication method that is not susceptible to a man in the middle attack.

    Specifically, describe a 2FA mechanism that is safe where one channel is completely compromised (Let's say; the Web Page you are "logging in to" is being man in the middled by the Chinese government).

    This is not "Prove something doesn't exist", but show me even one example of a mechanism that does exist that is "man in the middle-proof". Seriously.

  38. Re: I believe you missed who the adversary is by Anonymous Coward · · Score: 0

    Chrome will save you.

    Because certificate pinning means that even if the certificate is valid from a valid trusted CA, Chrome will still warn you that the certificate has changed.

  39. Apple's icloud trademark trampled by laughingskeptic · · Score: 1

    I wonder if Apple will complain to the world trade commission regarding the self-signed www.icloud.com certificate. This is a purposeful violation of Apple's trademark.

  40. Re: I believe you missed who the adversary is by dgatwood · · Score: 1

    > https is and always was broken by design. It is, and never was, safe against a government adversary and it never will be.

    Other than certificate pinning (which you can do with CA certs and SSL/TLS just as easily), describe a scheme that doesn't have this problem. No?

    At some point, you have to have a trusted party to provide trust in a cert. Otherwise, you have nothing. And that trusted party can be compromised, at which point you have nothing.

    Web of trust:

    The closest thing I'm aware of to avoiding that involves a web of trust, where trust is distributed more, but without a central authority, there's no consistency in how well different parts of that web perform validation of the identity of the requestor, which results in even weaker trust than with a central authority.

    Of course, you could set a trust policy that requires multiple signatures to trust a certificate, but at some point, you're still trusting random websites that you don't know, and whatever limit you set, a government could always exceed it. If you say that three sites must sign something for you to trust it, the government can find three sites that can be bribed, or even use their own sites to sign it.

    Mind you, you could carefully craft trust policies, and then manually evaluate every certificate that fails to decide whether you trust it, and that would be more secure for people who are highly skilled at crypto, but for the average person, such a scheme would be much, much weaker.

    DNS-based security:

    Another proposal for reducing the importance of the CAs is putting the certs in DNS records. This ensures that only those who can mess with DNS can change the certs.

    Unfortunately, most users rely on external DNS servers for recursion. If the government substitutes their own, they can refuse all DNSSec queries, and most users will be none the wiser. This effectively makes DNSSec useless until OS vendors make it mandatory by showing errors when it gets an unsigned response.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  41. Re:Popular US browsers will warm, Chinese ones won by WaffleMonster · · Score: 1

    > Please describe a 2 factor authentication method that is not susceptible to a man in the middle attack.

    Client certificate + password

    certificate based smart cards /w keypads

    > Specifically, describe a 2FA mechanism that is safe where one channel is completely compromised (Let's say; the Web Page you are "logging in to" is being man in the middled by the Chinese government).

    > This is not "Prove something doesn't exist", but show me even one example of a mechanism that does exist that is "man in the middle-proof". Seriously.

    Too many people seem to be poisoned by the way things are vs how they could be if the proper readily available technology was brought to bear on the problem. Collection of credentials from web forms per your example is a breathtakingly stupid way to have your users fall victim to attacks yet it is **everywhere**.

    For "what you know" use of zero-knowledge key agreement protocols such as TLS-SRP (RFC5054) enable two parties to establish mutual proof of possession without leaking shit and without associated MITM bullshit.

    Imagine entering your credentials into a web form and not having to give a shit who is on the other end and without having any SSL certificates.

    If the right person is on the other end login succeeds and *both parties* have evidence of the identity of who they are talking to.

    If the wrong person was on the other end they don't get *SHIT* not even material for offline attack and the login fails. No certificates or external security mechanisms are required yet they can still be used to further enhance security and practical user experience.

    Zero knowledge agreement satisfies "What you know" factor mutually in a secure way without MITM.

    Mutual certificate authentication satisfies "What you have" factor in a secure way without MITM.

    Each factor above is able to stand on its own feet separately. Each offers mutual evidence of identity.