Slashdot Mirror

← Back to Stories (view on slashdot.org)

EFF: Wider Use of HTTPS Could Have Prevented Attack Against GitHub

Posted by timothy on from the one-day-one-day dept.

itwbennett writes The attack against GitHub was enabled by someone tampering with regular website traffic to unrelated Chinese websites, all of which used a JavaScript analytics and advertising related tool from Baidu. Somewhere on China's network perimeter, that analytics code was swapped out for code that transparently sent data traffic to GitHub. The reason GitHub's adversaries were able to swap out the code is because many of the Chinese websites weren't encrypting their traffic.

3 of 48 comments (clear)

  1. As if ... by gstoddart · · Score: 3, Insightful

    So basically if China allowed HHTPS a non-Chinese server wouldn't have been DDoS'd.

    Like China will give a crap about that.

    --
    Lost at C:>. Found at C.
  2. Re:HTTPS? by Coren22 · · Score: 4, Insightful

    This is China we are talking about. They just ask Baidu to give them a copy of the SSL cert. I administer devices that are 1U and can act as a MITM at 10Gbit speeds, they are called load balancers. How hard would it be to reprogram a load balancer to also insert a script? Not very.

    Frankly, it would be just as easy to make Baidu serve up the script for them, or even hack the Baidu servers to add the "malicious" script themselves. This is a government, they have the power.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  3. Re:Fake certificate... by Anonymous Coward · · Score: 0, Insightful

    Most people can barely hold any trust about anything from the US these days. That includes its people, you would have to be clinically insane to trust americans.

    China are no worse than you. Probably a little better in fact.