Slashdot Mirror


EFF: Wider Use of HTTPS Could Have Prevented Attack Against GitHub

itwbennett writes The attack against GitHub was enabled by someone tampering with regular website traffic to unrelated Chinese websites, all of which used a JavaScript analytics and advertising related tool from Baidu. Somewhere on China's network perimeter, that analytics code was swapped out for code that transparently sent data traffic to GitHub. The reason GitHub's adversaries were able to swap out the code is because many of the Chinese websites weren't encrypting their traffic.

10 of 48 comments

  1. Today's "news" brought to you by... by JustinKSU · Score: 3, Funny

    duh. better security == better security.

  2. HTTPS needs to be the default by Anonymous Coward · Score: 2, Interesting

    You cannot tamper with the contents of an HTTPS stream.

    But don't be under the illusion that that actually provides security, after all, if you can't MITM, you just need to poison the watering hole.

    1. Re:HTTPS needs to be the default by krept · Score: 2

      I didn't get your comment until further down... HTTPS does provide security, it just doesn't guarantee it. Especially where China could probably install any client they want on many many computers.

      --
      None of us know everything. Therefore we're all naïve.
  3. EFF Link by gQuigs · Score: 5, Informative
  4. As if ... by gstoddart · Score: 3, Insightful

    So basically if China allowed HTTPS a non-Chinese server wouldn't have been DDoS'd.

    Like China will give a crap about that.

    --
    Lost at C:>. Found at C.
  5. Fake certificate... by zoffdino · Score: 4, Interesting

    Can HTTPS help when even the certificate is faked? I can barely hold any trust about anything from China these days.

  6. Re:HTTPS? by IamTheRealMike · Score: 4, Informative

    The Great Firewall could just as easily act as a MITM attack

    This must be a new use of the phrase "just as easily" that I haven't encountered before.

    Line rate DPI is already expensive and slow. The Great Firewall has in the past routinely suffered from weird hotspots or outages at peak times where banned keywords were not always being spotted.

    The injection technique that the GFW was using in this instance is very simple: on spotting a particular byte pattern in the packet stream, write three (probably pre-formatted) packets into a network port, sit back, see what happens. There were always exactly three packets and attempting to get normal behaviour out of the MITM TCP stack didn't work, meaning there probably is no stack.

    Now throw "completely intercept the TCP handshake and redo it, then perform an SSL handshake on the client end, then perform ANOTHER connection to the Baidu server, then obtain a fake cert without tipping off the western browser/OS makers whose browsers you are trying to hack, THEN decrypt massive amounts of traffic (basically all traffic to the intended host) at line rate" .... yeah good luck. It can theoretically be done but it'd require entire datacenters of machines doing nothing but decrypting and re-encrypting Baidu.

    Then remember that this attack works by converting Chinese people abroad into a botnet. So the moment the Chinese fake cert is detected it would be revoked immediately. Attack over.

    No way. It will never happen. If China wants to convert Baidu users into a weapon then it is MUCH simpler for them to simply ...... put a gun to the CEO's head and say "you're inserting our js into your code whether you like it or not". That way Baidu pays all the costs of serving their code and they don't need any large new infrastructure to do SSL MITM.

  7. Re:HTTPS? by Coren22 · Score: 4, Insightful

    This is China we are talking about. They just ask Baidu to give them a copy of the SSL cert. I administer devices that are 1U and can act as a MITM at 10Gbit speeds, they are called load balancers. How hard would it be to reprogram a load balancer to also insert a script? Not very.

    Frankly, it would be just as easy to make Baidu serve up the script for them, or even hack the Baidu servers to add the "malicious" script themselves. This is a government, they have the power.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  8. Re:Prediction by Midnight+Thunder · Score: 4, Informative

    Regular http will be basically dead by 2020.

    It will be if setting up HTTPS and virtual hosts using HTTPS becomes as easy as setting up a basic HTTP server.

    The main issue at the moment is that getting a certificate is complicated and expensive, and then dealing with setups is not always straightforward. Now, that is just for a basic Apache server. Create scenarios where you have load balancers, Apache servers serving multiple domain names and application servers fronted by Apache and you have another set of problems.

    HTTPS needs to become easy to set up for anyone, and not just necessary.

    I may have missed some of the advances in simplification, so I would welcome any new information here.

    --
    Jumpstart the tartan drive.
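An added example of the multi-domain Apache setup the comment above describes (not from the post or from Slashdot): two name-based HTTPS virtual hosts on one address, selected by TLS SNI, with port 80 doing nothing but redirecting to HTTPS. Hostnames, document roots and certificate paths are placeholders.

```apache
# Added example (not from the post): Apache 2.4, two domains on one
# IP address, each with its own certificate, selected by TLS SNI.
# Hostnames, DocumentRoots and certificate paths are placeholders.

# Shared TLS policy inherited by every HTTPS vhost below (mod_ssl).
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder     on
SSLCipherSuite          HIGH:!aNULL:!MD5

# Port 80 only redirects, so no page content (and no analytics script)
# is ever delivered in the clear where an on-path party could swap it.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent "/" "https://www.example.org/"
</VirtualHost>

# First HTTPS vhost; it is also the default when a client sends no SNI.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # Returning browsers refuse plain HTTP for this host (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

# Second HTTPS vhost on the same address and port: picked by SNI hostname,
# so each domain keeps its own certificate without a second IP.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Requires mod_ssl and mod_headers to be loaded; clients without SNI support land on the first *:443 vhost.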
  9. Re:DANE by tepples · Score: 2

    Good luck getting last mile ISPs and domain registrars to offer reliable DNSSEC resolution.