The Chinese authorities have launched a man-in-the-middle attack campaign against users of the country’s research and education network CERNET who try to search via Google, in a bid to monitor and censor the HTTPS site.
Non-profit anti-censorship body Greatfire.org claimed that the attacks are similar to those believed to have been sanctioned by Beijing in January 2013 against developer site Github.
They first came to light when users of CERNET, who unlike regular Chinese netizens are allowed access to usually blocked foreign sites, complained on social media that they’d begun receiving warning messages about invalid SSL certificates.
“As we have seen on just about every front, the current administration is hell-bent on controlling the medium as well as the message. Instead of just outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities felt that a MITM attack would serve their purpose,” Greatfire.org claimed in a blog post.
“By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results.”
Greatfire said it’s basing its conclusions on expert advice from network security monitoring firm Netresec, which analyzed the original MITM attacks on Github last year.
The security firm claimed that “the machines performing the MITM attack are most likely injecting packets somewhere at the outer border of CERNET, where they are peering with external networks.”
“It's difficult to say exactly how the MITM attack was carried out, but we can dismiss DNS spoofing as the used method,” Netresec said in a blog post.
“A more probable method would be IP hijacking; either through a BGP prefix hijacking or some form of packet injection. However, regardless of how they did it the attacker would be able to decrypt and inspect the traffic going to Google.”
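The reasoning Netresec describes (correct DNS answer, wrong certificate, therefore interception on the path rather than DNS spoofing) can be written as a small triage routine. This is an added illustration, not code from Greatfire.org or Netresec; the address range, fingerprint and certificate fields are constructed placeholders, not real Google values.

```python
"""Triage a suspected HTTPS interception from what one client observed.

Classification mirrors the argument in the article: if the client reached
the genuine server address but was handed a certificate the trust store
rejects, something on the path answered in the server's place (packet
injection or a prefix hijack); if the address itself was wrong, DNS
spoofing is the more likely explanation.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Observation:
    hostname: str        # name the client connected to
    resolved_ip: str     # A record the resolver returned
    cert_subject_cn: str  # CN of the leaf certificate presented
    cert_issuer_cn: str  # CN of the issuing CA
    cert_sha256: str     # fingerprint of the leaf certificate
    chain_valid: bool    # did the client's trust store accept the chain?


# Constructed reference data (placeholders, assumed for this example).
EXPECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
PINNED_FINGERPRINTS = {"constructed-good-fingerprint-0001"}


def classify(obs, expected_prefixes=EXPECTED_PREFIXES,
             pinned=PINNED_FINGERPRINTS):
    """Return one of: clean, dns-spoofing-suspected,
    on-path-interception-suspected, name-mismatch."""
    addr = ipaddress.ip_address(obs.resolved_ip)
    ip_expected = any(addr in net for net in expected_prefixes)
    cert_known = obs.cert_sha256 in pinned

    if cert_known and obs.chain_valid and ip_expected:
        return "clean"
    if not ip_expected:
        # Client was steered to an address outside the operator's ranges.
        return "dns-spoofing-suspected"
    if obs.cert_subject_cn != obs.hostname:
        # Interceptor did not even bother to forge the right name.
        return "name-mismatch"
    # Genuine address reached, but an unknown certificate for the right
    # name came back: an in-path device is terminating the TLS session.
    return "on-path-interception-suspected"
```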
Greatfire.org urged CERNET users not to click through if they see a certificate warning, as doing so could let attackers steal their Google credentials and access their email accounts.
Google sites inside China have been difficult to access smoothly since the firm effectively quit the country in 2010 after the Operation Aurora APT attacks were revealed and some, like YouTube, are banned outright.
However, Beijing began blocking Google with more urgency in the run-up to the 25th anniversary of the Tiananmen Square massacre in June this year. Since then, Greatfire.org has been offering a mirror site for Google Search which users inside the Great Firewall can access.
In related news, a Chinese man has stuck his head above the parapet by suing state-owned China Unicom for denying him access to Google Search.
Wang Long claimed on his Weibo account that when the judge at the Futian People’s Court asked Unicom’s lawyer whether Google’s site can normally be accessed, he replied that he was “not sure whether he can tell [the court] or not,” according to AFP.
The judge apparently absolved China Unicom of any blame, although he admitted Google could not be accessed in China.