GreatFire Alleges Chinese Government Intercepted Traffic to Yahoo amid Hong Kong Protests

Lucian Ciolacu

October 02, 2014

GreatFire, the online censorship monitor, accused the Chinese Government of intercepting traffic to Yahoo using fake and self-signed X.509 certificates, according to a Twitter announcement.

The alleged man-in-the-middle attack was also analyzed by Netresec, a Sweden-based network forensics company, which confirmed the existence of fake X.509 certificates in the other two cases.

“The purpose of GFW (a.k.a. ‘Golden Shield’) is to censor the Internet, so the primary goal with this MITM attack isn’t to covertly spy on Chinese Yahoo searches,” said Erik Hjelmvik of Netresec. “Regardless if the end users notice the MITM or not, a self-signed X.509 cert is enough in order to see what they are searching for and ‘kill’ their connection to Yahoo when queries like ‘Umbrella Revolution’ and ‘Tiananmen Square Protests’ are observed.”

Netresec analyzed two packet captures from China, one from Wuxi and the other from Zhengzhou. In both, traffic to the IP address “202.43.192.109,” which belongs to the Yahoo Hong Kong domain, appeared to have been intercepted by the Great Firewall of China (GFW).

The Time-To-Live (TTL) analysis revealed the same results as in Google’s case: the high TTL values, 58 and 57, of the returning IP packets put the MitM attack just 6 or 7 router hops away.
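The TTL reasoning above can be turned into a simple capture-analysis check. The following is an added example, not code from Netresec or GreatFire: it infers the sender's initial TTL from common operating-system defaults, converts an observed TTL into a hop estimate, and flags responses that originate much closer than the known path to the genuine server. The capture labels, the control record, the baseline hop count and the tolerance are constructed assumptions.

```python
# Added illustration: estimate responder distance from observed IP TTLs.
# Sample records and the baseline hop count below are constructed.

COMMON_INITIAL_TTLS = (64, 128, 255)  # typical operating-system defaults


def estimate_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops) for the TTL seen on a received packet."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in the range 1..255")
    # Assume the sender used the smallest common default that is >= the observed value.
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def flag_close_responders(records, baseline_hops, tolerance=3):
    """Flag responses that originate markedly closer than the known path length.

    records: iterable of (capture_label, server_ip, observed_ttl)
    baseline_hops: hop count to the genuine server, e.g. from a traceroute
                   taken on a trusted path (assumed to be known)
    """
    findings = []
    for label, ip, ttl in records:
        initial, hops = estimate_hops(ttl)
        shortfall = baseline_hops - hops
        if shortfall > tolerance:
            findings.append({"capture": label, "ip": ip, "ttl": ttl,
                             "initial_ttl": initial, "hops": hops,
                             "shortfall": shortfall})
    return findings


# Constructed sample: the TTLs 58 and 57 and the IP come from the article;
# the labels, the control record and the 17-hop baseline are made up.
SAMPLE_RECORDS = [
    ("capture-A", "202.43.192.109", 58),
    ("capture-B", "202.43.192.109", 57),
    ("control", "202.43.192.109", 47),
]
BASELINE_HOPS = 17

if __name__ == "__main__":
    for finding in flag_close_responders(SAMPLE_RECORDS, BASELINE_HOPS):
        print(finding)
```

The initial-TTL guess is a heuristic, since an on-path device can set any TTL it likes, so a hit is a reason to inspect the certificate and the rest of the flow rather than proof of interception.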

The X.509 SSL certificates appeared to be self-signed for “yahoo.com,” which causes certain browsers to flag them as crafted certificates, an element of a MitM attack.

Photo Credit: @GreatFireChina

The modus operandi seems to resemble that of the Google and GitHub cases, with one linking element being the fake X.509 certificates.

This man-in-the-middle attack is the third one allegedly carried out by the Chinese authorities, as GreatFire also reported similar traffic interception attempts on Google and GitHub.
