GreatFire Alleges Chinese Government Intercepted Traffic to Yahoo amid Hong Kong Protests
GreatFire, the online censorship monitor, accused the Chinese Government of intercepting traffic to Yahoo using fake and self-signed X.509 certificates, according to a Twitter announcement.
The alleged man-in-the-middle attack was also analyzed by Netresec, a Sweden-based network forensics company that confirmed the existence of fake X.509 certificates in the other two cases.
“The purpose of GFW (a.k.a. `Golden Shield`) is to censor the Internet, so the primary goal with this MITM attack isn’t to covertly spy on Chinese Yahoo searches,” said Erik Hjelmvik of Netresec. “Regardless if the end users notice the MITM or not, a self-signed X.509 cert is enough in order to see what they are searching for and `kill` their connection to Yahoo when queries like `Umbrella Revolution` and `Tiananmen Square Protests` are observed.”
Netresec analyzed two packet captures from China, one from Wuxi and the other from Zhengzhou. Both showed the “18.104.22.168” IP address, which belongs to the Yahoo Hong Kong domain, as intercepted by the Great Firewall of China (GFW).
The Time-To-Live (TTL) analysis revealed the same results as in Google’s case, meaning that the high TTL values, 58 and 57, of returning IP packets put the MitM attack just 6 or 7 router hops away.
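The hop estimate described above can be reproduced as follows. This is an added example, not code from the article or from Netresec. It assumes the responder started from a common default TTL (64, 128 or 255), and the capture labels and the 12-hop baseline are constructed for illustration.

```python
"""Hop-distance estimate from the TTL of returning IP packets (added example)."""

# Assumption: responders start from one of the common OS default TTLs.
COMMON_INITIAL_TTLS = (64, 128, 255)


def estimate_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops_travelled) for one observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    # Each router decrements TTL by one, so the sender most likely started
    # from the smallest common default that is >= the observed value.
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def closer_than_expected(samples, expected_min_hops):
    """Flag responders that sit nearer than the genuine server should.

    samples: iterable of (label, observed_ttl) taken from returning packets.
    expected_min_hops: hop count to the real server, measured independently
    (for example with traceroute from a clean vantage point).
    """
    findings = []
    for label, ttl in samples:
        initial, hops = estimate_hops(ttl)
        findings.append({
            "capture": label,
            "ttl": ttl,
            "assumed_initial_ttl": initial,
            "hops": hops,
            "suspicious": hops < expected_min_hops,
        })
    return findings


# TTLs 58 and 57 are the values quoted in the article; the capture labels
# and the baseline of 12 hops are constructed for illustration.
SAMPLES = [("capture-a", 58), ("capture-b", 57)]
EXPECTED_MIN_HOPS = 12

if __name__ == "__main__":
    for finding in closer_than_expected(SAMPLES, EXPECTED_MIN_HOPS):
        print(finding)
```

The initial-TTL guess is a heuristic, so a low hop count is best treated as one signal to weigh alongside the certificate mismatch rather than as proof on its own.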
The X.509 SSL certificates appeared to be self-signed for “yahoo.com,” which causes certain browsers to flag them as crafted certificates, an element of a MitM attack.
Photo Credit: @GreatFireChina
The modus operandi seems to resemble the ones in Google’s and GitHub’s cases, with one linking element being the fake X.509 certificates.
The man-in-the-middle attack is the third one allegedly carried out by the Chinese authorities, as GreatFire also reported similar traffic interception attempts on Google and GitHub.