China Launches MitM Attack on Google Users

Chinese authorities want to keep tabs on the users of an education and research network, so they have started intercepting encrypted traffic to and from Google’s servers, an organization that monitors online censorship in China reported on Thursday. Google, like many other popular Western websites, is blocked in China. However, since the search engine is highly valuable for research purposes, authorities allow access to it through CERNET, a nationwide education and research computer network.

However, according to the non-profit organization GreatFire, starting on August 28, CERNET users have been seeing warning messages about invalid SSL certificates when trying to access google.com and google.com.hk. Experts believe authorities have launched a man-in-the-middle (MitM) attack against the encrypted traffic between CERNET and Google to see what people are searching for.

Greatfire.org claimed that the attacks are similar to those believed to have been sanctioned by Beijing in January 2013 against the developer site GitHub.

This isn’t the first time Chinese authorities have launched such attacks. In January 2013, GitHub users in China reported seeing warning messages about invalid certificates. At the time, experts assumed that the MitM attack was launched because of a petition asking that the creators of the “Great Firewall of China,” the country’s censorship system, be denied entry to the United States. The names of people who allegedly contributed to the technical infrastructure behind the censorship system were published on GitHub, which might have been the reason why authorities decided to target the website.

Netresec says the MitM attack on Google is similar to the one launched last year against GitHub, but it’s not identical.

“Instead of just outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities felt that a MITM attack would serve their purpose. By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results,” GreatFire said in a blog post.

Netresec has analyzed two packet captures of the attack and determined that the operation was conducted from within China.

“It’s difficult to say exactly how the MITM attack was carried out, but we can dismiss DNS spoofing as the used method. A more probable method would be IP hijacking; either through a BGP prefix hijacking or some form of packet injection. However, regardless of how they did it the attacker would be able to decrypt and inspect the traffic going to Google,” Netresec researchers noted in a blog post.

Greatfire.org urged CERNET users not to click through if they see a certificate warning as it could lead to attackers stealing their Google credentials and accessing their email account.
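The warning GreatFire refers to is the client's certificate check failing. As an added illustration written for this page (not code from GreatFire, Netresec or Google), the following Go program builds a constructed root CA in memory, issues a genuine certificate for www.google.com from it, and also creates a self-signed certificate carrying the same name, which is what an interceptor without a trusted CA can present; a client that trusts only the constructed root accepts the first and rejects the second. The CA name is hypothetical and all keys are generated at run time.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for name; with parent == nil it is self-signed.
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil { // no trusted issuer available: sign with our own key
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// Trusted mirrors the browser check: chain to a trusted root and match the hostname.
func Trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Scenario returns (genuineTrusted, interceptorTrusted) for a client whose trust
// store holds only the constructed root CA (hypothetical name, generated here).
func Scenario() (bool, bool) {
	ca, caKey := mkCert("constructed-root-ca", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	genuine, _ := mkCert("www.google.com", false, ca, caKey)
	rogue, _ := mkCert("www.google.com", false, nil, nil) // same name, no trusted signer
	return Trusted(genuine, roots, "www.google.com"), Trusted(rogue, roots, "www.google.com")
}

func main() {
	fmt.Println(Scenario()) // prints: true false
}
```

Clicking through the warning amounts to calling the handshake successful despite Trusted returning false, after which the interceptor holds the session and anything sent over it.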

Google sites inside China have been difficult to access smoothly since the firm effectively quit the country in 2010, after the Operation Aurora APT attacks were revealed, and some, like YouTube, are banned outright.

The Great Firewall of China is well known, but China has been tightening its internet censorship over the past few weeks because of the large-scale pro-democracy movement under way in its Hong Kong territory.