Firstly, thanks to GitHub using HSTS on github.com (although not www.github.com), the certificate error will be fatal in Chrome and (I believe, but haven't checked) Firefox as long as you have visited GitHub previously.<p>(It's not preloaded HSTS so it would have to be learnt from a previous, unattacked connection.)<p>I know that the unbypassable errors for some sites upset the more technically minded people, but I think that incidents like this show their value.<p>The CloudShark trace shows what appears to be Firefox connecting to the GitHub IP address, but the server clearly isn't GitHub from the config. The server appears to be configured to accept the client's ciphersuite preference, but doesn't support DHE or ECDHE.<p>The server is also only 9ms from the client - that's clearly not crossing any oceans. I'd also guess that the server is overloaded at the time because the ServerHello (which doesn't take significant processing to generate in this case) takes 900ms to come back.<p>Sadly, it appears to show the user overriding the certificate error and talking to the server anyway :( Hopefully that was a fresh FF install just to see what would happen (which would explain why HSTS didn't prevent the override).<p>Lastly, the certificate appears to be self-signed, but the Authority Key Id doesn't match. One assumes, based on "OpenSSL Generated Certificate", that OpenSSL was used, but the person may have had some trouble. I'd guess that they generated a CA certificate first (with the same Subject) and then signed the certificate in question as a leaf. Many of the tutorials that you'll find online are for that sort of setup, so perhaps they weren't very familiar with X.509 certificates.
To clarify, this looks more like someone turning off SSL access to GitHub than a proper MITM attack in the traditional sense.<p>The certificate in that link is just a self-signed certificate, not something signed by a CA:<p>Issuer: C=US, ST=Some-State, O=github.com, OU=github.com, CN=github.com
Subject: C=US, ST=Some-State, O=github.com, OU=github.com, CN=github.com<p>So your browser will warn you that you are not making a secure connection. Firefox users, for instance, will have to make 5 clicks to get through that warning and visit the page.<p>I think "China turns off SSL access to GitHub" might be a more appropriate title.
This reminds me of the Firefox certificate "bug"[1] two years ago. A Chinese root certificate server was added to the trusted servers in Firefox and Chinese hackers started to submit bug reports regarding this, since people don't trust certificate servers run by the Chinese government. A man-in-the-middle attack was exactly what Chinese hackers worried about.<p>If they put this fake certificate in a certificate root server that's in the trusted server list, they can easily get the account of anyone who's using affected browsers.<p>It's weird that they start with Github. It's not a website that's popular among human rights activists or any other people that the Chinese government might be interested in. Instead, it's popular among programmers and hackers, who are the main group and force in China helping people bypass the GFW to access blocked content. I suppose this attack might be what the government uses to test the reaction and capability of hackers.<p>Seriously, this is really, really bad.<p>[1] <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=542689" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=542689</a><p>EDIT: added link for bug report
Fortunately, it looks like Chrome prevents users from clicking past the SSL errors. This Chinese Chrome screenshot[1] shows that there's only a back button (for English versions of this page, see [2]). Unfortunately, it appears that IE allows users to click past the errors[3]. I'm also interested in how the 360 browser[4], which has been gaining market share in China, handles the error.<p>Does anyone have any theories why China would use a self-signed certificate when it's very indiscreet? A lot of users will just click through if given the opportunity (around 60% in Chrome before new security measures prevented it[2]), but I doubt many users with truly sensitive private repos would do this.<p>[1] <a href="https://twitter.com/GreatFireChina/status/295236912594186240/photo/1" rel="nofollow">https://twitter.com/GreatFireChina/status/295236912594186240...</a><p>[2] <a href="http://www.imperialviolet.org/2012/07/19/hope9talk.html" rel="nofollow">http://www.imperialviolet.org/2012/07/19/hope9talk.html</a><p>[3] <a href="https://twitter.com/chenshaoju/status/295139636718743552/photo/1" rel="nofollow">https://twitter.com/chenshaoju/status/295139636718743552/pho...</a><p>[4] <a href="http://news.ycombinator.com/item?id=4499168" rel="nofollow">http://news.ycombinator.com/item?id=4499168</a>
What bugs me about stuff like this is that there will always be mercenaries, guys just like you and me that will do <i>anything</i> as long as it pays. The Chinese government wouldn't stand a chance if they had to do this stuff themselves. Mercenary coders are nothing new, we have them in every country (and sysadmins, companies and so on).<p>But you have to wonder what goes on in their heads, what mindset would prompt you to sell out like that.
Some speculation as to why they're targeting Github:<p>- the Chinese gov't is trying to identify users/developers of train-ticket-purchasing bots [1]<p>- they are interested in capturing some intellectual property contained in private repos<p>- it's just an exercise to watch & learn how computer-literate users circumvent a MITM attack<p>Given the recent Github blockade, I'd go with the first.<p>[1] <a href="http://www.techinasia.com/github-blocked-china/" rel="nofollow">http://www.techinasia.com/github-blocked-china/</a>
Many are mentioning the Chinese government, but are there any signs that they are involved?<p>How do we know that this isn't just a hijack of a Chinese ISP's DNS server or something similar? Maybe the same as what happened to Google Morocco just a couple of days ago ( <a href="http://arabcrunch.com/2013/01/breaking-google-morocco-google-co-ma-is-hacked.html" rel="nofollow">http://arabcrunch.com/2013/01/breaking-google-morocco-google...</a> ).
FYI there is a petition on whitehouse.gov to deny US entry to the people who work on the GFW.
<a href="https://petitions.whitehouse.gov/petition/people-who-help-internet-censorship-builders-great-firewall-china-example-should-be-denied-entry-us/5bzJkjCL" rel="nofollow">https://petitions.whitehouse.gov/petition/people-who-help-in...</a>
It sucks that my client will be able to say he was right about not allowing source code to be hosted on github.<p>(We ended up setting up a gitlab box and it works just as well)
I guess it was a planned public test or technical verification of a certain larger project about live traffic decryption on a national level. There really isn't a plausible political reason for github being targeted. Maybe targeting github can get data about user response or verify the scalability of the infrastructure, given the recent high HTTPS traffic volume from China to github.
I was wondering when Github was going to start supporting HSTS and 2-Factor Auth. I'm betting that it gets bumped in priority after this event. Nothing like an incident to move along security requirements!<p><a href="http://dev.chromium.org/sts" rel="nofollow">http://dev.chromium.org/sts</a><p><a href="https://www.duosecurity.com/features" rel="nofollow">https://www.duosecurity.com/features</a>
I should report that from my Shanghai based VPS I don't get this problem.<p>Perhaps this is localised, or was just a trial for a few hours.<p><a href="https://gist.github.com/4650029" rel="nofollow">https://gist.github.com/4650029</a>
Read the Twitter stream - it affects people inside China.<p>Still, this shows the depth of corruption of the China (gov't).<p><a href="https://twitter.com/search/?q=Github%20SSL" rel="nofollow">https://twitter.com/search/?q=Github%20SSL</a>
How would this fake cert work? It doesn't seem to originate with a root or have any associated information. Do browsers actually accept certs that look like this?
Censorship in China is a big business: for the companies that have connections to the officials, for the universities that rely on the funds, and for the officials who use this as a stepping stone for their careers. It is so common that you can even find many fresh graduates who worked for the GFW in the job market.
How long ago did this start? I wonder if it has anything to do with some of the issues with Github I (and others) were noticing on Friday[0]<p>[0] <a href="https://twitter.com/davidbalbert/status/294941563673522176" rel="nofollow">https://twitter.com/davidbalbert/status/294941563673522176</a>
Here's another (safe) "tweet" by a Chinese geek alerting people to the situation.<p>RT @chenshaoju
Wuxi Telecom real-world test: GitHub has already been hit by an SSL man-in-the-middle attack. (Original: 无锡电信实际测试GitHub已经遭到SSL中间人攻击。)
<a href="http://bit.ly/X49oPK" rel="nofollow">http://bit.ly/X49oPK</a>