GitHub MitM attack orchestrated by Chinese censors?
Posted on 31 January 2013.
China-based users and visitors of GitHub, the globally popular online source code repository, were targeted with a man-in-the-middle attack late last Friday, according to GreatFire, a non-profit organization that reports on the government's online censorship efforts in China.

They say that for an hour or so, visitors from China were faced with browser warning messages about invalid SSL certificates, and speculate that the people behind the attack might have been the developers of the "Great Firewall" of China, who were named in a petition put forward to the White House, asking that "people who help internet censorship should be denied entry to the U.S."

"The petition has gathered more than 8,000 signatures in the five days since. To make the idea specific, there is a link to a list of Chinese individuals accused of contributing to the technical infrastructure behind online censorship in China. And this list is hosted on - you guessed it - GitHub," GreatFire reports.

"The list has gathered hundreds of comments, the vast majority in Chinese. One of these comments contains the supposed address and ID number of Fang Binxing, the Principal of Beijing University of Posts and Telecommunications and often called the 'Father of China's Great Firewall'. Another comment links to another much longer list of supposed contributors to the Great Firewall, also hosted on GitHub."

The Chinese government did block access to GitHub a week prior to that, but was forced to restore access due to public protest and probably also because blocking it cripples the ability of Chinese developers to collaborate, and thus to innovate.

"[The authorities] can't selectively block content on GitHub nor monitor what users are doing there. They also cannot block the website altogether lest they hurt important Chinese companies," GreatFire claims. "This is where man-in-the-middle attacks make their entrance. By faking SSL certificates, the authorities can indeed intercept and track traffic to encrypted websites."

They say that the attack was "crude" (the fake SSL certificate was not signed by a known certificate authority), "irrational", and short-lived, but unfortunately that doesn't mean that some of the visitors' passwords weren't recorded.

