Another Reason For Ubiquitous Web Encryption: To Neuter China’s “Great Cannon”

Another Reason For Ubiquitous Web Encryption: To Neuter China's "Great Cannon"

China’s web censorship machine, the Great Firewall, has a more offensive brother, researchers have declared today. Called the Great Cannon by Citizen Lab, a research body based at the University of Toronto, it can intercept traffic and manipulate it to do evil things.

In recent distributed denial of service (DDoS) attacks on code repository Github, the Great Cannon was used to redirect traffic intended for Baidu , the equivalent of Google in China, to hit two pages on the target site, including one that provided links to the Chinese-language edition of the New York Times. GreatFire.org, a website dedicated to highlighting Chinese censorship, was hit by a similar attack.

The Great Cannon only intercepts traffic to or from a specific set of targeted addresses, unlike the Great Firewall, which actively examines all traffic on tapped wires going in and out of China. According to Citizen Lab, in the recent DDoS hits, it intercepted traffic going to Baidu, and when it saw a request for certain JavaScript files on a Baidu server, it appeared to either pass the request on “unmolested”, as it did for 98 per cent of connections, or it dropped the request before it reached Baidu and sent a malicious script back to the requesting user, as it did nearly 2 per cent of the time. That malicious script would fire off traffic to the victims’ servers. With so many users redirected to the targets, the internet pipes feeding Github and GreatFire.org were clogged up, taking them offline. It was an effective, if blunderbuss, approach to censoring the targets.

But, as the researchers noted, the Great Cannon could be abused to intercept traffic and insert malware to infect anyone visiting non-encrypted sites within the reach of the attack tool. That could be done, said Citizen Lab, by simply telling the system to manipulate traffic from specific targets, say, all communications coming from Washington DC, rather than going to certain sites, as in the abuse of Baidu visitors. “Since the Great Cannon operates as a full man-in-the-middle, it would also be straightforward to have it intercept unencrypted email to or from a target IP address and undetectably replace any legitimate attachments with malicious payloads, manipulating email sent from China to outside destinations,” Citizen Lab added in its report released today.

The Great Cannon is not too dissimilar to QUANTUM, a system used by the National Security Agency and the UK’s GCHQ, according to the Edward Snowden leaks.  So-called lawful intercept providers, FinFisher and Hacking Team, sell products that appear to do the same too, Citizen Lab noted.

But there’s one simple way to stop the Great Cannon and the NSA from infecting masses of users: encrypt all websites on the internet. The system would not be able to tamper with traffic that is effectively encrypted. The SSL/TLS protocols (which most users commonly use when on HTTPS websites rather than HTTP) drop connections when a “man-in-the-middle” like the Cannon is detected, whilst preventing anyone from peeking at the content of web communications.

There are some significant projects underway designed to bring about ubiquitous web encryption. Just this week, the Linux Foundation announced it would be hosting the Let’s Encrypt project, which seeks to make SSL certificates, which website owners have to own and integrate into their servers to provide HTTPS services, free and easy to acquire. It should be possible to grab these simple and (hopefully) secure certificates from mid-2015, though Josh Aas, executive director at the the Internet Security Research Group (ISRG), which runs Let’s Encrypt, would not say when exactly. It has some serious backers, including Akamai, Cisco, Electronic Frontier Foundation and Mozilla.

It’s unclear whether Let’s Encrypt would provide certificates to Chinese sites. “The default stance is that we want to issue to everyone – but we will have to comply with US laws… our legal team is looking into it.”

“There’s a lot of the web that isn’t encrypted,” added Jim Zemlin, executive director at The Linux Foundation. “We think that’s a big deal for internet security.”