
China Telecom's Internet Traffic Misdirection

410 points| dbelson | 7 years ago |internetintel.oracle.com

112 comments

[+] resters|7 years ago|reply
Combine this with exploits into one or more broadly trusted certificate authorities (which surely exist) and it's pretty amazing how much data China would have been able to obtain.

Every time I bring up the following point someone chimes in that it's a bad idea, but I still fail to understand why it's not easy to pick which CAs I want to trust by picking a list of entities/people I trust and then adopting their recommendations for which CAs to trust.

This would be a few clicks of UI to let me be intelligently paranoid while maintaining only a layperson's understanding of why (say) Bruce Schneier decides to trust some and not others.

[+] unethical_ban|7 years ago|reply
This should absolutely be exposed in browser UIs, esp Firefox which uses its own store. Why can I not easily select/deselect all, sort by country of origin, issuer, plain text search filters, and so on? The ability to click-through, or even to simply display the "insecure" badge, would still be there.

Or, as you said, being able to subscribe to other recommendations would be cool.

[+] jopsen|7 years ago|reply
I personally think certificate transparency and Expect-Ct headers will do far more to detect China-in-the-middle.

Nothing is more embarrassing than getting caught with your fingers in the cookie jar.

Besides I trust CAs will be de-listed if proven compromised.

[+] maltalex|7 years ago|reply
> Combine this with exploits into one or more broadly trusted certificate authorities (which surely exist) and it's pretty amazing how much data China would have been able to obtain.

The attacker doesn't even need to compromise a CA.

If someone hijacks the IP address of example.com, he could easily get a valid Let's Encrypt certificate for that domain.

[+] tinus_hn|7 years ago|reply
The party you want to connect to chooses the CA, not you. Are you really not going to use YouTube because you don’t trust the Google CA?

Anyway, redirecting and sniffing traffic is one thing, intercepting and changing encrypted traffic while being undetected is another. It’s quite a stretch really.

[+] gcb0|7 years ago|reply
because tomorrow your bank starts to only have a cert from some CA you didn't trust before.

having to manually select/add CAs is akin to not having ssl and using pgp everywhere. and you know how well that works out even for technical folks.

[+] raquo|7 years ago|reply
I understand the sentiment, but somehow I feel that more people will trust Alex Jones on this than Bruce Schneier.

Actual experts aren't respected by the general population enough for this to be a net positive change is my guess.

[+] cwkoss|7 years ago|reply
Distributed trust and vouching systems are going to be the next big thing.
[+] freeflight|7 years ago|reply
Sounds a bit like how ad-block plus handles the blocking based on lists to which you subscribe, just with certificate white/blacklists?
[+] commandlinefan|7 years ago|reply
I'm continually amazed at how insecure almost every aspect of internet routing is - it mostly boils down to a sort of "gentlemen's agreement" that everybody will follow the rules.
[+] StudentStuff|7 years ago|reply
Such is the nature of BGP. Something like SPF (e.g. an authorized AS list for an IP block) and DMARC (reporting about who tried to broadcast what IP block and was rejected) would be great, perhaps even have the latter component convey attack info so ISPs could deal with infected clients automatically.

Basic security mechanisms when it comes to large ISP networks are a pipe dream though, instead we get vendors pushing extremely vulnerable Juniper gear cause it's reasonably priced, meanwhile these boxes have new root exploits found multiple times a year. None of the vendors give a crap about security, Cisco pays it some lip service (to win gov't contracts) but charges a premium for basic features.
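
A small worked version of the "authorized AS list for an IP block" idea in the comment above, added here as an example and not code from the thread: it classifies a BGP announcement against a list of authorization records using the route origin validation semantics of RFC 6811 (the check that RPKI performs). The prefixes, AS numbers and records are constructed documentation and private-use values.

```python
from ipaddress import ip_network
from typing import NamedTuple

class ROA(NamedTuple):
    """One authorization record: 'this AS may originate this block'."""
    prefix: str      # the IP block covered by the authorization
    max_length: int  # longest prefix length the AS may announce within it
    asn: int         # the single origin AS that is authorized

def validate_origin(announced_prefix: str, origin_asn: int, roas: list) -> str:
    """Classify a BGP announcement against an authorization list.

    Returns 'valid', 'invalid' or 'not-found', following RFC 6811: a block
    with no covering record is 'not-found' (unprotected), a covering record
    with the right AS and an acceptable length makes it 'valid', and a
    covered announcement matching no record (wrong AS, or a more-specific
    prefix than the record allows) is 'invalid'.
    """
    announced = ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        block = ip_network(roa.prefix, strict=False)
        # subnet_of() raises TypeError across IPv4/IPv6, so compare versions first
        if block.version == announced.version and announced.subnet_of(block):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"

# Constructed sample records: documentation prefixes and private-use AS numbers.
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64500),
]

if __name__ == "__main__":
    cases = [
        ("203.0.113.0/24", 64500),   # the legitimate origin
        ("203.0.113.0/25", 64500),   # right AS, but more specific than allowed
        ("203.0.113.0/24", 64496),   # a different AS announcing the block
        ("2001:db8:1::/48", 64500),  # a permitted more-specific
        ("192.0.2.0/24", 64500),     # no record at all: cannot be judged
    ]
    for prefix, asn in cases:
        print(f"{prefix:18} from AS{asn}: {validate_origin(prefix, asn, SAMPLE_ROAS)}")
```

The more-specific case is the one worth noting: a hijacker announcing a longer prefix than the record permits is flagged even when it claims the legitimate origin AS.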

[+] toomuchtodo|7 years ago|reply
Internet routing (BGP), SMTP, and DNS (not inclusive, just off the top of my head) were developed during the very beginnings of the internet, without much thought into today's use and scale.

Today you'd do better, with hindsight being 20/20.

[+] magicbuzz|7 years ago|reply
And state actors are proving themselves to not be gentlemen at all.
[+] cm2187|7 years ago|reply
A "gentlemen's agreement" that was designed to sustain a nuclear strike...
[+] e40|7 years ago|reply
I'd like to point out that government used to run by agreements that were like that, and look what has happened in that domain. I say this as a warning what the internet could become.
[+] cauldron|7 years ago|reply
CT and Chinese ISPs have been hijacking user traffic for decades, profiting off of it by selling traffic dumps to data-exploiting companies, inserting ads in webpages, and stealing social media tokens (for follower boosting and ad retweeting).

I've found China Unicom openly hawking their data mining products. https://imgur.com/a/uNxA50K

[+] hrrsn|7 years ago|reply
Have you got a translated version of that screenshot?
[+] burtonator2011|7 years ago|reply
This is one of the reasons TLS/SSL and crypto is so amazingly important.

Go ahead, monkey around with BGP, since I have the public key of the recipient of my packets I can detect this and block any type of misdirection.

[+] maltalex|7 years ago|reply
> Go ahead, monkey around with BGP, since I have the public key of the recipient of my packets I can detect this and block any type of misdirection.

And how did you get that public key?

An attacker could pretty easily obtain a valid Let's Encrypt certificate using a BGP hijack.

Also, the CA system is in bad shape - CAs have been hacked and certificates were leaked. Not to mention that some of the CAs your browser trusts are not entirely trustworthy or are located in untrustworthy countries. Oh, and from time to time there are attacks against TLS itself (e.g. https://drownattack.com/)

[+] martinald|7 years ago|reply
Somewhat offtopic but which tool shows you the AS number + info alongside the traceroute in the screenshot?
[+] jwbensley|7 years ago|reply
I would guess that the author copied the results into a table and prettified them and added in details like location.

At the top of the screenshot it says "traceroute from London to ..." - no traceroute program knows where it is in the world!

Also, the locations of each hop in the traceroute (NY > Chicago > Ashburn etc.): no traceroute program will know where in the world those IPs are. I suspect the author has guestimated based on the reverse DNS record for the IPs and latency.

Traceroute does have the ability to show you the ASNs in a path but that is based on a WHOIS lookup of the IPs that it's discovering. So it could be wrong by assuming the IP address of each hop was announced by the ASN that owns it.

[+] mirimir|7 years ago|reply
OK, so I'm sitting here, posting to HN in Firefox. And if I like, I can open a terminal and run something like:

    traceroute news.ycombinator.com | grep -f chinese-ipv4 -f chinese-hosts
And indeed, there could be a Firefox extension that did that, right? So at least, users would know.
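
A Python version of the check mirimir sketches above, added as an example rather than code from the thread: it parses traceroute output, maps each hop address to an origin AS through a prefix table, and reports the hops that land in a watched AS. The traceroute text, the prefix-to-AS table and the AS numbers are all constructed; a real deployment would fill the table from RIR or routing data, with the caveat raised earlier in the thread that a hop's address need not be announced by the AS that registered it.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed traceroute output in the usual "hop host (ip) rtt" layout.
SAMPLE_TRACEROUTE = """\
traceroute to example.net (198.51.100.9), 30 hops max
 1  gw.local (192.0.2.1)  1.234 ms  1.100 ms  1.050 ms
 2  * * *
 3  203.0.113.17 (203.0.113.17)  20.1 ms  19.8 ms  20.3 ms
 4  198.51.100.9 (198.51.100.9)  45.2 ms  44.9 ms  45.0 ms
"""
# Constructed prefix -> origin AS table; a real one comes from RIR/routing data.
PREFIX_TO_ASN = {"192.0.2.0/24": 64496, "203.0.113.0/24": 64500, "198.51.100.0/24": 64501}

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                 # "<hop>  <rest of line>"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")   # first address on the line

def asn_for(ip: str, table: dict):
    """Longest-prefix match of one hop address against the table (None if unknown)."""
    addr, best = ip_address(ip), None
    for prefix, asn in table.items():
        net = ip_network(prefix)
        if net.version == addr.version and addr in net and \
                (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def flag_hops(traceroute_text: str, watched_asns: set, table: dict):
    """Return [(hop, ip, asn)] for every hop whose origin AS is on the watch list."""
    flagged = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header line, not a hop
        ip_m = IPV4_RE.search(m.group(2))
        if not ip_m:
            continue                      # "* * *": the hop did not answer
        asn = asn_for(ip_m.group(1), table)
        if asn in watched_asns:
            flagged.append((int(m.group(1)), ip_m.group(1), asn))
    return flagged

if __name__ == "__main__":
    for hop, ip, asn in flag_hops(SAMPLE_TRACEROUTE, {64500}, PREFIX_TO_ASN):
        print(f"hop {hop}: {ip} is in AS{asn}")
```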
[+] mehrdadn|7 years ago|reply
Tangent, but are traceroutes spoofable (barring timing differences), or would they break too many other things to be practical? I'm wondering if anyone might do that to hide their tracks.
[+] walrus01|7 years ago|reply
If BGP4 were designed today, it would look very different.
[+] zozbot123|7 years ago|reply
How about just globally blocking AS4134 and AS9318?
[+] baybal2|7 years ago|reply
You will be surprised how many companies are already doing so
[+] furkitolki|7 years ago|reply
According to traceroute, I wonder what makes the United States safe and China not. Both not safe.
[+] ggm|7 years ago|reply
Hanlon's razor has been raised on NANOG.
[+] jmartrican|7 years ago|reply
This is so stupid that we keep doing business with the Communist Party of China.
[+] consumer451|7 years ago|reply
I just don’t understand why the telecom agreements are not reciprocal. If no foreign nation is allowed to put a POP in China, then why is China allowed to put POPs all around the world?
[+] olliej|7 years ago|reply
Or the government of Australia which has laws allowing similar...
[+] StudentStuff|7 years ago|reply
It's not as though our domestic technology vendors care about security. JunOS is constantly having new vulnerabilities found, and Cisco ain't much better, but charges a premium price as they are viewed as the market leader and pay some lip service to security.
[+] gcb0|7 years ago|reply
lol. typical anachronistic oracle. their blog fails to render on 2 out of 3 browsers I tested. What is this? 1995?
[+] praneshp|7 years ago|reply
Can I ask what browsers? If you've disabled Javascript, I'd argue that's the anachronism.