For 18 minutes, China hijacked 15 percent of the world’s Internet traffic

224 points | pc | 15 years ago | webcache.googleusercontent.com | reply

57 comments

[+] johnthedebs|15 years ago|reply
Disclaimer: I am not a security expert, but I did study networking and network security for a few years.

This article seems a bit over the top. It's pure speculation, and it seems much more likely that an engineer configured a router incorrectly, panicked for 15 minutes, then fixed it.

"What set this incident apart from other such mishaps was the fact that China Telecom could manage to absorb this large amount of data and send it back out again without anyone noticing a disruption in service."

We've got a technically inclined community here: When your Internet access is slow for a while, what do you attribute it to? I doubt anyone's first instinct is "must be a man-in-the-middle attack." Again, it seems much more likely that they simply had the capacity to handle most of that traffic (biggest country in the world, modernization, etc.) and no one noticed because the Internet is often flaky.

[+] btmorex|15 years ago|reply
When my internet is slow, my first inclination is traceroute (mainly so I can complain to Comcast if it's their fault, which it usually is), which presumably would show what was happening.
[+] newhouseb|15 years ago|reply
I'd also emphasize the unlikelihood that China can handle that amount of traffic.

As anyone who's surfed on the internet in China can attest, the bandwidth into and out of China is basically nil. You can test this out yourself by trying to watch anything on youku.com - it takes years to load. If they magically had the capacity to actually handle the load of the world, I wish they would turn it on already.

[+] nphase|15 years ago|reply
When my Internet access is slow, I'm inclined to attribute it to Comcast. Then I log into my router, verify things are down on that link (I multihome with a slower DSL connection), and reboot my cable modem. Sadly, that fixes things nine times out of ten.
[+] swombat|15 years ago|reply
> Internet encryption depends on two keys. One key is private and not shared, and the other is public, and is embedded in most computer operating systems. Unknown to most computer users, Microsoft, Apple and other software makers embed the public certificates in their operating systems. They also trust that this system won't be abused.

Umm, yeah, right. Basic fail at understanding public/private key cryptography.

If crypto systems relied on trusting that everyone does the right thing, they would be useless.

After such a fundamental failure, it's hard to take the rest of the article seriously.

[+] Robin_Message|15 years ago|reply
Actually, I think the article is right. They have not failed to understand public/private key cryptography; you have failed to understand where you actually get your bank's public key from. Obviously, the bank has to send it to you. But then the problem is, how can you trust it really is your bank's key? The way we use is to trust a long list of people (CAs) to sign certificates saying "this key belongs to this domain."

So, if your browser has a CA belonging to CNNIC, a Chinese corporation which could certainly act for the Chinese government, they could pull off this spoofing. The question then is, is CNNIC in people's browsers? According to http://www.mozilla.org/projects/security/certs/included/, it is in Firefox.

As to how to pull off the spoofing, if you have a root CA, you can sign arbitrary certs, i.e. for domains you don't own.

So, the article is right and SSL does require trusting all your trusted CAs are trustworthy.

(edited for clarity and tone)

[+] JoachimSchipper|15 years ago|reply
This is a failure of the journalist to understand the distinction between "public/private key cryptography" and "public/private key cryptography as used in the SSL/TLS certificate authority scheme". I'm pretty sure that the guy (s)he was interviewing knew the difference.

Of course, configuring your system to trust any valid certificate is just stupid.

[+] danielh|15 years ago|reply
You are right, this explanation of public key encryption is wrong. Maybe this stems from misunderstanding by the author, or is just the result of oversimplification.

However, that threat of Chinese authorities sniffing on SSL traffic is real. Just remember the root certificate issued by the China Internet Network Information Center that ended up in Firefox, see http://news.ycombinator.com/item?id=1244444

[+] piotrSikora|15 years ago|reply
> If crypto systems relied on trusting that everyone does the right thing, they would be useless.

Actually, in-browser SSL crypto without certificate verification (as in "is this the same certificate that it was before?", not as in "is this certificate signed by a trusted CA?") relies exactly on that assumption.
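The two questions Robin_Message and piotrSikora are separating ("is the chain anchored in my trust store?" versus "is this the same key I saw last time?") are easiest to see side by side in code. The following is an added example, not code from the thread or from any browser: the certificates are constructed dicts whose `der` bytes are made-up placeholders, `ca_check` is a stand-in for chain validation that only models the trust-anchor question, and `PinStore` is a minimal trust-on-first-use pin store. The case the thread describes shows up as a certificate that passes the CA check because a second trusted root signed it, yet fails the pin check.

```python
"""Added example (not from the thread): trust-on-first-use pinning next to a
stand-in for the CA check. The certificates below are constructed dicts, and the
'der' bytes are made-up placeholders; only their hashes matter here."""
import hashlib
import json
from pathlib import Path

# Constructed trust store: two roots the OS/browser ships with, as the thread describes.
TRUSTED_ROOTS = frozenset({"Example Root CA 1", "Example Root CA 2"})

# Constructed certificates for one host. CERT_OTHER_ROOT is the thread's scenario: a
# different trusted root has signed a certificate for the same name.
CERT_FIRST = {"subject": "bank.example", "issuer": "Example Root CA 1", "der": b"constructed-der-1"}
CERT_OTHER_ROOT = {"subject": "bank.example", "issuer": "Example Root CA 2", "der": b"constructed-der-2"}
CERT_UNTRUSTED = {"subject": "bank.example", "issuer": "Nobody Root", "der": b"constructed-der-3"}


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes the client pins (real clients usually hash the SPKI only)."""
    return hashlib.sha256(der).hexdigest()


def ca_check(cert: dict, trusted_roots=TRUSTED_ROOTS) -> bool:
    """Stand-in for chain validation: is the issuer one of the trust anchors? Real validation
    also verifies signatures, names and validity periods; this models only the trust-anchor
    question (any trusted root can sign for any name)."""
    return cert["issuer"] in trusted_roots


class PinStore:
    """host -> fingerprint recorded on first contact, optionally persisted as JSON."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = json.loads(self.path.read_text()) if self.path and self.path.exists() else {}

    def check(self, host: str, der: bytes) -> str:
        """'pinned' on first sight, 'match' if unchanged, 'mismatch' if the key changed."""
        fp = fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "pinned"
        return "match" if known == fp else "mismatch"

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))


def evaluate(store: PinStore, cert: dict, trusted_roots=TRUSTED_ROOTS):
    """Both answers side by side: (chain anchored in trust store?, pin result).
    (True, 'mismatch') is the case the thread describes: CA-valid, yet not the key seen before."""
    return ca_check(cert, trusted_roots), store.check(cert["subject"], cert["der"])


def without_root(trusted_roots, name: str) -> frozenset:
    """Removing one root from the store, as a pure function, so the effect can be compared."""
    return frozenset(trusted_roots) - {name}


if __name__ == "__main__":
    store = PinStore()
    for label, cert in [("first visit", CERT_FIRST), ("same cert again", CERT_FIRST),
                        ("other trusted root", CERT_OTHER_ROOT), ("unknown root", CERT_UNTRUSTED)]:
        ca_ok, pin = evaluate(store, cert)
        print(f"{label:20} ca_ok={ca_ok} pin={pin}")
```

Run it and the third line is the interesting one: the CA check says yes, the pin store says no. Removing the second root with `without_root` turns that into a CA failure as well, which is what pruning a trust store buys you; the pin store catches the change either way, at the cost of having to trust the very first contact.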

[+] derefr|15 years ago|reply
In this case, wouldn't a leaked CA private/signing key constitute "abuse"?
[+] danio|15 years ago|reply
It seems to me that data going over a publicly accessible network that is designed to let that data go by whatever route is necessary has been routed over a part of that network.

How is that a problem? You cannot expect your internet data to be private: the nature of the beast is that it will be public. Anything sensitive must be encrypted in such a way that by the time the encryption is broken by your enemy (considering the likely resources they have) the data is no longer useful.

Did I miss something?

[+] jwr|15 years ago|reply
I'm a little bit surprised that peers did not have filters on inbound BGP advertisements. As an operator you typically don't trust most of your peers and only accept advertisements for ASs and network blocks previously agreed upon. Filters are modified manually.

The largest operators have peering links with no filters ("everyone is equal"), but that implies a lot of trust. And "trust" should not be a word placed next to a communist country name.

[+] CWuestefeld|15 years ago|reply
> And "trust" should not be a word placed next to a communist country name.

The word "trust" shouldn't be placed next to any government.

[+] count|15 years ago|reply
You may have meant to say:

> As a responsible operator

Which is categorically different than the majority of operators. Additionally, what does communism have to do with it?

[+] smutticus|15 years ago|reply
RIPE stores every BGP update message sent through the AMSIX in an Oracle DB. I know this because I know the guy that does it. I don't know specifically about ARIN but we can safely assume they do the same.

Unless someone actually goes and looks at what was being sent by Chinese BGP routers at the time of this supposed outage they should STFU. I'm not saying this is definitely BS. But the article is seriously short on details.
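jwr's point (accept from a peer only the prefixes agreed in advance) and smutticus's (go and look at the archived UPDATE messages) are the two checks an operator would actually run. The following is an added example, not code from the thread or from RIPE, ARIN or any IXP: it parses a constructed text log of BGP UPDATEs (one `timestamp|peer_as|prefix|as_path` line each, with AS numbers from the documentation range AS64496-AS64511 and RFC 5737 prefixes), applies a drop-by-default per-peer prefix filter, and then compares each announced origin AS against a constructed registry of expected origins, the way one would compare archived updates against IRR or RPKI data. Passing `peer_filters=None` models the unfiltered "everyone is equal" peering jwr mentions, where only the origin check remains.

```python
"""Added example (not from the thread): inbound BGP prefix filtering plus an
origin-AS check over a constructed text log of UPDATE messages. AS numbers are
from the documentation range (AS64496-AS64511, RFC 5398) and prefixes from
RFC 5737; the log is made up and stands in for what an update archive would hold."""
import ipaddress
from dataclasses import dataclass

# Constructed log, one UPDATE per line: timestamp|peer_as|prefix|as_path
# (origin AS is the last hop of the AS_PATH).
SAMPLE_LOG = """\
2010-04-08T15:50:00Z|64496|192.0.2.0/24|64496 64500
2010-04-08T15:50:05Z|64496|198.51.100.0/24|64496 64501
2010-04-08T15:51:10Z|64497|203.0.113.0/24|64497 64502
2010-04-08T15:51:12Z|64497|192.0.2.0/25|64497 64497
2010-04-08T15:51:30Z|64497|198.51.100.0/24|64497 64503
"""

# Per-peer prefix lists agreed in advance (jwr's "only accept what was agreed").
PEER_FILTERS = {
    64496: [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")],
    64497: [ipaddress.ip_network("203.0.113.0/24")],
}

# Who should be originating each block, as a routing registry (or an RPKI ROA) would record it.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
    ipaddress.ip_network("203.0.113.0/24"): 64502,
}


@dataclass
class Update:
    ts: str
    peer_as: int
    prefix: ipaddress.IPv4Network
    as_path: list

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def parse_update(line: str) -> Update:
    ts, peer, prefix, path = line.strip().split("|")
    return Update(ts, int(peer), ipaddress.ip_network(prefix), [int(a) for a in path.split()])


def covering_block(prefix, blocks):
    """Return the block in `blocks` that contains `prefix` (or None). Same address family only."""
    for block in blocks:
        if block.version == prefix.version and prefix.subnet_of(block):
            return block
    return None


def passes_inbound_filter(upd: Update, peer_filters) -> bool:
    """Drop-by-default: accept a prefix from a peer only if it sits inside a block agreed
    with that peer. peer_filters=None models an unfiltered peering ('everyone is equal')."""
    if peer_filters is None:
        return True
    return covering_block(upd.prefix, peer_filters.get(upd.peer_as, [])) is not None


def origin_finding(upd: Update, expected_origin):
    """Compare the announced origin AS with the registered one. A more-specific prefix
    with a foreign origin is the classic hijack shape; an exact prefix with a foreign
    origin is a plain origin mismatch. Returns None when nothing is wrong or unknown."""
    block = covering_block(upd.prefix, expected_origin)
    if block is None or upd.origin_as == expected_origin[block]:
        return None
    kind = "more-specific hijack" if upd.prefix != block else "origin mismatch"
    return f"{kind}: {upd.prefix} originated by AS{upd.origin_as}, registry says AS{expected_origin[block]}"


def analyse(log_text: str, peer_filters=PEER_FILTERS, expected_origin=EXPECTED_ORIGIN):
    """Run both checks over every logged UPDATE; returns (timestamp, prefix, finding) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        upd = parse_update(line)
        if not passes_inbound_filter(upd, peer_filters):
            findings.append((upd.ts, str(upd.prefix), f"rejected by inbound filter for peer AS{upd.peer_as}"))
            continue  # never enters the RIB, so there is nothing to compare against the registry
        problem = origin_finding(upd, expected_origin)
        if problem:
            findings.append((upd.ts, str(upd.prefix), problem))
    return findings


if __name__ == "__main__":
    print("with per-peer filters:")
    for f in analyse(SAMPLE_LOG):
        print("  ", f)
    print("unfiltered peering, origin check only:")
    for f in analyse(SAMPLE_LOG, peer_filters=None):
        print("  ", f)
```

With the filters in place, the two bad announcements from AS64497 never enter the table and the registry is not consulted. Without them, the same two lines survive the filter stage and are caught only because the origin AS disagrees with the registry, one as a more-specific of a block someone else should originate and one as a whole-prefix origin change. That second run is the situation the thread is arguing about: an unfiltered large peering where the only evidence is the archived updates.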

[+] pc|15 years ago|reply
Can anyone with more knowledge comment on plausibility of this?

Google Cache: http://webcache.googleusercontent.com/search?q=cache:4lR05JZ...

[+] tptacek|15 years ago|reply
Presumably, a broken BGP advertisement. These days, they create breathless "news" stories like this one. Back in the '90s, when small-town ISPs managed to accidentally advertise short paths to huge chunks of the Internet, they broke the whole Internet. It's hard to get too wound up about it.

If you're worried that China is going to MITM your SSL sessions, remove their certificate from your cert store.

If I was a Chinese supercyberspy, I probably wouldn't do something as blatant as routing the entire Internet to China just to get traffic I wanted. I think I'd do something much more akin to spearphishing an overseas Google employee to get onto their internal network.

[+] amalcon|15 years ago|reply
What the article describes can absolutely be done. Well, sort of. China can't advertise its routes as the "fastest", because internet routing cares little about performance[1], but they can otherwise work to make them an attractive option. It's certainly plausible that they could have pulled in 15% of global traffic.

It's not plausible that they could have pulled in any traffic they so choose, but (depending on where their border is placed) they could have grabbed most of it. Also, it's not necessarily obvious to a casual observer what they could have grabbed.

[1] Internet routing in practice is based mostly on politics, a little bit on cost, and basically just uses performance as a tie-breaker.

[+] TallGuyShort|15 years ago|reply
Interesting note about public keys that are automatically trusted by proprietary operating systems, and the potential for abuse by foreign powers. Reminded me of the discussion a while back about how it's relatively easy to become a root certificate authority in Firefox. Everyday cryptography needs some serious revamping.
[+] tptacek|15 years ago|reply
The UI for everyday cryptography needs some serious revamping.

It's not relatively easy to become a Firefox root CA, but too many people are, and part of the reason why is that your cert store configuration is buried deep in the "don't touch, no user serviceable parts" bowels of your configuration.

[+] da5e|15 years ago|reply
I got a message alert in Gmail two days ago saying that my email had been accessed from China. I wonder if that was related.
[+] johnfn|15 years ago|reply
It says that the hijacking occurred in April. Someone in China accessing your email just two days ago is probably just coincidence. However, it would still be a good idea to look into it (and change your password).
[+] dangrossman|15 years ago|reply
This article is about something that happened 7 months ago.
[+] rick_2047|15 years ago|reply
Looked at your message and logged into my email account.

Got a message that it was accessed by United States (webcontrolcenter.com:67.199.10.9) 21 hours ago.

WTF is happening

Advice on what to do now is welcome here.