
For 18 Minutes, 15% of the Internet Routed Through China

CmdrTaco posted more than 3 years ago | from the i-bet-it's-nice-to-visit dept.

Encryption 247

olsmeister writes "For 18 minutes this past April, 15% of the world's internet traffic was routed through servers in China. This includes traffic from both .gov and .mil US TLDs." The crazy thing is that this happened months ago, and nobody noticed. Hope you're encrypting your super-secret stuff.


247 comments


Nobody Noticed ... Except Everyone (Even Slashdot) (5, Informative)

eldavojohn (898314) | more than 3 years ago | (#34246108)

The crazy thing is that this happened months ago, and nobody noticed.

Odd, Slashdot reported the day afterward: Chinese ISP Hijacks the Internet (Again) [slashdot.org] .

Re:Nobody Noticed ... Except Everyone (Even Slashd (4, Informative)

interkin3tic (1469267) | more than 3 years ago | (#34246250)

That summary and article didn't report the .mil or .gov traffic.

I guess we just assumed it was only youtube videos or pokes on facebook.

Re:Nobody Noticed ... Except Everyone (Even Slashd (0, Offtopic)

commodore64_love (1445365) | more than 3 years ago | (#34246348)

What's the purpose of Facebook pokes?

Re:Nobody Noticed ... Except Everyone (Even Slashd (1)

Anonymous Coward | more than 3 years ago | (#34246376)

The same as poking in real life.

Re:Nobody Noticed ... Except Everyone (Even Slashd (1)

blair1q (305137) | more than 3 years ago | (#34246622)

With half the calories burned.

Re:Nobody Noticed ... Except Everyone (Even Slashd (0)

Anonymous Coward | more than 3 years ago | (#34246784)

What's the purpose of FarmVille?

Re:Nobody Noticed ... Except Everyone (Even Slashd (5, Funny)

pushing-robot (1037830) | more than 3 years ago | (#34246876)

It's an API that lets you randomly write to memory addresses on their servers.

Keepalive -packet for friendships (1, Interesting)

Anonymous Coward | more than 3 years ago | (#34247142)

There are two kinds of people you know but don't interact daily with: Those you don't really care about (Old classmate that you never really hung out with... He's just on your contact list because... Well... Why the hell not? It doesn't cost you anything and might be useful some day) and those that you still are interested in but just haven't had anything to say to at the moment or haven't interacted with lately but might want to reconnect with. Pokes are for the latter group: They signal "Heya. I'm here if you need me or if you'd like to grab a beer some day.. Just wanted to let you know but I don't really need a response right now and just writing this all would feel stupid..." so in a way they're like keepalive packets for friendships: No data is being exchanged except for the fact that the connection still exists. The old fashioned way to do this was Christmas cards but they have their flaws (mainly, latency).

What Facebook does is essentially this one: It makes it really easy to get back in touch. I have friends that I didn't really speak to for a year or two and at that point it was unlikely that I'd ever just spontaneously call him. But a few comments on each other's Facebook statuses was easy, then a message, then the call, then the actual human interaction. It lowers the threshold. Pokes are one tool at that: Haven't talked to someone for a few years but suddenly get interested on how he is doing? Poke. No obligations, nothing, just one click. But if he pokes back, he's probably also interested in how you're doing and the threshold to start a conversation just went down by half.

You can compare it to Christmas cards, the children's "Do you like me? [ ] Yes, [ ] No" notes or whatever (there are numerous more examples of offline pokes: Things simply to lower the threshold for the real interaction). You might think that it is a shame that those exist (that the threshold should stay higher)... I dunno. Whatever you (or I) think about it, we're quickly going towards the point where that threshold for social interaction doesn't exist (it has been an ongoing trend ever since phones made it a lot easier to call someone than to visit them).

Re:Keepalive -packet for friendships (1, Insightful)

icebike (68054) | more than 3 years ago | (#34247382)

So computer maintained relationships have some meaning in your shallow world?

There is a time to let go. Your fear of loneliness and irrelevancy will not be helped by this any more than your picture in your 6th grade yearbook.

Re:Nobody Noticed ... Except Everyone (Even Slashd (4, Informative)

Sepodati (746220) | more than 3 years ago | (#34246392)

They hijacked prefixes, not data. At least not directly. If you sent a packet during that time, it may have been routed to China. I doubt they stood up a big infrastructure to close TCP sessions with all of that incoming traffic and actually capture anything. Perhaps for a very targeted attack they could have, but then there'd be better ways than this to do it, I imagine.

Re:Nobody Noticed ... Except Everyone (Even Slashd (1)

Yvanhoe (564877) | more than 3 years ago | (#34247444)

I don't understand, why couldn't they just log all the data that went through? Unencrypted passwords, http authentications, emails sent... It would have the potential to bring a lot of valuable information. If I was the Chinese CIA, I would have only one goal: make it happen again.

Re:Nobody Noticed ... Except Everyone (Even Slashd (1)

BitZtream (692029) | more than 3 years ago | (#34247468)

You don't need an infrastructure to terminate connections, you just need to watch traffic flow and record it. You can analyze it over time later elsewhere to find useful information.

Not that I think that was the point or anything, but if I were going to do something like this, knowing that I wouldn't be able to keep the traffic flowing in my direction for any length of time, I'd just log everything and analyze later. If I was China, I'd upload it to EC2 and pay Amazon to analyze it for me at that, they could probably afford it.

Re:Nobody Noticed ... Except Everyone (Even Slashd (4, Funny)

MaskedSlacker (911878) | more than 3 years ago | (#34246260)

You think the /. editors RTFA?

Re:Nobody Noticed ... Except Everyone (Even Slashd (2, Funny)

uncledrax (112438) | more than 3 years ago | (#34247026)

Isn't that why they have the whole meta-moderate in the firehose thing?

Re:Nobody Noticed ... Except Everyone (Even Slashd (1)

flyingkillerrobots (1865630) | more than 3 years ago | (#34246612)

And nobody noticed.

Re:Nobody Noticed ... Except Everyone (Even Slashd (1)

Arancaytar (966377) | more than 3 years ago | (#34247184)

It's hard enough for Slashdot to keep up with the news, now you want them to keep up with what they keep up with? :P

Re:Nobody Noticed ... Except Everyone (Even Slashd (1)

FrootLoops (1817694) | more than 3 years ago | (#34247604)

The crazy thing is that this happened months ago, and nobody noticed.

Odd, Slashdot reported the day afterward: Chinese ISP Hijacks the Internet (Again) [slashdot.org] .

The story you linked was posted on April 9th. The article in the summary says (twice) its redirect happened on April 18th. They couldn't be the same if these dates are accurate.

That said, this April 18th attack is discussed in a "316-page report to Congress," so it's pretty clear it wasn't *just* noticed.

I knew something was weird (4, Funny)

elrous0 (869638) | more than 3 years ago | (#34246112)

All my emails started showing up with fortunes and free eggrolls.

Re:I knew something was weird (1, Funny)

Anonymous Coward | more than 3 years ago | (#34246422)

I know. We all read your email that day.

Re:I knew something was weird (3, Funny)

Da_Biz (267075) | more than 3 years ago | (#34247514)

All my emails started showing up with fortunes and free eggrolls.

And ended with "in bed."

Re:I knew something was weird (5, Funny)

drainbramage (588291) | more than 3 years ago | (#34247584)

An hour later.....
I wanted to read them again.

This points to obvious fact (1)

eexaa (1252378) | more than 3 years ago | (#34246156)

...that one internet isn't really enough.

Re:This points to obvious fact (5, Interesting)

arivanov (12034) | more than 3 years ago | (#34246436)

Or it is.

It is just that the USA has forgotten the Internet basics. It has also forgotten major past incidents like that case from 10 years back when one small ISP in Florida directed most of the Internet traffic through itself and fell over.

USA internet has very little redundancy. Most of the peering is private, in very few locations and the routes announced by ISPs to each other are not filtered based on declared ISP announcement policy. As the few remaining ISPs are so big the announcement lists have grown to a size where filtering them poses a technical difficulty. In addition to that because the ISPs are big they trust each other's change control that routes for blocks which are "somebody else's" will not be announced. Bad Idea (TM). And that is why this was possible in the first place.

Compared to that in Europe most of the peering is public and nearly all ISPs heavily filter the route announcements coming from other peers. A Chinese ISP which would announce blocks it does not own would simply be ignored. It is of course possible for the ISP in question to add the policy to its official export list, post it to RIPE, get it propagated to other ISPs and then announce the routes, but that will take time and will have a big chance to be noticed. It will also be clear that there is "no mistake" there so the ISP in question will really get kicked off the internet for this one.

Re:This points to obvious fact (0)

blair1q (305137) | more than 3 years ago | (#34246680)

It's also possible that someone in China also doesn't understand Internet basics, and figured if he/she said "route everything here" it would stop propagating that at the border, because they probably never browsed outside of China in their off hours and to them The Internet only goes that far.

I remember that day (3, Funny)

Anonymous Coward | more than 3 years ago | (#34246160)

I had just finished torrenting a 10gig 1080p mkv and 18 minutes later I was hungry for more downloads.

Re:I remember that day (0)

Anonymous Coward | more than 3 years ago | (#34246570)

You know, I think I grabbed the same file. Got halfway through it, and then it became inexplicably corrupted.

Re:I remember that day (0)

Anonymous Coward | more than 3 years ago | (#34247424)

I hope it had a happy ending.

Testing .... 1, 2, 3; Testing 1, 2, 3, (0)

Anonymous Coward | more than 3 years ago | (#34246166)

Dear China:

Please Log all N.S.A. intercepts.

Thanks in advance.

Yours In Akademgorodok,
Kilgore Trout

As designed (4, Insightful)

Neil Watson (60859) | more than 3 years ago | (#34246192)

Isn't that what the Internet was designed to do; route as need to get bits to their destination?

Re:As designed (0)

Anonymous Coward | more than 3 years ago | (#34246266)

But I doubt OSPF means data from say, Washington, D.C. to NY, is to be routed to China first.

Re:As designed (2, Informative)

Anonymous Coward | more than 3 years ago | (#34246536)

Well, it depends. The protocol is made to be elastic, and therefore sensitive to network topography changes. Lines might become congested or go down, which means the shortest path might indeed be through a rather round-about course. Routing all this data to China would be quite an extreme example, though. Either a lot of failure would have to occur at the same time, or they would have to broadcast false numbers to give themselves a better routing metric.

Re:As designed (2, Interesting)

janeuner (815461) | more than 3 years ago | (#34246952)

Yes. It worked as designed. That is the crazy thing.

Re:As designed (3, Funny)

vxice (1690200) | more than 3 years ago | (#34246980)

Depends, what is the normal average for traffic going through China? Among other things such as did China just happen to have the best routes for this anyways? This summary doesn't give the basic necessary information, oh wait this is slashdot, I thought I was in a different tab for a min.

Imagine how china feels (5, Insightful)

js3 (319268) | more than 3 years ago | (#34246220)

when that 18mins is over and all their stuff goes through American servers

Re:Imagine how china feels (3, Insightful)

Servaas (1050156) | more than 3 years ago | (#34246272)

Only the stuff they want though

Re:Imagine how china feels (1)

Anonymous Coward | more than 3 years ago | (#34246730)

LOL, I agree, and all of Americans' emails get routed through the super secret AT&T backend to the NSA servers so American secret ops can spy on Americans. This is such a bull-crap story anyway. Where is the proof that 15% of all routing went through China? I didn't read any proof WHATSOEVER that this actually occurred.

However we all do know for a fact that American internet traffic is being routed through NSA and CIA servers for analysis. Go Big Brother Governments!!!

The Chinese aren't the reason to use encryption (5, Insightful)

Christianfreak (100697) | more than 3 years ago | (#34246234)

There are plenty of reasons to use encryption but the Chinese government just isn't one of them for me. If I view something they don't like, what exactly are they going to do? I suppose they could block my access but it's not like I would get thrown in a Chinese prison.

I have a lot more to worry about from identity thieves, scams and heck, my own government.

Re:The Chinese aren't the reason to use encryption (2, Insightful)

140Mandak262Jamuna (970587) | more than 3 years ago | (#34246332)

Of course, you could be a human rights activist providing anonymizing proxy for some oppressed, sadly now recently deceased, soul in Beijing.

Re:The Chinese aren't the reason to use encryption (4, Insightful)

LWATCDR (28044) | more than 3 years ago | (#34246390)

Depends. Sending any igs files of that new project to anybody?
How about that source code.
I fear we are getting way too comfortable with email for my taste.

Re:The Chinese aren't the reason to use encryption (1)

bluefoxlucid (723572) | more than 3 years ago | (#34247126)

What would Internet Go Server files matter for a project? And don't you use SGF for simple game format saves these days anyway?

Re:The Chinese aren't the reason to use encryption (4, Insightful)

Tridus (79566) | more than 3 years ago | (#34246452)

Yeah, seriously. I'm a lot more concerned about what the US government and the molestation department at TSA might do than I am about the Chinese government.

This story is interesting from a tech perspective, but the commentary at the end is BS on a site from a country with ever decreasing privacy standards.

Re:The Chinese aren't the reason to use encryption (2, Insightful)

circletimessquare (444983) | more than 3 years ago | (#34246988)

it is true that the usa has decreasing privacy standards

it is also true that china's privacy standards are orders of magnitude below the usa's standards, firmly entrenched in the toilet

so i don't understand a point of view that is more concerned with flawed standards, but much better standards, than they are with a country that is an actual, no-apologies firmly authoritarian "i tell you who your master is and what you can and cannot think" regime

it makes me wonder at your critical thinking skills

when you can't tell the difference between hyperbole and reality, and you wind up more worried about the hyperbolic and fantastic threats to human rights rather than the actual and real threats to human rights, then you just seem to be some sort of propagandized fool to me

Re:The Chinese aren't the reason to use encryption (1)

wealthychef (584778) | more than 3 years ago | (#34247412)

it makes me wonder at your critical thinking skills

You might wonder at his critical thinking skills, while I wonder at your listening skills. The idea that one should be more concerned about the privacy policies of one's own government than of the Chinese is a perfectly valid viewpoint. Perhaps he's more concerned about the policies of the US because
a) They actually impact him personally
b) They are something he can actually do something about

The Invasion of the Chineeese Terror! (3, Insightful)

Chicken_Kickers (1062164) | more than 3 years ago | (#34247470)

Chineeese! It's ALIVE! It's coming for YOU and your family! Hide in your bomb shelters! Wrap wet towels on your heads! Cover your bedrooms in tin foil. The Chineeese Terror is coming!!!

Seriously, what is wrong with you Americans? Can't you and your government live through life without manufacturing an enemy to hate? What is it in your national psyche that requires an opponent? Is it because you actually bought into your own "we're the Good Guys(TM)" propaganda that the only way to validate this absurd world view is to manufacture "bad guys". My theory is that you are so hung up on WWII, the last "good war" that you fought in, that you and your leaders are subconsciously trying to recreate it so that you can feel good about yourselves again. Hence, the Axis of evil, war on terror, and now a more traditional enemy, the Red Peril. Get over it.

Re:The Chinese aren't the reason to use encryption (0)

Anonymous Coward | more than 3 years ago | (#34246718)

They are Chinese so obviously they are communist, untrustworthy, and scammers or thieves. RTFA

Re:The Chinese aren't the reason to use encryption (0)

Anonymous Coward | more than 3 years ago | (#34247168)

I don't think the issue is Chinese censorship. The fear is that China was scooping up large amounts of data in the hopes of finding critical information that was meant to be kept secret.

Is .cn special? (1)

kthreadd (1558445) | more than 3 years ago | (#34246242)

Hope you're encrypting your super secret stuff.

I always encrypt sensitive data no matter if it routes through China, Sweden, the USA or any other country that may tap it.

Re:Is .cn special? (1)

Jeff DeMaagd (2015) | more than 3 years ago | (#34246328)

That's best, among other things, but particularly given how the US government already has a track record of wholesale tapping of internet communications.

Re:Is .cn special? (1)

ScrewMaster (602015) | more than 3 years ago | (#34246404)

That's best, among other things, but particularly given how the US government already has a track record of wholesale tapping of internet communications.

And China's doesn't? I mean ... really?

Re:Is .cn special? (0)

Anonymous Coward | more than 3 years ago | (#34246708)

I agree. How silly it is that in the US you can access pretty much any site you want without fear of government reprisals. On the other hand the Chinese way of blocking probably more than half the Internet and everything having to be routed through the government's firewall before it can leave the country is just a beacon to the rest of the world about their commitment to open and free communication on the Internet. We should only hope that more governments the world over choose to model their policies based on those of the Chinese.

Re:Is .cn special? (3, Insightful)

Anonymous Coward | more than 3 years ago | (#34246356)

If you only encrypt sensitive data it attaches a huge neon light to it.

Re:Is .cn special? (2, Funny)

Anonymusing (1450747) | more than 3 years ago | (#34246426)

This is why I only anonymize and encrypt nonsensitive data, like MySpace traffic, dating sites, etc. You want my shopping wish list on Amazon?! CRACK MY ENCRYPTION, NSA!!! But that stuff about overthrowing the government is wide open. Throws 'em way off.

Re:Is .cn special? (2, Insightful)

Amouth (879122) | more than 3 years ago | (#34246582)

you know i just had that conversation with my general manager.

except it was about shredding documents - they couldn't imagine someone going through a bag of strip shredded paper trying to find something.

my comment was - it takes effort and a reason.. important info that shouldn't be public is a good reason.. and if you only shred important things it makes the effort all that much easier..

needless to say we will be investing in a large capacity cross cut shredder - with hopes to put all our outgoing paper through it.

Re:Is .cn special? (1)

colesw (951825) | more than 3 years ago | (#34246926)

needless to say we will be investing in a large capacity cross cut shredder - with hopes to put all our outgoing paper through it.

I guess for customers receiving mail from you it'll be like a puzzle!

Re:Is .cn special? (1)

Amouth (879122) | more than 3 years ago | (#34247104)

in outgoing i meant trashed.. while we do mail things.. we don't from this location.

Invalid Certificates (3, Informative)

Bios_Hakr (68586) | more than 3 years ago | (#34246284)

From National Defense Magazine: http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249# [nationalde...gazine.org]

"If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better," he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it's web traffic, emails or instant messaging, Alperovitch said. "It is a flaw in the way the Internet operates," said Yoris Evers, director of worldwide public relations at McAfee.

What makes this really annoying is that a lot of .mil sites use self-signed certificates. When doing mil-2-mil browsing, you just get used to clicking whatever to get into the site. So, I can easily see how China could do a MITM without alarming any of the end users.

Re:Invalid Certificates (1)

Amouth (879122) | more than 3 years ago | (#34246614)

you know - i knew a lot of mil sites used self signed but i ASSUMED it was a government CA they were using.. not just server self signed..

If i was the US government i would fix that.. make a US Government CA.. force all government sites to use it.. and to make sure that all computers belonging to me do not accept the China CA..

Re:Invalid Certificates (1, Informative)

Anonymous Coward | more than 3 years ago | (#34246862)

Actually they're not self-signed. They have their own root certificate that you have to install to use the non-public-intended .gov and .mil servers.

I do tech support for my father who is in the military. Guess who got to install the root cert.

Re:Invalid Certificates (1)

jgtg32a (1173373) | more than 3 years ago | (#34247092)

Your father?

Re:Invalid Certificates (0)

Anonymous Coward | more than 3 years ago | (#34247442)

Is saying something that specific really a good way to stay anonymous? I don't mean anonymous to people here.

Re:Invalid Certificates (1, Informative)

Anonymous Coward | more than 3 years ago | (#34246968)

Mil sites definitely are not using self signed certs. In fact the IA folks would probably crucify you and your so called noncompliant servers. Users must install the appropriate root and intermediate certificates on their workstations obtained from trusted sources. If you are doing mil2mil browsing and getting those errors I would chalk that up to user error.

Re:Invalid Certificates (1)

gotpaint32 (728082) | more than 3 years ago | (#34247076)

Who is modding this informative? No mil sites use self signed certs. Please get your facts straight.

Re:Invalid Certificates (1)

bartwol (117819) | more than 3 years ago | (#34247294)

Who is modding this informative?

In most cases, Slashdot posts are moderated by ignorant kids who harbor unsubstantiated biases, and consider "informative" any position that confirms what they already believe.

Facts will rarely get in the way of beliefs.

There goes the neighborhood... (4, Interesting)

digitaldc (879047) | more than 3 years ago | (#34246298)

It remains unclear whether the redirection was intentional, the report says, but it demonstrates that it is possible for malicious actors to seize control of the Internet and redirect traffic.
On April 8, according to Web security specialists, a small Chinese Internet service provider published a set of instructions under the Border Gateway Protocol, that directed Web traffic from about 37,000 networks to route itself via computer servers in China.
The list was republished by China Telecom and briefly propagated itself across the global Web, which works on a trust system, with each server updating its routing instructions based on data provided by others in the network.

What the hell is a 'trust system' anyway? Is that part of the Border Gateway Protocol? [cisco.com]
Maybe someone needs to take a closer look at this 'trust system.'

Re:There goes the neighborhood... (3, Informative)

Amouth (879122) | more than 3 years ago | (#34247014)

with BGP if I advertise myself as a route to a subnet others around me will try to send me that traffic IF they trust me.

now with a small company like mine.. my telco doesn't accept any routes other than my own subnets so instead i would just black-hole myself.

now take a large telco or backbone provider .. say Level 3.. if they started advertising a route to my subnets then everyone who is closer to them than me (basically everyone) will send L3 the traffic..

this type of attack/what ever you want to call it - only works if you are a big enough player for your neighbors to believe what you are advertising.

with my L3 example.. not every telco (or any really) would review that route change.. as for all they know i got a leased line from L3 or set up a peering agreement..

the cardinal sin of BGP is to advertise a route that isn't yours. but that is all it is.. an advertisement.
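The filtering that arivanov and Amouth describe, accepting a route only when the address holder has declared that origin may announce it, comes down to a small check per announcement. The following is an added example written for this page, not code from the thread or from any router vendor; it models declarations the way RPKI ROAs and IRR route objects do (prefix, origin AS, maximum length) and applies the RFC 6811 outcomes (valid, invalid, not-found). The one-line "PREFIX ... PATH ..." input format, the documentation prefixes and the private AS numbers are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Authorization is what the address holder has declared (an IRR route object
// or an RPKI ROA): OriginAS may announce Prefix and any more-specific of it
// no longer than MaxLength bits.
type Authorization struct {
	Prefix    *net.IPNet
	OriginAS  uint32
	MaxLength int
}

// Announcement is one prefix from a BGP UPDATE; the rightmost AS in the
// AS_PATH is the origin.
type Announcement struct {
	Prefix *net.IPNet
	ASPath []uint32
}

func (a Announcement) Origin() uint32 { return a.ASPath[len(a.ASPath)-1] }

type Verdict string

const (
	Valid    Verdict = "valid"
	Invalid  Verdict = "invalid"   // covered by a declaration, but origin or length is wrong
	NotFound Verdict = "not-found" // nobody has declared anything for this space
)

// DemoAuthorizations is constructed sample data (documentation prefixes,
// private AS numbers), not the contents of any real registry.
func DemoAuthorizations() []Authorization {
	_, p1, _ := net.ParseCIDR("192.0.2.0/24")
	_, p2, _ := net.ParseCIDR("198.51.100.0/22")
	return []Authorization{{p1, 64496, 24}, {p2, 64497, 24}}
}

// ParseAnnouncement reads the constructed one-line format used here,
// "PREFIX 192.0.2.0/24 PATH 64500 64496"; malformed input is an error.
func ParseAnnouncement(line string) (Announcement, error) {
	f := strings.Fields(line)
	if len(f) < 4 || f[0] != "PREFIX" || f[2] != "PATH" {
		return Announcement{}, fmt.Errorf("malformed announcement: %q", line)
	}
	_, prefix, err := net.ParseCIDR(f[1])
	if err != nil {
		return Announcement{}, err
	}
	var path []uint32
	for _, s := range f[3:] {
		asn, err := strconv.ParseUint(s, 10, 32)
		if err != nil {
			return Announcement{}, fmt.Errorf("bad ASN %q in %q", s, line)
		}
		path = append(path, uint32(asn))
	}
	return Announcement{Prefix: prefix, ASPath: path}, nil
}

// Validate applies the RFC 6811 outcome: valid if a covering authorization
// matches origin AS and length, invalid if covering authorizations exist but
// none matches, not-found otherwise. A foreign origin and an over-long
// more-specific both come out invalid, which a peer's prefix filter drops.
func Validate(ann Announcement, auths []Authorization) Verdict {
	annLen, _ := ann.Prefix.Mask.Size()
	covered := false
	for _, a := range auths {
		authLen, _ := a.Prefix.Mask.Size()
		if annLen < authLen || !a.Prefix.Contains(ann.Prefix.IP) {
			continue // this declaration does not cover the announced prefix
		}
		covered = true
		if a.OriginAS == ann.Origin() && annLen <= a.MaxLength {
			return Valid
		}
	}
	if covered {
		return Invalid
	}
	return NotFound
}

func main() {
	// Constructed UPDATEs: the legitimate route, the same prefix from a
	// foreign origin, and a more-specific that would win on longest match.
	for _, l := range []string{
		"PREFIX 192.0.2.0/24 PATH 64500 64496",
		"PREFIX 192.0.2.0/24 PATH 64500 64511",
		"PREFIX 198.51.100.0/25 PATH 64500 64497",
	} {
		ann, err := ParseAnnouncement(l)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%v via AS%d -> %s\n", ann.Prefix, ann.Origin(), Validate(ann, DemoAuthorizations()))
	}
}
```

The more-specific case is the one worth noticing: a /25 carved out of a registered /22 beats the legitimate /24 on longest-match even when the origin AS is right, so a filter that only compares origin AS and ignores the declared maximum length still lets the traffic be pulled away.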

Re:There goes the neighborhood... (2, Insightful)

bluefoxlucid (723572) | more than 3 years ago | (#34247366)

What the hell is a 'trust system' anyway? Is that part of the Border Gateway Protocol? [cisco.com]

Maybe someone needs to take a closer look at this 'trust system.'

This is a classic example of the guy who doesn't know wtf he's talking about being the only one asking the questions that actually need to be asked.

Parallels (0)

Anonymous Coward | more than 3 years ago | (#34246302)

This can't be good, last time I routed snail mail through China I was hospitalized with SARS.

and on the other side of the world... (5, Insightful)

schlachter (862210) | more than 3 years ago | (#34246308)

Chinese Headlines claim for a period of nearly 21,018,240 minutes...nearly 100% of Internet traffic has been routed through the United States....wonder if they're worried about the balance of power?

Always do (1)

petes_PoV (912422) | more than 3 years ago | (#34246344)

Hope you're encrypting your super secret stuff.

considering where it usually gets routed through.

IPSec time? (1)

mlts (1038732) | more than 3 years ago | (#34246374)

Wasn't IPSec supposed to protect against stuff like this, so even if someone was able to route internal traffic through a hostile source, all that could be done would be traffic analysis (finding which machines put more packets on the wire than others)?

Re:IPSec time? (1)

blair1q (305137) | more than 3 years ago | (#34246750)

Works when your session is already established before the man gets in the middle.

Gives you a false sense of security otherwise.

So? 100% of US traffic goes through NSA "closets" (4, Interesting)

thesandbender (911391) | more than 3 years ago | (#34246384)

Well, maybe not 100% but it's established that the bulk of US traffic is trunked off to closets in AT&T (and other) switch rooms. This is going to include any communications going to points outside the US and (more importantly) any traffic that happens to be routed through the US while going between two points outside the US.

And for documentation about the NSA closets (4, Informative)

thesandbender (911391) | more than 3 years ago | (#34246610)

indeed (0)

Anonymous Coward | more than 3 years ago | (#34246682)

check for more background on this

http://www.wired.com/politics/law/news/2007/06/spy_room

Americans are retarded, complacent idiots, who have no fucking idea what their elected leaders allow.

Encrypt everything.

"Fox News" (1)

whiteboy86 (1930018) | more than 3 years ago | (#34246580)

No source, citations or references given on the FA, just the usual "Sponsored Links" and the McAfee threat director's 'insight'..

I don't think the authors understand cryptography (2, Insightful)

techmuse (160085) | more than 3 years ago | (#34246588)

There are two problems here:

1) Can China redirect traffic through its network by advertising that it has the lowest cost routing path? (Apparently, yes.) This is a wormhole attack, and is well documented in research literature.

2) Can China record or alter any traffic that passes through its network? If the data is sufficiently well encrypted, it can not read that data, although it can record the ciphertext. The fact that China can issue a certificate does not mean that it can read *your* data. It only means that encrypted data sent to Chinese servers can be read by the holder(s) of the encryption keys used by those servers.

If you are sending data over the net, and want to protect it, be sure that it is encrypted. If you don't care, be aware that anyone might be able to monitor it, even governments of other countries. If you don't trust the Chinese root CA to certify the identity of servers that you go to, don't accept their CA's certificate as an authority for that purpose.

Re:I don't think the authors understand cryptograp (1)

RobNich (85522) | more than 3 years ago | (#34247036)

If the data is sufficiently well encrypted, it can not read that data, although it can record the ciphertext. The fact that China can issue a certificate does not mean that it can read *your* data.

If they used a Man-In-The-Middle attack during the routing change, creating signed certificates using a top-level CA, they won't even need to decrypt anything. In addition, having the ciphertext means that they can spend a few months or years using brute-force to decrypt it (or less, now that they have the fastest supercomputer in the world). Once they do, they'll have the keys for those sessions. Using that, they may even be able to derive the server's private key.

At the very least, they have a copy of the data, and they can eventually crack the encryption.

I do agree with you on the Chinese CA, and I plan to remove it from all of my browsers as trusted.

Re:I don't think the authors understand cryptograp (1)

techmuse (160085) | more than 3 years ago | (#34247564)

Breaking modern encryption algorithms using current techniques would take somewhere around the lifetime of the universe. The number of computations required to break a well designed algorithm increase exponentially with the key length. You should always use an algorithm and key length that can be expected to protect your data for longer than the data will remain valuable.

As I indicated in my explanation below, being able to create a certificate does not mean that they can trick you into trusting their site. They must have a cert signed by a root CA that you trust. If you trust the Chinese CA, then you're stuck trusting its assertions. But if you don't, the attack can't work.

Re:I don't think the authors understand cryptograp (4, Insightful)

VortexCortex (1117377) | more than 3 years ago | (#34247064)

2) Can China record or alter any traffic that passes through its network? If the data is sufficiently well encrypted, it cannot read that data, although it can record the ciphertext. The fact that China can issue a certificate does not mean that it can read *your* data. It only means that encrypted data sent to Chinese servers can be read by the holder(s) of the encryption keys used by those servers.

I don't think you understand MITM attacks.

Take a moment to look at the list of trusted root certificate authorities in your web browser right now.
FF Preferences > Advanced > Encryption > View Certificates

Notice the Chinese ones? The Chinese government can compel any of those root CAs to produce a certificate for any domain they choose. For example, let's say CNNIC [slashdot.org] creates rogue certs for Google.com.

1) You request a secure page "https://mail.google.com"
2) MITM intercepts the request and makes their own connection to mail.google.com using the real cert.
3) MITM uses the fake cert to encrypt its connection to you, and passes you the mail.google.com data.
4) Firefox validates the cert chain and gives you a big "look it's secure" bar, and you just got pwned.

The real problem is with the retarded cert system. Any CA can create certs for any domain without the domain's permission; if the CA is trusted, your browser won't complain at all.

This is why it's important to view the certs that you are using (in Firefox, click or hover over the "secure" bar).
Note: If you had a cookie that kept you signed in to gmail, it's too late to check the cert after the MITM is logged into your account.

Re:I don't think the authors understand cryptograp (2, Insightful)

VortexCortex (1117377) | more than 3 years ago | (#34247284)

Please excuse the reply to myself, but I'd like to point out that I'm not trying to single out China here; the above statements apply to the USA, UK, Canada, or any government that a trusted Root CA company resides within.

Eg: The US Government could compel (and also gag-order) Thawte into creating fake certs for Google.com (or any other domain), and in Google's case, you wouldn't even find out you've been pwned by checking the cert...

Honestly, HTTPS / SSL is The Ultimate Theater of Security.

Re:I don't think the authors understand cryptograp (1)

techmuse (160085) | more than 3 years ago | (#34247486)

Certificates aren't used to encrypt anything. The certificate contains a set of assertions about the subject of the certificate, signed by the certificate issuer. One of those assertions is typically the subject's public key. All the certificate is claiming is that a certain public key is associated with a certain identity, where that identity is claimed by the certification chain starting at some root (in this case, the Chinese CA). If you trust a certain root CA, then you also must trust any assertions made by the children of that CA in the CA hierarchy. If you do not trust that CA, then you won't trust any certification paths that originate at that root.

So is a man in the middle attack possible, as you've described? No. Here's what would actually happen:

1) You request a secure page "https://mail.google.com"
2) Google's server sends you Google's certificate. This is signed (through some CA chain) by a root CA that you (presumably) trust. An attacker could also send you Google's cert, but the attacker doesn't have Google's private key, so anything they encrypt could not be decrypted using Google's public key.
3) You verify that certificate by validating the certificate chain to it. Note that even though China may have a root CA, it doesn't have the private key that was used to generate the certificate. (If China sent you such a cert, it would only validate against the Chinese root CA, which you would have to already trust!)
4) If the attacker attempts to do a man in the middle attack, they can pass you a certificate, but they can't generate data signed by Google, unless you trust China's root CA, because the attacker doesn't have Google's private key.

Secrets? What secrets? (1)

h00manist (800926) | more than 3 years ago | (#34246634)

We can't afford the cost to administrate secrets. With all the current data gathering and monitoring techniques, the only people who can afford the cost of keeping actual secrets are professional sleuths or top-level government and corporate people. They hold secrets on and from each other, but mostly from us. It seems the game is inverted now: by fighting to protect our right to illusory privacy, in practice we mostly protect their right to keep secrets from us.

Re:Secrets? What secrets? (1)

Dunbal (464142) | more than 3 years ago | (#34246788)

and corporate people.

Hah, just today my significant other responded to an email from someone lower down the ladder that read something like "if you don't want me to publish information X on the grounds that it was confidential, then why did you send it to me to be published?"

No, I wouldn't put all my money on the corporate world being able to keep secrets.

this is why I go with the station wagon (2, Informative)

antifoidulus (807088) | more than 3 years ago | (#34246690)

If you manage to end up in China when driving a station wagon full of tapes from North Carolina to DC you REALLY are doing it wrong.

Does it really matter? (1)

fluor2 (242824) | more than 3 years ago | (#34246694)

Warhol was almost right... (1)

Bob_Who (926234) | more than 3 years ago | (#34246712)

In China, only 15% of everyone is famous for 18 minutes.

Protocols used on the 'net are horribly outdated (1)

Just Brew It! (636086) | more than 3 years ago | (#34246762)

They were designed years ago, for an environment where it was actually somewhat sensible for everyone to trust everyone else. Major routing screwups like this, DNS cache poisoning exploits, the type of attack demonstrated by FireSheep, and even plain ol' spam are all possible largely because the underlying protocols are not secure.

Re:Protocols used on the 'net are horribly outdate (3, Insightful)

shentino (1139071) | more than 3 years ago | (#34247310)

You cannot have the centralized control you need to block out abuse without also having that centralized control in the hands of censorship happy powers.

Freedom of expression implies freedom to be an ass.

Re:Protocols used on the 'net are horribly outdate (1)

VortexCortex (1117377) | more than 3 years ago | (#34247392)

I thought "Freedom of expression" implies your own breast milk costs you $0.

37 percent is ALWAYS going by usa (0)

Anonymous Coward | more than 3 years ago | (#34246990)

Wherever I want to go from any country in east Asia, everything goes by California. Could the USA stop the permanent hijack of the internet? Seriously, this article is stupid; it doesn't even tell which ISP is involved. I don't expect Fox to know what an AS number is, but there is a limit to stupidity!

15 percent routed through china... (1)

alienzed (732782) | more than 3 years ago | (#34247008)

and what percentage do the Chinese represent of the internet? I'd bet it's more than 15%.

It's all in the Cloud (1)

WillAffleckUW (858324) | more than 3 years ago | (#34247010)

and they already embedded Red Chinese spy images in all your pics while that happened.

Got security?

Not while China's in the WTO.

You are missing a point (1)

chord.wav (599850) | more than 3 years ago | (#34247040)

For US citizens: Chinese government spying on your traffic is way less harmful than US government spying on your traffic. I mean, what can they do with that data? Sending you spam?

Simple to detect. (1)

Cruciform (42896) | more than 3 years ago | (#34247050)

If you want to know if China is hijacking your data, just look for the bits that are shifted left.

Ah ha! I found you, Comrade Ping!

Whereas traffic going through the US is not scary? (1)

Kaz Kylheku (1484) | more than 3 years ago | (#34247152)

This story is rooted in ridiculous xenophobia.

You have more to fear from your wi-fi or cable snooping neighbor than from China.

Security must be end-to-end. There is no such thing as a trusted ISP or country.

Re:Whereas traffic going through the US is not sca (1)

Just Brew It! (636086) | more than 3 years ago | (#34247356)

The point isn't that it was routed through China per se; the point is that it is so easy to hijack the traffic of a large portion of the 'net. As has already been pointed out, anything sensitive should be encrypted anyway.

Chinese spam (1)

Fuzzums (250400) | more than 3 years ago | (#34247262)

It would explain the increase in Chinese spam that I see since April 18th ;)

% loss? (1)

owlnation (858981) | more than 3 years ago | (#34247314)

15% went into China. 9% came out???