GreatFire Alleges Chinese Government Intercepted Traffic to Yahoo amid Hong Kong Protests

GreatFire, the online censorship monitor, accused the Chinese Government of intercepting traffic to Yahoo using fake and self-signed X.509 certificates, according to a Twitter announcement.

The alleged man-in-the-middle attack was also analyzed by Netresec, a Swedish-based network forensics company that confirmed the existence of fake X.509 certificates in the other two cases.

“The purpose of GFW (a.k.a. `Golden Shield`) is to censor the Internet, so the primary goal with this MITM attack isn’t to covertly spy on Chinese Yahoo searches,” said Erik Hjelmvik of Netresec. “Regardless if the end users notice the MITM or not, a self-signed X.509 cert is enough in order to see what they are searching for and `kill` their connection to Yahoo when queries like `Umbrella Revolution` and `Tiananmen Square Protests` are observed.”

Netresec analyzed two packet captures from China, with one located in Wuxi and the other in Zhengzhou, and both gave the “202.43.192.109” IP address belonging to the Yahoo Honk Kong domain as intercepted by the Great Firewall of China (GFW).

The Time-To-Live (TTL) analysis revealed the same results as in Google’s case, meaning that the high TTL values, 58 and 57, of returning IP packets put the MitM attack just 6 or 7 router hops away.

The X.509 SSL certificates appeared to be self-signed for “yahoo.com,” which makes certain browsers flag it as a MitM attack element, more precisely a crafted certificate.

Photo Credit: @GreatFireChina

The modus operandi seems to resemble the ones in Google’s and Github’s cases, with one linking element being the fake X.509 certificates.

The man-in-the-middle attack is the third one allegedly carried out by the Chinese authorities as GreatFire also reported similar traffic interception attempts on Google and Github.