China's surveillance is always so blatant and public, they don't bother trying to hide it like America (which is analogous to political corruption in both countries).
When the artist Ai Weiwei had his email account compromised by the state, they simply logged into his email webmail UI and forwarded a copy of his emails to a 3rd party email address. They didn't even bother intercepting his email at the network or service provider level.
Edit: > "Apple increased the encryption aspects on the phone allegedly to prevent snooping from the NSA. However, this increased encryption would also prevent the Chinese authorities from snooping on Apple user data."
It's a shame articles keep confusing Apple's hard-disk encryption with network data encryption. :\
> China's surveillance is always so blatant and public, they don't bother trying to hide it like America.
I'm a little shocked - they've surely got the ability to do a proper MITM. CNNIC is a root CA for plenty of browsers. Saving it up for when they really need it, maybe?
In China, it's very common for websites to ask people to trust their self-issued certificates. If you want to buy train tickets in China, you end up with this page (https://kyfw.12306.cn/otn) which asks you to trust its own cert.
Yes, big companies in China like Alibaba (Taobao, Alipay) will install their root certification authority (and enable all purposes by default) on your computer without any notification when you install their security control software (it's required if you want to use their software).
This is worse than 12306.
This AM an electrician comes over, a guy in his early 30s (not an old-timer), who has a new iPhone and doesn't know how to sync and get the old stuff onto the new iPhone. Doesn't even know that Apple can help him with that. For computer things he relies on his brother-in-law, "the computer guy". Thinks Dell makes great "computers". "Don't they?" he says to me. Doesn't even really understand the difference between Mac OS and Windows. [1]
Point being there are tons of people out there that you could get to do practically anything. And they don't know the difference between one warning dialog box and another. It's just all a mashup to them.
[1] Add: By that I mean he isn't aware that there is even a difference, any more than Coke vs. Pepsi is different.
And the NSA, China, and every other politically motivated actor is actively looking for the blithely unaware 70 year old virologist who happens to work on dual-use agents.
This AM a software developer comes over to fix my computer. He had just bought a new dimmer for his living room lights. Doesn't even realize that you can't use a conventional dimmer with compact fluorescent lights. "They are the same, right?" [1]
[1] Add: By that, I mean he isn't aware of the things he isn't aware of.
Ease up on the geek rhetoric until you walk in his shoes.
Way to miss the point. There is no time when we are expected to understand the subtle differences of dimmers. Users of computers are quite frequently expected to know which operating system they have when following instructions just for operating a computer. They will also encounter certificate errors in day-to-day operations.
They shouldn't be expected to know that though. The problem is that software developers haven't managed to figure that out and just make things work for their customers the way electricians have. Can you imagine if you went to the store to pick up a replacement light bulb and you had to look up whether your house used AC or DC? It's such a basic difference, everyone should know, right?
Here's some historical background on trains in China.
(I realized that I have to start from the Hukou policy so that I could tell a reasonable story. Please bear with me.)
TL;DR: This is what a train station looks like before Chinese New Year [1].
Let's start with the Hukou policy: every Chinese citizen is required to register their information with the government and has to provide a permanent address. This looks similar to most other countries. But it goes far beyond a simple registration. Your Hukou is associated with a permanent address, and in many cases you are only allowed to do many critical things within the city of your permanent address. For example, your child cannot go to the local schools outside their Hukou address. Changing your address on Hukou is very hard and usually only happens in a few cases: 1. When you go to university, you are allowed to temporarily change your Hukou to the university's city; 2. If you find a job in another city and your employer is willing to help you relocate your Hukou address; 3. You have been married to a local person for several years. Basically, you can understand Hukou as a domestic visa. There are two types of Hukou: Farmer Hukou and City Hukou. Basically, they have different benefits/restrictions. Similar to F1 visa, H1B visa, etc.
Well, why do I mention this? Here is some history. 30 years ago, a major part of the Chinese population were farmers. To build cities, you have to let those farmers live in the city and do lots of construction work. Due to the Hukou policy, people are not allowed to permanently migrate, esp. changing their Hukou status from Farmer to City. But there are more opportunities in cities and people can make more money. So gradually, a large group of people emerged whose Hukou address is outside the city but who work in the cities. Their family has to stay in their home town, otherwise their children cannot go to school in the cities.
Every year, people who work outside their home town try to go back during Chinese New Year. Given the facts I mentioned above, that's a huge number of people. They have to take trains (which are cheaper than flights). Such yearly migration is quite large, ~3.3B tickets in 2014 [0].
Oh, and here is the answer to your question: going to the train station is really not an option. It's like Black Friday, but on a much larger scale. People have to wait outside for even weeks to get a ticket. To some extent, the online ticket system helps. However, because the throughput of the train system is limited, it's still hard to get a ticket.
I agree with everything you've written. But for other readers, I would like to clarify that changing Hukou isn't very complex for most cities when a purchase of property is made.
Not that buying property may be easy for a migrant worker, but for most cities an 80 square meter property should be enough. Outside of Beijing/Shanghai/Shenzhen that's about a million Yuan.
Just wanted to add some clarification / quantification for a casual reader.
Inside Shenzhen, I'm currently renting an 80 square meter apartment. It cost my landlord 4 million yuan and he and his wife made a 50% down payment. I understand in Beijing it's much, much more expensive. The economic divide in this country is insane.
A million Yuan is $163,000 US dollars, and 80 square meters is 860 square feet. I would imagine that is just about impossible for a migrant worker to manage.
To be fair, I don't personally trust the root CAs that my browsers and OSes trust. There are hundreds of them, from many countries. I think it's a reasonable expectation that at least some are corrupt.
Unless I trust each CA, their processes and every employee who could circumvent them, the current CA infrastructure is inherently unsafe. Self-signed certificates are only marginally less trustworthy (rather than having to compromise a CA, a bad actor would simply have to generate a new certificate and hope that I don't check the fingerprint - and I wouldn't check it).
Yes, there was a very large European root CA that was compromised and was actively being used for MITM attacks except this time the web browser address bar would still "turn green". Which is pretty much as bad as it gets.
Root CAs are not really trustworthy. Manually trusting a self-signed cert is, probably, more secure in the long term. You take control of trust, rather than delegating it out to some faceless corporation who can be corrupted or hacked.
The issue is how to know when the self-signed cert is trustworthy. I agree that the root CA trust system is not the answer, and web of trust doesn't work in practice, but I don't know how we can know if a self-signed cert is trustworthy in the first place. Besides doing out-of-band fingerprint verification (assuming the sideband isn't also compromised).
That said, I'd be more inclined to trust a self-signed cert over a CA-signed one. I don't even know half the CAs that my device trusts, and some I recognise (government ones) I explicitly wouldn't trust.
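Added example (my own code, not from any comment in this thread): the "out-of-band fingerprint verification" the posts above keep coming back to, written out as a trust-on-first-use (TOFU) client that ignores the CA bundle entirely and decides purely on the SHA-256 fingerprint of the leaf certificate the server presents. The pin-store file name, the host:port key format and the "DER" byte strings used in the self-test are assumptions for illustration; a real DER blob comes from getpeercert(binary_form=True).

```python
# Added example: TOFU pinning of a server certificate by SHA-256 fingerprint,
# bypassing the CA bundle. Not code from this thread. Assumed/hypothetical:
# the pins.json file name, the "host:port" key format, and the constructed
# byte strings a test feeds in as stand-ins for DER certificates.
import hashlib
import hmac
import json
import socket
import ssl
import sys
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, formatted the way
    `openssl x509 -noout -sha256 -fingerprint` prints it (AA:BB:...)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(der: bytes, expected: str) -> bool:
    """Compare the observed fingerprint with one obtained out of band
    (on paper, over the phone, from a QR code). Colons and case are
    ignored; the comparison is constant-time."""
    observed = fingerprint(der).replace(":", "").lower()
    wanted = expected.replace(":", "").lower()
    return hmac.compare_digest(observed, wanted)


class PinStore:
    """host:port -> fingerprint. The first time a host is seen its cert is
    pinned (TOFU); a later mismatch is reported as a possible MITM and the
    old pin is kept, never silently replaced."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None   # None = in-memory only
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def evaluate(self, key: str, der: bytes) -> str:
        """Return "new", "match" or "MISMATCH" for the observed cert."""
        if key not in self.pins:
            self.pins[key] = fingerprint(der)
            if self.path:
                self.path.write_text(json.dumps(self.pins, indent=2))
            return "new"
        return "match" if check_pin(der, self.pins[key]) else "MISMATCH"


def connect_pinned(host: str, port: int, store: PinStore, timeout: float = 5.0):
    """Open a TLS connection, ignore the CA bundle, and decide purely on the
    pinned fingerprint of the leaf certificate the server presented."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # CA chain deliberately not consulted
    key = f"{host}:{port}"
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)  # DER even with CERT_NONE
            verdict = store.evaluate(key, der)
            if verdict == "MISMATCH":
                # Do not send application data: the pinned cert has changed.
                raise ssl.SSLError(
                    f"pin mismatch for {key}: got {fingerprint(der)}, "
                    f"pinned {store.pins[key]}")
            return verdict, fingerprint(der)


if __name__ == "__main__":
    # usage: python pin.py HOST [PORT]  -- pins on first run, verifies afterwards
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    verdict, fp = connect_pinned(host, port, PinStore("pins.json"))
    print(verdict, fp)
```

The first run prints "new" and the fingerprint; that is the value to compare against whatever the site operator published out of band. After that, the attacker scenario from the thread (generate a fresh self-signed cert and hope nobody checks) produces "MISMATCH" and the client refuses to talk, which is exactly the check a CA-signed cert never gets from a browser that trusts hundreds of roots.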
My understanding is that CAs have been compromised for a while now. Does no one remember the RSA scandal and the NSA's manufactured hash collisions through deliberate injection of vulnerabilities into random number generators? I may be off a bit but I recall the revelations basically concluding the whole system was compromised at the fundamental level.
I too remember something like that, but was under the impression that CAs are still ok.
But of course, judging by the massive downvoting you've gotten, I suppose you're incorrect. I wish those downvoters would explain their viewpoint rather than downvoting...
If they got caught it'd get removed from Firefox and Chrome. I am more surprised that they don't have common Chinese software install a set of MitM CAs.
> I am more surprised that they don't have common Chinese software install a set of MitM CAs.
It said in the article: the most popular Chinese browser, Qihoo 360 browser, doesn't even give a warning for the bad SSL cert. "Qihoo’s popular Chinese 360 secure browser is anything but and will load the MITMed page directly."
* The popularity of that browser is way over reported - they tend to report "installed" statistics rather than "used".
* If you read the article you'll see self-signed certificates were used for the MitM. From my own research, 360 secure browser just doesn't validate certificates in many circumstances. No CA required.
According to my observation, Qihoo Browser was more frequently used by tech noobs than the tech savvy. And this alone poses a great risk to the general public, regardless of the underlying ethics and interests.
edit: but only in so much as you trust Apple, as they provide and verify the keys. But... assuming you're using an iphone, this isn't really a new threat vector.
This may no longer be true for Chrome at least. They recently added protection against unauthorized configuration changes by third party programs. I'm having trouble determining whether that protection extends to root CAs though.
Even a government will only have the capability to perform meaningful surveillance on a limited number of people, not to mention act on it.
Assuming the majority of people desire not to be tortured or killed far more than they desire freedom, it's probably more effective to simply pretend that you're performing surveillance as an intimidation tactic than to actually perform surveillance unnoticed. It's also far more socially acceptable on an international level than violence.
> Even a government will only have the capability to perform meaningful surveillance on a limited number of people, not to mention act on it.
That claim is currently true, but if you understand Bayes' Theorem and Moore's Law, you know that it's just a matter of time.
But re this:
> It's probably more effective to simply pretend that you're performing surveillance as an intimidation tactic, than to actually perform surveillance unnoticed.
iirc, former East German Stasi or KGB have said essentially the same thing.
They could also do targeted MITM attacks where only one person is served via the forged certificate. That's harder to detect, and if it's all spycraft, then the target on the receiving end is unlikely to report the breach.
Agree! The real spy agencies can do it smarter - signed with its own root CA, etc.
It might also be other 3rd parties who are doing the MITM.
Anyone can setup a fake free wifi, reroute the DNS system. Some percentage of those "free" service users will press "OK" to let other sniff their "secure" connections.
> China's surveillance is always so blatant and public, they don't bother trying to hide it like America.
I get that America means 'USA' in this context. How exactly do US government officials hide the fact that they keep data of everything possible that happens online outside the United States (and don't give a damn about what anyone else thinks about it)?
Given the statements of many US senators, after both Cablegate and Snowden I don't think the US tries to hide anything at all.
> They didn't even bother intercepting his email at the network or service provider level.
Is this a known fact? If I wanted to spy on a prominent dissident [1], I would use a variety of methods. Some would be intentionally crude, so that the target feels safer after noticing and defeating them, making the more sophisticated approaches that much more effective.
[1] I recommend visiting the current Ai Weiwei exhibit in San Francisco. It's quite good.
It is hard to tell whether it always is. If they are smart they use a deterrent, which must be visible to work, to decrease the number of potential targets to track, and something well hidden to follow the remaining real/potential troublemakers.
"blatant and public", yes I agree with that, but I think this incident also shows more of a level of incompetence: as owenmarshall pointed out, they have all the means of doing it "properly", but get caught red-handed instead...