Over the past few weeks, China has been using its country’s Internet infrastructure to attack political opponents by turning normal users’ web browsers into Denial of Service tools.
GitHub has announced that this is the largest DDoS that they have ever dealt with. Despite the scale of the attack, neither GitHub nor the individual repositories have been forced offline. In fact, due to GitHub’s wide deployment of HTTPS, it would be quite hard for China to censor these specific endpoints without censoring the entirety of GitHub. One of the advantages that HTTPS provides is that it not only encrypts the contents of a web page, but also the specific URL of the page being requested. Unless you have access to the private keys for a given site, it is difficult for an attacker to determine exactly which URL within a site is being accessed in a secure browsing session. And if the attacker can’t determine which requests are for pages they want to block, they are forced to block the entire site if they want to prevent access to certain pages.
This is a big advantage for citizens who wish to access information freely within a censorship regime. In order to mitigate the risk of critical information being censored, content creators can mirror their data on a secure domain that the censors may be reluctant to block for fear of political or financial consequences. It seems that that is exactly what has happened in this situation. Before the GitHub attack started on March 26th, GreatFire.org reported an attack on their own servers starting March 17th. And indeed, blocking GitHub would have injurious effects on Chinese coders and thus the Chinese economy. When China previously blocked the site for days at a time in January 2013, the former head of Google’s China operations Kai-Fu Lee posted on the micro-blogging site Sina Weibo that the act was “unjustifiable,” and that it “will only derail the nation’s programmers from the world, while bringing about a loss in competitiveness and insight.” This time, they’ve gone a step further and actually weaponized Chinese Internet businesses in order to censor critical voices.
We know that China injected the payload at some point between Baidu’s servers and when the traffic exited the country. This was only possible due to the fact that the Baidu Analytics script included on sites is not using encryption by default. Without HTTPS, anyone sitting between the web server and the end user can modify content arbitrarily. This is part of the reason we need 100% deployment of HTTPS for the entire web. At the same time, It’s important to note that HTTPS isn’t a complete inoculation against malicious state action. The government of China could easily have leaned on Baidu to provide their encryption keys to the censors to incorporate in their Man-on-the-Side attack. Alternatively, they could have forced Baidu to deliver the malicious code directly from their servers. And as we have pointed out before, when governments can force web services to fork over their crypto keys or suffer the consequences, an enormous amount of information about end users activities is divulged. In this case, it’s worse: governments can turn people across the world into unwitting partners in assisting censorship regimes to stifle free speech.