[liberationtech] Man-in-the-middle attack on GitHub in China

Jacob Appelbaum jacob at
Wed Jan 30 01:00:00 PST 2013

x z:
> This is a great piece Martin! Thanks for the thorough analysis, explanation
> and documentation.
> I have two comments:
> 1. It is a bit sad that the petition "People who help internet censorship,
> builders of Great Firewall in China for example, should be denied entry to
> the U.S." only got 9,024 signatures after 6 days. Yes, the petition is merely
> symbolic, but it *is* symbolic. I do hope significantly more people can
> sign it, otherwise, the GFW operators and Chinese authority can laugh their
> way home, "see, so few people care!". I hope activists on this mailing list
> can help spread the word, 26 days remaining.

I think that reducing a worker's travel rights is a rather strange
tactic. It smacks of injustice. Borders as they exist today didn't exist
in such a way around one hundred years ago. Do we really like that? Is
it such a good idea to promote a culture of control simply because in
the short term "we" somehow benefit from it? I think the answer is no
but I admit, I have a real big chip on my shoulder about harassment in
US customs.

I would encourage people not to sign such a petition. It is a symbol and
it is a symbol of a control society hell-bent on using coercive force of
any kind to produce results. We should be better.

> 2. Even though HTTPS traffic is nontrivial to tackle, GFW has a much
> simpler solution for it. GFW can deteriorate the user experience of HTTPS
> websites, e.g. injecting random resets to HTTPS connections. People can
> still use the site, but it becomes slow and unstable, and gradually more and
> more will switch away to use domestic replacements. It is a slow process,
> but can be a successful one.

Indeed - we are seeing this exact strategy in many places in the world
right now.

All the best,

> Cheers,
> Tom
> 2013/1/29 Martin Johnson <greatfire at>
>> At around 8pm, on January 26, reports appeared on Weibo and Twitter that
>> users in China trying to access were getting warning messages
>> about invalid SSL certificates. The evidence, listed further down in this
>> post, indicates that this was caused by a man-in-the-middle attack. Full
>> post at
>> One interesting conclusion is that support for HTTP Strict Transport
>> Security in Chrome and Firefox makes a real difference. If
>> man-in-the-middle attacks become more common in China, preventing users
>> from adding exceptions and making the warning messages informative is
>> crucial. We need to find ways to convince users to use browsers that
>> support these safety measures. Currently, around 50% of Internet users in
>> China use either the 360 so-called Safety Browser (which is a very ironic
>> name) or Internet Explorer 6 (yes, it lives on in China).
>> Martin Johnson
>> Founder
>> - Monitoring Online Censorship In China.
>> - Uncensored, Anonymous Sina Weibo Search.
>> - We Can Unblock Your Website In China.