China Launches MitM Attack on Google Users

Chinese authorities want to keep tabs on the users of an education and research network so they have started intercepting encrypted traffic to and from Google’s servers, an organization that monitors online censorship in China reported on Thursday.

Google, just like many other popular websites, is blocked in China. However, since the search engine is highly valuable for research purposes, authorities allow access to it through CERNET, a nationwide education and research computer network.

However, according to the non-profit organization GreatFire, starting on August 28, CERNET users have been seeing warning messages about invalid SSL certificates when trying to access google.com and google.com.hk. Experts believe authorities have launched a man-in-the-middle (MitM) attack against the encrypted traffic between CERNET and Google to see what people are searching for.

“Instead of just outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities felt that a MITM attack would serve their purpose. By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results,” GreatFire said in a blog post.

Netresec has analyzed two of the packet captures used in the attacks and it has determined that the operation was conducted from within China.

“It’s difficult to say exactly how the MITM attack was carried out, but we can dismiss DNS spoofing as the used method. A more probable method would be IP hijacking; either through a BGP prefix hijacking or some form of packet injection. However, regardless of how they did it the attacker would be able to decrypt and inspect the traffic going to Google,” Netresec researchers noted in a blog post.

This isn’t the first time Chinese authorities launch such attacks. In January 2013, GitHub users in China reported seeing warning messages about invalid certificates. At the time, experts assumed that the MitM attack was launched due to a petition asking that the creators of the “Great Firewall of China,” the country’s censorship system, be denied entry to the United States. The names of people who allegedly contributed to the technical infrastructure behind the censorship system was published on GitHub, which might have been the reason why authorities decided to target the website. 

Netresec says the MitM attack on Google is similar to the one launched last year against GitHub, but it’s not identical.

While Chinese authorities are trying to keep a close eye on the country’s Internet users, recent reports show that the country’s cybercrime marketplace boomed last year.