by dujiulun2006 3853 days ago
Chinese govt is also capable of doing this. Best part? We even have our trusted* root certificate!

Could this get any "better"? Sure! We can even MITM all the OUTGOING https traffic if we want! #GitHubDDoS

* Recently un-trusted by Apple and Mozilla. https://support.apple.com/en-us/HT204938

3 comments

Was that trusted root cert ever misused? IIRC, it was un-trusted because they did not do their due diligence on how an issued sub-cert was being used by an Egyptian company.

What does the GitHub DDOS have to do with MITM attacks on https?

The DDoS was achieved by altering the contents of one of the scripts on a large Chinese site (was it Baidu? Google it). Once every user on that site loaded the tampered script, it made sure to send many requests to GitHub.
Was the large Chinese site serving traffic over HTTPS?
Sadly, they (Baidu) are not, which is why the script content was easily modified.

To clear it up, I said that GFW "can" do (but has not yet done) these. But it tried to MITM some https traffic earlier with a non-trusted certificate as an experiment.

@andreyf: More like a social experiment. See whether people would notice (we did) and what their reaction is.
Experiment? This isn't science. They can ask any engineer what MITM with a non-trusted cert would do, and that's nothing.
I really don't understand how that sort of behaviour doesn't constitute an act of war.

Imagine if China sent saboteurs in-country to physically destroy infrastructure being used by American businesses. That would Not Be Taken Lightly.

> how that sort of behaviour doesn't constitute an act of war
You need photos of explosions and dead babies to convince your populace to go to war. Making a case for war between nuclear powers on the basis that "some website for geeks became a bit less reliable" isn't going to cut it.
The same way that Stuxnet destroying Iranian centrifuges was an act of war?
Yes. Although I'd have thought that particular war would have started back with the hostage-taking in, what, 1979?

I really don't understand relationships between States.

I'm not a West Hater by any means, but I'd say the war started when the US and the UK engineered a coup in Iran because Iran nationalized their oil industry (after the British oil company running it refused to be audited or to renegotiate terms).

https://en.wikipedia.org/wiki/1953_Iranian_coup_d'%C3%A9tat

Whereas I'd say the problem was forced nationalisation.
That does not justify overthrowing another country's government. Most countries, including the United States, recognize the state's eminent domain over its land and its natural resources. Besides which, the Iranians tried to negotiate, the British refused, so the Iranians nationalized in response.
A foreign coup is a valid response to nationalisation?
Starting point for international relations:

https://en.wikipedia.org/wiki/Realpolitik

Always love a good reference to Argo.
Which sort of behavior? Having their own root certificate?
I meant China's behaviour, e.g. orchestrating a DDOS attack against GitHub for political reasons.

The root certificate thing is 'merely' a violation of the rights of their own subjects.

Ah, ok that makes more sense.
To be fair they really fucked up a couple of stages of that GitHub DDOS and made it trivial to stop.
And they managed to shine the spotlight on a project in need of some TLC.