Hacker News new | ask | show | jobs
by gruez 270 days ago
>Think about the consequences of that. Anyone who connects to your site from China is MITM by Alibaba.

Source? AFAIK their China product is entirely separate and you need to specifically sign up for it. AWS/Azure have similar arrangements in China but you wouldn't say the Cloudfront users are getting MITMed by the CCP.
2 comments
Canada 270 days ago
I noticed this years ago while in China. I saw someone at a bar with a laptop out using my web site. I went and chatted him up, and I noticed a different TLS certificate, I don't recall if he moused over the lock icon or if his browser, or back then when browsers showed the issuer in the address bar. Freaked me out.

Apparently it's JD Cloud now. Or maybe it was the, and I don't recall correctly. It was a Chinese company, and it really freaked me out when I saw it.

Our company did not do any configuration to enable this behavior. This was in 2017.

AWS was a completely separate entity in China at the time. Fully backdoored of course. Opening an account there required a local company.

With Cloudflare, they were straight up MITM our site which had nothing to do with China at all.

link
gruez 270 days ago
Are you sure they weren't using a corporate machine with some sort of MITM proxy? That seems far more plausible than what you're suggesting. Moreover it's unclear why they'd even bother minting a new certificate for the China side, rather than copying the certificate like they do for all their other POPs.
link
Canada 269 days ago
Yeah, I'm sure it wasn't a corporate MITM. I turned off my VPN and saw the same on my own machine.

I guess Cloudflare isn't doing this any more by default.

They probably didn't share the other cert because they'd have to give the private keys to these Chinese partner.

link
donavanm 269 days ago
Yes, I havent done CDN work in a few years, but AFAIK that applies to all of the cloud "partners" in PRC as well. The customer needs to sign up with the PRC entity, provide ICP & local contacts, etc.

I would say that any MIIT approved infrastructure provider _is_ co-opted by the CCP. Its the entire point of requiring ICPs, tying the ICPs to network addresses/endpoints, and infra providers to be local entities; the MIIT gets their MITM equipment and RTBH routes directly in to the providers local DC.

link