net4people / bbs

Forum for discussing Internet censorship circumvention

HTTPS MITM of various GitHub IP addresses in China #27

Open wkrp opened 4 years ago

wkrp commented 4 years ago

On 2020-03-26, users in China reported an HTTPS MITM of pages.github.com. I found this out from #ooni IRC.

@tomac4t archived the MITM certificates and uncovered more details: https://gist.github.com/tomac4t/396930caa8c32f97c80afd9567b4e704

DNS resolution is not being tampered with. The MITM is IP address–based, not domain-based, and affects at least these IP addresses:

It affects at least the following domains:

The list notably does not include other GitHub domains such as github.com, api.github.com, gist.github.com, and others. @tomac4t reports that it's possible to domain-front one of the affected domains with one of the unaffected domains.

The discussion on #ooni says that other IP addresses are affected, besides GitHub ones.

The most peculiar feature of the MITM certificates is

emailAddress = 346608453@qq.com

Also interesting:

Not Before: Sep 26 09:32:37 2019 GMT
Not After : Sep 23 09:32:37 2029 GMT

Here is an article about the situation and a translation into English:

Today, many Chinese netizens have complained that accessing GitHub Pages from a Chinese IP loads an invalid certificate, while accessing it from a foreign IP loads a normal certificate; they suspect the domain has been subjected to a man-in-the-middle attack.

A man-in-the-middle attack (MITM), in the field of cryptography and computer security, refers to an attacker creating separate connections with each end of a communication and relaying the data it receives, so that both ends believe they are talking directly to each other over a private connection, when in fact the entire session is completely controlled by the attacker. In a man-in-the-middle attack, an attacker can intercept calls from both sides of the communication and insert new content. In many cases this is simple (for example, a man-in-the-middle attacker within range of an unencrypted Wi-Fi wireless access point can insert himself into that network as a man-in-the-middle).

The prerequisite for a man-in-the-middle attack to be successful is that the attacker can disguise himself as each of the participating endpoints of the session and not be recognized by the other endpoints. A man-in-the-middle attack is an attack of (lack of) mutual authentication. Most encryption protocols specifically incorporate some special authentication methods to block man-in-the-middle attacks. For example, the SSL protocol can verify that the certificate used by one or both parties involved in the communication is issued by an authoritative and trusted digital certificate authority and can perform two-way identity authentication.

In a nutshell, so-called man-in-the-middle attacks are carried out by intercepting normal network communication data and performing data tampering and sniffing, without the knowledge of the parties to the communication.


The IP address resolution of pages.github.com is not the problem: the IP address resolved from China is 185.199.111.153, which belongs to GitHub.

Opening this untrusted certificate shows that the issuer of the certificate is 346608453@qq.com.


Establishing secure HTTPS communication that prevents man-in-the-middle attacks requires the following steps.

  • The server is correctly configured with the corresponding security certificate
  • Client sends request to server
  • The server returns the public key and certificate to the client
  • The client verifies the security of the certificate upon receipt; if it passes, a random number is generated, encrypted with the public key, and sent to the server
  • The server uses its private key to decrypt the encrypted random number, then uses the random number as the symmetric key to encrypt the data to be sent
  • The client receives the encrypted data, uses the symmetric key (i.e. the generated random value) to decrypt it, and parses the data to present the results to the client
  • SSL encryption established

Thanks to @tomac4t for reviewing a draft of this post.
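Added example (not from this thread or from @tomac4t's gist) of how a defender can check what an IP-based MITM presents: `assess_cert` applies the indicators the post calls out (self-signed issuer, an emailAddress in the issuer, a ten-year validity, no SAN covering the expected host) to a certificate in the dict form Python's `getpeercert()` returns, and `probe` makes a verified connection to a specific IP with a chosen SNI and archives the untrusted leaf as PEM when verification fails. The sample certificate is constructed from the details quoted above, and the 825-day limit is the CA/Browser Forum maximum in force at the time.

```python
import socket
import ssl

# Constructed sample in the dict form ssl.SSLSocket.getpeercert() returns, built from
# the details quoted in the thread; it is not the archived certificate itself.
SAMPLE_MITM_CERT = {
    "subject": ((("emailAddress", "346608453@qq.com"),),),
    "issuer": ((("emailAddress", "346608453@qq.com"),),),
    "notBefore": "Sep 26 09:32:37 2019 GMT",
    "notAfter": "Sep 23 09:32:37 2029 GMT",
    "subjectAltName": (),
}
MAX_PUBLIC_VALIDITY_DAYS = 825  # CA/Browser Forum limit in force in March 2020

def _rdn_values(name, attr):
    """Collect all values of attribute `attr` from a getpeercert() name tuple."""
    return [v for rdn in name for (k, v) in rdn if k == attr]

def _san_matches(host, san):
    """Exact or single-label wildcard match of `host` against one DNS SAN."""
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def assess_cert(cert, expected_host):
    """Return indicators that `cert` is not a legitimate publicly trusted leaf."""
    findings = []
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed (issuer == subject)")
    for email in _rdn_values(cert["issuer"], "emailAddress"):
        findings.append(f"issuer carries an emailAddress: {email}")
    days = (ssl.cert_time_to_seconds(cert["notAfter"])
            - ssl.cert_time_to_seconds(cert["notBefore"])) / 86400
    if days > MAX_PUBLIC_VALIDITY_DAYS:
        findings.append(f"validity of {days:.0f} days exceeds {MAX_PUBLIC_VALIDITY_DAYS}")
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_san_matches(expected_host, s) for s in sans):
        findings.append(f"{expected_host} not covered by subjectAltName {sans}")
    return findings

def probe(ip, sni, port=443, timeout=5):
    """Verify `ip` as `sni` against the system trust store; on failure, archive
    the presented leaf as PEM. No application data is sent in either case."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return False, ssl.get_server_certificate((ip, port))
```

Running `probe("185.199.111.153", "pages.github.com")` from an affected vantage point would return `(False, pem)`, and the PEM can then be compared against the archived certificates in the gist.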

wkrp commented 4 years ago

The most peculiar feature of the MITM certificates is

emailAddress = 346608453@qq.com

You can find a lot of news stories by doing a web search for this email address.

https://www.oschina.net/news/114402/git-mitm (archive)

According to feedback from several users, JD.com (京东), koajs and other websites show the same problem, with the same invalid certificate coming from that QQ mailbox. Some suspect that the apparent attacker is a novice hacker and that the purpose was most likely just practice or testing, but the scope of the impact this time is so broad that it does not look like mere practice.

The article linked in the post above has been updated. https://www.williamlong.info/archives/6021.html (archive)

Opening this untrusted certificate shows that its issuer is 346608453@qq.com. Looking up that QQ number shows the nickname 心即山灵 and a location of Harbin, Heilongjiang. Looking up the QQ groups the account has joined, its real name appears to be "张勇" (Zhang Yong), its residence appears to be "哈尔滨城东新居D区" (Harbin Chengdong Xinju District D), and its school appears to be "建三江一中92届" (Jiansanjiang No. 1 Middle School, class of 1992). Some information about the attacker can be found online from the QQ number left in the self-signed certificate; it shows that this person had previously been studying encryption technology. The person had also asked others on a technical discussion site to send related source code, so judging from the known information the attacker may have attempted the attack after learning about it.

Update: On March 27 at 13:17, QQ number 346608453 posted a message in its QQ space ("心即灵山的QQ空间") saying that "the QQ number was stolen and has now been recovered." But this statement looks rather self-incriminating, because an attacker who wants to generate a CA certificate can fill in any email address at all; there is no need to steal a QQ number.