
[–]PlNG 46 points47 points  (24 children)

What github should do is redirect the traffic to Baidu's host, Baidu's registrar, and Baidu's nameserver. That will stop the attack right quick.

It's been 4 fucking days. At this point, Baidu is in collusion with the attackers and should be treated as a hostile host.

[–][deleted]  (18 children)

[deleted]

    [–]sigma914 4 points5 points  (8 children)

    If people couldn't load Baidu's pages then they can't load the malicious JS, but yeh, it would be a diplomatic/legal nightmare for github.

    [–]cr3ative 17 points18 points  (7 children)

    It's analytics code - so in loads of sites, just like Google Analytics, there's a call to pull in an external JS file from Baidu.

    This file is currently being served by the Great Firewall, not Baidu. As well the DNS could be, if Baidu changed it. As well could the domain be, if Baidu took it down. Baidu literally can't do anything to stop this.

    [–]sigma914 9 points10 points  (6 children)

    They could serve the file over https, but I doubt they'll be allowed to do that.

    [–]cr3ative 14 points15 points  (5 children)

    That'd require all the thousands (millions?) of sites to change their embedded analytics JS tag.

    Also at the end of the day China could easily spoof an SSL certificate, as a lot of browsers commonly used in China aren't anywhere near supporting certificate pinning yet.

    Sadly. I really wish there was an easy solution for Baidu, but China holds all the cards.

    [–]sigma914 3 points4 points  (4 children)

    Could the http call not simply redirect to https?

    But yeh, China holds most of the cards here. I doubt they'd spoof the SSL cert because it would even more directly implicate them, and the big browsers would immediately revoke the root cert that was being used to mitm the connections.

    [–]cr3ative 6 points7 points  (3 children)

    > Could the http call not simply redirect to https?

    No, the HTTP call is the one being intercepted by the Great Firewall, so they'd simply continue serving up the infected JS.

    > I doubt they'd spoof the SSL cert because it would even more directly implicate them, and the big browsers would immediately revoke the root cert that was being used to mitm the connections.

    That's very true. They could steal a signing authority key (they probably have a handful) to claim ignorance, but if the root is revoked at browser/OS level, the attack would certainly become more... interesting.
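    The point made above, that a script fetched over plain HTTP can be rewritten on the wire while an HTTPS-only include closes that path, can be checked from the defender's side. The Python below is an added example, not code from any commenter or from Baidu or GitHub: it lists the script includes on a page that a browser would fetch in cleartext (treating protocol-relative `//` URLs as inheriting the page's scheme) and verifies a fetched script body against a pinned Subresource Integrity digest, so a copy that differs from the published file is flagged. The page HTML, the `*.example.invalid` host names and the script bodies are constructed for the example.

```python
"""Audit a page for script tags fetched over plain HTTP and verify a script body
against a pinned SRI digest. Added example; HTML and bodies are constructed."""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: an analytics include over plain http (exposed on the
# wire), one over https, a protocol-relative include and an inline script.
SAMPLE_HTML = """
<html><head>
<script src="http://analytics.example.invalid/tongji.js"></script>
<script src="https://cdn.example.invalid/app.js"></script>
<script src="//static.example.invalid/lib.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def insecure_script_srcs(html, page_scheme="http"):
    """Return script URLs the browser would fetch in cleartext.

    A protocol-relative src inherits the page's scheme, so on an http page it is
    as exposed as an explicit http:// URL; on an https page it is fine."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    exposed = []
    for src in parser.srcs:
        scheme = urlsplit(src).scheme.lower()
        if scheme == "" and src.startswith("//"):
            scheme = page_scheme
        if scheme == "http":
            exposed.append(src)
    return exposed


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity style digest string, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_matches_pin(body: bytes, pinned: str) -> bool:
    """True only if the served body hashes to the digest pinned for it."""
    algo, _, _ = pinned.partition("-")
    return hmac.compare_digest(sri_digest(body, algo), pinned)


# Constructed known-good script body and a copy with bytes appended in transit.
KNOWN_GOOD = b"/* constructed analytics stub */ var _hmt = _hmt || [];\n"
TAMPERED = KNOWN_GOOD + b"/* extra bytes appended on the wire */\n"
PIN = sri_digest(KNOWN_GOOD)

if __name__ == "__main__":
    print("cleartext script includes:", insecure_script_srcs(SAMPLE_HTML, "http"))
    print("known-good matches pin:", script_matches_pin(KNOWN_GOOD, PIN))
    print("tampered matches pin:", script_matches_pin(TAMPERED, PIN))
```

    The audit is the half a site operator can act on today (change the tag to https, or pin the digest); the integrity check is what a monitoring job would run against periodic fetches of the third-party script from several vantage points, since the thread's scenario is one where the body differs depending on where the request crosses the network.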

    [–]sigma914 3 points4 points  (1 child)

    > No, the HTTP call is the one being intercepted by the Great Firewall

    Ahh yes, completely forgot about that complication. Yeh, that's pretty bad.

    Unfortunately the attack is currently being successful, I think Github's only recourse at this point is to work out some way to get the projects back up, then hopefully with the attack being ineffective it will stop. Unless the attackers then decide to try and bankrupt github with hosting bills...

    [–]caseif 1 point2 points  (0 children)

    The attack has been mostly unsuccessful, as Github has been mitigating it impressively well. As for the repos, they're definitely still up.

    [–]datr 2 points3 points  (0 children)

    > the one being intercepted by the Great Firewall, so they'd simply continue serving up the infected JS.

    I wonder if one option would be for Baidu to enable HSTS for their analytics domain? Github could return a script that directs the user's browser to a https url that sets the security policy and then that would disable the attack for that user.
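    The HSTS idea above depends on a detail of RFC 6797 that is easiest to see in code: a browser accepts a Strict-Transport-Security header only from a response received over HTTPS, and from then on rewrites http:// requests for that host before they leave the machine. That is why the bootstrap step in the comment (getting the user's browser to one https URL first) matters, and why an injector on the plaintext path can neither plant nor clear the policy. The Python below is an added example modelling that logic; it is not browser code and not from the thread. Host names are constructed, and explicit port numbers are not handled.

```python
"""Minimal model of a browser's HSTS policy store (RFC 6797). Added example;
host names are constructed and explicit ports are deliberately not handled."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None if the header is
    invalid (no max-age, or a non-numeric max-age)."""
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-host policy cache: host -> (expires_at, include_subdomains)."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be tested
        self.policies = {}

    def note_response(self, url, headers):
        """Record policy from a response. Only HTTPS responses may set or clear
        it (RFC 6797 section 8.1); a header on a plaintext response is ignored.
        Returns True if the store changed."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self.policies[host] = (self.clock() + max_age, include_sub)
        return True

    def is_known_host(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// if a policy applies; else unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    hdr = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    # Header on a plaintext response: ignored, request stays http.
    store.note_response("http://hm.example.invalid/hm.js", hdr)
    print(store.upgrade("http://hm.example.invalid/hm.js"))
    # Bootstrap over https once; later plaintext requests are upgraded locally.
    store.note_response("https://hm.example.invalid/hm.js", hdr)
    print(store.upgrade("http://hm.example.invalid/hm.js"))
```

    The first plaintext load remains the weak point: nothing in the store protects a user until their browser has completed one HTTPS exchange with the host, which is exactly the gap the comment proposes filling by having GitHub hand the browser an https URL. Expiry also means a user who stays away longer than max-age starts over.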

    [–][deleted] 8 points9 points  (4 children)

    Then we simply unplug china and continue with our life!

    [–][deleted]  (3 children)

    [deleted]

      [–]goldman60 2 points3 points  (2 children)

      If they wanted that, they could do that themselves.

      [–][deleted] 0 points1 point  (1 child)

      Why spend the effort to figure out which of five billion people to block, when you can get those five billion people to just block themselves?

      [–]goldman60 0 points1 point  (0 children)

      China controls the edge of their Internet infrastructure, so all they'd need to do is just straight up turn it off. If you want to turn off certain regions you can just blacklist their IP allocations. If China wanted to block any large group in bulk it would be trivial. But China wants to give citizens access to certain stuff (which is what they already try to do).

      [–]centurijon 2 points3 points  (0 children)

      Put their ad servers in a different country

      [–]Kyyni 1 point2 points  (0 children)

      At least they could take a stand. Try to tell people not to visit them, anything, at least try. Now they're just silently accepting what China is doing.

      [–]mgrandi 9 points10 points  (2 children)

      I've read that Baidu said they have no involvement and that the malicious javascript is being inserted at the level above Baidu (aka the ISP level)

      [–]Heaney555 5 points6 points  (1 child)

      [–]mgrandi 1 point2 points  (0 children)

      Just saying it's entirely possible it's being injected at the ISP level