Imagine if, with no effort on your part, every web connection you made was secured, even the most ordinary, such as visiting our fair site while not logged in. You might think, why bother when I’m just visiting sites I read or use for reference—sites where there’s no personal or financial information to steal?
The Great Cannon of China may make you reconsider that, even as it’s becoming easier. More ordinary websites are adding the option to browse securely all the time. You can get plug-ins to help, and new methods of encrypting whenever possible are being baked into browsers.
Fire away!
The Great Firewall of China is a term coined to describe how authorities there block, intercept, and shape Internet traffic entering and leaving the country’s borders. Other countries, democracies and totalitarian, are known to have or believed to have efforts as strong, but not as invasive or disruptive with few exceptions.
China doesn’t mind if its citizens, researchers, and employees of foreign companies can’t access any or all of the Internet resources they need. More recently, China has taken to blocking or disrupting virtual private networks ( VPNs), secure pathways that are resistent or impossible to crack open, and are widely used by the middle-class in China among others. (Netflix is estimated to have millions of “U.S.” customers who use a VPN to connect to American networks.)
Now China has reportedly deployed a new tool: rather than defensive, it’s offensive, and has been dubbed by its discoverers, the Great Cannon of China. Put simply, the cannon rewrites webpages and other traffic crossing China’s data borders—such as to Baidu and Alibaba—and can insert code into pages that are then executed on the requester’s machine.
The cannon is cited as behind large distributed denial of service (DDoS) attacks. These typically involve compromised computers, in which malware has been installed in the past, and which regularly check in to control-and-command centers. When a DDoS is activated, which can be for hire, for politics, or as a tool to deflect attention for an assault elsewhere, thousands to millions of computers direct as much traffic as possible to a small target, even a single address.
In the case of the Great Cannon, the report says the system can insert malicious JavaScript into an unencrypted page request and response, which turns the requester’s browser and computer into part of the distributed attack. This requires no malware installation, though the same vector could be used to compromise computers.
This affects Mac users, because these distributed JavaScript attacks rely on perfectly normal browser behavior. The separate issue of being able to infect a Mac or iOS device remains highly constrained, but some Windows systems and mobile devices, new and old, have pathways for exploitation.
This sort of vector needs millions of users visiting sites with most visitors using an insecure connection for at least part of their session. It doesn’t even require that you visit Chinese sites: any third-party advertising system or other embedded page element at a site you visit that’s hosting part of its content in China can also be affected.
Encrypt at every opportunity
The cannon is the most notable new entry in leveraging unsecured web and other client-server sessions, and you can’t counter it entirely by yourself, unless a third-party releases tools to let you block browser sessions or webpage media and JavaScript requests from sites identified as being intercepted and rewritten by the Great Cannon and other attacks.
Websites have to step up to allow always-available encryption, and many are. They recognize that even for elements outside of commerce, finance, and healthcare, the ability for outside parties of any kind to see or redirect your traffic impairs privacy, increases government’s ability to meddle (or worse), and casts a negative light on how the company handles your data. In Netflix’s quarterly earnings letter released on April 15, the company wrote:
Over the next year we’ll evolve from using HTTP to using Secure HTTP (HTTPS) while browsing and viewing content on our service. This helps protect member privacy, particularly when the network is insecure, such as public Wi-Fi, and it helps protect members from eavesdropping by their ISP or employer, who may want to record our members’ viewing for other reasons.
The other side is to use browsers and plug-ins that preferentially use encryption and encourage browser makers to step up to enable that functionality.
I’ve been using a tool for years from the Electronic Frontier Foundation (EFF) and the Tor Project called HTTPS Everywhere which simulates this in part. Using a browser plug-in and a large set of rules about popular websites (including Macworld), HTTPS Everywhere always tries to make a secure connection first unless a rule says that it would break the site. (The plug-in is offered for Firefox, Chrome, and Opera. Safari lacks the ability to rewrite all URLs entered or clicked before the URL is requested from a server.)
Some discussion forums and other web components aren’t yet fully compatible with an always-secure world, making pages load incorrectly, but that’s already changing. The more users who rely on and want always-secure connections, the more they will see broken pages, and the greater the pressure for sites and services that lag to upgrade them.
Also on the roster is opportunistic encryption (OE), a technology pushed by Mozilla, makers of Firefox, to allow sites to use secure connections that aren’t backed by the kinds of certificates that are signed by central certificate authorities. While those certificates are best, and are part of making sure a site is legitimate, the OE argument is that some encryption is better than none.
Mozilla released Firefox 37 with this feature enabled, but a potential exploit let them to disable it in 37.0.1: a malicious party might be able to fool Firefox into accepting an unsigned certificate instead of the legitimate one. This is fixable.
Eventually, all browsers—Apple’s included, based on the direction of things and their attitude towards end-to-end encryption—will try to make every connection a secure one, turning down the payload of the Great Cannon and many lesser ones, while also pushing other parties out of our business, whether personal business or the commercial kind. As government officials of any nation try to explain why this kind of encryption everywhere is bad, keep the cannon in mind.
Author: Glenn Fleishman, Senior Contributor
Glenn Fleishman’s most recent books include Take Control of iOS and iPadOS Privacy and Security, Take Control of Calendar and Reminders, and Take Control of Securing Your Mac. In his spare time, he writes about printing and type history. He’s a senior contributor to Macworld, where he writes Mac 911.