Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Wider use of HTTPS could have prevented attack against GitHub

Jeremy Kirk | April 6, 2015
The attack against GitHub was enabled by someone tampering with regular website traffic to unrelated Chinese websites, all of which used a JavaScript analytics and advertising related tool from Baidu.

The unique attack method used to disrupt the code-sharing site GitHub over the last week could have been prevented if more websites enabled encryption, the Electronic Frontier Foundation (EFF) said Wednesday.

The attack against GitHub was enabled by someone tampering with regular website traffic to unrelated Chinese websites, all of which used a JavaScript analytics and advertising related tool from Baidu.

Somewhere on China's network perimeter, that analytics code was swapped out for code that transparently sent data traffic to GitHub, at times crippling parts of the popular website, particularly two projects that specialize in anti-censorship tools. It was also particularly insidious since the users whose traffic was modified didn't know they had been roped into the attack.

It was also a clearly orchestrated affair, as it required "privileged access to backbone routers within its borders to modify the Baidu resources," wrote Bill Budington, an EFF software engineer.

The reason GitHub's adversaries were able to swap out the code is because many of the Chinese websites weren't encrypting their traffic, indicated by "HTTPS" in the URL, Budington wrote.

"This was only possible due to the fact that the Baidu Analytics script included on sites is not using encryption by default," Budington wrote. "Without HTTPS, anyone sitting between the web server and the end user can modifying the content arbitrarily."

The EFF and other privacy groups have been advocating for some time that all websites move to HTTPS. Traffic exchanged with a client is encrypted, which prevents interlopers from reading it if it is intercepted, and it also makes it hard to figure out what page within a domain a person is accessing.

But HTTPS can be tricky to set up, and it's complicated when a website uses content from other sources, such as advertising networks, which also need to make the change.

For its part, GitHub is fully HTTPS encrypted. That has made it hard for China to censor the site on a per-URL basis. It could simply block the entire site as it did in January 2013, but that move drew criticism from a Google executive who said it also hurt Chinese developers, Budington wrote.

The latest attack focused on two projects, one that mirrors the content of publications including The New York Times and another run by Greatfire.org, a group that monitors websites censored by the Chinese government and develops ways for Chinese users to access banned services. Those specific URLs were not working as of Wednesday evening, although the rest of GitHub appears to be working.

One solution would be for Baidu, which has not been implicated as complicit in the attacks, to ensure its analytics script uses HTTPS, Budington wrote.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.