Industry News

GreatFire accuses China of Intercepting CERNET Traffic to Google, Man-In-The-Middle Attack via Fake X.509 Certificates

Online censorship monitor GreatFire accused the Chinese government of carrying out a MitM (Man-In-the-Middle) attack by intercepting encrypted SSL traffic between the China Education and Research Network (CERNET) and Google, according to a blog post.

Google and many of its services are blocked in China due to internet censorship and the only access is through CERNET.


“Instead of just outright blocking Google on CERNET, which would have raised the ire of students, educators and researchers across China, the authorities felt that a MITM attack would serve their purpose,” the blog says. “By placing a man-in-the-middle, the authorities can continue to provide students and researchers access to Google while eavesdropping or blocking selective search queries and results.”

The MitM attack appears to date back to August 28, when China-based users complained on Google Plus and Weibo that they were receiving warning invalid SSL certificate messages when accessing and (Hong Kong) via CERNET.

GreatFire made two network captures that were analyzed by Netresec.

The analysis concluded that the MitM attack wasn’t carried out through DNS spoofing and the TTL (Time-To-Live) value was 248 or 249 in both cases as the highest TTL number is 255, which means the packets were carried out through more than six or seven router hops.

The low number of router hops indicated the presence of an IP MitM attack, as the normal router hops at the Peking University would be close to 14.

Signs of a MitM attack were also spotted when the round-trip time was measured at 8ms when the average best is about 150ms. This indicated the machine carrying out the MitM was near Peking University. Although the three-way TCP handshake was very quick, communication on the application layer was very slow at a 500ms, compared to an average of 150ms, which would be the normal ServerHello response-time.

As well, Netresec analyzed the X.509 certificates extracted from the two captures which were both self-signed for “”. Self-signed certificates pose a serious security issue as they are signed and certified by the same authority that generates them.

mitm cert

So far, all evidence points to an IP hijacking MitM attack which means that the MitM machine is impersonating the host, as the other possibility would be the HTTPS traffic forwarding toward a transparent SSL proxy.

“An alternative to changing the router config would also be to add an in-line device that redirects the desired traffic to the SSL proxy,” Erik Hjelmvik of Netresec said. “However, regardless of how they did it the attacker would be able to decrypt and inspect the traffic going to Google.”

The analysis alleges that the Chinese Government tampered with network traffic by faking the Google SSL certificate and hijacking the SSL session by impersonating the host. This way, the MitM machine can collect all transferred data between host and server.

Allegedly, the Chinese Government has past-practical experience as this is the second MitM attack on a high-profile target, after the GitHub MitM attack from January 2013.

About the author

Lucian Ciolacu

Still the youngest Bitdefender News writer, Lucian is constantly after flash news in the security industry, especially when something is vulnerable or exploited. Besides digging for 'hacker' scoops and data leaks, he enjoys sports, such as football and tennis.
He has also combined an interest for social and political sciences, as a graduate of the Political Science Faculty, with a passion for guitar and computer games.