Ubiquitous web encryption to blast away China’s Great Cannon
A research body based in Toronto revealed the presence of yet another Chinese web censorship machine, being increasingly referred to as the‘Great Cannon’, which can intercept traffic and manipulate it —for all the wrong reasons.
However, the latest analysis shows that the attack was carried out by a separate offensive system with different capabilities and designs,prompting the research body to name it the Great Cannon.The Great Cannon boasts a distinct attack tool that hijacks traffic individual IP addresses and can arbitrarily replace unencrypted content as a man-in-the-middle.
The researchers noted that the Great Cannon could be abused to intercept traffic and insert malware to infect anyone visiting non-encrypted sites within the reach of the attack tool by simply telling the system to manipulate traffic from specific targets.
How to counter the Great Cannon
One simple way to stop the Great Cannon from infecting masses of users: encrypt all websites on the internet, which will prevent the system from tampering with traffic that is effectively encrypted. The SSL/TLS protocols (which most users commonly use when on HTTPS websites rather than HTTP) drop connections when a “man-in-the-middle” like the Cannon is detected, whilst preventing anyone from peeking at the content of web communications.
Projects underway to fight against such weapons
There are some significant projects underway designed to bring about ubiquitous web encryption. Just this week, the Linux Foundation announced it would be hosting the ‘Let’s Encrypt’ project, which seeks to make SSL certificates, which website owners have to own and integrate into their servers to provide HTTPS services, free and easy to acquire. These secure certificates shall be integrated in mid-2015 as per Josh Aas, executive director at the the Internet Security Research Group (ISRG), which runs Let’s Encrypt. It has some serious backers, including Akamai, Cisco, Electronic Frontier Foundation and Mozilla.
It’s unclear whether Let’s Encrypt would provide certificates to Chinese sites. “The default stance is that we want to issue to everyone – but we will have to comply with US laws… our legal team is looking into it.”
“There’s a lot of the web that isn’t encrypted,” added Jim Zemlin, executive director at The Linux Foundation. “We think that’s a big deal for internet security.”
Sources: citizenlab / TechCrunch/ Forbes