In designing security protocols, it is often assumed that the parties at either end of an exchange have complete control over their computers. "Alice sends Bob the product of two prime numbers, but she keeps the prime numbers on her own machine secret..." Obviously this kind of logic is not valid if Alice is running an insecure machine that Bob or anybody else can break into. The issue is important in the context of designing systems for Chinese users to circumvent the "Great Chinese Firewall", since the Chinese government may try to defeat the protocol by attacking the computers of Chinese users trying to get past the firewall, or the computers run by overseas users who are helping them.
Machines of Chinese computer users. If the Chinese censors detect, for example, that a Chinese user is attempting to connect to an overseas HTTPS site (indicating that the user might be trying to reach a circumventor), then the censors' normal eavesdropping capabilities would not be enough to determine what the user is downloading over HTTPS, since HTTPS is designed to be secure against eavesdroppers. However, they could try to infect the user's machine with a Trojan horse, which would allow them to take control of it remotely and view what the Chinese user was downloading.
These users would often have slow dial-up connections, which would mean that even if they wanted to keep their machines secure with all the latest security patches, it would not be practical for them to download every new security patch published by Microsoft, since these can often be several megabytes. The advantage of a slow, temporary dial-up connection would be that the user might not be online long enough for an attacker to probe their machine thoroughly for weaknesses, and even if an attacker found a weakness and opened a backdoor, the attacker would not be able to predict what IP address the machine would have the next time it came online, which the attacker would need in order to connect through the backdoor again. However, if the Chinese government were attacking users' machines, it would not be practical for them to attack each machine manually; rather, the attack would have to be done using some type of automated script, and a dial-up connection would probably stay active at least long enough to be attacked by a simple script. In addition, if the attacker planted a backdoor on the user's machine, the backdoor could also be configured so that every time the machine re-connected to the Internet, it would connect back to the attacker's computer, so the attacker would never need to know the machine's new IP address.
Machines of overseas users who are running servers to help the Chinese users circumvent the firewall. These are users who are running circumventor-type Web servers on their home computers, which Chinese users can connect to in order to view banned sites. These machines would almost always have fast, stable connections, making it easier for them to install security patches to protect them against recently discovered exploits. The disadvantage is that because their machines are online almost all of the time and keep the same IP address for long periods (which is, after all, how the Chinese users are able to find them repeatedly), that makes them easier long-term targets for an attack.
Any machine playing a "central" role in a circumventor network operating outside China. If volunteers outside China are simply running circumventors that take incoming requests and send the contents of banned pages back to Chinese users, then there is no need for a "central" server coordinating the circumventors. However, some designs have proposed a role for a centralized machine that would keep track of other circumventors that are available. For example, in SafeWeb's "Triangle Boy" architecture, user A in China would send a request to a machine run by user B outside China, user B's machine would forward the request to SafeWeb's machine C at some central, fixed location, and machine C would send reply packets back to user A in China, but spoofed as if they had come from machine B -- so that to user A, it would look as if they were communicating transparently with machine B.
I. Denial-of-service attacks. These are the easiest type of attack to launch, especially if an attacker has sufficient resources. If the Chinese government wanted to mount a denial-of-service attack on a particular host, whether inside or outside their country, it would be hard to stop them -- the government would have as many machines and IP addresses at their disposal as they needed. Fortunately, there are few scenarios where the Chinese censors would have any need to launch a DOS attack.
Against a Chinese user's computer. If the censors detected that a Chinese user were trying to access banned content, then there would be no need for them to launch a DOS attack against the Chinese user's computer; instead, they could just block that IP address from accessing the page.
Against a circumventor outside China. If the Chinese censors detected that a given machine outside China were operating a circumventor server to help Chinese users access banned content, they wouldn't need to launch a DOS attack against the machine -- they could just block it, making it inaccessible to Chinese users. The machine owner could dodge the attack by moving to a new IP address, but that's just what the machine owner would do anyway if he found out that his address were blocked. In fact, if the censors conducted a DOS attack against the machine, the machine owner would find out pretty quickly, but if they simply blocked the machine's IP address, the machine owner might not find out for hours or days -- so it would be to the censors' advantage to simply block the machine.
There is one strategy under which the censors might want to DOS-attack outside machines running circumventors, and that is if they are trying to make it so hard for people to run circumventors that people stop doing it. Essentially, the censors would be blackmailing the would-be volunteers outside China: anyone who runs a circumventor on their machine that we manage to find will be attacked. To save face for the Chinese government, the censorship bureau wouldn't even have to make the threat themselves; rather, they could hope that by launching anonymous attacks against circumventor sites, it would simply become common knowledge that anyone who runs a circumventor is at risk of getting their machine flooded. If a machine were attacked heavily enough, not only would it be impossible for Chinese users to use it to circumvent the firewall, but the machine owner would see their machine's performance seriously impaired.
Against a "central" server. A central server outside China, run by Voice of America or some other entity to coordinate efforts between circumventors, could become the target of a DOS attack.
Such a server would already be blocked from China, but that wouldn't make any difference, since the server is not designed for Chinese users to connect to it directly, but rather for circumventors outside China to connect to. So this server would be a potential target for a DOS attack from Chinese censors. To mitigate this type of attack, if a circumventor architecture is used that does rely on this type of "central server", these steps should at least be taken:
II. Attacks that rely on user naivete. This includes "attacks" like mailing an executable file to a user, or asking a user to download and run an executable file from a Web page.
Against a Chinese user's computer. A certain proportion of Chinese users might be naive enough to run an executable file emailed to them by a stranger or presented to them on a random web page. The Chinese censors would be limited in their ability to infect a user's computer in this way by email, because if the censors simply see the IP address of a Chinese user connecting to the IP address of a site outside of China, there's no way for them to determine the email address of the Chinese user. What they could do, though, would be to inject HTML into a page downloaded by the Chinese user, telling them to download and install an executable. In fact, if the user were browsing a site that they "trusted" like www.microsoft.com, they would be even more likely to download and install it, because even fairly experienced Internet users will frequently download and install software from sites that they trust.
If the Chinese user were browsing the Web via a circumventor site that used SSL to encrypt traffic, then the censors would not be able to inject HTML into the download pages, since you cannot inject HTML into an encrypted traffic stream. However, the censors could just watch to see the next site visited by that user, and inject the HTML into that site's contents instead.
There is no easy way to guard against this, so Chinese users should simply be wary of downloading any software from the Web, whether they "trust" the site or not. If the Chinese censors were discovered to be using this strategy of injecting executable download links into high-traffic trusted sites like www.microsoft.com, then any existing circumventors could start carrying banners warning the Chinese users not to fall for these traps.
Against a circumventor outside China. Most of the time, the Chinese censors would not be able to determine the email address of the person running a circumventor site, and, unlike the case of the Chinese user, there would be nothing they could do to make the circumventor owner view a particular Web page either. And even if they could, the average person hosting a circumventor on their home computer would usually be sophisticated enough not to download an executable from an untrusted source -- although that might change, if circumventors become easier to install, and fast, semi-permanent Internet connections become more common, such that the demographics of circumventor owners change to include less sophisticated users.
However, the Chinese censors probably still would not go to this trouble, since it would be easier for them to simply put the circumventor site on the Great Firewall's block list. And if they wanted a way to "strike back" at sites for running circumventors, as part of a campaign to discourage people outside China from running them, it would be easier for them to run DOS attacks as discussed previously.
Against a "central" server. Any server outside China that plays a role in a distributed circumventor network, operated by Voice of America or someone else, should be administered by people who are experienced enough not to open viruses and other executable attachments that people send them, so this should be a non-issue.
III. Attacks based on known exploits. These are attacks which do not rely on user naivete, but rather on flaws in programs running on the victim's computer. These can be further divided into categories:
Attacks where the attacker only has to know the IP address of the victim. These are very rare, but when they are found, they are considered extremely dangerous -- an example being the Universal Plug n Play security hole found in 2001, which the discoverer called "the worst default security vulnerability in Windows ever". However, these attacks can be stopped by a firewall that prevents external connections from reaching the victim's computer.
Attacks that depend on the victim viewing a Web page or downloading an email message. These types of security holes are more common, but they cannot be used to attack someone's machine simply by knowing the IP address of the machine; you would need to know how to send the machine's owner an email or instant message to get them to look at a site. However, the Windows XP Messenger service allows anyone (including spammers, who have exploited this trick extensively) to send a pop-up message to someone's Windows XP desktop, simply by knowing the person's IP address, so this trick could be used to get someone to visit a "dangerous" URL. Browser and mail-reader exploits will also work even against someone who is behind a firewall -- if you can get someone to read your "booby-trapped" Web page from behind the firewall, the firewall almost certainly won't protect them from the page's dangerous contents.
Most security holes found in email readers are found in Microsoft Outlook (which, for this reason, is known to many virus researchers as "Lookout!"). However, Outlook is far from the dominant email program in the Western world, and probably has an even smaller market share in China, where a higher proportion of users would simply have Web-based email accounts. Meanwhile, most browser security holes are found in Internet Explorer, which is the dominant Web browser in the Western world, but not everywhere in China, where the Tencent browser is commonly used in cybercafes.
So consider in turn how these attacks could be used against the computers in our model:
Against a Chinese user's computer. If the censors used an exploit which only required that they be able to connect to a victim's computer, they could connect to the IP address of any machine that attracted their attention. However, many computers that are used to access the Internet from China are in cyber cafes, where an Internet connection with a single IP address is split among many computers using a router/firewall. This prevents an outside attacker from using any exploits against these computers that would require them to connect directly to the users' machines.
An email attack would be unlikely to be used, since the censor has no way of knowing the email address of the user in China viewing a page. The only way this could be effective would be for the Chinese censors to "blanket bomb" Chinese email addresses with Trojan horses, hoping some of them would download and install them, in order to take control of a significant number of users' machines. This would be unlikely to work against the more net-savvy users (the very ones who are likely to be using circumventors in the first place).
However, the censors could exploit a known browser security hole by injecting the "booby-trapped" HTML code into random pages that users were downloading; again, the code could not be injected into an SSL-encrypted page, but the censors could inject the code into almost any non-encrypted page viewed by the user. The censors could target particular users whom they wanted to watch more closely, or they could target users at random with the hope of gaining control of as many PCs inside China as possible. As noted, however, many Chinese users use the Tencent browser, which is not vulnerable to the many known security holes in Internet Explorer.
Against a circumventor outside China. If the Chinese censors found a way to attack a user's computer simply by knowing its IP address, circumventor machines would be easy prey. A circumventor machine could not hide itself completely behind a firewall, either, since the firewall would have to permit at least some inbound traffic in order for the circumventor to be reached. For best security, the firewall could be configured to only allow access to the port running the circumventor, but even then, if the circumventor is based on a Web server, the attackers could exploit a security hole in the Web server itself (which is what the Code Red worm did to machines running Microsoft's IIS Web server). So it's fortunate that these exploits are rare.
As for browser and email exploits, since the Chinese censors would have no way of sending an email to a circumventor operator, or injecting content into the Web traffic that they downloaded, the only way the censors could use a browser or email exploit to attack the operator would be to send them an XP Messenger service message, telling them to visit a given Web site. While it's true that many users are jaded about the spam messages they receive through the Messenger service, it wouldn't be hard to craft a message that would appeal to circumventor operators specifically and probably get them to follow the link. (This would probably do it: "Hey, I'm Kim, a 19-year-old Chinese girl, and I used your computer to get past the firewall, thank you! Come check out my picture site!!" It would certainly work on me.)
The question is whether the censors would have any reason to use an exploit against a circumventor machine. As is the case with denial-of-service attacks, it would seem at first that the censors wouldn't go to the trouble of attacking the circumventor when they could just block it. But once again, it's possible that the censors might use this as a means of blackmail against the circumventor-operating community -- plant a few Trojan horses that display a message saying "The circumventor installed on your machine has caused your hard drive to crash", and then trash the user's computer. The idea would be to spread the word that running a circumventor exposes people to retaliation -- or worse, that the circumventor itself compromised their machine.
| Type of computer targeted | Denial of service | Naive user | Email exploit | Browser exploit | Direct-IP-connection exploit |
|---|---|---|---|---|---|
| Chinese user's computer | Not necessary. | Most likely by injecting an executable download link into a Web page viewed by the user. Web-based circumventors could carry banners warning users about "known scams". | Censors generally wouldn't know the user's email address; they would have to "blanket-bomb" Chinese email addresses with Trojan horses to be effective. | Could inject booby-trapped HTML code into a page downloaded by the user. However, many Chinese users don't use the insecure Internet Explorer. | Vulnerable -- but many Chinese users surf in cybercafes, where a firewall prevents direct connections from the outside. |
| Circumventor machine | Possible as a way to "blackmail" people into not running them. | Most circumventor operators wouldn't be that naive; easier for the Chinese censors to block them, or to use DOS attacks for blackmail. | Censors generally wouldn't know the operator's email address. | No way to get the operator to view a page, except Messenger service spam. Might be used to blackmail circumventor operators, or to create the impression that running a circumventor is unsafe. | Vulnerable (fortunately, such exploits are rare). Always apply all the latest patches. |
| "Central" machine | Possible; circumventors should have a "fail-safe" mode so they can continue operating if the central machine goes down. | Should not apply if administered properly. | Should not apply if administered properly. | Should not apply if administered properly. | Should not apply if administered properly. Always apply all the latest patches. |
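As an added example (not code from the original article or from any of the projects it mentions), here is one way a circumventor node could implement the "fail-safe" mode the table calls for when the "central" machine is unavailable: it fetches the list of other circumventors from the central server when it can, keeps the last good list on local disk, and keeps serving from that list (up to a maximum age) when the central server cannot be reached, for instance while it is under a denial-of-service attack. The local cache file, the `fetch` callable that talks to the central server, and the "host:port" peer format are all assumptions.

```python
import json
import os
import time
from typing import Callable, List, Optional


def _valid_peer(entry: object) -> bool:
    # The central server's answer is untrusted input: keep only "host:port"
    # strings with a sane port and silently drop anything else.
    if not isinstance(entry, str) or entry.count(":") != 1:
        return False
    host, port = entry.split(":")
    return bool(host) and port.isdigit() and 0 < int(port) < 65536


class PeerDirectory:
    def __init__(self, cache_path: str, fetch: Callable[[], List[str]],
                 max_age: float = 6 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.cache_path = cache_path  # hypothetical local cache file
        self.fetch = fetch            # asks the central server; raises on failure
        self.max_age = max_age        # seconds a cached list stays trusted
        self.clock = clock
        self.degraded = False         # True while running without the central server
        self.peers: List[str] = []
        self.fetched_at: Optional[float] = None
        if os.path.exists(cache_path):
            with open(cache_path) as f:
                data = json.load(f)
            self.peers = [p for p in data.get("peers", []) if _valid_peer(p)]
            self.fetched_at = data.get("fetched_at")

    def _save_cache(self) -> None:
        # Write to a temp file and rename so a crash never leaves a half-written cache.
        tmp = self.cache_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"peers": self.peers, "fetched_at": self.fetched_at}, f)
        os.replace(tmp, self.cache_path)

    def refresh(self) -> List[str]:
        """Current peer list; falls back to the cached list if the central server is down."""
        try:
            fresh = self.fetch()
        except Exception:
            self.degraded = True
            if self.fetched_at is None or self.clock() - self.fetched_at > self.max_age:
                return []  # nothing cached, or the cached list is too old to trust
            return list(self.peers)
        self.peers = [p for p in fresh if _valid_peer(p)]
        self.fetched_at = self.clock()
        self.degraded = False
        self._save_cache()
        return list(self.peers)
```

A node in `degraded` mode should also log that it is running on cached data, since a central server that stays unreachable for hours is exactly the signal that it is being attacked.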