Wider use of HTTPS could have prevented attack against GitHub

EFF said the GitHub attack reinforces the case for using HTTPS

The unique attack method used to disrupt the code-sharing site GitHub over the last week could have been prevented if more websites enabled encryption, the Electronic Frontier Foundation (EFF) said Wednesday.

The attack against GitHub was enabled by someone tampering with regular website traffic to unrelated Chinese websites, all of which used a JavaScript analytics and advertising related tool from Baidu.

Somewhere on China's network perimeter, that analytics code was swapped out for code that transparently sent data traffic to GitHub, at times crippling parts of the popular website, particularly two projects that specialize in anti-censorship tools. It was also particularly insidious since the users whose traffic was modified didn't know they had been roped into the attack.

It was also a clearly orchestrated affair, as it required "privileged access to backbone routers within its borders to modify the Baidu resources," wrote Bill Budington, an EFF software engineer.

The reason GitHub's adversaries were able to swap out the code is because many of the Chinese websites weren't encrypting their traffic, indicated by "HTTPS" in the URL, Budington wrote.

"This was only possible due to the fact that the Baidu Analytics script included on sites is not using encryption by default," Budington wrote. "Without HTTPS, anyone sitting between the web server and the end user can modifying the content arbitrarily."

The EFF and other privacy groups have been advocating for some time that all websites move to HTTPS. Traffic exchanged with a client is encrypted, which prevents interlopers from reading it if it is intercepted, and it also makes it hard to figure out what page within a domain a person is accessing.

But HTTPS can be tricky to set up, and it's complicated when a website uses content from other sources, such as advertising networks, which also need to make the change.

For its part, GitHub is fully HTTPS encrypted. That has made it hard for China to censor the site on a per-URL basis. It could simply block the entire site as it did in January 2013, but that move drew criticism from a Google executive who said it also hurt Chinese developers, Budington wrote.

The latest attack focused on two projects, one that mirrors the content of publications including The New York Times and another run by Greatfire.org, a group that monitors websites censored by the Chinese government and develops ways for Chinese users to access banned services. Those specific URLs were not working as of Wednesday evening, although the rest of GitHub appears to be working.

One solution would be for Baidu, which has not been implicated as complicit in the attacks, to ensure its analytics script uses HTTPS, Budington wrote.

Even if Baidu does that, there are still ways to interfere, however. The Chinese government could force Baidu to turn over the private keys it uses to encrypt traffic, which then would allow visibility into the data, Budington wrote. Or, the government could force Baidu to deliver its malicious code.

GitHub's problems came just ahead of the signing of an executive order on Wednesday by U.S. President Barack Obama that authorizes sanctions against perpetrators of cyberattacks. The sanctions are intended to act as a punishment when nations are unwilling or unable to crack down on those responsible, Obama said.

The U.S. has become increasingly aggressive in laying blame for cyberattacks, which it claims have damaged businesses. In mid-December, North Korea was blamed for the devastating attacks against Sony Pictures Entertainment. Obama subsequently authorized even more sanctions against the already marginalized country.

In the first legal action of its kind in May 2014, federal prosecutors charged five members of the Chinese Army with stealing trade secrets from U.S. organizations over eight years. China denied the accusations.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags securityElectronic Freedom Foundationencryption

More about BillEFFElectronic Frontier FoundationGoogleSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts