Private I: Fire Cannon! Encryption everywhere protects you on the web

Imagine if, with no effort on your part, every web connection you made was secured, even the most ordinary, such as visiting our fair site while not logged in. You might think, why bother when I'm just visiting sites I read or use for reference--sites where there's no personal or financial information to steal?

The Great Cannon of China may make you reconsider that, even as securing every connection is becoming easier. More ordinary websites are adding the option to browse securely all the time, you can get plug-ins to help, and new methods of encrypting whenever possible are being baked into browsers.

Fire away!

The Great Firewall of China is the term coined to describe how authorities there block, intercept, and shape Internet traffic entering and leaving the country. Other countries, democracies and totalitarian states alike, are known or believed to have efforts as capable, but with few exceptions not as invasive or disruptive.

China doesn't mind if its citizens, researchers, and employees of foreign companies can't access some or all of the Internet resources they need. More recently, China has taken to blocking or disrupting virtual private networks (VPNs), encrypted pathways that are resistant or impossible to crack open and that are widely used by the Chinese middle class, among others. (Netflix is estimated to have millions of "U.S." customers who use a VPN to connect to American networks.)

Now China has reportedly deployed a new tool that is offensive rather than defensive, dubbed the Great Cannon of China by its discoverers. Put simply, the cannon rewrites webpages and other traffic crossing China's data borders--such as requests to Baidu and Alibaba--and can insert code into pages that is then executed on the requester's machine.

The cannon is cited as being behind large distributed denial of service (DDoS) attacks. These typically involve compromised computers on which malware was installed at some point in the past and which regularly check in to command-and-control centers. When a DDoS is activated, which can be for hire, for politics, or as a way to deflect attention from an assault elsewhere, thousands to millions of computers direct as much traffic as possible at a small target, even a single address.

In the case of the Great Cannon, the report says the system can insert malicious JavaScript into an unencrypted page request and response, which turns the requester's browser and computer into part of the distributed attack. This requires no malware installation, though the same vector could be used to compromise computers.

This affects Mac users, because these distributed JavaScript attacks rely on perfectly normal browser behavior. The separate issue of being able to infect a Mac or iOS device remains highly constrained, but some Windows systems and mobile devices, new and old, have pathways for exploitation.

This sort of vector needs millions of users visiting affected sites, with most of them using an insecure connection for at least part of their session. It doesn't even require that you visit Chinese sites: any third-party advertising system or other embedded page element on a site you visit that hosts part of its content in China can also be affected.
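One defender-side check that follows from this point, added here as an example and not part of the original article: walk a page's HTML and list every embedded element a browser would fetch over plain HTTP, since those fetches are the ones an on-path rewriter can alter. Scheme-relative references (`//host/tag.js`) are the subtle case: on an HTTPS page they resolve to HTTPS, but on a plain HTTP page the same ad tag becomes a plaintext request. The sample page and its hostnames are constructed for the example.

```python
"""Audit a page's HTML for sub-resources a browser would fetch over plain HTTP.

Added example for this article, not code from the original. The sample page
below is constructed; the hostnames in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch something. The script,
# frame, embed, object and stylesheet entries can run code in or restyle the
# page; images are passive content.
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data"),
    ("link", "href"), ("img", "src"),
}
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

# Constructed sample page (not a real site).
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="https://cdn.example.net/site.css">
  <script src="//ads.example.net/tag.js"></script>
  <script src="/static/app.js"></script>
</head><body>
  <img src="http://img.example.org/logo.png">
  <iframe src="https://video.example.org/embed/1"></iframe>
</body></html>
"""


class InsecureSubresourceFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for t, a in SUBRESOURCE_ATTRS:
            if tag == t and attrs.get(a):
                # Resolve relative and scheme-relative ("//host/x") references
                # against the page URL: on an http:// page they become http://.
                url = urljoin(self.page_url, attrs[a])
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, url))


def find_insecure_subresources(page_url, html):
    """Return [(tag, url), ...] for every sub-resource fetched over plain HTTP."""
    parser = InsecureSubresourceFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def active_insecure(findings):
    """Keep only the findings that can execute in, or restyle, the page."""
    return [f for f in findings if f[0] in ACTIVE_TAGS]


if __name__ == "__main__":
    for page in ("https://www.example.com/", "http://www.example.com/"):
        found = find_insecure_subresources(page, SAMPLE_HTML)
        print(page, "->", len(found), "insecure,", len(active_insecure(found)), "active")
        for tag, url in found:
            print("   ", tag, url)
```

Run against the same HTML served from an HTTPS origin, only the hard-coded `http://` image shows up; served from an HTTP origin, the two script tags join it, which is exactly the exposure the article describes.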

Encrypt at every opportunity

The cannon is the most notable new entry in leveraging unsecured web and other client-server sessions, and you can't counter it entirely by yourself, unless a third party releases tools that let you block browser sessions, webpage media, and JavaScript requests from sites identified as being intercepted and rewritten by the Great Cannon and similar attacks.

Websites have to step up to allow always-available encryption, and many are. They recognize that even for elements outside of commerce, finance, and healthcare, the ability for outside parties of any kind to see or redirect your traffic impairs privacy, increases government's ability to meddle (or worse), and casts a negative light on how the company handles your data. In Netflix's quarterly earnings letter released on April 15, the company wrote:

Over the next year we'll evolve from using HTTP to using Secure HTTP (HTTPS) while browsing and viewing content on our service. This helps protect member privacy, particularly when the network is insecure, such as public Wi-Fi, and it helps protect members from eavesdropping by their ISP or employer, who may want to record our members' viewing for other reasons.

The other side is to use browsers and plug-ins that preferentially use encryption and encourage browser makers to step up to enable that functionality.

I've been using a tool for years from the Electronic Frontier Foundation (EFF) and the Tor Project called HTTPS Everywhere which simulates this in part. Using a browser plug-in and a large set of rules about popular websites (including Macworld), HTTPS Everywhere always tries to make a secure connection first unless a rule says that it would break the site. (The plug-in is offered for Firefox, Chrome, and Opera. Safari lacks the ability to rewrite all URLs entered or clicked before the URL is requested from a server.)
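To make the rule-driven behaviour concrete, here is a toy rewriter in the spirit of that plug-in. It is an added example, not the EFF/Tor Project's code; the ruleset is constructed for this article and modelled on the plug-in's XML ruleset format (a `target` host list, `exclusion` patterns for paths that break over TLS, and `rule` regexes applied first-match), with placeholder hostnames.

```python
"""Toy HTTPS-Everywhere-style URL rewriter.

Added example for this article; it is not the EFF/Tor Project plug-in's code.
The ruleset below is constructed here and modelled on the plug-in's XML
ruleset format (target / exclusion / rule); the hosts in it are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset. A real ruleset file carries one <ruleset> per site with
# the same three element types.
RULESET_XML = r"""
<ruleset name="Example (constructed)">
  <target host="example.com" />
  <target host="*.example.com" />
  <!-- the forum software on this host breaks over TLS, so it is left alone -->
  <exclusion pattern="^http://forums\.example\.com/" />
  <!-- a static host that only serves TLS under a different name -->
  <rule from="^http://static\.example\.com/" to="https://secure-static.example.com/" />
  <!-- default: same host, flip the scheme -->
  <rule from="^http:" to="https:" />
</ruleset>
"""


def host_matches(host, target):
    """Match a hostname against a <target host> value.

    A leading '*.' wildcard stands for exactly one label, so '*.example.com'
    covers 'www.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    if target.startswith("*."):
        return host.count(".") == target.count(".") and host.endswith(target[1:])
    return host == target


class Ruleset:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        self.targets = [t.get("host") for t in root.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
        # Rules are tried in document order; the first one that matches wins.
        self.rules = [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")]

    def applies_to(self, url):
        host = urlsplit(url).hostname or ""
        return any(host_matches(host, t) for t in self.targets)

    def rewrite(self, url):
        """Return the secure URL for `url`, or `url` unchanged if no rule applies."""
        if not self.applies_to(url):
            return url
        # Exclusions are checked before rules, so a known-broken path can be
        # carved out without losing the rest of the site.
        if any(ex.search(url) for ex in self.exclusions):
            return url
        for pattern, replacement in self.rules:
            new_url, count = pattern.subn(replacement, url, count=1)
            if count:
                return new_url
        return url


RULES = Ruleset(RULESET_XML)


def rewrite(url):
    """Rewrite one URL with the constructed ruleset (a browser hook would call this)."""
    return RULES.rewrite(url)


if __name__ == "__main__":
    for u in ("http://www.example.com/news", "http://forums.example.com/t/1",
              "http://static.example.com/app.js", "http://other.example.org/",
              "https://www.example.com/"):
        print(f"{u}  ->  {rewrite(u)}")
```

The ordering is the security-relevant part: the host check decides whether a ruleset is even consulted, exclusions run before rules so an author can exempt the one path that breaks, and URLs that are already `https:` fall through every `from` pattern untouched.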

Some discussion forums and other web components aren't yet fully compatible with an always-secure world, making pages load incorrectly, but that's already changing. The more users who rely on and want always-secure connections, the more they will see broken pages, and the greater the pressure for sites and services that lag to upgrade them.

Also on the roster is opportunistic encryption (OE), a technology pushed by Mozilla, makers of Firefox, to allow sites to use secure connections that aren't backed by the kinds of certificates that are signed by central certificate authorities. While those certificates are best, and are part of making sure a site is legitimate, the OE argument is that some encryption is better than none.

Mozilla released Firefox 37 with this feature enabled, but a potential exploit led them to disable it in 37.0.1: a malicious party might be able to fool Firefox into accepting an unsigned certificate instead of the legitimate one. This is fixable.

Eventually, all browsers--Apple's included, based on the direction of things and their attitude towards end-to-end encryption--will try to make every connection a secure one, turning down the payload of the Great Cannon and many lesser ones, while also pushing other parties out of our business, whether personal business or the commercial kind. As government officials of any nation try to explain why this kind of encryption everywhere is bad, keep the cannon in mind.


Stories by Glenn Fleishman
