Yesterday, I was posted an article to report iCloud got Man-in-the-middle attack in China,
and repost to two major Chinese geek community,
Chinese attacker is running a Man-in-the-middle attack on SSL encrypted traffic between iCloud server and China Unicom users. The ISP (probably asked by the government to do so) replaced the certificate of iCloud with a self-issued one. The government conducted similar attacks against GitHub, Google, Windows Live and Yahoo.
Evidence and Reproduce:
iCloud.com using CDN provide by akamai.com ，they have a lot of DNS result when you access iCloud.com, such as: 188.8.131.52 , 184.108.40.206 , 220.127.116.11
When you access those IP via SSL like https://18.104.22.168/ , it will popup the SSL warning and you can check the certificate issued by trust certificate authority, but did not match the domain because we are using IP directly. end user get above DNS records randomly when access iCloud.com.
we are confirm that https://22.214.171.124/ face man-in-the-middle attack in China, when people who live in China mainland access https://126.96.36.199/ , it will popup the SSL warning, but the certificate not issued by trust certificate authority, it is self-issued. it means China ISP can steal anyone iCloud user’s information when they using DNS Pollution(DNS spoofing) and Man-in-the-middle attack both. now we don’t know the attacker using anycast technology to fake response from 188.8.131.52/ or just insert content between end user and real 184.108.40.206 , it seems not personal resource can m
ake it. it is possible State sponsored attack and operate by China Unicom.
here is the trace route result when I using China VPN:
gongzuola:~ zola$ traceroute 220.127.116.11
traceroute to 18.104.22.168 (22.214.171.124), 64 hops max, 52 byte packets
1 126.96.36.199 (188.8.131.52) 56.559 ms 55.089 ms 53.591 ms
2 184.108.40.206 (220.127.116.11) 59.504 ms 59.694 ms 67.255 ms
3 18.104.22.168 (22.214.171.124) 60.369 ms 59.645 ms 59.935 ms
4 126.96.36.199 (188.8.131.52) 65.318 ms 66.238 ms 64.967 ms
5 184.108.40.206 (220.127.116.11) 72.216 ms 75.174 ms 71.490 ms
6 18.104.22.168 (22.214.171.124) 71.202 ms 86.678 ms 70.070 ms
7 126.96.36.199 (188.8.131.52) 80.942 ms 80.418 ms 78.451 ms
8 184.108.40.206 (220.127.116.11) 145.922 ms 148.226 ms 152.103 ms
9 ae-1.r00.osakjp02.jp.bb.gin.ntt.net (18.104.22.168) 119.905 ms 120.990 ms 120.094 ms
10 a23-59-94-46.deploy.static.akamaitechnologies.com (22.214.171.124) 135.492 ms 141.408 ms 131.901 ms
after my report, there are many media report that issue: