iCloud face man-in-the-middle attack in China

Yesterday, I posted an article reporting that iCloud was subject to a man-in-the-middle attack in China, and reposted it to two major Chinese geek communities:

A Chinese attacker is running a man-in-the-middle attack on SSL-encrypted traffic between the iCloud servers and China Unicom users. The ISP (probably asked by the government to do so) replaced the certificate of iCloud with a self-issued one. The government has conducted similar attacks against GitHub, Google, Windows Live and Yahoo.

Evidence and reproduction: using a CDN provided by , there are many DNS results when you access , such as: , ,

When you access those IPs via SSL, like , it pops up an SSL warning; you can check that the certificate was issued by a trusted certificate authority but does not match the domain, because we are using the IP directly. End users get one of the above DNS records at random when they access

We confirm that faces a man-in-the-middle attack in China: when people who live in mainland China access , it pops up an SSL warning, but the certificate is not issued by a trusted certificate authority; it is self-issued. This means a Chinese ISP can steal any iCloud user's information by using DNS pollution (DNS spoofing) and a man-in-the-middle attack together. We do not yet know whether the attacker is using anycast to fake responses from or simply inserting content between the end user and the real ; it does not seem that personal resources could achieve it. It is possibly a state-sponsored attack operated by China Unicom.
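The reproduction above and the self-issued-certificate observation amount to a three-way check per IP, which the following script performs (an added example, not code from the original post): chain trusted and name matches; chain trusted but name does not match (expected when connecting to a CDN node by IP); or chain not trusted at all (the self-issued case). The names `www.icloud.com` and `cdn.example.net` used in the comments and tests are assumptions for illustration.

```python
"""Classify what a TLS endpoint presents, as in the report above: trusted CA
and matching name; trusted CA but name mismatch (expected when reaching a CDN
node by IP); or a chain that does not validate (self-issued, the MITM sign)."""
import socket
import ssl

NORMAL = "normal"                                   # verdict strings are
CDN_NAME_MISMATCH = "trusted CA, name mismatch"     # constructed for this
UNTRUSTED_CHAIN = "chain not trusted: possible MITM"  # example


def san_names(cert):
    """DNS names from a getpeercert()-style dict (subjectAltName tuples)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert, hostname):
    """Exact SAN match, or a one-label wildcard: '*.icloud.com' (assumed
    name) matches 'www.icloud.com' but not 'icloud.com' or 'a.b.icloud.com'."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names(cert):
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue
        if pattern == host:
            return True
        if pattern[0] == "*" and len(pattern) > 2 and pattern[1:] == host[1:]:
            return True
    return False


def classify(chain_trusted, cert, expected_host):
    """Turn the two observations into the verdict the report distinguishes."""
    if not chain_trusted:
        return UNTRUSTED_CHAIN
    return NORMAL if hostname_matches(cert, expected_host) else CDN_NAME_MISMATCH


def probe(ip, expected_host, timeout=5.0):
    """Connect to ip:443 with SNI=expected_host, verify the chain against the
    system trust store, then judge the name separately so that a CDN name
    mismatch is not confused with an untrusted (self-issued) chain."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name is checked by classify(), not by ssl
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=expected_host) as tls:
                return classify(True, tls.getpeercert(), expected_host)
    except ssl.SSLCertVerificationError:
        return UNTRUSTED_CHAIN
```

Run `probe()` once per DNS answer from a resolver inside China and once from outside; only the untrusted-chain verdict is the condition the report describes, while a name mismatch alone is the ordinary CDN-by-IP result.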


self-issued certificate

self-issued certificate

Here is the traceroute result when I use a China VPN:

gongzuola:~ zola$ traceroute
traceroute to (, 64 hops max, 52 byte packets
1 (  56.559 ms  55.089 ms  53.591 ms
2 (  59.504 ms  59.694 ms  67.255 ms
3 (  60.369 ms  59.645 ms  59.935 ms
4 (  65.318 ms  66.238 ms  64.967 ms
5 (  72.216 ms  75.174 ms  71.490 ms
6 (  71.202 ms  86.678 ms  70.070 ms
7 (  80.942 ms  80.418 ms  78.451 ms
8 (  145.922 ms  148.226 ms  152.103 ms
9 (  119.905 ms  120.990 ms  120.094 ms
10 (  135.492 ms  141.408 ms  131.901 ms
gongzuola:~ zola$

The man-in-the-middle attack ONLY affects people who live in China. , did not face a man-in-the-middle attack.

normal certificate from

After my report, many media outlets reported the issue:
