
Fake DNS entries from China/CNNIC


Jan Schejbal

Mar 26, 2010, 8:10:37 AM
Hi all,
please try the following command:
dig foobartwitter.comfoobar. @203.119.25.123

This should return nothing, REFUSED or a NXDOMAIN, am I correct?
However, it seems to return random-ish IP addresses.

http://whois.domaintools.com/203.119.25.123 says that the IP block
containing the address belongs to CNNIC:

inetnum: 203.119.25.0 - 203.119.25.255
netname: CNNIC-CRITICAL-CN
descr: China Internet Network Information Center

You may try other IP addresses from that subnet. Most have this
behavior. However, their real DNS servers sometimes return REFUSED
instead of bogus IPs. (It seems that multiple fake replies always get
sent; however, sometimes the DNS servers are faster.)

This happens with other Chinese subnets too, see 123.112.0.0/12 for
example.

Even if CNNIC will surely claim that they have nothing to do with it
(which I think is very hard to believe), operating a CA in an
environment where essential services like DNS are being spoofed seems
problematic to me. What happens if DNS entries used for domain
validation (mailserver IPs where verification mails get sent etc.) get
spoofed?

--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...

Jean-Marc Desperrier

Mar 29, 2010, 8:47:28 AM
Jan Schejbal wrote:
> please try the following command:
> dig foobartwitter.comfoobar. @203.119.25.123
>
> This should return nothing, REFUSED or a NXDOMAIN, am I correct?
> However, it seems to return random-ish IP addresses.

As I'm not a DNS expert, I'm not sure I understand well what this proves.

But at first sight, I understand this shows CNNIC is redirecting some
failing DNS lookup to a default host. Well if so, they're certainly not
the first one found to be playing this game. And even if customer
complaints have often had success getting ISP to stop that practice, I
have not yet seen people claiming it's illegal, or it's a proof the ISP
is ready to steal domains.

Jan Schejbal

Mar 31, 2010, 11:31:40 PM
Hi,

> But at first sight, I understand this shows CNNIC is redirecting some
> failing DNS lookup to a default host.

Maybe even just someone/-thing on the way to/from CNNIC. Why just
operating in such a network is a problem I already explained. But the
faking of DNS replies is specific to certain domains
(censorship-relevant ones) and you get back unallocated IPs, IPs not
responding on port 80, multiple replies with different IPs (try it with
wireshark) etc.

Let's make it more interesting:
Query for an EXISTING censored domain, say twitter.com. We ask one
of the nameservers for cn:
> dig twitter.com. @203.119.25.1
It is not responsible, so it gives you a REFUSED answer. But look at
the packets you get with a sniffer. You get REFUSED *and* four more
replies. The four remaining ones have fake IPs. It is random which one
reaches you first (most times, the REFUSED reply is approx. 1
millisecond faster).

Facebook? The same thing, but only one fake.
Fakebook.com? No fakes, only REFUSED.

Weird coincidence.

Come on. EVERYONE sees and knows what is happening, but still
"evidence" is needed.

What is a user experiencing an actual MitM supposed to do to get
"evidence"? Is there even a way to extract a faked cert without having
extensions installed before the attack?

Oh, on a side note, isn't SSL the only thing that protects some Firefox
extension updates from being replaced with fake versions, thus taking
full control over the client? Might be hard to present "evidence" after
that.


Jan
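The behaviour Jan describes in his two posts above (a REFUSED reply plus several extra answers with unrelated addresses, visible only with a sniffer because `dig` shows just the first reply it receives) can be measured without Wireshark by keeping the UDP socket open and counting every reply that carries the query's transaction ID. The script below is an added example written for this edit; it is not code from the thread or from any tool mentioned in it. The function names (`build_query`, `parse_reply`, `classify`, `probe`, `build_reply`, `demo`) are my own, the packets in `demo()` are constructed with documentation-range addresses rather than captured traffic, and nothing touches the network unless `probe()` is called with a server and name of your choosing. It generalises the thread's one-off check: any resolver and any name can be measured the same way, and more than one reply per query is the anomaly to look at.

```python
import random
import socket
import struct
import time

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid, qtype=1):
    """Wire-format query: header with RD set, one question, nothing else."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), end


def parse_reply(pkt):
    """Return txid, rcode name and the A-record addresses of the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = _read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    rcode = flags & 0xF
    return {"txid": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}


def classify(replies):
    """Summarise every reply seen for one txid. A well-behaved server answers a
    query exactly once, so more than one reply is the anomaly worth flagging."""
    return {"reply_count": len(replies),
            "rcodes": [r["rcode"] for r in replies],
            "distinct_ips": sorted({ip for r in replies for ip in r["answers"]}),
            "suspicious": len(replies) > 1}


def probe(server, name, wait=1.0):
    """Live measurement: send one query to `server` (IP string, port 53) and
    keep collecting matching replies for `wait` seconds, not just the first."""
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(build_query(name, txid), (server, 53))
    replies, deadline = [], time.monotonic() + wait
    while (remaining := deadline - time.monotonic()) > 0:
        sock.settimeout(remaining)
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            break
        if len(data) >= 12 and struct.unpack(">H", data[:2])[0] == txid:
            replies.append(parse_reply(data))
    sock.close()
    return classify(replies)


def build_reply(query, rcode, ips):
    """Constructed reply to `query` for offline use (not captured traffic): the
    question is echoed and each A record names it through a 0xC00C pointer."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in ips)
    return header + query[12:] + rrs


def demo():
    """Offline reproduction of the pattern in the thread: a REFUSED reply plus
    four extra answers with unrelated addresses (documentation ranges, constructed)."""
    q = build_query("twitter.com.", 0x2A2A)
    fakes = ("203.0.113.7", "203.0.113.8", "198.51.100.9", "198.51.100.10")
    wire = [build_reply(q, 5, [])] + [build_reply(q, 0, [ip]) for ip in fakes]
    return classify([parse_reply(p) for p in wire])


if __name__ == "__main__":
    print(demo())  # summary dict for the constructed packets
```

Running the file shows the offline demo; `probe("<resolver-ip>", "example.com.")` (placeholder server) performs the live measurement and returns the same summary shape. A legitimate authoritative or recursive server answers exactly once, so `reply_count > 1` is the signal to look at; `rcodes` and `distinct_ips` then show whether the extra replies contradict the first one, which is the pattern reported in the thread.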

Jan Schejbal

Mar 31, 2010, 11:36:41 PM
This might be interesting, too:
http://www.itworld.com/networking/102576/after-dns-problem-chinese-root-server-shut-down

They removed a DNS root server located in China, because it was messing
up the internet worldwide.

tophits

Apr 1, 2010, 4:00:36 AM
to lihlii-g, 网络安全
More important than your first report of redirecting non-existent
domain names to random IPs of CNNIC, it happened years ago that Google's
IP/domain name was kidnapped to websites inside the PRC, in order to block
access to Google. Many other dissident websites suffered similar
problems from techniques that pollute routing tables through dynamic
routing table update protocols. All these were done by the PRC government,
and CNNIC was an executive organ of these actions.

Though we have no hard evidence to prove that CNNIC participated in
each of these wrongdoings, unless the secret documents are
revealed after the collapse of the rogue government, as with the former
Soviet Union or East Germany, CNNIC claims to follow orders of the PRC
government, which organized active, systematic attacks with keyword
filtering, IP blocking, DNS spoofing and trojan phishing emails which
caused great loss to Chinese Internet users and many foreign
companies. CNNIC is proved to have conducted many related wrongdoings,
which already proves that it's not a responsible or trustworthy
administrator, thus not suitable as a root CA.

On Apr 1, 5:36 am, "Jan Schejbal" <jan.schejbal_n...@gmx.de> wrote:
> This might be interesting, too:http://www.itworld.com/networking/102576/after-dns-problem-chinese-ro...

Stephen Schultze

Apr 1, 2010, 8:40:19 AM
On Mar 31, 11:36 pm, "Jan Schejbal" <jan.schejbal_n...@gmx.de> wrote:
> This might be interesting, too:http://www.itworld.com/networking/102576/after-dns-problem-chinese-ro...

>
> They removed a DNS root server located in China, because it was messing
> up the internet worldwide.

They disabled it temporarily. It is back now. There has been no
conclusive explanation of what happened, but it's hard to come up with
any explanation that looks good for CNNIC.

https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005343.html

In any case, Jan is right. They have been hijacking known domains and
pointing them to their own IP block for some time. The bleeding of
this practice to the non-China internet is not yet totally explained,
but this type of thing has happened in the past.

Stephen Schultze

Apr 1, 2010, 8:54:27 AM
On Apr 1, 8:40 am, Stephen Schultze <sjschultze.use...@gmail.com>
wrote:

> They disabled it temporarily.  It is back now.  

Correction: it's still down, until they get a better explanation of
what happened.

"Once we had determined that the incorrect replies were associated
with queries sent to our anycast node in Beijing, and we had performed
some testing, we withdrew the announcements of the i.root-servers.net
service from that location. That withdrawal remains in effect."

tophits

Apr 2, 2010, 4:17:28 AM
to lihlii-g, 网络安全
Just now my friend told me that the CNNIC-controlled DNS registration
services stopped resolving his NGO website without any reason.

This is believed to be one step to suppress liberal NGO operations in
the PRC.

CNNIC did many such things following the orders of the PRC
government to ban liberal blog websites by stopping their DNS
resolution.

Those who insist on including the CNNIC root CA cert should consider this as
important background to understand why CNNIC is not a trustable CA.

Stephen Schultze

Apr 2, 2010, 8:58:55 AM

As noted earlier in this debate, reports like this do not help unless
they are more specific and are verifiable.

tophits

Apr 3, 2010, 1:52:54 PM
If you can read Chinese, there are too many reports in the Chinese
blogosphere.
I think it's useless to report this evidence because it's already
common knowledge for the Chinese people.

Only the Mozilla security group ignores the common knowledge and dances
with the evil.

On Apr 2, 2:58 pm, Stephen Schultze <sjschultze.use...@gmail.com>
wrote:

tophits

Apr 3, 2010, 1:56:50 PM
I'm tired of reporting to Mozilla with specific evidence because they
just ignore all but "fake certificate".
Still, if I come across any evidence that takes no big effort to
collect, I'll CC this group just for your information.

I don't believe it's useful to add concrete evidence to this
discussion because this discussion is doomed to be ignored by the
arrogance of the Mozilla Firefox security group.

On Apr 2, 2:58 pm, Stephen Schultze <sjschultze.use...@gmail.com>
wrote:

Nelson Bolyard

Apr 3, 2010, 8:40:32 PM
On 2010-04-03 10:52 PST, tophits wrote:
> If you can read Chinese, there are too many reports in the Chinese
> blogosphere. I think it's useless to report this evidence because it's
> already common knowledge for the Chinese people.

Statements like "I know someone who knows this to be true" are called
"hear say". Hearsay is not admissible evidence in any Western court of
competent jurisdiction. Please stop spamming us with hearsay.

> Only the Mozilla security group ignores the common knowledge and dance
> with the evil.

Courts that would convict based on hearsay are not respected in free societies.

> On Apr 2, 2:58 pm, Stephen Schultze <sjschultze.use...@gmail.com> wrote:
>> As noted earlier in this debate, reports like this do not help unless
>> they are more specific and are verifiable.

That's correct.

Kurt Seifried

Apr 3, 2010, 8:51:34 PM
to Nelson Bolyard, dev-secur...@lists.mozilla.org
> Statements like "I know someone who knows this to be true" are called
> "hear say".  Hearsay is not admissible evidence in any Western court of
> competent jurisdiction.  Please stop spamming us with hearsay.

Actually many western courts allow hearsay evidence. Canada for example:

There are exceptions to the hearsay rule. In other words, hearsay is
admissible under certain circumstances. Dying or death-bed declarations is
one example of an exception. Other traditional exceptions are spontaneous
or excited utterances and admissions or declarations against self-interest. A
witness being “unavailable” may also constitute an exception, as when the
witness has died, is missing, or might suffer trauma if required to testify
even if testimonial aids are used. If the witness is unavailable to testify for
these or other reasons, introduction of the hearsay may be deemed by the
Court as “necessary.”

http://www.lfcc.on.ca/6_HearsayEvidence.pdf

I also know Switzerland has much broader allowance of hearsay.

If you're going to argue/cite the law, make sure you get it right.
Under western law I suspect a judge would make an exemption for
hearsay in a case such as this seeing as how the Chinese people can't
testify due to availability, risk to themselves (i.e. government
reprisals for testifying), etc.

-Kurt

Nelson Bolyard

Apr 3, 2010, 9:55:47 PM
On 2010-04-03 17:51 PST, Kurt Seifried wrote:
>> Statements like "I know someone who knows this to be true" are called
>> "hear say". Hearsay is not admissible evidence in any Western court of
>> competent jurisdiction. Please stop spamming us with hearsay.
>
> Actually many western courts allow hearsay evidence. Canada for example:
>
> There are exceptions to the hearsay rule. In other words, hearsay is
> admissible under certain circumstances. Dying or death-bed declarations is
> one example of an exception. Other traditional exceptions are spontaneous
> or excited utterances and admissions or declarations against self-interest. A
> witness being “unavailable” may also constitute an exception, as when the
> witness has died, is missing, or might suffer trauma if required to testify
> even if testimonial aids are used. If the witness is unavailable to testify for
> these or other reasons, introduction of the hearsay may be deemed by the
> Court as “necessary.”
>
> http://www.lfcc.on.ca/6_HearsayEvidence.pdf

Fine, but none of those conditions is applicable here.

> If you're going to argue/cite the law, make sure you get it right.
> Under western law I suspect a judge would make an exemption for
> hearsay in a case such as this seeing as how the Chinese people can't
> testify due to availability, risk to themselves (i.e. government
> reprisals for testifying), etc.

It's not going to wash here. Hearsay about ISP activities isn't going to
convict a CA of abrogation of CA responsibilities.

Stephen Schultze

Apr 4, 2010, 12:36:45 AM
On Apr 3, 9:55 pm, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

> It's not going to wash here.  Hearsay about ISP activities isn't going to
> convict a CA of abrogation of CA responsibilities.

"Conviction" is not the standard. "[C]ases where we believe that
including a CA certificate (or setting its "trust bits" in a
particular way) would cause undue risks to users' security..." is the
standard.

tophits

Apr 4, 2010, 12:44:48 PM
to lihlii-g, 网络安全
It's not hearsay. My friend told me directly that his NGO
website was blocked by CNNIC by stopping DNS resolution.
This happened countless times for other independent websites in China
and it's not news, so I'm really tired of repeating it again and again.

Please read the countless English reports on Internet censorship
policies of PRC and how they did it, what role CNNIC played in the
censorship.

I feel it's a waste of effort to repeat every well-known piece of evidence to
persuade an arrogant group of stupid guys who never did any research
before they talk nonsense.

I don't think the Mozilla Firefox security group will respond to real
evidence properly. So I don't bother to do so.
They only accept postmortem evidence as qualified. They already
redefined the terms "risk" and "security" specifically for CNNIC. :)

All I can say is: Fuck!

On Apr 4, 2:40 am, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

Matt McCutchen

Apr 4, 2010, 8:09:18 PM
On Sun, 2010-04-04 at 09:44 -0700, tophits wrote:
> It's not hearsay. My friend told me directly that his NGO
> website was blocked by CNNIC by stopping DNS resolution.

Please humor the Mozilla community and provide the domain name and the
time period for which it was blocked, so we'll have a specific
allegation that CNNIC can confirm or deny. (I realize it may be hard to
establish now whether DNS said something at a specific time in the
past.)

--
Matt

Kai Engert

Apr 4, 2010, 10:48:20 PM


Dear tophits,

when you wrote your complaints a couple of weeks ago, I felt a lot of
sympathy.

I strongly believe in human rights. I think we should avoid everything
that looks similar to Orwell's 1984. I think freedom of information is
very important and will help to improve the societies of the world and
eventually (maybe in a couple of hundred years) will lead to elimination
of wars and suppression (everyone may now call me an idealist).

But in my opinion this can only work if we follow a very important rule:
When in doubt, the accused must remain free and unpunished.

The Mozilla project originated in a society that tries to
follow the above rule. That's the reason why we ask you to prove your
accusation.

I understand that it may be very difficult to gather the proof. As I
followed the discussion in this newsgroup I decided I wanted to do
something to help potential victims of potential abuse scenarios.

I decided I want to try to give people a tool that can help them
discover and prove an abuse. That's the reason why I've worked on the
Firefox add-on which I've called "Conspiracy".

After I had published it and announced it in this newsgroup, I had
expected a reaction from you (and from other people who accused the CA).

I expected some feedback. You could have said "thanks for trying to help
us", or you could have said "that's a good start, but we need something
better to collect evidence".

I've waited for a while, but I haven't seen such feedback. I'm asking
myself, why not? Have I done something completely irrelevant, or are you
not trying to collect evidence?

Instead I've seen very harsh words that you've directed to everyone
participating in this discussion. You've insulted me and all of us. I
think that's not fair. I hope you will apologize to the group for your
impulsive reaction.

Maybe it's not obvious for you, but we're really trying to help you.

You asked for help, and we said we'll help you, if you follow our most
important rule: An accusation needs proof.

Help us to help you. Make it possible for us to help you. Provide a proof.

I believe you should not be sent to jail simply because your neighbour
accuses you, do you agree? You have the right to ask for doubtless
proof. This principle is the reason why we are still asking you to
provide proof. A proof without doubt.

We may appear to be stubborn, but we're following an important, if not
the most important, principle of our society.

If the abuse scenario happens as frequently as you say, it should be
easy to collect the proof. Use extensions that allow you to watch
certificates on sites, use an extension that allows you to save
certificates. Send us a fake certificate. Send it to the list or send a
personal message to several people who have participated in this
discussion. Would it be possible for you to ask friends to help you? (Under
the assumption you feel it's safe to do, won't cause harm to anyone and
isn't against the laws of your country. I don't want to encourage anyone
to violate laws.)

I don't understand the following part of your comment:

>> I don't believe it's useful to add concrete evidence to this
>> discussion because this discussion is doomed to be ignored by the
>> arrogance of the Mozilla Firefox security group.

No, the opposite is true. If you have evidence, don't keep it for
yourself. (But please make sure you're safe).

If I said, "the USA has never been to the moon and I have evidence, because
I have a video of the people who faked the moon landing, but I will not
show it to anyone", would I be credible?

Thanks for listening.
Good luck and take care.
Kai

Stephen Schultze

Apr 4, 2010, 11:02:29 PM
On Apr 4, 10:48 pm, Kai Engert <kaie-dontspa...@kuix.de.example.test>
wrote:

Let me do my best to defuse this before it gets out of hand.

First, knowing the identity of the site mentioned is actually
irrelevant (or at least duplicative), because DNS hijacking is already
well documented. As such, tophits' report is (as I noted) not helpful
in that regard, but also not -- as we say in Western law --
dispositive. The question is whether the Mozilla community is
interested in considering the well-documented DNS hijacking questions
at all... a question being discussed over here:

http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/70948da946780ec7

Second, Kai's work deserves praise... more praise than it has received
so far. It is a significant contribution and among other things it
anticipated related work subsequently published by a prominent
security researcher.

Third, let me conjecture a reason why tophits may not want to identify
the site in question: retribution. This is actually a useful
demonstration of precisely why this is such an important issue. Not
only is it important to design our trust model so that it is robust to
hostile entities, but it is important to design our deliberation and
resolution process to be resilient to these forces as well. This is a
point that Eddy has made recently with respect to the CA approval
process, and I think he's right.

Matt McCutchen

Apr 4, 2010, 11:24:12 PM
On Sun, 2010-04-04 at 20:02 -0700, Stephen Schultze wrote:
> First, knowing the identity of the site mentioned is actually
> irrelevant (or at least duplicative), because DNS hijacking is already
> well documented.

If it is so well documented, could you please provide a link documenting
CNNIC DNS hijacking (other than of nonexistent domains to ad pages)?

> The question is whether the Mozilla community is
> interested in considering the well-documented DNS hijacking questions
> at all... a question being discussed over here:
>
> http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/70948da946780ec7

The answer is yes:

https://groups.google.com/group/mozilla.dev.security.policy/msg/62bfd270330c8abd

--
Matt

Stephen Schultze

Apr 4, 2010, 11:45:57 PM
On Apr 4, 11:24 pm, Matt McCutchen <m...@mattmccutchen.net> wrote:
> On Sun, 2010-04-04 at 20:02 -0700, Stephen Schultze wrote:
> > First, knowing the identity of the site mentioned is actually
> > irrelevant (or at least duplicative), because DNS hijacking is already
> > well documented.
>
> If it is so well documented, could you please provide a link documenting
> CNNIC DNS hijacking (other than of nonexistent domains to ad pages)?
>
> > The question is whether the Mozilla community is
> > interested in considering the well-documented DNS hijacking questions
> > at all... a question being discussed over here:
>
> >http://groups.google.com/group/mozilla.dev.security.policy/browse_thr...
>
> The answer is yes:
>
> https://groups.google.com/group/mozilla.dev.security.policy/msg/62bfd...
>
> --
> Matt

The links I provided later in that thread are a starting point.

Nelson Bolyard

Apr 5, 2010, 4:30:18 AM
On 2010-04-04 09:44 PST, tophits wrote:
> It's not hearsay. My friend told me directly that his NGO
> website was blocked by CNNIC by stopping DNS resolution.

and now you're SAYing what you HEARD your friend tell you. HEAR SAY.

All we have is someone (you) saying what he heard another say.

> This happened countless times for other independent websites in China
> and it's not news, so I'm really tired of repeating it again and again.

SO, please, don't.

> I feel it's a waste of effort to repeat every well-known piece of evidence to
> persuade an arrogant group of stupid guys who never did any research
> before they talk nonsense.

Yes, it is a waste of effort. Please don't waste your effort any more.

Jan Schejbal

Apr 5, 2010, 7:24:25 PM
Hi,

> If it is so well documented, could you please provide a link
> documenting CNNIC DNS hijacking (other than of nonexistent domains to
> ad pages)?

I already posted to this group the information needed to test this. If
you want, I will look up the data again, but I repeat that the problem
I mentioned happens both with existing and nonexisting domains.

Jan

tophits

Apr 5, 2010, 8:03:20 PM
to lihlii-g, 网络安全
On Apr 5, 4:48 am, Kai Engert <kaie-dontspa...@kuix.de.example.test>
wrote:

> I believe you should not be sent to jail, simply because your neighbour
> accuses you, do you agree? You have the right to ask for a doubtless

You're trying to repeat the wrong question. Now it's about trust,
not criminal accusation.
It's about security and risk, not punishment of CNNIC.

Please clarify these differences.

Should you trust a bank with a bad reputation and wrongdoings? Will
you deposit your life savings in a bank until you have hard evidence
that it steals money from you? Do you think that you have no reason to
avoid a bank with a bad reputation unless you have hard evidence that
it's cheating the customers with a Ponzi scheme?

Why are people repeating these false questions to waste our precious
time?

To Matt:

If the Mozilla security group officially claims that if concrete
evidence of DNS blockage done by CNNIC is provided, they will remove
the CNNIC root CA from Firefox, I will bother to collect the evidence.

Otherwise, why do I need to provide all this evidence that wastes my
time?

We have provided much evidence but they keep ignoring it!
