Microsoft Outlook Users In China Hit With MITM Attack
DavidGilbert99 writes: A month after it blocked Google's Gmail, the Chinese government now stands accused of hacking Microsoft's Outlook email service, carrying out a man-in-the-middle attack to snoop on private conversations. From ZDNet: "On Monday, online censorship watchdog Greatfire.org said the organization received reports that Outlook was subject to a man-in-the-middle (MITM) attack in China.... After testing, Greatfire says that IMAP and SMTP for Outlook were under a MITM attack, while the email service's web interfaces were not affected."
Confucius say he who does not know Chinese Govermt (Score:3)
Re: (Score:2)
And coincidentally, Windows 8's Mail program does not work with POP anymore.
Re: (Score:1)
You say that as if somehow POP were immune to MITM attacks, which of course it ISN'T.
Encrypt if you need to (Score:4)
If my email communication was important enough, I would encrypt it since it's the only way to protect against MITM.
Encryption = same as an envelope for real mail. (Score:3)
Instead of relying on policies/laws to keep email confidential, I wonder if the internet would be a much safer place if the laws said that any unencrypted email has no expectation of privacy.
Unencrypted email should be thought of as more like a post-card -- where governments routinely scan them all for law enforcement [nytimes.com].
If you want anything private in email, encrypt it.
And if it were widely thought of that way, corporations would insi
Re: (Score:2)
Funny to see somebody complaining about the lack of a good encrypted email program.
"Geez, there's this billion dollar opportunity here that nobody is taking. Oh well, I'll just go back to reading Facebook." Come on man! Do it!
Re: Encryption = same as an envelope for real mai (Score:3, Informative)
The problem isn't that Joe User is too stupid. The problem is that these crypto systems are a real bitch to use effectively. They can take far too long to set up, and to work through any problems can waste too much time. Even when they're working, they're a pain in the ass to use. It's so bad that even experienced and knowledgeable people who can get them working don't want to bother with using these systems!
Re: (Score:2)
The big problem is key management, actually. The encrypted mail systems are mostly well integrated a
Re: (Score:2)
Replying to you mostly for myself, to write down what I try to explain to people when it comes to what PGP actually is and if anyone gets edumacated by what I wrote, that's fine.
The problem is sending keys - and most users would just blindly well, email them around.
This is why we have public key encryption, e.g., PGP, in the first place.
You're supposed to post/email/etc the public key to your various contacts to encrypt. It doesn't matter what the channel is that you use to transport the public key - email
Re: (Score:2)
Where it all breaks down though is you need to get a public key from a trusted source.
For instance with SSL it works.
A) You ask for example.com and get 244.244.244.244 as the DNS result.
B) 244.244.244.244 responds and presents a certificate (public key) for example.com
C) You check the certificate for example.com is legit by verification of a signature done with a 3rd party private key and check that with a public key you already have (root CA list). You can now trust 244.244.244.244's claim to be example.com
Re: (Score:2)
I think the best thing in the world for internet privacy/security would be if the laws were changed to state: "You have no expectation of privacy in any plain text email (or other communication) on the internet. Any such content can be freely used by your ISP, email hosting service, governments, ad-agencies, spammers, etc. If you want your email private, encrypt it.".
With su
Re: (Score:2)
That still exposes headers. Sort of important if you're a political dissident who will be taken to task for even communicating with dangerous foreigners.
Re: (Score:2)
The communication between the client and server is fully encrypted including headers. If you can't trust the server you send the message to, it's no longer a MITM attack but rather a server hijacking attack. If you encrypt the communication between the server and the client and encrypt the message body separately you are almost foolproof. I realize nothing about this is as easy as it sounds but if it's required you will do it.
Imagine that. (Score:5, Insightful)
A state spying on its own citizens... shameful. I'd be outraged, unless of course they said it was part of the war on terror, or whatever China's current favorite boogeyman is.
Re:Imagine that. (Score:5, Funny)
What?
Damn those Chinese. Ain't it enough to copy our technology, do they have to copy our boogeymen now, too?
Re: (Score:3)
Careful what you wish for, a domestic cold war is pretty much what we're heading for. It's likely that it's going to be asymmetric too.
Luckily this time WE will be the ones with the few resources.
Re: (Score:1, Insightful)
Merely beta testing... (Score:4, Insightful)
...for Cameron's plans for the West.
Capitalism with a Chinese face.
They were already subject to (Score:1, Troll)
Microsoft-In-The-Middle.
Who says that the attack is over? (Score:5, Informative)
The evidence that China was performing MITM attacks on Outlook.com was because of temporary use of an SSL certificate chain that wasn't signed by one of the hundreds of root CAs included with modern operating systems. (and therefore the software complained)
If the software people are using stops complaining about the SSL certificate chain, does that mean that they're not performing MITM anymore? Hell no. At the very least it means that they're just using an SSL certificate signed by one of the hundreds of trusted root CA certificates. You know, like CNNIC. The internet organization with ties to the Chinese government.
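An added example, not part of the comment above or of any tool it mentions: a check that separates the case the comment describes (a chain the root store rejects) from the case it warns about (a chain that validates but is not the certificate seen before). The function names, the pin set and the sample byte strings are assumptions made for illustration; the sample bytes are constructed stand-ins for DER certificates so the demo runs offline.

```python
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()

def classify(chain_ok: bool, leaf_der: bytes, pinned: set) -> str:
    """Combine the root-store verdict with a locally recorded pin set."""
    if not chain_ok:
        return "untrusted-chain"  # the case client software complains about
    if fingerprint(leaf_der) not in pinned:
        # Chain validates but this is not the certificate recorded earlier:
        # either a legitimate rotation or interception via a trusted CA.
        return "trusted-but-unpinned"
    return "ok"

def _handshake(host, port, ctx, timeout):
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def fetch_leaf(host: str, port: int = 993, timeout: float = 10.0):
    """Return (chain_ok, leaf_der) for an implicit-TLS port such as IMAPS."""
    try:
        return True, _handshake(host, port, ssl.create_default_context(), timeout)
    except ssl.SSLCertVerificationError:
        # Reconnect unverified only to record the certificate; send no credentials.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return False, _handshake(host, port, ctx, timeout)

# Constructed stand-ins for DER bytes (not real certificates).
KNOWN_LEAF = b"constructed-der-known-good-leaf"
OTHER_LEAF = b"constructed-der-different-leaf"
PINNED = {fingerprint(KNOWN_LEAF)}  # hypothetical pin set recorded earlier

def demo():
    return [classify(True, KNOWN_LEAF, PINNED),
            classify(True, OTHER_LEAF, PINNED),
            classify(False, OTHER_LEAF, PINNED)]

if __name__ == "__main__":
    print(demo())
```

A "trusted-but-unpinned" result needs out-of-band confirmation before the pin set is updated, since routine certificate renewal produces the same verdict.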
Confusing (Score:1)
Re: (Score:2)
Ah the good ol' days (Score:3, Insightful)
What about the NSA? (Score:2)
CNNIC (Score:2)
The paper points out that CNNIC is under government control and should not be trusted as a CA, but the attack described does not involve any CNNIC wrongdoing: the rogue certificates were self-signed.
That is nonsense to me. Indeed CA integrity should be questioned, but wrongdoing CA leaves trails, since a bad CA they issue is signed.
Re: (Score:1)
Use a vpn like software. (Score:1)
I bet the technical Chinese users are becoming real good in VPN and similar technologies. Please tell me, what are the methods that still work to cross the great Chinese firewall? Any good blogs where this is discussed?