Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Censorship China Communications Government Microsoft Security

Microsoft Outlook Users In China Hit With MITM Attack 35

DavidGilbert99 writes A month after it blocked Google's Gmail, the Chinese government now stands accused of hacking Microsoft's Outlook email service, carrying out man-in-the-middle attack to snoop on private conversations. From ZDNet: " On Monday, online censorship watchdog Greatfire.org said the organization received reports that Outlook was subject to a man-in-the-middle (MITM) attack in China....After testing, Greatfire says that IMAP and SMTP for Outlook were under a MITM attack, while the email service's web interfaces were not affected.
This discussion has been archived. No new comments can be posted.

Microsoft Outlook Users In China Hit With MITM Attack

Comments Filter:
  • by JoeyRox ( 2711699 ) on Monday January 19, 2015 @01:09PM (#48850893)
    is reading his email is MITMWC, aka Man in The Middle Without Clue.
  • by Ravaldy ( 2621787 ) on Monday January 19, 2015 @01:15PM (#48850945)

    If my email communication was important enough, I would encrypt it since its the only way to protect against MITM.

    • Totally agree encryption (PGP/GPG, S/MIME) is the right answer here.

      Instead of relying on policies/laws to keep email confidential, I wonder if the internet would be a much safer place if the laws said that any unencrypted email has no expectation of privacy.

      Unencrypted email should be thought of as more like a post-card -- where governments routinely scan them all for law enforcement [nytimes.com].

      If you want anything private in email, encrypt it.

      And if it were widely thought of that way, corporations would insi

      • by Thagg ( 9904 )

        Funny to see somebody complaining about the lack of a good encrypted email program.

        "Geez, there's this billion dollar opportunity here that nobody is taking. Oh well, I'll just go back to reading Facebook." Come on man! Do it!

        • by ron_ivi ( 607351 )
          It's not a billion dollar opportunity so long as people think email privacy is secured adequately by policies and legislation.

          I think the best thing in the world for internet privacy/security would be if the laws were changed to state: "You have no expectation of privacy in any plain text email (other other communication) on the internet. Any such content can be freely used by your ISP, email hosting service, governments, ad-agencies, spammers, etc. If you want your email private, encrypt it.".

          With su

    • That still exposes headers. Sort of important if you're a political dissident who will be taken to task for even communicating with dangerous foreigners.

      • The communication between the client and server is fully encrypted including headers. If you can't trust the server you send the message to, it's no longer a MTIM attack but rather a server hijacking attack. If you encrypt the communication between the server and the client and encrypt the message body separately you are almost full proof. I realize nothing about this is as easy as it sounds but if it's required you will do it.

  • Imagine that. (Score:5, Insightful)

    by Black Parrot ( 19622 ) on Monday January 19, 2015 @01:27PM (#48851013)

    A state spying on it's own citizens... shameful. I'd be outraged, unless of course they said it was part of the war on terror, or whatever China's current favorite boogeyman is.

    • by Opportunist ( 166417 ) on Monday January 19, 2015 @01:32PM (#48851049)

      What?

      Damn those Chinese. Ain't it enough to copy our technology, do they have to copy our boogeymen now, too?

    • Re: (Score:1, Insightful)

      The Chinese Communist government has been at war with its own citizens since 1949. Nothing new here. There's Xinjiang separatists, but those are no big potatoes. China doesn't need an excuse, they govern by executive order. The biggest threat to the government is from its own people, so one can see why they would spy in this way.
  • by Anonymous Coward on Monday January 19, 2015 @01:44PM (#48851145)

    ...for Cameron's plans for the West.

    Capitalism with a Chinese face.

  • Microsoft-In-The-Middle.

  • by WD ( 96061 ) on Monday January 19, 2015 @02:33PM (#48851443)

    The evidence that China was performing MITM attacks on Outlook.com was because of temporary use of an SSL certificate chain that wasn't signed by one of the hundreds of root CAs included with modern operating systems. (and therefore the software complained)

    If the software people are using stops complaining about the SSL certificate chain, does that mean that they're not performing MITM anymore? Hell no. At the very least it means that they're just using an SSL certificate signed by one of the hundreds of trusted root CA certificates. You know, like CNNIC. The internet organization with ties to the Chinese government.

  • Microsoft Outlook, the email client... or Outlook.com the Hotmail replacement?
    • Hell, there's more iterations of Outlook than 2. Last year I was working in front line tech support, I was forced to acquaint myself with their existence.
  • by trippin_efnet ( 713714 ) on Monday January 19, 2015 @04:23PM (#48852069) Homepage
    Remember when we could look at these stories and say things like "Aww, those poor Chinese. Their government is awful, shady, intrusive, abusive, etc.." Now the U.S. government makes the Chinese government look good by comparison. -t
  • Isn't the NSA in the middle of everything already? How is this news?
  • The paper points that CNNIC is under government control and should not be trusted as a CA, but the attack described does not involve any CNNIC wrongdoing: the rogue certificates were self-signed

    That is nonsense to me. Indeed CA integrity should be questioned, but wrongdoing CA leaves trails, since a bad CA they issue is signed.

    • by T-ice ( 1069420 )
      I agree. Hopefully more user agents(MUA and browsers) will come with some system of certificate pinning on by default, just to be on the safe side. I'm confident that would offer motivation to keep CAs honest. And it's quite likely that we'd find a few that aren't so honest. Although, there is still what I call the "lavabit attack" (certificate theft by court action) which, if successfully kept silent, would be completely undetectable.
  • I bet the technical chinese users are becoming real good in VPN and simular technologies. Please tell me, what are the methods that still work to cross the great chinese firewall.? Any good blogs where this is discussed?

Life is a whim of several billion cells to be you for a while.

Working...