Chinese authorities launched a ‘devious’ man-in-the-middle attack against the IMAP and SMTP services of Microsoft’s Outlook email system, reported the non-profit online censorship watchdog GreatFire. GreatFire also urged Microsoft, Apple and other major software vendors to immediately revoke trust in the China Internet Network Information Center (CNNIC) certificate authority.
If I’m Alice and you are Bob, then over the weekend China’s official Cyberspace Administration (CAC) was man-in-the-middle attacker Mallory. Chinese authorities were less Big Brother in the browser and more of an evil eavesdropper on Chinese users who attempted to access Outlook email via email clients like Outlook, Mozilla’s Thunderbird and mobile apps using email protocols IMAP (for receiving) and SMTP (for sending).
Although GreatFire noted that users accessing Outlook via the browser were not affected, the MITM attack against IMAP and SMTP for Outlook was “especially devious.” That’s “because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers.” The censorship watchdog urged users never to ignore certificate error messages or bypass the warning by clicking “continue.”
In addition, email clients normally run in the background. Users will only see an abrupt pop-up warning when the client tries to automatically retrieve messages. Users will then be able to tap on a “continue” button and ignore the warning message. As the user did not initiate the retrieval of emails, most users will not think twice about clicking on “continue” and will likely attribute the warning message to a network problem. If users do click on the “continue” button, then all of their emails, contacts and passwords will be logged by the attackers.
A few weeks ago, China blocked Gmail and the email service is still entirely inaccessible to Chinese users. The latest MITM attack is similar to other such attacks on Google, Apple and Yahoo conducted by Chinese authorities. GreatFire suspects the Cyberspace Administration of China of having orchestrated or willingly allowed the attack on Outlook. “If our accusation is correct,” GreatFire said, “this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor.”
Time to revoke trust for CNNIC CA
GreatFire also urged Microsoft, Apple and other major software vendors to immediately revoke trust in the China Internet Network Information Center (CNNIC) certificate authority. “CNNIC is directly governed by the Cyberspace Administration of China and should not be trusted as a certificate authority by major software vendors.”
This is not the first time GreatFire has called for a revocation of CNNIC CA. Back in October, GreatFire warned, “Microsoft, Apple and Mozilla among others, trust CNNIC (China Internet Network Information Center) to protect your communications on their platforms by default, regardless of whether or not you are in China. CNNIC has implemented (and tried to mask) internet censorship, produced malware and has very bad security practices. Tech-savvy users in China have been protesting the inclusion of CNNIC as a trusted certificate authority for years.”
“CNNIC can issue certificates to intercept encrypted connections without your knowledge,” the watchdog said. Large-scale MITM attacks would likely be discovered, but highly targeted attacks can go unnoticed, like the large-scale attack on Microsoft’s Outlook back in October. At that time Microsoft downplayed the event, telling Mashable, “We’re aware of reports that a small number of account logins in China were affected by a redirect caused by invalid certificates.”
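The two problems the article describes, a mail client whose certificate warning can be dismissed with “continue,” and a trusted CA that can issue certificates for interception, both come down to what the client does after the TLS handshake. The following Python is an added example (not GreatFire’s, Microsoft’s or any mail client’s code) of a client with no “continue” button: it builds a TLS context in which verification cannot be bypassed, then applies a post-handshake policy (hostname match, pinned leaf fingerprint, locally distrusted issuer) to the certificate an IMAP or SMTP server presents. The certificate dict, DER bytes, issuer name and hostnames are constructed assumptions in the shape returned by `ssl.SSLSocket.getpeercert()`, not real Outlook or CNNIC certificates; `check_imap_server`, `check_smtp_server` and `evaluate_peer_cert` are hypothetical helper names.

```python
"""Strict IMAP/SMTP TLS checks (added example; sample data below is constructed)."""
import hashlib
import imaplib
import smtplib
import ssl
from typing import Optional, Tuple


def make_strict_context() -> ssl.SSLContext:
    """A context with no 'continue' button: chain verification and hostname
    checking are mandatory, so a certificate the trust store cannot validate
    for this host aborts the connection instead of raising a dismissable warning."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fingerprint_sha256(der_bytes: bytes) -> str:
    """Hex SHA-256 of the DER-encoded leaf certificate: the value a client pins."""
    return hashlib.sha256(der_bytes).hexdigest()


def rdn_value(rdn_seq, attr: str) -> Optional[str]:
    """Pull one attribute (e.g. 'organizationName') out of a getpeercert()-style
    subject/issuer sequence of relative distinguished names."""
    for rdn in rdn_seq:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def host_matches(cert: dict, host: str) -> bool:
    """Match host against the certificate's DNS SANs; a wildcard is honoured
    only in the leftmost label and only for the same number of labels."""
    host = host.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def evaluate_peer_cert(cert: dict, host: str, der_bytes: bytes,
                       pinned_sha256: Optional[str] = None,
                       distrusted_issuer_orgs: Tuple[str, ...] = ()) -> Tuple[bool, str]:
    """Post-handshake policy. Returns (accept, reason); a False result means the
    client drops the connection and sends no credentials."""
    if not host_matches(cert, host):
        return False, f"certificate does not name {host}"
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName") or ""
    # Illustrative local distrust by issuer organisation name (an assumption);
    # the robust fix is removing the CA's root from the trust store itself.
    if any(bad.lower() in issuer_org.lower() for bad in distrusted_issuer_orgs):
        return False, f"issuer {issuer_org!r} is distrusted"
    actual = fingerprint_sha256(der_bytes)
    if pinned_sha256 is not None and actual != pinned_sha256.lower():
        return False, f"fingerprint {actual[:16]}... does not match pin"
    return True, "ok"


def check_imap_server(host: str, port: int = 993, **policy) -> Tuple[bool, str]:
    """Implicit-TLS IMAP connect with the strict context, then apply the policy
    to the leaf the server presented. Network call; not part of the offline test."""
    with imaplib.IMAP4_SSL(host, port, ssl_context=make_strict_context()) as conn:
        sock = conn.sock
        return evaluate_peer_cert(sock.getpeercert(), host,
                                  sock.getpeercert(binary_form=True), **policy)


def check_smtp_server(host: str, port: int = 587, **policy) -> Tuple[bool, str]:
    """Same check for SMTP submission after STARTTLS. Network call."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls(context=make_strict_context())
        sock = smtp.sock
        return evaluate_peer_cert(sock.getpeercert(), host,
                                  sock.getpeercert(binary_form=True), **policy)


# Constructed sample in the shape of getpeercert(); not a real Outlook certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "outlook.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust Services (constructed)"),)),
    "subjectAltName": (("DNS", "outlook.com"), ("DNS", "*.outlook.com")),
}
SAMPLE_DER = b"constructed-der-bytes-not-a-real-certificate"

if __name__ == "__main__":
    pin = fingerprint_sha256(SAMPLE_DER)
    print(evaluate_peer_cert(SAMPLE_CERT, "imap-mail.outlook.com", SAMPLE_DER, pinned_sha256=pin))
    print(evaluate_peer_cert(SAMPLE_CERT, "imap-mail.outlook.com", SAMPLE_DER,
                             distrusted_issuer_orgs=("Example Trust",)))
```

The design point is that every failure path returns a refusal rather than prompting the user: an interposed certificate that chains to a trusted but unwanted CA fails the issuer policy, one that chains to no trusted CA never gets past `make_strict_context`, and a swapped leaf fails the pin even when it is otherwise valid. Pinning needs a maintenance plan, since the pinned value changes on every certificate renewal.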
As of today, if you surf over to China’s CNNIC site (https://www1.cnnic.cn/gywm/CNNICjs/jj/), here’s what Internet Explorer, Firefox and Chrome say about the CNNIC certificate: