
They already do this for Chinese traffic. They send traffic from China to Alibaba-controlled infrastructure.

Think about the consequences of that. Anyone who connects to your site from China is MITM by Alibaba.

And I would not be surprised if they were abusing their middlebox position to do all kinds of surveillance based on secret "warrants" in other places.



>Think about the consequences of that. Anyone who connects to your site from China is MITM by Alibaba.

Source? AFAIK their China product is entirely separate and you need to specifically sign up for it. AWS/Azure have similar arrangements in China but you wouldn't say the Cloudfront users are getting MITMed by the CCP.


I noticed this years ago while in China. I saw someone at a bar with a laptop out using my web site. I went and chatted him up, and I noticed a different TLS certificate. I don't recall if he moused over the lock icon or if his browser, or back then when browsers showed the issuer in the address bar. Freaked me out.

Apparently it's JD Cloud now. Or maybe it was the, and I don't recall correctly. It was a Chinese company, and it really freaked me out when I saw it.

Our company did not do any configuration to enable this behavior. This was in 2017.

AWS was a completely separate entity in China at the time. Fully backdoored of course. Opening an account there required a local company.

With Cloudflare, they were straight up MITMing our site, which had nothing to do with China at all.


Are you sure they weren't using a corporate machine with some sort of MITM proxy? That seems far more plausible than what you're suggesting. Moreover it's unclear why they'd even bother minting a new certificate for the China side, rather than copying the certificate like they do for all their other POPs.


Yeah, I'm sure it wasn't a corporate MITM. I turned off my VPN and saw the same on my own machine.

I guess Cloudflare isn't doing this any more by default.

They probably didn't share the other cert because they'd have to give the private keys to these Chinese partners.


Yes, I haven't done CDN work in a few years, but AFAIK that applies to all of the cloud "partners" in PRC as well. The customer needs to sign up with the PRC entity, provide ICP & local contacts, etc.

I would say that any MIIT-approved infrastructure provider _is_ co-opted by the CCP. It's the entire point of requiring ICPs, tying the ICPs to network addresses/endpoints, and infra providers to be local entities; the MIIT gets their MITM equipment and RTBH routes directly into the provider's local DC.


Isn't anyone who connects from China getting MITM'd by the Great Firewall anyway?


No, it just blocks you.



