China exploiting lack of encryption, advocate says

If Chinese search giant Baidu was using more widespread encryption, the recent cyberattack against popular coding site GitHub would have been impossible, according to a digital rights advocate.

Beijing officials are widely thought to have orchestrated the massive digital assault against GitHub in an effort to suppress content content that is normally blocked in the country.

ADVERTISEMENT

The Electronic Frontier Foundation (EFF) called the incident a "disquieting and unprecedented development in the history of state-orchestrated [cyber]attacks.”

Hackers directed high volumes of traffic at certain pages on GitHub in an effort to knock them offline. The strategy is known as a distributed denial-of-service (DDoS) attack.

In a blog post, EFF software engineer Bill Budington said the digital attackers benefited from the fact that Baidu, essentially China’s version of Google, doesn’t automatically use a form of encryption called "HTTPS" for its analytics script on websites.

Analytics are the browsing data that search engines, browsers and social media sites collect on their users.

The unencrypted analytics script allowed hackers to inject malicious software that hijacked a user’s browser.

“This was only possible due to the fact that the Baidu analytics script included on sites is not using encryption by default,” Budington said.

From there, the hackers were able to direct traffic from these browsers toward GitHub. It’s suspected the Chinese government co-opted millions of computers around the world.

“These facts allowed China to marshal an incredible number of ‘zombie’ systems both inside and outside of China, making billions of requests in an attempt to overwhelm the targets' servers,” Budington said.

Since government leaker Edward Snowden’s disclosed government hacking programs, major U.S. tech firms like Google and Facebook have adopted added HTTPS features. But the practice has not necessarily spread worldwide, allowing governments to exploit Internet users and promote censorship, the EFF argued.

“These attacks were a deep violation of the basic trust that allows the Internet to function smoothly,” Budington said.