
Does baidu have any say in this at all? Were they hacked to include this script or they just passively allowed it?


The Great Firewall of China can be used to "weaponize" any website passing through it. So, it can be used to inject a malicious script on Baidu delivered to non-Chinese IPs (as we see here) or Chinese IPs. It can also be used to inject a malicious script into Google AdSense for Chinese IPs as well, as China has control of a digital certificate provider accepted by all major browsers and operating systems. One of these has issued SSL certificates that can be used to impersonate Google et al. this year.

The bottom line is that, much like The Matrix, everything within China is still part of that system and can be weaponized by the Chinese government. So, be sure you never have anything from within Chinese IP address space loaded by your web pages or apps.


And remember to remove the CNNIC Root CA from your certificate store unless you know you need it.


Baidu have not been hacked. Their servers reside inside the Great Firewall, meaning any request from outside China has to traverse the GFW before arriving at Baidu's servers. During traversal of the GFW, the Chinese gov is modifying the Baidu server response with malicious JavaScript.

Baidu has no say in the matter. They could try and help GitHub by swapping to only serving their analytics scripts over HTTPS. Even then, this would only help once a large majority of existing websites that use Baidu analytics have updated their website code to point to the HTTPS URL. Until then the attack would probably still continue to work.
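One way to check a site for the fix this comment describes, as an added Python example that is not part of the thread: it scans a page's HTML for script, iframe and stylesheet includes fetched over plain HTTP (or protocol-relative on an HTTP page), which anything on the network path could rewrite, and proposes the explicit https URL for each. The hostnames in the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose resource can run code or restyle the page if rewritten in transit.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "link": "href"}
CODE_LINK_RELS = {"stylesheet", "preload", "modulepreload"}

class PlaintextIncludeFinder(HTMLParser):
    def __init__(self, page_scheme):
        super().__init__()
        self.page_scheme = page_scheme  # scheme the HTML page itself is served over
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_TAGS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = (attrs.get(attr_name) or "").strip()
        if tag == "link" and (attrs.get("rel") or "").lower() not in CODE_LINK_RELS:
            return  # favicons and similar links cannot execute
        parts = urlsplit(url)
        if parts.scheme == "http":
            reason = "loaded over plain http"
        elif not parts.scheme and url.startswith("//") and self.page_scheme == "http":
            reason = "protocol-relative, so it inherits http from the page"
        else:
            return  # https, data:, or a same-origin relative path
        # Pointing the tag at an explicit https URL is the rewrite the thread describes.
        fix = "https:" + (url[len("http:"):] if parts.scheme else url)
        self.findings.append({"tag": tag, "host": parts.netloc, "url": url,
                              "reason": reason, "fix": fix})

def find_plaintext_includes(html, page_url):
    finder = PlaintextIncludeFinder(urlsplit(page_url).scheme)
    finder.feed(html)
    return finder.findings

# Constructed sample page; the hostnames are placeholders, not real services.
SAMPLE_HTML = """<html><head>
<script src="http://analytics.example.com/tracker.js"></script>
<script src="//cdn.example.org/lib.js"></script>
<script src="https://cdn.example.org/safe.js"></script>
<link rel="stylesheet" href="http://cdn.example.org/site.css">
<link rel="icon" href="http://cdn.example.org/favicon.ico">
</head><body></body></html>"""

if __name__ == "__main__":
    for f in find_plaintext_includes(SAMPLE_HTML, "http://www.example.com/"):
        print(f"{f['tag']:6} {f['url']}  ({f['reason']}; use {f['fix']})")
```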


It sounds to me like, despite Baidu not being involved, they are being used as a vector of attack. It seems reasonable for anyone using Baidu to find an alternative for all of their services. After seeing that China is modifying responses, how can we trust any request that goes past the GFW?


"It seems reasonable for anyone using Baidu to find an alternative for all of their services."

As always, the majority of them simply don't care. Did many people stop using Google after Snowden's leaks on this side of the GFW?


> After seeing that China is modifying responses how can we trust any request that goes past the GFW

You can't unless it's an HTTPS request (and even then you may still want to be suspicious).


For HTTP connections, is there a current best practice that a JavaScript author can use to make sure that their code hasn't been modified by a MitM prior to execution in the browser?


Use HTTPS. That's it. With HTTP any part of a web page's code can be altered/replaced by a MitM attack. So any theoretical protection a JavaScript author put in place to try and detect a MitM attack could also easily be circumvented.


As the article points out, the innocent request to Baidu is being intercepted by China and replaced with a malicious script.


Various sources are reporting that Baidu says they haven't been hacked, but I'm having trouble finding their source.

e.g., Ars - http://arstechnica.com/security/2015/03/github-battles-large...



