
Are there “master keys” to the Internet?

Interesting article in the New York Times, “How China meddled with the Internet,” based on a report to Congress by the United States-China Economic and Security Review Commission. The Times article talks about an incident where IDC China Telecommunication broadcast inaccurate Web traffic routes for about 18 minutes back in April. According to the Times, Chinese engineering managers said the incident was accidental, but didn’t really explain what happened, and “the commission said it had no evidence that the misdirection was intentional.” So there was a technical screwup, happens all the time, no big deal? Or should we be paranoid?

No doubt there’s a lot to worry about in the world of cyber-security, but what makes the Times article interesting is this contention (not really attributed to any expert):

While sensitive data such as e-mails and commercial transactions are generally encrypted before being transmitted, the Chinese government holds a copy of an encryption master key, and there was speculation that China might have used it to break the encryption on some of the misdirected Internet traffic.

That does sound scary, right? China has an “encryption master key” for Internet traffic?

Except it doesn’t seem to be true. Experts tell me that there are no “master keys” associated with Internet traffic. In fact, conscientious engineers have avoided creating that sort of thing. They use public key encryption.

So why would the Times suggest that there’s a “master key”?

Comments

  1. Is it not true that the common SSL encryption scheme used online does have a passkey of some sort integrated into its structure for trusted providers, i.e., the top tier connection providers? I’ve heard this discussion come up several times back during the Blackberry fuss in the Mideast, and it was pointed out that some of the entities entrusted with the required authentication keys were in no way trustworthy at all.

    Sounds like the Times is making a hash of this issue (just as I am - I lack the technical mojo to properly lay out the underlying issues), but I believe that there is something there - the Internet by design relies on trusted peers, but not everyone online plays by those rules.

  2. I think Trey is correct: I suspect that China is in fact a Certificate Authority, but the danger of that is not that they could somehow ‘break the encryption’ of misdirected traffic, but that they could use that certificate to make a man-in-the-middle or impersonation kind of attack work without raising any kind of ‘This site is untrusted’ flags.
