China has historically been an adversary worth mentioning when it comes to privacy tools.

While I’m not going to get into the philosophical or political aspects of whether China has a right to filter its citizens’ internet access or not, the fact of the matter is that they are constantly trying to break the privacy protections of several systems.

The biggest example is their approach to blocking Tor, on many, many occasions. Everything they’ve done in that case has generally been a somewhat complex, well-thought-out attack. Does it take a powerful country such as China to break most systems? And what is China’s interest in iCloud?

WHAT DOES CHINA HAVE THAT MOST ATTACKERS GENERALLY DON’T?

As with some of the attacks on Tor, what China seems to be doing with iCloud users tells us two things:

  1. They are making use of the network vantage point.
  2. They do not need to come up with new tricks to screw over most systems.

So you don’t really need to be a powerful country; you just need to be “standing” in the right place and be up to date with the different kinds of attacks on the technology in use.

China has total access to the wires that carry internet traffic in and out of the country, and they can do whatever they want with what goes through them.

The attack they are performing is a simple man-in-the-middle attack. When you can get a Certificate Authority to sign a certificate for somebody else’s domain (if you are a country, I bet it can’t be too hard), this is quite an effective attack: the certificate chains to a trusted root, so the user sees no unknown-certificate warning or anything like that.

So, it’s a known, really simple attack that takes advantage of the attacker’s access to a really important network point. That might look like something only a big country can pull off, and yes, at a whole-country scale that’s the only way. BUT I can sit in a coffee shop with WiFi, exploit a vulnerability, and see anything and everything you’re doing while you sip your latte.

HOW DOES SPIDEROAK PROTECT ITS USERS FROM THIS KIND OF ATTACK?

The most effective protection against this kind of attack is certificate pinning, which SpiderOak has done since version 0.0.1. Does that mean SpiderOak is “China-proof”? No, of course not. There will always be attacks. But as usual, it’s not about making a system “unbreakable”, it’s about making a system as hard to break as possible.
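To make concrete both the attack described above (a CA-issued certificate for someone else’s domain that passes ordinary chain validation) and the pinning defense this section names, here is an added example in Python. It is not SpiderOak’s code and says nothing about how SpiderOak’s client implements pinning; it assumes the common “pin-sha256” form (base64 of the SHA-256 of the DER-encoded certificate), a hypothetical host `cloud.example`, and constructed byte strings standing in for real DER certificates.

```python
"""Certificate pinning check (added example, not SpiderOak code).

A CA-issued certificate for someone else's domain passes ordinary chain
validation, so a client that trusts the CA store alone shows no warning.
Pinning adds a second check: the certificate the server presents must
match one of a small set of hashes the client shipped with.
"""
import base64
import hashlib
import hmac
import socket
import ssl


def pin_of(cert_der: bytes) -> str:
    """Pin = base64(SHA-256(DER certificate)), the usual 'pin-sha256' form."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def check_pin(cert_der: bytes, pins: set[str]) -> bool:
    """True only if the presented certificate matches a pinned hash.

    hmac.compare_digest keeps the comparison constant-time; checking every
    pin means a backup pin (kept for key rotation) is accepted too.
    """
    presented = pin_of(cert_der)
    return any(hmac.compare_digest(presented, p) for p in pins)


def connect_pinned(host: str, port: int, pins: set[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection, run normal chain/hostname validation, then pin.

    Pinning sits *after* standard validation, not instead of it. A mismatch
    is a hard failure: the socket is closed and an exception raised, because
    at that point the peer may be an interposed box, not the real service.
    """
    ctx = ssl.create_default_context()  # CA store and hostname check stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not check_pin(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match any pin")
    return tls


# Constructed stand-ins for DER-encoded certificates (not real certificates):
# the legitimate server cert, the backup cert the operator will rotate to,
# and a rogue cert that a cooperating CA signed for the same hypothetical domain.
LEGIT_CERT_DER = b"constructed-der:cloud.example:key-A"
BACKUP_CERT_DER = b"constructed-der:cloud.example:key-B"
ROGUE_CERT_DER = b"constructed-der:cloud.example:attacker-key"

# Pins shipped in the client: the current cert plus one backup so a planned
# rotation does not lock users out.
PINS = {pin_of(LEGIT_CERT_DER), pin_of(BACKUP_CERT_DER)}


def demo() -> dict[str, bool]:
    """Show what pinning adds over CA trust alone.

    All three constructed certs are, in this scenario, signed by a trusted CA,
    so a store-only client would accept all three. The pin check accepts only
    the two the client was told to expect.
    """
    return {
        "legit": check_pin(LEGIT_CERT_DER, PINS),
        "backup": check_pin(BACKUP_CERT_DER, PINS),
        "rogue": check_pin(ROGUE_CERT_DER, PINS),
    }


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'backup': True, 'rogue': False}
```

The design choice worth noting is the order of checks in `connect_pinned`: standard validation still runs, and the pin is an additional condition on top of it, so a certificate that a trusted CA mis-issued is rejected even though the trust store would accept it. Shipping a backup pin alongside the current one is what keeps a hard-fail policy survivable when the server key is rotated.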