Community code sharing website GitHub was subject to a man-in-the-middle attack on Saturday, Jan. 26, that affected users in China. The attack involved a fake GitHub SSL certificate, which could have allowed the attacker(s) to intercept communication between affected users and GitHub.com, provided those users did not see, or failed to heed, the warning generated by their Web browsers.
GreatFire.org, a blog that follows issues related to censorship in China, has proposed a theory about the motivation for the attack.
A petition posted on Whitehouse.gov last week asks the U.S. government to prevent technology professionals involved in censorship from entering the country.
As an example, the petition cites academics who allegedly helped create the so-called "Great Firewall of China," the country-wide IT infrastructure for censoring speech. And it points to a list of alleged censorship enablers, several Chinese computer engineers and cryptographers, hosted on GitHub, to which commenters have added additional names and a link to a more detailed list of supposed architects of China's censorship system.
Normally, such provocations would simply be blocked by Chinese authorities. But GitHub's combination of code and communication presents a challenge to censors. That's evident from a prior incident in which GitHub was blocked in China.
"Early last week, it appeared that GitHub was being at least partially blocked by the Great Firewall of China," a GitHub spokeswoman said in an email. "After a couple days, it appeared that GitHub was no longer being blocked. Currently, GitHub.com appears to be operating normally in China."
Though several reasons for the attack have been proposed, the service disruption prompted many objections, including one from prominent Chinese technologist Kai-Fu Lee, who ran Google's operations in China before Google and the Chinese government had a falling out. Lee insisted that blocking GitHub would hurt Chinese programmers, many of whom rely on the social coding service, and that GitHub was apolitical.
Chinese authorities block large websites like Facebook and certain Google services without much blowback. But GitHub is different. With only 3 million users and 5 million code repositories, it punches above its weight as measured in users. GreatFire.org founder Martin Johnson — a pseudonym used for protection — observes in his post that cutting off GitHub affects too many Chinese technology businesses, making the site too important to block.
"That leaves the authorities in a real pickle," Johnson wrote. "They can't selectively block content on GitHub nor monitor what users are doing there. They also cannot block the website altogether lest they hurt important Chinese companies. ...Because all traffic to GitHub is encrypted, and because it seems that the authorities have backed off from blocking the website completely, the only tool left in the censorship toolbox is man-in-the-middle attacks."
There continues to be debate about whether the Chinese government was involved in the attack on GitHub in any capacity. Chinese authorities and their supporters would of course insist they had no involvement in this incident.
What makes GitHub interesting from a censorship point of view is that it combines a critical business service — collaborative coding — with social interaction. China can block websites that are purely social or that combine social interaction with entertainment, like Facebook, and its economy won't suffer much. But censoring websites that combine social interaction with economically important activities like software development becomes an exercise in cutting off one's own tongue to save face — an ill-advised way to limit free speech.
To some extent, this is why Google's services are only selectively blocked — authorities in China may object to specific YouTube videos but they don't want to deprive everyone in China of Gmail and other services.
Johnson said he believes GitHub has a special status because it is a Web service that's popular with Chinese users but isn't hosted in China.
"I believe Gmail is similar," he wrote in an email. "Gmail offers encrypted email where you can send and receive any data without the authorities being able to track it. It's a minority player in the Chinese market, but large enough that the authorities have likely backed down from blocking it completely. Switching from YouTube to YouKu is easy. Switching email providers -- and losing your contacts, your history and having to tell everybody to use your new address -- is much more painful. Github is similar. Switching to a different provider means that the whole team has to switch, and that often includes people who are not in China. Plus Github offers access to lots of open source projects that can't easily be duplicated if the site is blocked."
He added, "I believe -- and hope -- that it can be effective. We now have two important, all-encrypted Web services that are available to sizable minorities of Chinese users. With more and more websites switching to HTTPS, I hope others join the club. Though, if the website isn't important enough, the danger of switching is that it will simply be blocked. Wikipedia could switch to HTTPS only -- but there is a real chance that it would just be blocked altogether if it did."
But GitHub differs from Google in one important aspect: Its entire business is speech, the functional speech of code in a combustible social context.
Or to put it in the git vernacular:
$ git commit -m 'Censor this!'