On March 26th, Google Chrome showed the error "Your connection is not private" to users in many regions of the country when they visited Github and Github Pages. Many users wanted to know why. My conclusion about this incident is that, because of BGP hijacking, the affected users in the country were connected to the wrong Github server.
To understand the whole picture of the incident, let's start with some basic background:
Why does this prompt appear
If you use Google Chrome, you may have seen other prompts besides "Your connection is not private", such as:
This page has a redirect loop
This site can't provide a secure connection; the server sent an invalid response
Your clock is behind / Your clock is ahead
The server has a weak ephemeral Diffie-Hellman public key
This page can't be displayed
Software on your computer is stopping Chrome from safely connecting to the web
Delete expired DigiCert certificate
You can guess that connecting to a server correctly is not as simple as it seems: it involves a series of careful checks, not only to ensure that you are reaching the correct server, but also to ensure that the data cannot be monitored or tampered with along the way. We need to know:
When users visit github.com, github.com only allows encrypted connections over HTTPS (in the browser's developer tools you can see that the github.com request comes back with the HTTP header Strict-Transport-Security: max-age=31536000; includeSubdomains; preload).
When establishing an encrypted connection over HTTPS, the browser asks the server to provide an SSL/TLS certificate, and then uses the public key of the certificate authority (CA) to verify the CA's digital signature on the certificate the server provided.
The error "Your connection is not private" appears because the certificate provided by the server failed verification. The following reasons may cause a certificate to fail verification:
The certificate has expired or does not meet requirements
If github.com's certificate had expired or did not use an acceptable encryption algorithm, the browser could not verify it (which of the prompts listed above is shown depends on the exact reason). However, judging by the prompt text, and since this incident only happened in the country while github.com could be accessed normally from abroad, this reason can be ruled out.
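As an added illustration (not code from the original article), the following Python mimics the three checks a browser performs on a server certificate: is the issuer a trusted CA, is the certificate within its validity period, and does a name in the certificate match the host being visited. The certificates are constructed in the shape of ssl.getpeercert() output, with a self-signed *.mail.qq.com certificate standing in for the one the hijacked server presented; the issuer name and dates are illustrative, not real GitHub or CA data.

```python
import ssl

# Constructed certificates in the shape returned by ssl.SSLSocket.getpeercert().
# Names and dates are illustrative, not real GitHub or CA data.
GITHUB_CERT = {
    "subject": ((("commonName", "github.com"),),),
    "issuer": ((("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert SHA2 High Assurance Server CA"),)),
    "notBefore": "May  5 00:00:00 2020 GMT",
    "notAfter": "May 10 12:00:00 2022 GMT",
    "subjectAltName": (("DNS", "github.com"), ("DNS", "www.github.com")),
}
HIJACKER_CERT = {  # self-signed: the issuer is the same name as the subject
    "subject": ((("commonName", "*.mail.qq.com"),),),
    "issuer": ((("commonName", "*.mail.qq.com"),),),
    "notBefore": "Mar  1 00:00:00 2020 GMT",
    "notAfter": "Mar  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "*.mail.qq.com"),),
}
# Stand-in for the browser's root store: the CA names it is willing to trust.
TRUSTED_CA_NAMES = {"DigiCert SHA2 High Assurance Server CA"}

def _cn(name):
    """Pull the commonName out of a getpeercert()-style distinguished name."""
    return next(v for rdn in name for k, v in rdn if k == "commonName")

def _match(pattern, host):
    """RFC 6125-style match: '*' only as the whole left-most label of 3+ labels."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or (p[0] == "*" and len(p) < 3):
        return False
    return all(a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def verify(cert, hostname, now, trusted=TRUSTED_CA_NAMES):
    """Return 'OK' or the first reason a browser would reject this certificate."""
    issuer = _cn(cert["issuer"])
    if issuer == _cn(cert["subject"]) or issuer not in trusted:
        return "untrusted issuer (self-signed or unknown CA)"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        return "expired or not yet valid"
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(_match(s, hostname) for s in sans):
        return "hostname mismatch: certificate is for " + ", ".join(sans)
    return "OK"
```

Real browsers also check the full chain, revocation and key strength; the qq certificate here fails at the very first step because nobody in the trust store signed it.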
DNS resolution error
When we visit github.com, the domain name must first be converted to an IP address: the browser first looks in the local hosts file and, if no matching record is found, asks the DNS server to resolve it (some steps that have nothing to do with this article are omitted here; the full process is described in what-happens-when). If the DNS server resolves the name wrongly or has been poisoned, github.com resolves to the wrong IP address and users reach the wrong server, which cannot present the correct certificate. However, according to screenshots provided by netizens, DNS resolved to the correct Github IP address, which rules out this reason as well.
Correct IP address, wrong server
Even if you know the correct IP address, it does not mean you are connected to the server that legitimately owns that IP. What does that mean? Recall that when you use SSH with an IP address to connect to a remote server you have never accessed before, this prompt appears:
The authenticity of host '138.197.19.xxx (138.197.19.xxx)' can't be established.
ECDSA key fingerprint is SHA256:qwR9naUT7NA6RrLSnu9RQ/jR1fJ2K5eakv52ONEyuOE.
Are you sure you want to continue connecting (yes/no)?
Most people simply choose yes and ignore this information, but why does the SSH protocol have this "extra prompt"? Simply put, the IP protocol cannot be trusted on its own. A malicious server may use ARP spoofing or other means to claim that it is the server with a given IP address; you cannot believe a server is at an IP address just because it says so. To prevent this problem, third-party VPS vendors such as DigitalOcean publish the fingerprint of each server on their web page. When you connect for the first time, you compare the fingerprint in the prompt with the one on the web page to make sure you are not connected to the wrong server. After the first successful connection, the client saves this information in the local known_hosts file, which means the server will be trusted from then on. ARP spoofing is beyond the scope of this article, because ARP can only be spoofed within a subnet. We mainly discuss another method, called BGP hijacking.
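As an added example that is not from the original article, this Python reproduces the client-side check behind that prompt: computing OpenSSH's SHA256 key fingerprint and comparing a presented host key with the entry saved in known_hosts. The keys and the 203.0.113.10 host address are constructed, and hashed known_hosts entries are not handled.

```python
import base64
import hashlib
import struct

def ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b

def public_key_blob(key_type, raw_key):
    """Build the blob that appears base64-encoded in known_hosts / authorized_keys."""
    return ssh_string(key_type.encode()) + ssh_string(raw_key)

def fingerprint(blob):
    """OpenSSH's SHA256 fingerprint: base64 of SHA-256 over the key blob, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts_line(line):
    """Return (hostnames, key_type, blob) from one plain (unhashed) known_hosts line."""
    hosts, key_type, b64 = line.split()[:3]
    return hosts.split(","), key_type, base64.b64decode(b64)

def check_host_key(known_hosts, host, presented_blob):
    """Mimic the client's decision: 'new' when the host is unknown (the prompt quoted
    above), 'match' when the stored key agrees, 'MISMATCH' when a different key is shown."""
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hosts, _, blob = parse_known_hosts_line(line)
        if host in hosts:
            return "match" if blob == presented_blob else "MISMATCH"
    return "new"

# Constructed sample keys (not real servers): 32 bytes stand in for an Ed25519 public key.
REAL_KEY = public_key_blob("ssh-ed25519", bytes(range(32)))
IMPOSTOR_KEY = public_key_blob("ssh-ed25519", bytes(range(32, 64)))
HOST = "203.0.113.10"  # constructed documentation address
KNOWN_HOSTS = f"{HOST} ssh-ed25519 {base64.b64encode(REAL_KEY).decode()}\n"

if __name__ == "__main__":
    print("fingerprint:", fingerprint(REAL_KEY))
    print("first contact:", check_host_key("", HOST, REAL_KEY))
    print("impostor after trust:", check_host_key(KNOWN_HOSTS, HOST, IMPOSTOR_KEY))
```

The "MISMATCH" branch is what OpenSSH turns into its "REMOTE HOST IDENTIFICATION HAS CHANGED" warning: the address is right, but the key behind it is not the one you trusted.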
What is BGP
BGP is a routing protocol. We know that connecting to a server uses the IP protocol, and that the connection has to pass through a series of routers (each step is known as a hop). Each router is only responsible for distributing routing tables for its own network segment; the BGP protocol is an optimal-routing algorithm for routing between them. It uses the Bellman-Ford algorithm to help us efficiently find the optimal routing path from server A to server B, and domestic carriers use it to plan routes. In a terminal, we can use the traceroute command to see this router path.
What is BGP hijacking
BGP hijacking is when some ASes announce that they own an IP address range in order to direct requests for that address to a malicious server. An AS in the figure below refers to a network of a large number of computers in an area; the various operators in China each manage corresponding ASes. After users learn github.com's IP address, they start from AS 1 and normally should reach the Github server in AS 4. However, AS 5 and AS 6 tell BGP that they hold github.com's IP address and mislead BGP's path selection, so the user ends up reaching the server in AS 6 while believing (according to the IP address) that they are connected to the correct server. Fortunately, because the AS 6 server cannot provide the correct Github certificate, the HTTPS connection cannot be established, and this is the real cause of the entire incident. Cloudflare has a very good article, What Is BGP Hijacking?, which explains what BGP is and what BGP hijacking is.
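To make the AS 1 to AS 6 scenario concrete, here is an added Python simulation (not from the article or from Cloudflare) of simplified BGP route selection, together with a ROA-style origin check of the kind RPKI route origin validation performs. The prefixes, AS paths and ROA record are constructed: 203.0.113.0/24 stands in for Github's real prefix and the AS numbers follow the article's figure.

```python
import ipaddress

# Constructed routing table for the article's abstract topology: AS 1 is the user's
# network, AS 4 legitimately originates the prefix, AS 5 and AS 6 are the hijackers.
LEGIT = ("203.0.113.0/24", [2, 3, 4])   # learned via AS 2 -> AS 3 -> AS 4 (origin)
HIJACK = ("203.0.113.0/25", [5, 6])     # more-specific prefix, origin AS 6

# ROA-like record: who may originate the prefix and the longest length allowed.
ROA = {"203.0.113.0/24": {"origin_as": 4, "max_length": 24}}

def best_route(table, ip):
    """Longest-prefix match, then shortest AS path (a simplified BGP decision)."""
    addr = ipaddress.ip_address(ip)
    candidates = [(ipaddress.ip_network(p), path) for p, path in table
                  if addr in ipaddress.ip_network(p)]
    if not candidates:
        return None
    net, path = max(candidates, key=lambda c: (c[0].prefixlen, -len(c[1])))
    return str(net), path

def validate_origin(prefix, path, roas=ROA):
    """RPKI-style origin validation: 'valid', 'invalid' or 'not_found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, roa in roas.items():
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if path[-1] == roa["origin_as"] and net.prefixlen <= roa["max_length"]:
                return "valid"
    return "invalid" if covered else "not_found"

def resolve(table, ip):
    """Where a packet to ip actually goes, and whether an origin check would flag it."""
    route = best_route(table, ip)
    if route is None:
        return None
    prefix, path = route
    return {"prefix": prefix, "origin_as": path[-1], "rpki": validate_origin(prefix, path)}

if __name__ == "__main__":
    print("before hijack:", resolve([LEGIT], "203.0.113.7"))
    print("after hijack: ", resolve([LEGIT, HIJACK], "203.0.113.7"))
```

The more-specific /25 wins purely on prefix length, which is why the user reaches AS 6 with the correct IP address; only a check against the expected origin, or the failed certificate check at the TLS layer, exposes the detour.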
Throughout the incident, an organization or individual used BGP hijacking to point the IP address of github.com to a server using a self-signed certificate for a qq mailbox. Since the browser did not trust the certificate, the "Your connection is not private" error message appeared. This is not the first time something like this has happened. In 2008, Pakistan's ISP used BGP hijacking to block users from browsing YouTube. In 2018, hackers redirected traffic from Amazon's DNS servers through BGP hijacking and then stole cryptocurrency.