In the wake of claims that the Chinese authorities have mounted a MITM attack against iCloud and Microsoft account holders by redirecting them to spoofed login pages, Apple has published an update on iCloud.com security.
They didn’t name the Chinese government as the attacker. Instead, they simply said that they were “aware of intermittent organized network attacks using insecure certificates to obtain user information.”
“These attacks don’t compromise iCloud servers, and they don’t impact iCloud sign-in on iOS devices or Macs running OS X Yosemite using the Safari browser,” they made sure to note, and followed with some advice for users on how to check whether the login page they are on is the legitimate one.
“The iCloud website is protected with a digital certificate. If users get an invalid certificate warning in their browser while visiting www.icloud.com, they should pay attention to the warning and not proceed. Users should never enter their Apple ID or password into a website that presents a certificate warning,” they instructed.
They also showed how users can check whether the digital certificate used by the site is the correct one. The process is the same in Safari, Firefox and Chrome: click on the green lock in the toolbar next to “Apple Inc.” and trust the connection only if the browser describes it as encrypted, secure or trusted, or says that the identity of the website has been verified.
If the page is not what it seems, all three browsers will show a warning message saying that the connection is not private, that it is untrusted, or that the identity of the website can’t be verified.
There is no mention of how the validity of the certificate can be checked in the Qihoo browser, which is very popular in China, but according to web censorship watchdog Great Fire, which first raised the alarm on Monday, Qihoo seamlessly redirected users to the phishing pages and did not show any warning.
Great Fire has offered evidence about the attack, and believes that the Chinese authorities are behind it. Other security experts reviewed the evidence and say that this is the most likely theory.
Netresec analyst Erik Hjelmvik says that the packet capture file provided by Great Fire shows that the MITM attack is being performed “at several different locations rather centrally in the Chinese Internet infrastructure.”
“To be more specific, it appears as if the MITM attacks are being performed on backbone networks belonging to China Telecom (CHINANET) as well as China Unicom,” he shared, and added that “this use of self-signed certificates is consistent with previous SSL MITM attacks performed in China against GitHub, Google, Yahoo and live.com.”
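As an added example (not Apple’s or Netresec’s code), the Go snippet below does programmatically what the browser lock check described above does for a leaf certificate, and separately flags the self-signed indicator Hjelmvik points to. It takes a parsed certificate as Go’s crypto/tls hands one to a client; the self-signed certificate it builds for www.icloud.com is a constructed stand-in for demonstration, not the certificate observed in the attack.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Verdict is what a TLS client should conclude about a server's leaf certificate.
type Verdict struct {
	SelfSigned bool   // issuer names the subject and the cert's own key validates its signature
	Trusted    bool   // chains to a root in the pool and is valid for the requested host name
	Reason     string // verification error text when Trusted is false
}

// AssessLeaf checks a leaf the way the browser lock check does for host:
// does it chain to roots (nil means the system trust store) and match host?
// It also reports the self-signed indicator independently of the trust result.
func AssessLeaf(cert *x509.Certificate, host string, roots *x509.CertPool) Verdict {
	v := Verdict{SelfSigned: cert.Subject.String() == cert.Issuer.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil}
	if _, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		v.Reason = err.Error() // e.g. "certificate signed by unknown authority"
		return v
	}
	v.Trusted = true
	return v
}

// ConstructSelfSigned builds (for demonstration only) the kind of self-signed
// certificate a spoofed login page would present for host.
func ConstructSelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Against the system trust store the constructed certificate is reported as self-signed and untrusted; only if it were explicitly added to the root pool would it verify, and even then only for the host name it carries.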
The Chinese government denies being involved in the attack. “China is resolutely opposed to hacker attacks in all forms and China itself is a major victim of cyber attacks,” the Chinese Foreign Ministry spokeswoman Hua Chunying stated. According to the BBC, China Telecom also denied any involvement.