What if China went all GitHub on your website? Grab this coding tool

But testing tool's taking flak from top infosec bods

A security developer has released a coding tool that aims to help websites test their defences against a China-style GitHub attack.

China upgraded its infamous website blocking system, dubbed The Great Firewall, last year so that it was capable of blasting foreign businesses and orgs off the internet.

The weaponised censorship tool was reportedly deployed last March against US-based GitHub.com, which at the time was hosting two projects that circumvented the Great Firewall's censorship mechanisms, and against GreatFire.org, a free speech website dedicated to fighting China's web censorship.

The Great Firewall of China was used to alter the JavaScript files returned for requests to Baidu, so that visitors' browsers pushed a massive Layer 7 traffic flood against GitHub.

GitHub mitigated the assault but concerns remained that follow-ups, and perhaps even more powerful JavaScript-based DDoS assaults, might be launched.

In response, internet plumbers developed a technique called Subresource Integrity (SRI), which is geared towards pulling the fangs from this type of attack, as previously reported. The technique, backed by the World Wide Web Consortium (W3C), attaches a cryptographic hash to Content Delivery Network-hosted JavaScript and Cascading Style Sheet (CSS) assets so that a browser can refuse any copy that has been tampered with.

To encourage uptake of the technique, Gabor Szathmari has published a new service that scans websites for SRI hashes and grades them. The sritest.io service scans submitted websites and grades them on SRI compliance.
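The two mechanisms described above, generating an integrity hash for a CDN-hosted asset and then auditing a page for script and stylesheet tags that lack one, are shown below in an added Python example. This is illustration code written for this article, not code from sritest.io or from the W3C specification; the asset bodies, the page markup and the `cdn.example` URLs are constructed samples.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample: the body of a JavaScript asset a page loads from a CDN.
ORIGINAL_ASSET = b"window.greet = function () { return 'hello'; };\n"
# Constructed sample: the same asset after someone on the network path (or at the CDN)
# appended extra code. The comment stands in for whatever was injected.
TAMPERED_ASSET = ORIGINAL_ASSET + b"/* injected: extra code would go here */\n"

# SRI permits only these three digests; higher number = stronger algorithm.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for an asset body: '<algo>-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError("SRI only permits sha256, sha384 and sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag a site author pastes in. crossorigin="anonymous" is needed
    so the browser is allowed to check the bytes of a cross-origin resource."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def verify(body: bytes, integrity: str) -> bool:
    """Mimic the browser-side check. The attribute may list several space-separated
    values; only the values using the strongest algorithm present are considered, and
    the body is accepted if any of them matches."""
    parsed = []
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo in STRENGTH:
            parsed.append((algo, expected))
    if not parsed:
        return True  # no usable value: browsers treat this as 'no integrity' and load the file
    best = max(STRENGTH[a] for a, _ in parsed)
    return any(sri_hash(body, a) == f"{a}-{e}" for a, e in parsed if STRENGTH[a] == best)


class SriAudit(HTMLParser):
    """Collect external scripts and stylesheets and whether each carries an integrity attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str, bool]] = []  # (tag, url, has_integrity)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.findings.append(("script", a["src"], "integrity" in a))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.findings.append(("link", a["href"], "integrity" in a))


def audit_html(html: str) -> list[tuple[str, str, bool]]:
    parser = SriAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def grade(findings: list[tuple[str, str, bool]]):
    """Fraction of third-party subresources that carry integrity (None if there are none).
    Same-origin paths are skipped: SRI protects assets fetched from someone else's servers."""
    external = [f for f in findings if f[1].startswith(("http://", "https://", "//"))]
    if not external:
        return None
    return sum(1 for f in external if f[2]) / len(external)


# Constructed sample page: one CDN script with SRI, one CDN script and one CDN
# stylesheet without it, and one same-origin script that the grade ignores.
SAMPLE_PAGE = f"""<html><head>
<link rel="stylesheet" href="https://cdn.example/lib.css">
{script_tag("https://cdn.example/lib.js", ORIGINAL_ASSET)}
<script src="https://cdn.example/ads.js"></script>
<script src="/local/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/lib.js", ORIGINAL_ASSET)
    print(tag)
    print("original passes:", verify(ORIGINAL_ASSET, sri_hash(ORIGINAL_ASSET)))
    print("tampered passes:", verify(TAMPERED_ASSET, sri_hash(ORIGINAL_ASSET)))
    for kind, url, ok in audit_html(SAMPLE_PAGE):
        print(f"{kind:6} {url:32} integrity={'yes' if ok else 'NO'}")
    print("grade:", grade(audit_html(SAMPLE_PAGE)))
```

The verify function shows both sides of the argument in this article: the altered copy of the asset fails the check regardless of where it was changed, on the wire or at the CDN, but so would any legitimate update to the file, because the hash pins one exact byte sequence.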

More details about SRI and the scanning service can be found in the announcement on Szathmari’s blog here.

Szathmari told El Reg that the main target audience for the service was website developers. “These developers can go on to any URL on the website they are developing, and quickly assess and verify if SRI is implemented,” he explained.

Website owners and penetration testing security consultants might also find the service useful, Szathmari added.

Dynamic dilemma

Despite Szathmari's enthusiasm, and the W3C's backing, some independent experts remain unconvinced of the benefits of SRI. For example, Rob Graham of Errata Security told El Reg that although SRI is useful in “some narrow situations”, rolling the technology out would be problematic in dynamic website environments.

“It [SRI] is of course useful in some narrow situations, but the article largely gets it wrong,” according to Graham. “The issue isn't that they'll change on the network (as in the Great Firewall issue), but that files will change on the third party provider. We can already stop the network issue with SSL/TLS.”

“Moreover, it's hostile to the web, where files are changing constantly. You don't want a fixed JavaScript library that won't change, but the latest version with bug fixes and support for newer browsers,” he added.

Great Cannon blocker

Szathmari could not be reached immediately to respond to Graham’s criticism of the utility of SRI. However, his earlier explanation of the benefits of SRI gives a flavour of the arguments in favour of the technology.

“SRI could have partially mitigated that particular type of attack Great Cannon was doing. What they did is [serve] an advertising script from Baidu’s CDN. If someone visited any Chinese website from Taiwan for example, the great firewall replaced Baidu’s script with a malicious payload.”

SRI offers at least partial remediation against this type of JavaScript-based DDoS, according to Szathmari.

“SRI could have partially prevented this, because China was tampering with cleartext traffic served over http:// and passing through the Great Firewall of China,” Szathmari argued. “They could not tamper with https:// traffic though. However, China already demonstrated that they are willing to tamper with innocuous web traffic to weaponise it, and nothing prevents them from modifying the script at Baidu’s data-centres next time.”

Applications of the technology extend beyond further alleged malfeasance by the Chinese state, according to Szathmari.

Someone broke into MaxCDN in 2013 and tampered with the popular scripts served from their side project named BootstrapCDN, as explained in a post-mortem by the firm after the attack here.

SRI could have protected website visitors in this case, according to Szathmari, who adds that BootstrapCDN now includes the SRI hashes in the tags that website owners can copy-paste into their own websites.

Slow train to SRI

To El Reg's security desk, SRI seems akin to DNSSEC: there is a genuine debate about how useful the technology is, and that may be a factor in its slow roll-out.

Szathmari has his own take on the slow adoption of SRI. “The technology is relatively new and the adoption rate is poor, because website developers need to modify their HTML source code to include SRI hashes in the script and link tags,” he told El Reg.

“Website owners, who are not developers, may also add SRI without any programming skills. For instance WordPress now offers a plugin that adds the SRI hashes automagically once the plugin is installed,” he added. ®

Biting the hand that feeds IT © 1998–2022