You Can Surf From China. But Should You?

In Beijing, Internet access will soon be in high demand: Half a million people are expected to visit the city of 17 million for the Olympics, and most of them will want web-based access to personal and corporate sites. This may well be the largest international remote access event ever. Much of the attention has been around whether visitors can surf the Internet. But some people are wondering whether they should. Is it safe to surf from China?

“With Software-as-a-Service applications, more users will access their applications across the Internet, so companies can’t rely on physical or firewall access,” said Marc Gaffan, director of product marketing for RSA’s Identity and Access Assurance Group. “The risks are significantly increased.” The U.S. government’s head of counter-espionage, Joel Brenner, is also cautioning travelers to Beijing about identity theft and other threats.

Most users assume that a secure web connection makes them safe. After all, that little yellow SSL padlock doesn’t just mean your traffic is encrypted, it also tells you the URL you’re visiting is the one you wanted — right? Not always, said Jayson Agagnier, a security consultant who specializes in corporate counter-espionage. “On older browsers, the padlock will still be there even if the user accepts a certificate that is not publicly signed.”

To collect passwords, hackers only need to trick surfers into logging in. Many casual users won’t think twice about typing in and being redirected to, provided that the new site looks the same. “Obtaining a certificate is fairly easy,” said Gaffan, “and no one really checks the certificate in the lock.”

Phishing for usernames can happen anywhere, but when half a million people descend upon a country that heavily regulates its Internet, it’s an excellent opportunity for mischief. So how can organizations protect themselves? Here are some suggestions:

  • Have vacationing workers check URLs closely to be sure the site they’re on matches what they entered, even if it looks the same.
  • Get a more trusted — and more costly — Extended Validation certificate. These are harder for a fly-by-night operation to get because they require more thorough background checks.
  • Use dynamic passwords that change every minute, so even if someone intercepts a password it quickly expires.
  • Use “fat client” VPNs based on IPSEC or SSL instead of relying on a secure web login. VPN clients can’t be tricked into thinking they’re at the right site.

Capturing logins isn’t the only risk, however. It would take a real conspiracy to present a completely faked site, complete with the right URL and a valid SSL certificate. But if a government owns the network, it’s the lawful man in the middle, and it has the resources for such schemes. “You can control the DNS, display any page you like, entice people to log in,” said Gaffan. As IOC president Jacques Rogge said on July 31, “We are not running the Internet in China. The Chinese authorities are running the Internet.”

Agagnier says Olympics-related travel presents a huge industrial and economic espionage opportunity, but Gaffan says he thinks an elaborate network attack may be more work than it’s worth. “If I were a fraudster, I would just spend two hours in Beijing hotels and Internet cafes installing key loggers. You could collect names and passwords, even things like frequent flier numbers that could be used for corporate espionage to track the travel patterns of a competitor’s employees.

Syntenic CTO Daniel Koffler agrees: “I would be concerned about malicious WiFi access points … You don’t really need to own the back-end pipe; a cheap access point and an SSL proxy is all anyone on the street would need to collect some serious information. While you’re in Beijing, if the state wants your data, they’re going to get it. It’s the billion or so citizens you have to watch out for.”

Perhaps the best defense is to take the week off. Several enterprise IT professionals I interviewed for this story said they’re simply telling their users not to log in from China.