[Full-disclosure] Gmail and China's GFW



Gmail can be blocked by simply blocking Google's SSL certificate(s).

When you visit Gmail, Google sends your browser its SSL Server
Certificate. Without this certificate, no connection can be made.

For example, running the following command, then browsing to
<https://mail.google.com/>, will produce the following output:

$ sudo ngrep -d eth0 -x 'Google Inc'
...
47 6f 6f 67 6c 65 20 49 6e 63 31 18 30 16 06 03 Google Inc1.0...
55 04 03 14 0f 6d 61 69 6c 2e 67 6f 6f 67 6c 65 U....mail.google
2e 63 6f 6d 30 81 9f 30 0d 06 09 2a 86 48 86 f7 .com0..0...*.H..
...

This output shows part of Google's ASN.1 encoded X.509 certificate.

Therefore, the following Linux firewall commands will stop any
connection to Gmail:

$ sudo iptables -I INPUT -m string --algo bm --hex-string
'|476f6f676c6520496e63311830160603550403140f6d61696c2e676f6f676c652e636f6d30819f30|'
-j DROP

Try it, you will get a connection timeout:

$ curl --connect-timeout 60 https://mail.google.com/
curl: (28) SSL connection timeout

The same applies for Twitter, Facebook... Much more efficient than
DNS/IP blocking!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: Secure web page?
    ... All SSL ensures is that the transport of data between your web browser ... matched the domain name in the domain name digital certificate ... entered as part of connecting to the website) ... ... domain name connection to the webserver that the user entered ... ...
    (alt.computer.security)
  • [UNIX] SSL Certificate Validation Problems in Ximian Evolution
    ... Due to missing SSL validation code, ... regarded invalid by camel) for the server and a self-signed certificate ... * Ximian Evolution version 1.0.x and earlier ... Imagine e.g. an IMAP connection over SSL. ...
    (Securiteam)
  • SSL certificate validation problems in Ximian Evolution
    ... Due to missing SSL validation code, ... regarded invalid by camel) for the server and a self-signed certificate ... Evolution 1.1.x is no ... Imagine e.g. an IMAP connection over SSL. ...
    (Bugtraq)
  • Re: Secure web page?
    ... All SSL ensures is that the transport of data between your web browser ... matched the domain name in the domain name digital certificate ... entered as part of connecting to the website) ... ... domain name connection to the webserver that the user entered ... ...
    (alt.computer.security)
  • RE: Locally created certificate for web site - works?
    ... If you want to test the SSL feature of IIS, you can set up one test ... environment in your machine to build one secure connection. ... Some Certificate Authoritiesmay provide some test certificates. ...
    (microsoft.public.inetserver.iis.security)