联通对 iCloud 服务器进行 SSL 劫持？

艹，影响范围似乎是全国，我在青岛和广西的节点上测试，也发现了同样的问题

可以使用命令
curl https://23.59.94.46 -vk -H'Host: www.icloud.com' -I
进行测试，如果结果里有

* Server certificate:
* subject: C=cn; O=www.icloud.com; CN=www.icloud.com
* start date: 2014-10-04 10:35:47 GMT
* expire date: 2015-10-04 10:35:47 GMT
* issuer: C=cn; O=www.icloud.com; CN=www.icloud.com
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

说明中招

Server certificate:
* subject: 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=California; businessCategory=Private Organization; serialNumber=C0806592; C=US; postalCode=95014; ST=California; L=Cupertino; street=1 Infinite Loop; O=Apple Inc.; OU=Internet Services for Akamai; CN=www.icloud.com
* start date: 2014-04-16 00:00:00 GMT
* expire date: 2016-04-16 23:59:59 GMT
* issuer: C=US; O=Symantec Corporation; OU=Symantec Trust Network; CN=Symantec Class 3 EV SSL CA - G3
* SSL certificate verify ok.

草 这样岂不是太恶心了 手机里的隐私联通岂不是直接拿去看了

移动4G测试没问题 看来以后联通上网的时候要小心了

@Showfom
主要还是钓浏览器，客户端不可能没有安全措施的。

山东联通正常?

联通 3G 也没问题。

其实苹果应该不会被中间人攻击的……苹果与中国政府关系挺好的，现在比微软都强

win下有没有命令可以测试？

* About to connect() to 23.59.94.46 port 443 (#0)
* Trying 23.59.94.46...
* connected
* Connected to 23.59.94.46 (23.59.94.46) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* subject: C=cn; O=www.icloud.com; CN=www.icloud.com
* start date: 2014-10-04 10:35:47 GMT
* expire date: 2015-10-04 10:35:47 GMT
* issuer: C=cn; O=www.icloud.com; CN=www.icloud.com
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> HEAD / HTTP/1.1
> User-Agent: curl/7.26.0
> Accept: */*
> Host: www.icloud.com
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache
Server: Apache
< Last-Modified: Tue, 16 Sep 2014 16:32:33 GMT
Last-Modified: Tue, 16 Sep 2014 16:32:33 GMT
< ETag: "5d35-503314c5d0a40"
ETag: "5d35-503314c5d0a40"
< Cache-Control: no-cache, no-store, private
Cache-Control: no-cache, no-store, private
< Expires: Sat, 18 Oct 2014 04:42:19 GMT
Expires: Sat, 18 Oct 2014 04:42:19 GMT
< Strict-Transport-Security: max-age=31536000; includeSubDomains
Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-UA-Compatible: IE=Edge
X-UA-Compatible: IE=Edge
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Language: en-us
Content-Language: en-us
< Date: Sat, 18 Oct 2014 04:42:19 GMT
Date: Sat, 18 Oct 2014 04:42:19 GMT
< Connection: keep-alive
Connection: keep-alive
* no chunk, no close, no size. Assume close to signal end

<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

武汉电信打开正常。

青岛联通curl确实有，vpn之后就好了。但是浏览器打开没提示啊。

@virusdefender 因为你DNS解析出来的不一定是这个地址啊

直接访问 https://23.59.94.46/ 查看证书是否自签名就知道了。北京联通重现。

不过，根据 http://alibench.com/rp/f5ea0ba25cbe95600d7cfb57aa4d47f2 测试，好像只有：
广东 中山 电信 0ms 23.59.94.46 [ 美国 ] 这一处的DNS会返回这个IP，其他98个都不是。

这种问题现在越来越多了...是不是以后国外网站必须得全局挂VPN或者代理呢

深圳电信确认23.59.94.46被中间人

$ mtr -T --port 443 -n 23.59.94.46
My traceroute [v0.85]
siyanmao-k29 (0.0.0.0) Sat Oct 18 19:26:07 2014
Keys: Help Display mode Restart statistics Order of fields
quit Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. 192.168.1.1 0.0% 17 0.6 0.7 0.6 0.8 0.0
2. ------------ 0.0% 16 2.8 2.6 1.7 3.3 0.3
3. ------------- 0.0% 16 2.0 2.2 1.4 4.0 0.4
4. ???
5. 119.145.47.78 0.0% 16 6.4 7.7 4.3 27.0 5.2
183.56.65.54
183.56.65.50
119.145.47.74
121.34.242.250
121.34.242.138
6. 23.59.94.46 25.0% 16 168.5 171.4 166.8 201.3 9.4

iCloud.com 的 https://23.48.140.239 和 https://23.13.186.46 这两个 iCloud 服务器上没有被替换证书。

但是直接访问 https://23.59.94.46/ ，在台湾没有被替换证书，换苏州联通的VPN后，证书被替换为自签名的证书。这况味着 iCloud 服务器在中国被人使用SSL中间人劫持，中国苹果用户隐私不保呀。

截图放在 http://www.zhoushuguang.com/2014/10/icloud-ssl-attack.html

curl https://23.59.94.46 -vk -H'Host: www.icloud.com' -I
* Rebuilt URL to: https://23.59.94.46/
* Hostname was NOT found in DNS cache
* Trying 23.59.94.46...

这咋回事？ 深圳联通

南方电信返回 60.254.134.46 没问题

天津电信返回IP 23.36.99.167，没啥问题……

刚看了一下，包括黑龙江、吉林、以及上海等的部分线路也有劫持。

估计是使用DNS TTL来做轮询，所以刚好轮到这个IP的时候就会出问题。

手机端有影响吗？感觉最近一次重刷恢复备份让我输了好几次密码……开启两步验证对这个有没有作用

经过BLOGGER、 freebuf、solidot、washable、people.com.cn、dw.de 等网站报道后，23.59.94.46上的中间人劫持似乎暂时停止了。

http://www.zhoushuguang.com/2014/10/icloud-ssl-attack.html

http://www.freebuf.com/news/47744.html
http://www.solidot.org/story?sid=41521
http://blog.zuola.com/2014/10/icloud-face-man-in-the-middle-attack-in-china.htm

http://mashable.com/2014/10/20/china-attacks-apple-microsoft/
http://it.people.com.cn/n/2014/1021/c1009-25874921.html
http://www.dw.de/a-18009603?maca=chi-rss-chi-all-1127-rdf

华尔街日报：苹果中国内地iCloud服务受攻击 http://cn.wsj.com/gb/20141022/tec071917.asp

苹果关于中国的中间人攻击事件的官方声明：《Apple 有关 iCloud.com 安全的最新消息》 http://support.apple.com/kb/HT6550?viewlocale=zh_CN&locale=en_US

苹果iCloud遭SSL中间人劫持，用户如何防范隐私泄露？http://www.wosign.com/news/icloud-ssl.html