We deleted this tweet earlier today. Thanks to everyone who fact checked our statement and reached out to notify us about the mistake! A correction has been posted here:
https://twitter.com/netresec/status/1440298935868743686
The PCAP in the referenced tweet was created using PolarProxy, which decrypts and re-encrypts TLS traffic while saving the decrypted traffic to a PCAP file.
MitM'ing the traffic using a trusted root CA allows TLS traffic to be decrypted, even if perfect forward secrecy is used. That's what we did to produce the decrypted PCAP shown in the Wireshark screenshot.
If you use an HTTP proxy or terminate the TLS connection in some other way, yes. I was thinking of the situation where you use Wireshark directly on one of the endpoints, i.e. a passive MitM attack.
You are completely right. The traffic was sent as TLS encrypted HTTP/2 traffic to Microsoft. We decrypted it using PolarProxy in order to see what was transmitted. The screenshot in the tweet shows the decrypted PCAP generated by PolarProxy.
You are correct. This traffic was not generated by typing text into the "run box", it was generated by typing text into the "start menu box". We are very sorry for the confusion this has caused.
The Wireshark screenshot shown in our tweet was showing TLS traffic that has been decrypted by PolarProxy. That’s why it shows up as HTTP/2 traffic over TCP port 80.
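To make concrete what the two replies above describe (a TLS-terminating proxy re-emitting the decrypted bytes as a plaintext TCP session on port 80 so that Wireshark dissects it as HTTP/2), here is an added illustration written for this page. It is not netresec's code and not how PolarProxy is implemented; it simply builds a pcap file containing a synthetic handshake plus the HTTP/2 client connection preface in the clear on port 80, then parses it back and verifies the TCP checksums the way a dissector would. The IPs, ports, sequence numbers and the payload are all constructed sample values.

```python
import socket
import struct

# Constructed sample payload: the HTTP/2 client connection preface, i.e. the first
# bytes a client sends once the TLS layer is stripped. Not taken from any real session.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

SYN, ACK, PSH = 0x02, 0x10, 0x08


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame carrying `payload` in the clear, with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"  # dummy MACs
    return eth + ip + tcp + payload


def write_pcap(frames, ts0=1_600_000_000):
    """Serialize frames as classic pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts0, i * 1000, len(frame), len(frame)) + frame
    return out


def decrypted_session(client_ip="10.0.0.2", server_ip="10.0.0.1",
                      client_data=H2_PREFACE, server_data=b"", port=80):
    """Re-emit a decrypted client/server exchange as a plaintext TCP session on `port`.
    A synthetic three-way handshake is included so Wireshark reassembles the stream."""
    cport, cseq, sseq = 40000, 1000, 5000
    frames = [
        build_frame(client_ip, server_ip, cport, port, cseq, 0, SYN),
        build_frame(server_ip, client_ip, port, cport, sseq, cseq + 1, SYN | ACK),
        build_frame(client_ip, server_ip, cport, port, cseq + 1, sseq + 1, ACK),
        build_frame(client_ip, server_ip, cport, port, cseq + 1, sseq + 1, PSH | ACK, client_data),
        build_frame(server_ip, client_ip, port, cport, sseq + 1, cseq + 1 + len(client_data), ACK),
    ]
    if server_data:
        frames.append(build_frame(server_ip, client_ip, port, cport, sseq + 1,
                                  cseq + 1 + len(client_data), PSH | ACK, server_data))
    return write_pcap(frames)


def read_pcap(data):
    """Parse the pcap back into (src_ip, dst_ip, sport, dport, flags, payload) tuples,
    verifying each TCP checksum over the pseudo-header as a dissector would."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    off, records = 24, []
    while off < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        ip = frame[14:]                       # skip the Ethernet header
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        if inet_checksum(pseudo + tcp) != 0:
            raise ValueError("bad TCP checksum")
        sport, dport, _, _, doff, flags = struct.unpack("!HHIIBB", tcp[:14])
        records.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                        sport, dport, flags, tcp[(doff >> 4) * 4:]))
    return records


if __name__ == "__main__":
    with open("decrypted.pcap", "wb") as f:
        f.write(decrypted_session())
    for rec in read_pcap(decrypted_session()):
        print(rec)
```

Opening the resulting file in Wireshark shows the preface on TCP port 80 and the stream dissected as HTTP/2, which is why a decrypted capture like the one in the tweet carries no TLS layer at all: the proxy, not Wireshark, did the decryption, and it could do so because it held a certificate the client trusted, independent of perfect forward secrecy on the original connection.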
We first tried to post replies with corrected information, but it didn't seem to help. The tweet has now been deleted and a correction tweet has been posted instead.
The purpose of the "Great Firewall of China" is to censor the Internet, i.e. the intention of this MITM doesn't seem to be to covertly spy on the University user's searches.
A self-signed X.509 cert is enough in order to see what they are searching for and to block/RST queries for topics like "Tiananmen Square protests". The CH authorities don't care if users notice the MITM in this case.