这次 GitHub 中间人攻击，个人分析并不是七层精准劫持，而只是在第四层做了攻击。

我先获取 GitHub 的 ip：

> nslookup github.com 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Name:    github.com
Address:  13.229.188.59

这个 ip 是没问题的，位于新加坡的 Amazon，应该是个 CDN

然后测试证书：

$ openssl s_client -showcerts -servername github.com -connect 13.229.188.59:443
CONNECTED(00000005)
depth=1 C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = CA, emailAddress = 346608453@qq.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = SERVER, emailAddress = 346608453@qq.com
   i:C = CN, ST = GD, L = SZ, O = COM, OU = NSP, CN = CA, emailAddress = 346608453@qq.com
   
省略……

就是那个诡异的 QQ 号证书。

我再找个 cloudflare 的 ip 试试（ GitHub 没有使用 cloudflare 的 CDN ）

$ host v2ex.com
v2ex.com has address 104.20.9.218
v2ex.com has address 104.20.10.218
v2ex.com has IPv6 address 2606:4700:10::6814:ada
v2ex.com has IPv6 address 2606:4700:10::6814:9da

同样测试证书，SNI 为 github.com ，没有被劫持：

$ openssl s_client -showcerts -servername github.com -connect 104.20.9.218:443
CONNECTED(00000005)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 CN = ssl509603.cloudflaressl.com
verify return:1
---
Certificate chain
 0 s:CN = ssl509603.cloudflaressl.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
-----BEGIN CERTIFICATE-----

省略……

各位怎么看？