Slashdot Mirror
Mozilla Accepts Chinese CNNIC Root CA Certificate
Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Wow, youre so new here, youre still dripping wet and covered in placenta.
...is there a straightforward way to mark CNNIC as untrusted?
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Now at last we can have signed Firefox Add-ons!
Taken from comments section of article:
Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there's a lot of entries there.
One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.
Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Glad I use lynx (and opera)!
Caveat Utilitor
Deleting it as we speak....
Just wait while I go infiltrate the Chinese government to determine if they are doing bad things through CNNIC, so I can come back with evidence. While I'm at it, I'll be travelling through West Africa and I have the sum of $1,000,000,000 USD of money stashed there and I need your help to get it out of the country. I will give you 10% guaranteed.....
"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
I am not sure I agree with this. When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.
Did you notice how many CAs are in the list? How do you feel about each?
I might recommend encouraging technologies like Perspectives to provide defense in depth.
I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Are you saying "should Mozilla remove it?" Then the answer is probably no, becuase Mozillia is not an omni-beneficent entity. It probably helps them in some way to include it.
The question is, should individual users remove it? And yes, by the link that you provided indicating it's role in the distribution of malware. Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?
Your ad here. Ask me how!
Opera trusts CNNIC also.
I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.
Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:
Why are self-signed certificates viewed with such relative suspicion?
It only takes a single compromised or misled CA to bypass the entire trust system. The more CAs we have, the easier it is to compromise the system.
Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)? Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA? (And it is effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.)
As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.
Exactly. The spoon and the knife are already laid out.
How do I mark all CAs in Firefox untrusted?
There has to be a better way than change each one manually.
Don't think so. I just checked and I do not have CNNIC listed at all in my copy of Opera v10.10.
Caveat Utilitor
Then you're apparently illiterate. To quote the link
We have now added the following Roots to the repository:
Buypass, a Norwegian CA. This CA has been provisionally EV enabled, please see below. Testsites 1, 2, EV.
CNNIC, China Internet Network Information Centre. Testsite. Note: Currently we are missing a HTTP CRL for the intermediate certificate for this site, so the site will unfortunately not show a padlock. We are working with CNNIC to resolve the problem, which may include adding a CRL override.
Secom (a Japanese CA) has issue a new SHA-256 Root, as part of many CAs transition to more secure certificate signatures: Testsite
I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...
If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond firefox.
"The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
Agreed. I find this submission to be quite arrogant. Thanks for posting this gem, Kdawson. Mod parent up.
At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents. Nobody's saying you should wait to remove it. The question is, should it be removed for the safety of others?
The whole point of root certs is trust. We trust them to sign certificates which will be used, in turn, to keep our conversations private. Should CNNIC be trusted to keep conversations private? That is the question. Organizations like Mozilla put their own reputations on the line when choosing which root certs to include. Any abuse by CNNIC will be seen as a security flaw in Mozilla software. That is the issue. That is why Mozilla should care. (even if they disagree)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks. To perform a man-in-the-middle attack on (for example) gmail, CNNIC would have to send a fraudulent certificate to users. That certificate would be ironclad evidence that CNNIC can't be trusted, so all someone has to do is present one.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
Erm, speaking of illiterate -- What part of "I do not have CNNIC listed at all in my copy of Opera v10.10" was unclear to you?
"surfaced claims of malware production and distribution"
This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:
"CNNIC produces one of the best-known malwares in China: the Chinese-Language-Surfing Official Edition(). The software is frequently bundled with other adware/sharewares. It was declared malware by Beijing Network Industry Association() and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard(360), an anti-virus software. San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC."
Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.
Why is CNNIC untrustworthy ? In plain English please.
https://bugzilla.mozilla.org/show_bug.cgi?id=542689
If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA. Guess MITM is a game for big players.
Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection. From a security standpoint, the whole web should work the same.
It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place. For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.
I fully expect that the US government can get access to appropriate certs needed for MitM attacks when they want. It isn't hard for them to pressure US based companies to do that.
For the unwashed masses worried about commerce, I doubt the Chinese government has any more interest in messing with that than the US government. For people that are worried about being spied on, they shouldn't be trusting any of those certs on machines used for doing whatever it is that they think might get them in trouble.
Weird thing is, I can't find it in there at all, unless I'm just blind. There's nothing that says CNNIC (or even anything obviously Chinese).
One addendum to your directions, you have to be in the "Encryption" subtab of the Advanced tab or you won't see the "View Certificates" button.
I saw the same thing in my copy of Opera 10.5.x
However, after visiting the test site : https://www.enum.cn/en/
I can now see the cert. My guess is Opera does not come preloaded with all root certs, but perhaps fetches them on demand from an online repository.
I.O.U One Sig.
Except you tried to claim that the GP was wrong about Opera trusting CNNIC which is patently false based on Opera's own posting from last September.
Visit the test site and look again.
In a fair world, refrigerators would make electricity.
What's a MiTH attack? Man in ..?
Because the US will not throw me into a hard labor camp and sell my organs on the black market for talking about wounded knee, the war in the Philippines, the fire bombing of Dresden, the nuking of Hiroshima and Nagasaki, or any other genocidal acts by the government.
Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?
Because Mozilla is capable of doing it and most computer users are (effectively) not.
Because we care about what happens to the internet.
Because it's going to be our mom's machine, and we'll have to fix it.
Never trust an atom. They make up everything.
I suspect that in practice simply following the SSH model would be pretty much as secure and a lot safer from this kind of attack.
That's the model where all keys are effectively "self signed", and you don't check whether the key is signed by a trusted authority... instead you check whether the key has changed, and raise an alert if so.
Using BOTH techniques... alerting people if the key changes whether it's self-signed or centrally signed... seems to be the best solution. That way if CNNIC wants to MITM you they have to be damn sure you haven't already got the real key in hand.
He means, "please don't spam the Bugzilla comments unless you have something constructive to add." BMO used to block all slashdot referers at one point...
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
What's a MiTH attack? Man in ..?
Man in The Hat
I wouldn't say that. Being able to intercept data like passwords doesn't give blackhats info, it gives them access to things. Picture a company that has their finances quietly eavesdropped on, then when it comes time for revenge, it would be trivial to log on, pull money out of accounts and have it look like the corporate officers embezzled funds.
Result: Shareholders sue, corporate officers get tossed into prison, and nobody is the wiser that it was done offshore.
Actually, you're apparently referring to me (I didn't post the AC comment to which you're replying). But what I said was, "don't think so" which is to say I doubted it. I certainly did not "try to claim that the GP was wrong", but rather merely expressed doubt that he was correct (the provided link is, after all, older than my version of Opera). So anyway, I went to the CNNIC site, got the authority listed, then set opera to warn me. Wasn't hard, no big deal. Maybe you should consider cutting down on the caffeine? These discussions aren't exactly a matter of life and death, and people are certainly free to doubt.
Caveat Utilitor
"a trusted CA root"
Which CA are we talking abpout here?
Canada ?
California
Computer Associates
Cancer
Or is this a new abbreviation for Chinese Authorities ?
men in tiny hats
Man in the
1. Half?
2. Halfway?
3. Halftime?
4. Half-court?
5. Hmiddle (silent H)?
Cheers! :-)
Man In The Hat.
The issue is that most people wear hats to try and hide some type of malicious secret. Thus, we don't trust men who wear hats.
Seeing as China makes lots of the core internet routers these days (with quickly growing market share) there is every reason to assume we're getting man-in-the-middle pwned.
I'm not in *.cn, and I'm not visiting *.cn, so why in Hell should this certificate apply to me? If suddenly www.adobe.com is signed by China, there sure is a problem!
Sodomy
What's a MiTH attack? Man in ..?
It's an attack that doesn't actually exist, e.g., one that is "mithical". Of course, a mith is as good as a mile anyways.
The higher the technology, the sharper that two-edged sword.
As always, one small typo gets blown way out of proportion. Oh well. Have fun with it.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
You can already get fake certs you want from other "trusted" CAs. How is this any different? I wish browsers implemented a better way to handle certs. For initial cert check the CA could be ok (better than nothing), but after that browser should remember the cert and alert you if it changes, regardless of how valid the change looks like.
If the thing is done, the actor doesn't have to do anything additional. It doesn't have to be done again, or done more. The only possible change is to undo it. Those who wish to undo it must justify undoing it, because they are the only ones who have need of an affirmative action to be taken.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
It's great that everyone is removing the CNNIC root CA, but that's just a defensive measure. And a temporary one at that too.
We need to take more progressive steps to solve the problem.We should be going on the offensive here.
Just link to CNNIC in the summary and they will disappear from the Internet forever; or at least get hit with a million dollar bandwidth bill.
Why is CNNIC untrustworthy ? In plain English please.
I'm sorry sir, the certificate is in Chinese.
These posts express my own personal views, not those of my employer
Write a script that goes to lots of SSL sites and checks the signing certificate. Run one copy from behind the Great Firewall. Run another from the free world. Compare the output to see if CNNIC ever shows up where it shouldn't. Found a hit? Submit it to all the browser publishers and watch the security updates fly, as CNNIC loses all authority over SSL.
Bonus points if you can get Hillary Clinton to send a strongly-worded letter to China.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Um.... no! The CA model exists precisely because the SSH model is vulnerable to MITM!
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
There are different failure modes.
If you know that the victim has not visited a given site before you can MITM them undetectably, but the attack doesn't scale. On the other hand the centralized key distribution hierarchy is vulnerable to widespread undetected MITM attacks if the hierarchy is compromised, where the SSH model would produce a large number of suspicious reports in that scenario... leading to the unmasking of the perpetrator.
Firstly, SSH requires out-of-band key exchanges. You know, like over a USB stick or something. There is no secure certificate exchange. So, in other words, no-one could ever get the certificates for 99.9% of websites.
Secondly, keys *do* change all the time; as they should. No matter how many bits you use, your certificate shouldn't go more than a few years without being renewed, or you put the key at risk of attack.
Thirdly, there would be no mechanism for revoking a certificate once compromised.
In short, no. Put more thought into what the systems you are proposing are actually trying to achieve.
Does this mean I won't have to pay $600/yr soon if I want a wildcard SSL certificate? I've never been able to figure out why they cost more from a technical standpoint, except that they may get more requests on average.
Saying that you "don't think so" because you actually took a real world look at the product in hand seems like a pretty reasonable response, and doesn't need a 'you must be illiterate because I read a statement put out months ago'. Perhaps that's since been revoked? Or perhaps they made a typo. Or perhaps they never got around to actually implementing it.
Turns out they do trust it, just Opera downloads certs on demand.
But I wouldn't go around saying it was "patently false" just because of some blog post and trusting that over looking at the browser itself.
I.O.U One Sig.
That would be interesting to find out, also whether or not the session used to retrieve the root certs is itself secure...
Can you be Even More Awesome?!
For my personal use, I don't have a problem with the suspicion of self-signed certs. I don't intend any visitors to my https service other than the ones I personally invite, and I can guide them through the security exception process. Obviously, I'm not running a business.
I disagree with the parent regarding the proliferation of CAs. It's true that added CAs add to the points of potential compromise. But, they're a drop in the bucket compared to the flood of self-signs we'd be dealing with. Then we'd really be talking compromise, to the point where if the site wasn't some heavy hitter brand, we'd have next to zero confidence in the value of the https connection overhead.
Luke, help me take this mask off
If you never had a chance to look at a root CA list in your browser - now may be the time. Open advanced encryption preferences and look at certificate list. These are, normally, all the CAs that your browser trusts to sign certificates for other sites (or for other signers and so on and so forth). Now - do you know who they are?
FWIW I have never heard of most of these names, and have no reason to trust them or anything they do. The names that I know don't exactly give me the "warm and fuzzy" feeling. Equifax - the company that violates my privacy by enabling extraneous information collection, keeps bogus information on my credit report and is notoriously impossible to deal with? I won't trust them any further than I can throw them.
So China's another CA - big deal. Frankly, Scarlet, I don't give a damn. My browser will gladly accept certificates from anyone for all I care and the entire concept of "trust" is meaningless if I don't *really* trust these guys.
The CA is dead, let it go.
Wow, youre so new here, youre still dripping wet and covered in placenta.
And a Chinese, heavy metal laden one, at that.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
I scanned fairly quickly through the comments here but none seems to point out the obvious:
SSL DOES NOT ATTEMPT TO GUARANTEE ANYTHING APART FROM AUTHENTICTY
As it appears, this mob have verified their identity sufficiently for Mozilla to decide they are able to put something on the interweb and verify they put it there.
Should I be worried - no I don't think so.
I've just (skimmed) read the Mozilla bug entry for this and as far as I can tell all was correct.
What exactly is the problem here? SSL is a mechanism (Mozilla very kindly provide that) not a policy (you do that bit)
All of them. The Chinese one might be the safest to retain.
"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal." ...
Yah , sure, whatever
Not sure about Opera, but here is the resolution of the same issue for Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=340198
I'm running version 4.0.249.78 on WinXP. Clicking on "[monkeywrench]/Options" brings up a dialog box. Clicking on the third tab and scrolling to the bottom of the presented list shows a button, "Manage certificates". Clicking on that button brings up the "Trusted Certificates" dialog box. Clicking on the "Trusted Root Certification Authorities" tab reveals a long list of certificates. Scroll down to "CNNIC ROOT" and double-click on its entry to bring up your third dialog box, "Certificate". Click on the "Details" tab and then the "Edit Properties..." button to open the final dialog, "Certificate Properties". Click on "Disable all purposes for this certificate" and then "OK", "OK", "Close" and "Close".
It is unfortunate that this does not preserve the various check-marks on the individual purposes. I would have liked to have that information retained for future reference.
Nothing for 6-digit uids?
Because you can trust Google so much more than China.
No, both models would be detectable. I would notice of my connection to Bank of America says "Signed by China Telecom."
Letting the average user manage keys by himself means both widespread MITM is possible, and users get trained to accept keys.
If you think Grandma shopping online would really be more secure if she managed keys herself, you've never met an end user. SSL MITMs have been fantastically rare, despite extremely widespread use by untrained masses. There's no better proof of SSL's success than that.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
tl;dr
Ooooh, how did that feel? You spent all that time and effort writing that up, only to find out we don't give a shit.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
I am chinese web engineer. CNNIC is untrustable. I had delete CNNIC root and Entrust Root both Firefox and IE.
Why would we give a dictatorship the ability to make our browser trust any site we connect to on the internet?
The parent post was hit by moderator abuse. My post was also hit by moderator abuse. It looks like someone sympathetic to the Chinese government is abusing Slashdot. If you have mod points and you see this message, please browse through the down modded posts to check for abuse.
It's different because it's China, and China is the new Evil Empire. As soon as it became clear that we weren't going to be able to destroy every last terrorist, people got bored with blaming everything on them. Now it's the Chinese who are apparently the soulless bad guys who are attacking the very foundations of the Free World. Oh, the humanity.
Systemd: the PulseAudio of init systems
I take issue, too.
"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
BULLSHIT ASSHOLES! FFFFUUUUU!!!!
Because 90% of internet users don't know what the hell a SSL certificate is and can't intelligently make the decision.
The presence of the cert does more harm than good, if it's being used to distribute malware, then obviously it is not trustworthy, and Mozilla is harming the community by including it.
If you want to go out on your own and install the cert, fine.
Mozilla should have no part in installing by default a cert that is untrustworthy.
They should remove the default authority and let you install manually if you want it.
Firstly, SSH requires out-of-band key exchanges. You know, like over a USB stick or something.
For client authentication, yes. For server authentication (which is what the server's SSL key is used for), no. I'm talking about the SSH host key, not your personal key.
No matter how many bits you use, your certificate shouldn't go more than a few years without being renewed, or you put the key at risk of attack.
And you can post that ahead of time, and some people will get a little paranoid about it because they didn't get the message. It's not as *invisible* as SSL server certificates. People are occasionally bothered by it. As a healthy paranoid, I don't see that as a downside.
Thirdly, there would be no mechanism for revoking a certificate once compromised.
Just create a new host key. Again, people will go o_O when it changes on them, and make a fuss, and you'll maybe get a little noise in the blogs over it, but a little noise is not a problem.
I would notice of my connection to Bank of America says "Signed by China Telecom."
Really? Without looking, can you tell me who your connection to the Bank of America is supposed to be signed by? Do you actually check every time?
Also, the ridiculous warnings serve to train users that you must always override security. Bad firefox!
For the problem of multiple certificate authorities of varying worth, I could see replacing the lock icon with an icon that is specific to the certificate authority. Certificate authorities ought to love it, because it gives them branding ability.
What does the Bank of Montreal have against Slashdot?
Its not obvious to all of us that BMO stands for bugzilla.mozilla.org
Doesn't Firefox warn you if a key for a certain domain suddenly changes to something different? Remember these guys sign keys, they say "this guy is who he says he is", does that really give them the power to listen in on people?
They can only do so by replacing the key with something new, which probably generates a big security warning, and then they have to reencrypt it with the old key, so they do have to intercept communication and not just listen in.
I don't know if you should be concerned about that yet, unless you're Chinese (in which case what is the alternative? only trust American businesses with American CAs?)
// MD_Update(&m,buf,j);
Fuck China. How do we block the Chinese from getting into our webservers and browsers? enquiring minds want to know.
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
So you're admitting that letting grandma manage keys is a bad idea?
No. I don't check every time. It's not hard to check (mouseover in the url bar), so it's not something that would go unnoticed on the internet, either. Which is the point.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Uhh, that would be "lanugo" or possibly "vernix" but babies do not typically come out covered with "placenta."
You work for a medical company. Might you have any info the Chinese would want? Oh, yes you do!
Google isn't about to put perfect clones of your medical devices on the market. China does this all the time. Famous example: the Chery QQ automobile. (FYI, Chery is a state-owned company)
Someday, like so many other clueless non-Chinese, you will wake up to find your competitive advantage is gone. Near-perfect clones flood the market. If you're lucky, you can prevent imports into the USA. You'll never stop the clones in China, and you'll never stop them from being imported to most other countries around the world.
the truth is that Chinese don't trust CNNIC, me included. if you search CNNIC on twitter, you'll find many Chinese talking about how to remove it permanently. what I want to add is that the we use SSL/TLS because we trust the CA, but now if the CA is not trusted, what do you think?
Check this out: http://en.wikipedia.org/wiki/Huawei
Huawei is the world's top patent seeker. In 2009 they overtook Alcatel-Lucent to become world's No. 3 mobile network gear maker, doubling market share from the previous year. They also passed Nokia Siemens Networks for the No. 2 position in the global mobile infrastructure equipment market. They are No. 1 for DSLAMs (telco DSL equipment). They even make lots of cell phones.
Even if China were just "low end devices", that's still enough to pwn you. That'll let them get plans for you next product or info about you you plan to negotiate with the Chinese factory that makes your shit. Also, even "low end devices" means a bite out of your product line.
Or do you really believe that Joe Average actually types https://www.mybank.com? You're lucky if they even get the www. part in.
Good point. Firefox should assume https by default.
(anybody have a Bugzilla acount? please file this)
You write 3 paragraphs in response to a response from an Adam Sandler movie? Really? Did it not occur to you that it might be wasted effort?
As always, one small typo gets blown way out of proportion. Oh well. Have fun with it.
Aha, yet another typo! Right ther--oh ...wait. Okay, never mind.
Presumably it was a particularly violent birth.
Not only do I not trust CNNIC, I don't trust Verisign either. Nor any of the dozens of CAs which are installed by default.
In other words, the whole CA concept is flawed.
The daft thing is that I asked the question in all seriousness, thinking "wtf have the security guys come up with now?!"
However, have you looked at some of the certs it already includes? Big guy right at the core we have no option but trusting signs a cert for large national body we have no particular worries about. Large national body signs a cert for small ISP/hosting/security business run purely for profit we know nothing about. Small ISP/hosting/security company will sign anything you pay them to.
All those certs are bundled with your default firefox (or IE, or Opera, or...) install. All signatures by any of those companies are treated equally by firefox - sites either get the green padlock or they don't.
Look at your list - do you actually, through a position of knowledge about them, trust those signing authorities? That one from Turkey, for example - what do you know about them? How would you compare their trustworthiness to the new Chinese one? With facts, figures, and dates, please?
So what happed to the web of trust, as originally proposed? All fractions got rounded up to 1 at every point in the process, and made a mockery of the whole scheme. Call me paranoid - or simply not trusing by default - but I've removed about 90% of the certificates bundled with my browser. I think that should be the default. Every time there's a certificate signed by someone you don't already trust, the browser should pop up a box saying "there's a company called SecuroPlus who are saying 'trust me' - do you trust them?", with the options Yes, No, and NFI, with NFI being the default. (If their signing cert is signed by a company you do or don't trust you should be informed of that additional information). After a while I think you'll find that 99.99% of the world's 'secure' web browsing will fall under the NFI banner. In which case, where was the security?
It's another case of security being nothing but a warm fuzzy feeling.
Also FatPhil on SoylentNews, id 863
...as foretold in the song about freedom of expression by the guys calling themselves "Men Without Hats".
S... A... F... E... T... Y...
Safety... Dance...
The flip side of the "Safety Dance" single was named "Security". The 12" maxi single included a song called "I Got The Message" along with "Antarctica". "Antarctica" was the only other song on the extended dance mix 12" promo.
The song "Safety Dance" (as titled on the band's apparent homepage) itself was about being allowed to express oneself and the resistance to heavy-handed repression of that expression.
HHOS. See the wikipedia entry for the song for the song for even more info.
Thanks, Illinois-Quebecois synth-pop 80's wonders!
Already posted (saying roughly the same thing), so I have one modpoint left that I now can't use here. It needs to be repeated. "Trusted" seems to simply means "money changed hands".
Also FatPhil on SoylentNews, id 863
Not if it continues to be signed back to a root, which is the point. A previous employer of mine had its own root cert in our (IE6) browsers and I only noticed after a similar, related discussion on Slashdot caused me to look. I removed it temporarily and yep, all https traffic was being MITM'd. Given the nature of the organisation, it was understandable that they had to be able to audit such traffic, but that doesn't excuse them not talking about it. I later mentioned it to a 2nd line tech who was doing something unrelated and it was news to him, too.
[FUCK BETA]
Funny, I visited the test site and FireFox 3.5.7 tells me it doesn't trust the certificate issuer. Guess I missed the update where the CNNIC certificate was added...
Well, now it seems they've come up with all kinds of things ;)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
It will come back into the list automatically, but all the trust boxes are unmarked when it does.
The same what you block your own government, RIAA and the likes: Encryption and anonymity. Check out stuff like i2p and freenet.
c++;
The question is, should it be removed for the safety of others?
This is nothing more than simple bigotry. You want them removed, not because they are more likely to abuse their position, but because they are Chinese or "Communists" or whatever. Why should I trust CNNIC less than, eg Microsoft Internet Authority, Deutsche Telekom or Sociedad Cameral de Certificacion Digital, just to mention three at random?
The whole point of root certs is trust
No, the point is convenience. It is ultimately your own responsibility who you choose to trust, which is why you can edit the list of authorities your browser trusts.
I've had first-hand experience with CCNIC that ought to put things into perspective. I registered a domain name at Godaddy, and also registered a couple of DNS servers. Use of these registered DNS servers worked flawlessly, until I had to set them for Chinese clients who had registered their domains via net.cn. They were unable to set these DNS servers because the system kept telling them the DNS servers were invalid. Upon calling net.cn's tech support, the client was told to talk to CNNIC.
So, I spoke to CNNIC on behalf of the client, and was basically told to go talk to Godaddy, and that Godaddy would contact CNNIC and know what to do. I thought this was odd, but sent a support ticket to Godaddy. They confirmed that the DNS servers in question had absolutely no problems and I was even sent a link verifying this over at ICANN, which is an internationally accepted organization for domain names.
I tried CNNIC again and told them that my DNS servers were valid and registered, even recognized by ICANN. I was rebuffed and basically told to go talk to Godaddy again. A few rounds of this with various people resulted in absoF*kinglutely no results. I think Godaddy is right in this case. There's nobody to talk to. The DNS servers are in-fact valid.
What I was told instead, was to go to net.cn and purchase another domain name from there, then pay 10RMB per DNS server for that new domain. I ended up having to do exactly that, to solve this problem.
After this ordeal, I am certain that CNNIC is in fact as evil as they come. They don't care about international standards, just what their omnipotent bosses tell to to do.
eTrade SUCKS
Wait a minute...
From what I understand, it mainly means that when a website is certified by CNNIC, it will appear in Mozilla software as being indeed certified by CNNIC. Mozilla is not in the certification and trust management business. From my point of view, I don't see why they should refuse any organization with a verifiable physical address that is not trying to fool people by using similar names like "Paypel". Users will have to learn how a trust network works and who they trust when they do transactions or secure connections. There is no way around it.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
It seems as though the poster wants to imply that there is something inherently wrong with accepting CNNIC as a CA -- but does not state why it is the case apart from rumor and that the Chinese government "may" be controlling this entity.
It escapes me what the problem is; there are lots and lots of CAs listed as trusted roots -- any number of which could do malicious things without anybody being the wiser (and some of which will gladly hand out certificates to microsoft.com and others, if only either your story is good enough ("internal test server"), or their interface is bad enough). "Trusted CA" is a misnomer in any browser distribution -- I sure as heck do not trust half the companies in that list, and neither should you -- since you never even heard about most of them.
None of this actually impacts the security of SSL. Let's face it, the PKI for SSL is broken. Anybody can claim to be anybody and somebody will sign off on it. You won't even be notified when that happens to "your" domain. There is no such thing as a central registry -- as with DNS, for instance. There is no such thing as proper delegation -- as with DNS, for instance. If you trust a SSL certificate because it is signed by some "trusted" CA in a browser, you are doing it wrong. Not that it really matters -- people do not check certificate chains or even particularly care about changed certs so long as the "Buy now" button works on Amazon.
There is no inherent value in a certificate signed by a "trusted" CA over a self-signed certificate. Both result in a stream-cipher-encrypted connection. That is about all SSL is good for, unless you have a local CA and that local CA is the only trusted CA in any of your CA-aware applications -- and, of course, you have cryptography-savvy users. I'll wait a while for the laughter to die down.
I'm not talking about *customers* managing keys at all.
As for Bank of America changing their SSL key to a different CA... well...
Companies do change CAs, on occasion. It's not common, but it does happen. I can't recall it ever making the news. MAYBE if it's Bank of America, but not if it's Lesser Schenectady Credit Union. But LSCU is already too big of a host key change to have a good enough chance of going undetected.
Don't be silly. Just laugh together too.
> Doesn't Firefox warn you if a key for a certain
> domain suddenly changes to something different?
No, it doesn't. To my knowledge, no browser does.
It's like I've been saying for at least a couple of years: SSL can in theory provide meaningful data security, but HTTPS uses it incorrectly (in several ways; failure to complain when a cert changes is only one of several problems) and therefore does *not* provide meaningful security.
If you want to transfer some data *securely*, you should not use https. There are much better options, e.g., scp.
To be absolutely fully blunt, HTTPS is not significantly more secure than plain old HTTP.
Note that this doesn't stop me from placing orders online. I just send a check -- which is what I would do anyway, because even if the information *transfer* were completely secure I still wouldn't trust somebody else's servers with information that would allow anyone who breaks in to take arbitrary amounts of money from me. (Amazon recently lost my business, because they will no longer let you just send a check for one purchase. They now want to store your checking account numbers. That's just as risky to me as giving them credit card numbers to store. No thanks. I'll find someone else to buy from.)
The insecurity of https does stop me from doing online banking, but I wouldn't be doing that anyway, because my bank is too small to set up their own online banking and chose to outsource it to some outfit operating out of an obscure archipelago in the Indian Ocean. I'm sure the outfit is legit and above-board or my bank wouldn't be using them, but I'm still not comfortable trusting my money to an outfit operating in a jurisdiction where I would have no real recourse if they ever caused me problems. So I don't do online banking. Small loss: my finances aren't that complicated, and the bank is a grand total of five blocks from my house.
Cut that out, or I will ship you to Norilsk in a box.
> Because Mozilla is capable of doing it
No, they're not.
Mozilla, as an organization, still hasn't figured out that whether the server I interact with today has the same private key as the a server I interacted with previously is more important than whether the people running the server paid money to Verisign (or whomever) for a cert signed by somebody on The List.
Mozilla, as an organization, still hasn't figured out that whether the DNS entry that resolves the FQDN to the server's IP address follows a continuously signed path up from the root is more important than whether the people running the server paid money to Verisign (or whomever) for a cert signed by somebody on The List.
Mozilla, as an organization, seems completely unaware of the inherent problems with HTTPS. They seem to think EV (which basically boils down to getting site operators to pay even more for their certs) is a meaningful solution. It is clear to me that they, as an organization, don't understand security at all.
Perhaps there are some people within the organization who do understand security. If so, they are not the people driving policy.
For what it's worth, I'm not aware of any other browser that does any better. But that doesn't mean it's all good. It's not all good. As things stand right now, people should think of https as inherently completely insecure. Because it is.
If you need to transfer information securely, don't use https.
Cut that out, or I will ship you to Norilsk in a box.
So you're admitting that letting grandma manage keys is a bad idea?
The SSH key distribution model has never been shown to work well when managed by untrained masses. The CA model has.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
This is security theatre of the worst kind. Their whole (and only plausible) excuse for doing this is that nobody can pretend to be CNNIC over https now; given the reactions of people familiar with CNNIC I wonder why the hell anyone would in the first place.
Now thanks to a complete and utter retard at Mozilla blithely following a script without regard to the real world consequences, everyone gets to live with those consequences: hundreds of millions of net users who more often than not blindly click Yes to anything, who have been trained to associate a blue/green address bar with "safe".
Thanks for making the internet a "safer" place, Mozilla. Ugh.
OK, we should untrust CCNIC...
Unfortunately, the ways posted so far are all manual. I'm an IT consultant and manage Windows/Linux networks for multiple companies. I need to be able to untrust CCNIC (and maybe Entrust.net as well...) for all computers on these networks.
Ideally, whatever script, group policy, etc. employed should:
1. check to see if CCNIC is trusted in Firefox, and if so, untrust it
2. check to see if CCNIC is trusted in the OS itself, and if so, untrust it.
And yes, this is a problem apparently on just about all OSes. I really just need a way to do this on Windows XP or greater and Ubuntu, although this problem seems to exist everywhere.
- Matt Borcherding
Grandma managing keys was never on the table, so I still have no idea what you're getting at.
It's just a way to lure Joe Average into a false sense of security. It really shouldn't be any more difficult for someone with a minimal amount of effort to obtain a legit SSL cert from say VeriSign who then uses it for evil. However it's the best scam we have so... My suggestion is to put geographic or political limitations on a trust root's clients. It shouldn't make sense for say an Australian bank site to have a cert from CCNIC. Domain name register and the cert's issuer should match in terms of geographic sphere of influence.
What does the Bank of Montreal have against Slashdot?
"context clues" they call them...
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
This is nothing more than simple bigotry. You want them removed, not because they are more likely to abuse their position, but because they are Chinese or "Communists" or whatever.
I'm hurt by your irrational rush to judgment. Your zeal has blinded you to my motives, and to what I said.
At issue here is the ability of the Chinese government to run [MiTM] attacks on their citizens...
Were I a bigot, I'd simply say that they got what they had coming to them. No, I care what happens to the Chinese people (as much as anyone I haven't met), and the Chinese Government has gone out of its way to be concerning.
... or "Communists" or whatever.
I could live with any form of government, with one STRONG requirement: those who lead the government must do so for the sole benefit of their countrymen. (Granted, it doesn't happen very often. It's really quite rare.) That's it. Kingdom, Democracy, Communism, Republic, whatever. The problem is endurance of this kind of dedication. Corruption creeps in as one generation retires and the next takes the reigns. The reason democracies (& republics) work so well (and are therefore preferable) is that they balance power and have self correcting mechanisms (such as elections). Winston Churchill is often quoted as saying: "Democracy is the worst form of government, except all the others that have been tried."
I don't dislike the Chinese Government because they are Communist, I dislike the Chinese Government because they do not care about their people. They only care about the power they exert over the largest country on Earth. They're paranoid of opposing points of view. They have embraced censorship and propaganda as vital to their continuing governance. They imprison peaceful political dissidents. They've committed mass murder, more than once.
You don't see something wrong with this? You seriously can't imagine how these types of people will abuse a root cert?
The whole point of root certs is trust
No, the point is convenience. It is ultimately your own responsibility who you choose to trust, which is why you can edit the list of authorities your browser trusts.
I see your point, and respect it, but we're going to have to agree to disagree here. It really is about trust. You decide who you are going to trust as a CA, and that's good for you. The average person is not qualified to make this kind of decision. Even if they were, they wouldn't have time (along with the million other things that "responsible" citizens should research on an ongoing basis). As such, they trust the browser to have trustworthy root certs. Right or wrong, they do, and it will work no other way.
You can chalk it up to "security theater" if you insist. (I wouldn't, but you may.)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
I'm 99% certain the browser will give no warning. All it cares is that whatever cert is presented by the server is signed by a trusted root. That root can change around all it wants. This happens routinely when people replace their root certs on web servers and switch between issuers. It does not generate any kind of warning.
I don't dislike the Chinese Government because they are Communist, I dislike the Chinese Government because they do not care about their people. They only care about the power they exert over the largest country on Earth. They're paranoid of opposing points of view. They have embraced censorship and propaganda as vital to their continuing governance. They imprison peaceful political dissidents. They've committed mass murder, more than once.
You don't see something wrong with this? You seriously can't imagine how these types of people will abuse a root cert?
Your sweeping statements demonstrate what I mean by bigotry - to take them one by one:
They only care about the power they exert
Do you somehow possess special insight into the inner workings of their minds? Do you even know who "they" are? I don't think so - very few real persons are completely void of positive traits, and the majority of politicians genuinely care about the people. Even American politicians do, although I am given to understand that they are particularly obnoxious. But politics is "the art of the possible", and compromises rarely make everybody happy.
They're paranoid of opposing points of view
Really? It is my impression that they are openminded and willing to listen to contructive criticism; but they are not willing to waste time on fools, and they can't afford to be lenient towards troublemakers. When activists cover behind labels like religion or democracy, do we really know what they stand for? I mean, aren't al Qaeda "religious activists", just to pick an extreme example?
They have embraced censorship and propaganda as vital to their continuing governance
I doubt it - not that I deny they use them, but if those things were all that vital, they would have done a much better job of it. As far as I can see, the internet filters are there because most Chinese want them; parents don't want their children to get caught up in what they see as Western filth in a medium they don't understand.
And the propaganda part - are they any worse than other governments? Much of what you call propaganda, the Chinese probably think of as obvious expressions of their cultural mindset; they aren't Americans, you know.
They imprison peaceful political dissidents
I am not entirely sure about that - all I know is that western media have declared them to be "peaceful dissidents"; but I don't know enough about the sources of information to be certain that I can trust them. Trust is something you earn, it can't simply be assumed a priori.
They've committed mass murder, more than once
Only in the same sense that the American government have massacred thousands of native Americans, not to mentions unknown numbers of Vietnamese etc etc. Of course, we both know that you can't blame Obama or even George Bush for those things; but then, why shold we blame the current Chinese government for what happened during the Cultural Revolution?
No, I stand by my words: you speak from a basis of bigotry, even if you aren't aware of it.
MiTH = Make It Trust Hackers"
Are you a Chinese agent? Sorry, but I couldn't resist asking. I'm just curious why you're an apologist for their government. Do you work for a large corporation with foreign interests? Are you a poly-sci major at an "interesting" college?
Trust is something you earn, it can't simply be assumed a priori.
Ok. Right back at you. Why are you so willing to trust them.
(I can understand your distrust of American media. I take that as a given.)
... the majority of politicians genuinely care about the people. Even American politicians do...
You have a more optimistic outlook on life than I do. Are there politicians who care? Yes. The ones with real power? Maybe a few of them. Google "pork barrel" sometime.
Really? It is my impression that they are openminded and willing to listen to contructive criticism; but they are not willing to waste time on fools, and they can't afford to be lenient towards troublemakers.
If you were offended by my use of the word apologist above, please read and reread what you just wrote.
When activists cover behind labels like religion or democracy, do we really know what they stand for? I mean, aren't al Qaeda "religious activists", just to pick an extreme example?
Next you'll tell me about the Tibetan Jihad. This makes you look like the Bigot here. Please be careful. If you use a brush much broader, you won't be able to get it into the paint can.
And the propaganda part - are they any worse than other governments?
No. From time to time most governments have been just as bad. (USA during WW2, for example.)
As far as I can see, the internet filters are there because most Chinese want them; parents don't want their children to get caught up in what they see as Western filth in a medium they don't understand...
Much of what you call propaganda, the Chinese probably think of as obvious expressions of their cultural mindset;
To be clear, you're saying that the Chinese people don't enjoy free speech (as part of "their cultural mindset")? I believe it's possible. People can be taught that. I just want to be clear what you're saying.
And what about Chinese history? Are you saying that these parents don't want their children learning about their own history?
they aren't Americans, you know.
I know, but they are human, you know. Sooner or later, they're going to want to think for themselves.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
I blame the people who might have known about it but didn't comment on this at all during the review stage. If there's some proof showing sites using this certificate are actually releasing malware, though, it's easy enough to have Mozilla reject it again.
I am not devoid of humor.
Forget about "bigotry" or cultural issues or any of that.
The real problem with CNNIC being a CA is independent of politics: a single entity (CCP) controls both your network access (at two points: SOE ISPs and GFW of China) and your SSL certificates (through CNNIC, which is subject to party control).
Game over, man. Forget about privacy.
[CCP=Chinese Communist Party; SOE=State Owned Enterprise; GFW=Great Firewall]
Checkmate.
Are you a Chinese agent?
:-)
Sorry, but I couldn't resist asking. I'm just curious why you're an apologist for their government. Do you work for a large corporation with foreign interests? Are you a poly-sci major at an "interesting" college?
Why do I defend the Chinese government? Well, I tend to side with the ones that are treated unfairly; on slashdot it often means China. On other occasions it has meant America, Iran and even Microsoft.
Believe it or not, but fairness and objectivity are things that matter a lot to me. And trying to see both sides to every problem. How else can you reach the truth?
Browsers should warn you if the CA for a site changes. That won't help the situation you describe, nor will it save you if you visit a new site, but at least the typical user visiting a Banana Republic like China can reach his usual email provider safely from his laptop. Unfortunately, those already in such a country are likely out of luck, since who knows which version of Firefox (or Chrome or even IE) they wind up downloading.
Psst: It's copypasta.