Mozilla Accepts Chinese CNNIC Root CA Certificate
Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Taken from the comments section of the article:
Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there's a lot of entries there.
One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.
You could just delete the certificate yourself. "Edit, Preferences, Advanced, Encryption, View Certificates"[1]. Select the one from CNNIC and hit "Delete".
:)
[1] "Tools, Options, Advanced, Advanced, View Certificates" if you are on Windows, but if you are on Windows the CNNIC certificate is probably not the most significant of your security worries...
UNIX? They're not even circumcised! Savages!
Did you notice how many CAs are in the list? How do you feel about each?
I might recommend encouraging technologies like Perspectives to provide defense in depth.
Opera trusts CNNIC also.
I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...
If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond Firefox.
"The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
Weird thing is, I can't find it in there at all, unless I'm just blind. There's nothing that says CNNIC (or even anything obviously Chinese).
One addendum to your directions, you have to be in the "Encryption" subtab of the Advanced tab or you won't see the "View Certificates" button.
Visit the test site and look again.
In a fair world, refrigerators would make electricity.
He means, "please don't spam the Bugzilla comments unless you have something constructive to add." BMO used to block all slashdot referers at one point...
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
If I have it right, it is actually a simple thing to do, the UI is just awkward. Edits to the trust settings of the certificate will disable it and persist (another post indicates that deleting the certificate also marks it as untrusted, so even if the certificate gets added back to the system, it won't be trusted).
Nerd rage is the funniest rage.
Select "Tools", then "Options".
Click "Advanced", "Encryption" and "View Certificates".
Scroll down to "CNNIC" and select the "CNNIC Root" certificate.
Finally click "Edit", uncheck "This certificate can identify web sites" and press OK until all the little windows go away.
Now even if the root certs are updated, that cert remains untrusted.
In IE you have to select "Tools", "Internet Options", "Content", "Certificates", "Trusted Root Certification Authorities", select the certificate you want, then click "Advanced", uncheck the "Server Authentication" role and then click "Ok", "Close", and "OK" again to finally make your change stick.
What is ironic is that when you do that in IE with no problems, it actually takes more mouse clicks than doing the same thing in Firefox.
Why does there have to be hysteresis to the process? That is, why does the burden of proof change once Mozilla has accepted the certificate? If you see how the process worked, it was basically the case that by the time it became relatively common knowledge that the CNNIC certificate was going to be added, the time for comments had passed (not many people make the habit of trolling through Bugzilla entries or the Mozilla "RFC" page to find things they may want to comment on). If, once it became common knowledge, there were serious objections raised to adding the certificate - why not start the process again from scratch? Why force anyone to prove that CNNIC will violate the duties of a CA, especially given that these violations may be in the future? Furthermore, the whole discussion should be considered special given that the "great firewall" has apparently begun blocking most of the threads discussing the issue, such that open discussion isn't even possible since the very people who may be affected by this most (those within China) are being prevented from discussing it.
The parent post was hit by moderator abuse. My post was also hit by moderator abuse. It looks like someone sympathetic to the Chinese government is abusing Slashdot. If you have mod points and you see this message, please browse through the down modded posts to check for abuse.
Of course Opera also trusts this CA. But yes, there's always Opera. ;)
Deleting it does no good for ones that are marked "Builtin Object Token" -- they will come back when you restart. Instead "Edit" it and uncheck the trust boxes. The (lack of) trust settings are stored in your profile so updating Firefox will not affect it.
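The dialog steps in this thread (Edit, uncheck the trust boxes) set per-profile trust bits in the NSS certificate database; this added shell example, not from the thread, does the same with NSS's certutil and first lists which roots a profile currently trusts for SSL. The certutil tool, the sql: profile format and the certificate nickname are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the trust change the GUI steps make,
# performed with NSS's certutil against the cert database in a Firefox profile.
# certutil trust flags are three comma-separated groups (SSL, S/MIME, code
# signing); "C" in a group means "trusted CA for that use", an empty group
# means "not trusted for it".
# Assumptions: certutil is installed, the profile uses the sql: (cert9.db)
# format, and the built-in certificate's nickname is as shown by -L (it may
# carry a "Builtin Object Token:" prefix).

# Read a `certutil -L` listing on stdin and print the nickname of every
# certificate currently trusted as a CA for SSL (first flag group has "C").
ssl_trusted_cas() {
    awk '
        # only rows whose last column looks like a trust string, e.g. "CT,C,C"
        $NF !~ /^[cCTpPuw]*,[cCTpPuw]*,[cCTpPuw]*$/ { next }
        {
            split($NF, g, ",")
            if (g[1] ~ /C/) {
                sub(/[[:space:]]+[^[:space:]]+$/, "")   # drop the trust column
                print                                   # nickname may contain spaces
            }
        }'
}

# List what a profile trusts for SSL.
# Usage: list_ssl_trusted ~/.mozilla/firefox/PROFILE_DIR   (assumed path)
list_ssl_trusted() {
    certutil -d "sql:$1" -L | ssl_trusted_cas
}

# Turn off every trust use for one nickname.  This modifies trust (-M) rather
# than deleting (-D): a deleted Builtin Object Token entry comes back from the
# root module on restart, while a trust override lives in the profile database.
# Usage: untrust_ca ~/.mozilla/firefox/PROFILE_DIR "Builtin Object Token:CNNIC ROOT"
untrust_ca() {
    certutil -d "sql:$1" -M -n "$2" -t ",,"
}
```

Run list_ssl_trusted again after untrust_ca to confirm the nickname has dropped out of the SSL-trusted set.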
To those who don't see it, that's because you are not running Firefox 3.6, the first browser version released since CNNIC was added. The next 3.5 update will probably include it too.