Slashdot Mirror


Mozilla Accepts Chinese CNNIC Root CA Certificate

Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

11 of 256 comments

  1. Marking as untrusted by Saishuuheiki · · Score: 5, Informative

    Taken from comments section of article:

    Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there are a lot of entries there.

    One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.

  2. Re:Given they've bowed to Chinese pressure by Zocalo · · Score: 4, Informative

    You could just delete the certificate yourself. "Edit, Preferences, Advanced, Encryption, View Certificates"[1]. Select the one from CNNIC and hit "Delete".

    [1] "Tools, Options, Advanced, Advanced, View Certificates" if you are on Windows, but if you are on Windows the CNNIC certificate is probably not the most significant of your security worries... :)

    --
    UNIX? They're not even circumcised! Savages!
  3. delete cert? finger in dike by Onymous+Coward · · Score: 4, Informative

    Did you notice how many CAs are in the list? How do you feel about each?

    I might recommend encouraging technologies like Perspectives to provide defense in depth.

    1. Re:delete cert? finger in dike by zonky · · Score: 4, Informative

      Sound advice. For those new to Perspectives, it uses notary servers, and compares the thumbprint of the SSL cert with what 4-5 other points on the internet see. This should at least prevent localised MITM, even with a trusted CA issuing the MITM cert.

    2. Re:delete cert? finger in dike by Onymous+Coward · · Score: 4, Informative

      They've got a Firefox extension, too: http://www.cs.cmu.edu/~perspectives/firefox.html#install

      And this conveys the idea quickly and visually... the web demo: http://moo.cmcl.cs.cmu.edu/perspectives/

      They're also looking for developers to take the project. This could be a great tool for everyone.
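  The notary comparison described in the two comments above, written out as an added example (this is not code from the thread or from the Perspectives project; it models a notary's observation as just a fingerprint string and leaves out the signed, timestamped history the real protocol carries, and the quorum rule and the "inconclusive" verdict for notaries that disagree with each other are assumptions of this example, not something the thread specifies):

```python
"""Perspectives-style consistency check for a server certificate.

Added example. Assumed model (not from the original thread):
  - a notary observation is the SHA-256 fingerprint a notary saw for the
    site, keyed by notary name;
  - `quorum` is the minimum number of notaries that must agree before a
    verdict is trusted;
  - the local certificate is the DER bytes the client got from its own TLS
    handshake (in Python that is ssl.SSLSocket.getpeercert(binary_form=True)).
"""
import hashlib
from collections import Counter


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER-encoded certificate bytes, in the
    colon-separated upper-case hex form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def notary_verdict(local_fp: str, observations: dict, quorum: int) -> str:
    """Compare what this client sees against what the notaries saw.

    Returns one of:
      "consistent"   - at least `quorum` notaries saw the same fingerprint we did
      "mitm"         - at least `quorum` notaries agree on a *different*
                       fingerprint: our path to the site is seeing another cert,
                       regardless of which CA signed it
      "inconclusive" - no fingerprint reaches the quorum (key rotation in
                       progress, notary outage), so do not treat it as proof
                       either way
    """
    if not observations:
        return "inconclusive"
    if quorum < 1 or quorum > len(observations):
        raise ValueError("quorum must be between 1 and the number of notaries")
    majority_fp, majority_n = Counter(observations.values()).most_common(1)[0]
    if majority_n < quorum:
        return "inconclusive"
    return "consistent" if majority_fp == local_fp else "mitm"


# Constructed sample data: these are not real certificates, just byte strings
# standing in for the DER a client and four notaries would each receive.
REAL_CERT = b"constructed-der-for-example.com-real-key"
MITM_CERT = b"constructed-der-for-example.com-issued-by-a-trusted-but-rogue-ca"


def scenario_clean() -> str:
    """Client and all four notaries see the site's real certificate."""
    seen = fingerprint(REAL_CERT)
    return notary_verdict(seen, {n: seen for n in ("n1", "n2", "n3", "n4")}, 3)


def scenario_local_mitm() -> str:
    """Only the client's path is intercepted: the notaries still see the real
    cert, so the fake one is flagged even though a trusted CA signed it."""
    real = fingerprint(REAL_CERT)
    return notary_verdict(fingerprint(MITM_CERT),
                          {n: real for n in ("n1", "n2", "n3", "n4")}, 3)


def scenario_rotation() -> str:
    """The site just rotated its key; notaries are split, so no quorum."""
    old, new = fingerprint(REAL_CERT), fingerprint(b"constructed-der-new-key")
    return notary_verdict(new, {"n1": old, "n2": old, "n3": new, "n4": new}, 3)


if __name__ == "__main__":
    for name, fn in (("clean", scenario_clean),
                     ("local MITM", scenario_local_mitm),
                     ("key rotation", scenario_rotation)):
        print(f"{name:>12}: {fn()}")
```

  The point the thread makes is visible in `scenario_local_mitm`: the verdict never looks at the issuer, so a certificate from a CA the browser trusts (CNNIC or any other) is still caught when it differs from what the rest of the internet sees. The quorum keeps a single compromised or stale notary from flipping the result, and the "inconclusive" case is where a real client must fall back to the user rather than silently accepting or rejecting.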

  4. Re: As usual, please refrain from blindly chiming by TSHTF · · Score: 4, Informative

    Opera trusts CNNIC also.

  5. Does anyone notable *not* support CNNIC? by RalphBNumbers · · Score: 4, Informative

    I just checked, and both Mac OS X and Windows 7 seem to trust the CNNIC root...

    If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond Firefox.

    --
    "The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
    1. Re:Does anyone notable *not* support CNNIC? by iammani · · Score: 3, Informative

      Chrome does not.

  6. Re: As usual, please refrain from blindly chiming by bill_mcgonigle · · Score: 3, Informative

    He means, "please don't spam the Bugzilla comments unless you have something constructive to add." BMO used to block all slashdot referers at one point...

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  7. Re:Was pointing towards something like a CRL. by Minwee · · Score: 3, Informative

    Select "Tools", then "Options".

    Click "Advanced", "Encryption" and "View Certificates".

    Scroll down to "CNNIC" and select the "CNNIC Root" certificate.

    Finally click "Edit", uncheck "This certificate can identify web sites" and press OK until all the little windows go away.

    Now even if the root certs are updated, that cert remains untrusted.

    In IE you have to select "Tools", "Internet Options", "Content", "Certificates", "Trusted Root Certification Authorities", select the certificate you want, then click "Advanced", uncheck the "Server Authentication" role and then click "Ok", "Close", and "OK" again to finally make your change stick.

    What is ironic is that when you do that in IE with no problems, it actually takes more mouse clicks than doing the same thing in Firefox.

  8. Re:Why bother, there's always opera by BZ · · Score: 3, Informative

    Of course Opera also trusts this CA. But yes, there's always Opera. ;)