Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Accepts Chinese CNNIC Root CA Certificate

Posted by kdawson on from the who-do-you-trust dept.

Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

6 of 256 comments (clear)

  1. Re: As usual, please refrain from blindly chiming by Actually,+I+do+RTFA · · Score: 5, Insightful

    I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

    Are you saying "should Mozilla remove it?" Then the answer is probably no, becuase Mozillia is not an omni-beneficent entity. It probably helps them in some way to include it.

    The question is, should individual users remove it? And yes, by the link that you provided indicating it's role in the distribution of malware. Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?

    --
    Your ad here. Ask me how!
  2. Relative security of self-signed certificates by Anonymous Coward · · Score: 4, Insightful

    I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.

    Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:

    Why are self-signed certificates viewed with such relative suspicion?

    It only takes a single compromised or misled CA to bypass the entire trust system. The more CAs we have, the easier it is to compromise the system.

    Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)? Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA? (And it is effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.)

    As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.

  3. Re: As usual, please refrain from blindly chiming by gd2shoe · · Score: 5, Insightful

    At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents. Nobody's saying you should wait to remove it. The question is, should it be removed for the safety of others?

    The whole point of root certs is trust. We trust them to sign certificates which will be used, in turn, to keep our conversations private. Should CNNIC be trusted to keep conversations private? That is the question. Organizations like Mozilla put their own reputations on the line when choosing which root certs to include. Any abuse by CNNIC will be seen as a security flaw in Mozilla software. That is the issue. That is why Mozilla should care. (even if they disagree)

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
  4. Evidence by Spy+Hunter · · Score: 5, Insightful

    It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks. To perform a man-in-the-middle attack on (for example) gmail, CNNIC would have to send a fraudulent certificate to users. That certificate would be ironclad evidence that CNNIC can't be trusted, so all someone has to do is present one.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  5. Re: As usual, please refrain from blindly chiming by Anonymous Coward · · Score: 4, Insightful

    If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA. Guess MITM is a game for big players.
    Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection. From a security standpoint, the whole web should work the same.

    It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place. For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.

  6. Re:Something more substantial than Wikipedia ? by Jeremy+Erwin · · Score: 4, Insightful

    San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC.

    Tell me why I should trust a Chinese court. Because the Chinese Communist Party tells me they're trustworthy? Sorry, I'm not sure I should trust the CCP. Can you provide a trustworthy source that will attest to the CCP's ethics?