Slashdot Mirror


Mozilla Accepts Chinese CNNIC Root CA Certificate

Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

4 of 256 comments

  1. Given they've bowed to Chinese pressure by sethstorm · Score: 4, Interesting

    ...is there a straightforward way to mark CNNIC as untrusted?

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  2. Disagree with the premise. by Jane Q. Public · Score: 5, Interesting

    "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

    I am not sure I agree with this. When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.

  3. Something more substantial than Wikipedia? by Antiocheian · Score: 5, Interesting

    "surfaced claims of malware production and distribution"

    This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:

    "CNNIC produces one of the best-known malwares in China: the Chinese-Language-Surfing Official Edition. The software is frequently bundled with other adware/sharewares. It was declared malware by Beijing Network Industry Association and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard(360), an anti-virus software. San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC."

    Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled in their favor.

    Why is CNNIC untrustworthy? In plain English please.

  4. Re:restricting it to *.cn would make sense by ScrewMaster · Score: 4, Interesting

    Seeing as China makes lots of the core internet routers these days (with quickly growing market share) there is every reason to assume we're getting man-in-the-middle pwned.

    I'm not in *.cn, and I'm not visiting *.cn, so why in Hell should this certificate apply to me? If suddenly www.adobe.com is signed by China, there sure is a problem!

    It's funny, you know ... if we were all buying high-end routers from Russia everyone would be flipping out about security. But China makes inroads on that market (with the obvious intention of dominating it) and nobody really seems too upset. You have to assume that a hostile totalitarian state might try to exploit that advantage in some way.

    Weird. And I always thought denial was a river.

    --
    The higher the technology, the sharper that two-edged sword.