Slashdot Mirror
Mozilla Accepts Chinese CNNIC Root CA Certificate
Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Wow, youre so new here, youre still dripping wet and covered in placenta.
...is there a straightforward way to mark CNNIC as untrusted?
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Taken from comments section of article:
Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there's a lot of entries there.
One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.
Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Just wait while I go infiltrate the Chinese government to determine if they are doing bad things through CNNIC, so I can come back with evidence. While I'm at it, I'll be travelling through West Africa and I have the sum of $1,000,000,000 USD of money stashed there and I need your help to get it out of the country. I will give you 10% guaranteed.....
"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
I am not sure I agree with this. When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.
Did you notice how many CAs are in the list? How do you feel about each?
I might recommend encouraging technologies like Perspectives to provide defense in depth.
I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Are you saying "should Mozilla remove it?" Then the answer is probably no, becuase Mozillia is not an omni-beneficent entity. It probably helps them in some way to include it.
The question is, should individual users remove it? And yes, by the link that you provided indicating it's role in the distribution of malware. Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?
Your ad here. Ask me how!
Opera trusts CNNIC also.
I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.
Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:
Why are self-signed certificates viewed with such relative suspicion?
It only takes a single compromised or misled CA to bypass the entire trust system. The more CAs we have, the easier it is to compromise the system.
Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)? Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA? (And it is effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.)
As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.
I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...
If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond firefox.
"The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents. Nobody's saying you should wait to remove it. The question is, should it be removed for the safety of others?
The whole point of root certs is trust. We trust them to sign certificates which will be used, in turn, to keep our conversations private. Should CNNIC be trusted to keep conversations private? That is the question. Organizations like Mozilla put their own reputations on the line when choosing which root certs to include. Any abuse by CNNIC will be seen as a security flaw in Mozilla software. That is the issue. That is why Mozilla should care. (even if they disagree)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks. To perform a man-in-the-middle attack on (for example) gmail, CNNIC would have to send a fraudulent certificate to users. That certificate would be ironclad evidence that CNNIC can't be trusted, so all someone has to do is present one.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
"surfaced claims of malware production and distribution"
This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:
"CNNIC produces one of the best-known malwares in China: the Chinese-Language-Surfing Official Edition(). The software is frequently bundled with other adware/sharewares. It was declared malware by Beijing Network Industry Association() and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard(360), an anti-virus software. San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC."
Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.
Why is CNNIC untrustworthy ? In plain English please.
"Is there an add-on that does this automatically?"
There supposedly is, except its certification is provided by CNNIC...
If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA. Guess MITM is a game for big players.
Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection. From a security standpoint, the whole web should work the same.
It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place. For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.
Weird thing is, I can't find it in there at all, unless I'm just blind. There's nothing that says CNNIC (or even anything obviously Chinese).
One addendum to your directions, you have to be in the "Encryption" subtab of the Advanced tab or you won't see the "View Certificates" button.
Visit the test site and look again.
In a fair world, refrigerators would make electricity.
What's a MiTH attack? Man in ..?
Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?
Because Mozilla is capable of doing it and most computer users are (effectively) not.
Because we care about what happens to the internet.
Because it's going to be our mom's machine, and we'll have to fix it.
Never trust an atom. They make up everything.
He means, "please don't spam the Bugzilla comments unless you have something constructive to add." BMO used to block all slashdot referers at one point...
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
What's a MiTH attack? Man in ..?
Man in The Hat
Seeing as China makes lots of the core internet routers these days (with quickly growing market share) there is every reason to assume we're getting man-in-the-middle pwned.
I'm not in *.cn, and I'm not visiting *.cn, so why in Hell should this certificate apply to me? If suddenly www.adobe.com is signed by China, there sure is a problem!
It's funny, you know ... if we were all buying high-end routers from Russia everyone would flipping out about security. But China makes inroads on that market (with the obvious intention of dominating it) and nobody really seems too upset. You have to assume that a hostile totalitarian state might try to exploit that advantage in some way.
Weird. And I always thought denial was a river.
The higher the technology, the sharper that two-edged sword.
Why is CNNIC untrustworthy ? In plain English please.
I'm sorry sir, the certificate is in Chinese.
These posts express my own personal views, not those of my employer
There are different failure modes.
If you know that the victim has not visited a given site before you can MITM them undetectably, but the attack doesn't scale. On the other hand the centralized key distribution hierarchy is vulnerable to widespread undetected MITM attacks if the hierarchy is compromised, where the SSH model would produce a large number of suspicious reports in that scenario... leading to the unmasking of the perpetrator.
Wow, youre so new here, youre still dripping wet and covered in placenta.
And a Chinese, heavy metal laden one, at that.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
Uh, no. It guarantees against eavesdropping as well.
No. They can now put anything on the web _as any name they like_ and verify that the authorized user of that name did so. For instance, they can put up their own "www.gmail.com" site that verifies as real; it can even say the certificate was issued to Google.
Not sure about Opera, but here is the resolution of the same issue for Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=340198
Why does there have be hysteresis to the process? That is, why does the burden of proof change once Mozilla has accepted the certificate? If you see how the process worked, it was basically the case that by the time it became relatively common knowledge that the CNNIC certificate was going be added, the time for comments had passed (not many people make the habit of trolling through Bugzilla entries or the Mozilla "RFC" page to find things they may want to comment on). If, once it became common knowledge, there were serious objections raised to adding the certificate - why not start the process again from scratch? Why force anyone to prove that CNNIC will violate the duties of a CA, especially given that these violations may be in the future? Furthermore, the whole discussion should be considered special given that the "great firewall" has apparently begun blocking most of the threads discussing the issue, such that open discussion isn't even possible since the very people who may be affected by this most (those within China) are being prevented from discussing it.
The parent post was hit by moderator abuse. My post was also hit by moderator abuse. It looks like someone sympathetic to the Chinese government is abusing Slashdot. If you have mod points and you see this message, please browse through the down modded posts to check for abuse.
Of course Opera also trusts this CA. But yes, there's always Opera. ;)
Doesn't Firefox warn you if a key for a certain domain suddenly changes to something different? Remember these guys sign keys, they say "this guy is who he says he is", does that really give them the power to listen in on people?
They can only do so by replacing the key with something new, which probably generates a big security warning, and then they have to reencrypt it with the old key, so they do have to intercept communication and not just listen in.
I don't know if you should be concerned about that yet, unless you're Chinese (in which case what is the alternative? only trust American businesses with American CAs?)
// MD_Update(&m,buf,j);
Not only do I not trust CNNIC, I don't trust Verisign either. Nor any of the dozens of CAs which are installed by default.
In other words, the whole CA concept is flawed.
Already posted (saying roughly the same thing), so I have one modpoint left that I now can't use here. It needs to be repeated. "Trusted" seems to simply means "money changed hands".
Also FatPhil on SoylentNews, id 863
Not if it continues to be signed back to a root, which is the point. A previous employer of mine had its own root cert in our (IE6) browsers and I only noticed after a similar, related discussion on Slashdot caused me to look. I removed it temporarily and yep, all https traffic was being MITM'd. Given the nature of the organisation, it was understandable that they had to be able to audit such traffic, but that doesn't excuse them not talking about it. I later mentioned it to a 2nd line tech who was doing something unrelated and it was news to him, too.
[FUCK BETA]