Slashdot Mirror
Mozilla Accepts Chinese CNNIC Root CA Certificate
Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Wow, youre so new here, youre still dripping wet and covered in placenta.
...is there a straightforward way to mark CNNIC as untrusted?
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Taken from comments section of article:
Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there's a lot of entries there.
One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.
Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
Just wait while I go infiltrate the Chinese government to determine if they are doing bad things through CNNIC, so I can come back with evidence. While I'm at it, I'll be travelling through West Africa and I have the sum of $1,000,000,000 USD of money stashed there and I need your help to get it out of the country. I will give you 10% guaranteed.....
"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
I am not sure I agree with this. When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.
Did you notice how many CAs are in the list? How do you feel about each?
I might recommend encouraging technologies like Perspectives to provide defense in depth.
I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Are you saying "should Mozilla remove it?" Then the answer is probably no, becuase Mozillia is not an omni-beneficent entity. It probably helps them in some way to include it.
The question is, should individual users remove it? And yes, by the link that you provided indicating it's role in the distribution of malware. Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?
Your ad here. Ask me how!
Opera trusts CNNIC also.
I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.
Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:
Why are self-signed certificates viewed with such relative suspicion?
It only takes a single compromised or misled CA to bypass the entire trust system. The more CAs we have, the easier it is to compromise the system.
Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)? Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA? (And it is effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.)
As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.
I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...
If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond firefox.
"The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents. Nobody's saying you should wait to remove it. The question is, should it be removed for the safety of others?
The whole point of root certs is trust. We trust them to sign certificates which will be used, in turn, to keep our conversations private. Should CNNIC be trusted to keep conversations private? That is the question. Organizations like Mozilla put their own reputations on the line when choosing which root certs to include. Any abuse by CNNIC will be seen as a security flaw in Mozilla software. That is the issue. That is why Mozilla should care. (even if they disagree)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks. To perform a man-in-the-middle attack on (for example) gmail, CNNIC would have to send a fraudulent certificate to users. That certificate would be ironclad evidence that CNNIC can't be trusted, so all someone has to do is present one.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
"surfaced claims of malware production and distribution"
This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:
"CNNIC produces one of the best-known malwares in China: the Chinese-Language-Surfing Official Edition(). The software is frequently bundled with other adware/sharewares. It was declared malware by Beijing Network Industry Association() and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard(360), an anti-virus software. San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC."
Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.
Why is CNNIC untrustworthy ? In plain English please.
If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA. Guess MITM is a game for big players.
Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection. From a security standpoint, the whole web should work the same.
It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place. For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.
He means, "please don't spam the Bugzilla comments unless you have something constructive to add." BMO used to block all slashdot referers at one point...
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
What's a MiTH attack? Man in ..?
Man in The Hat
Seeing as China makes lots of the core internet routers these days (with quickly growing market share) there is every reason to assume we're getting man-in-the-middle pwned.
I'm not in *.cn, and I'm not visiting *.cn, so why in Hell should this certificate apply to me? If suddenly www.adobe.com is signed by China, there sure is a problem!
It's funny, you know ... if we were all buying high-end routers from Russia everyone would flipping out about security. But China makes inroads on that market (with the obvious intention of dominating it) and nobody really seems too upset. You have to assume that a hostile totalitarian state might try to exploit that advantage in some way.
Weird. And I always thought denial was a river.
The higher the technology, the sharper that two-edged sword.
Why is CNNIC untrustworthy ? In plain English please.
I'm sorry sir, the certificate is in Chinese.
These posts express my own personal views, not those of my employer
Of course Opera also trusts this CA. But yes, there's always Opera. ;)
Not only do I not trust CNNIC, I don't trust Verisign either. Nor any of the dozens of CAs which are installed by default.
In other words, the whole CA concept is flawed.
Not if it continues to be signed back to a root, which is the point. A previous employer of mine had its own root cert in our (IE6) browsers and I only noticed after a similar, related discussion on Slashdot caused me to look. I removed it temporarily and yep, all https traffic was being MITM'd. Given the nature of the organisation, it was understandable that they had to be able to audit such traffic, but that doesn't excuse them not talking about it. I later mentioned it to a 2nd line tech who was doing something unrelated and it was news to him, too.
[FUCK BETA]