Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Accepts Chinese CNNIC Root CA Certificate

Posted by kdawson on from the who-do-you-trust dept.

Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

8 of 256 comments (clear)

  1. As usual, please refrain from blindly chiming in? by gad_zuki! · · Score: 5, Funny

    Wow, youre so new here, youre still dripping wet and covered in placenta.

  2. Marking as untrusted by Saishuuheiki · · Score: 5, Informative

    Taken from comments section of article:

    Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there's a lot of entries there.

    One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.

  3. You're kidding, right? by taoye · · Score: 5, Funny

    Just wait while I go infiltrate the Chinese government to determine if they are doing bad things through CNNIC, so I can come back with evidence. While I'm at it, I'll be travelling through West Africa and I have the sum of $1,000,000,000 USD of money stashed there and I need your help to get it out of the country. I will give you 10% guaranteed.....

  4. Disagree with the premise. by Jane+Q.+Public · · Score: 5, Interesting

    "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

    I am not sure I agree with this. When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.

  5. Re: As usual, please refrain from blindly chiming by Actually,+I+do+RTFA · · Score: 5, Insightful

    I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

    Are you saying "should Mozilla remove it?" Then the answer is probably no, becuase Mozillia is not an omni-beneficent entity. It probably helps them in some way to include it.

    The question is, should individual users remove it? And yes, by the link that you provided indicating it's role in the distribution of malware. Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?

    --
    Your ad here. Ask me how!
  6. Re: As usual, please refrain from blindly chiming by gd2shoe · · Score: 5, Insightful

    At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents. Nobody's saying you should wait to remove it. The question is, should it be removed for the safety of others?

    The whole point of root certs is trust. We trust them to sign certificates which will be used, in turn, to keep our conversations private. Should CNNIC be trusted to keep conversations private? That is the question. Organizations like Mozilla put their own reputations on the line when choosing which root certs to include. Any abuse by CNNIC will be seen as a security flaw in Mozilla software. That is the issue. That is why Mozilla should care. (even if they disagree)

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
  7. Evidence by Spy+Hunter · · Score: 5, Insightful

    It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks. To perform a man-in-the-middle attack on (for example) gmail, CNNIC would have to send a fraudulent certificate to users. That certificate would be ironclad evidence that CNNIC can't be trusted, so all someone has to do is present one.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  8. Something more substantial than Wikipedia ? by Antiocheian · · Score: 5, Interesting

    "surfaced claims of malware production and distribution"

    This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:

    "CNNIC produces one of the best-known malwares in China: the Chinese-Language-Surfing Official Edition(). The software is frequently bundled with other adware/sharewares. It was declared malware by Beijing Network Industry Association() and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard(360), an anti-virus software. San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC."

    Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.

    Why is CNNIC untrustworthy ? In plain English please.