Mozilla Debates Whether To Trust Chinese CA
At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."
Maybe I shouldn't trust the North American certificates either, since I don't want my government spying on me.
As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.
Seriously, shouldn't all users manage their certificate trust themselves?
If they aren't capable of doing so, are they capable of actually _having_ their things secure?
Firefox is Open Source. Let the Chinese build their own version of Firefox and see who trusts them to use it.
What's to stop a non-Chinese corporation from doing the same thing? Corporations can usually be bought since they exercise profit seeking behavior; it would probably take a ridiculously small bribe for a government such as the People's Republic of China to encourage such a corporation to engage in such compromising behavior and it would be much harder to track.
Let the user decide. Don't be idiots trying to judge everything in the world. If the user is too silly, then bring a default option -- that's the only reason for this debate IMO.
Have you heard about SoylentNews?
Why should Mozilla take a chance at this? If someone wants this CA, it is trivial to manually add it to Mozilla's certificates. However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla foundation is guilty of espionage by proxy.
Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.
Just make it a configuration option, default NO.
Yeah, it's not the most elegant solution, but welcome to the real world, guys.
If the Chinese CA were stupid enough to actually perform this attack, it would be easy to gain incontrovertible evidence of their spying, as the hijacked responses would all be digitally signed with their signature.
Now if only there was a way for anybody to start a certificate authority and to issue certificates, and for the users to decide for themselves which certificate authorities they trust.
How do I know that the server on the other end is who they say they are? Without a trusted authority, I would need to manually verify (via some other trusted form of communication) each certificate.
As long as I rely on *any* central authority, I'm dependent on that authority to remain neutral.
So there is some doubt over if this is a good idea.
Surely that means it's a bad idea.
One "simple" solution would be for the browser to remember which certificate or CA a page uses, and put up a warning if it ever changed (within the validation period). A warning if the site all of a sudden went to http would perhaps also be a good idea. Yes, people ignore warnings, but it would at least help those of us in the know.
The loss of one's privacy should always be opt-out, but anyone concerned with privacy should always assume that it's currently being violated and thus take steps to actively protect it. Thus, anyone in China who wants privacy is going to have to do things like ensure that the Chinese CA is disabled in their browser (and actually verify that by accessing a site signed with it).
And of course, it's in the interest of its citizens. Use irony at will :).
Some news is just boring these days. This government good, that government bad.... I suppose we just need the simplemindedness of Animal Farm, it's soo good.
That said, any person who trusts her privacy to Windo*s is just ridiculous when she starts worrying about governments. Who needs government with a spyware stargate on his desk?
http://opencm3.net, http://www.nongnu.org/gm2/
China has been getting a lot of flak recently, and from how I understand it deservedly.
If they have done some stuff that is damning enough for companies like Google and Firefox to risk alienating such a huge market, then how can you trust anything that comes from them?
Troll is not a replacement for I disagree.
Except for the part where you can selectively and trivially turn off keys.
Anybody with non-trivial security needs really better be doing more than trusting the defaults.
Nerd rage is the funniest rage.
There is no good definition of exactly what you're trusting them with, no good independent verification that their trustworthiness is deserved, and as far as I know, no legal recourse if it isn't.
I consider the whole CA system to be fundamentally broken. But a new system would be so significantly different in both character and detail that I don't know how it could ever happen. UIs would have to be redesigned. Crypto geeks would have to start thinking about usability. I think the world would have to end first.
But I consider this to be one of the reasons the concept is broken.
In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just download the certificate from the website, and then warn you if the certificate ever changed when you went back to a website that claimed the same identity. Then you'd have to trust a CA at most once.
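One way to build the certificate memory this comment and the earlier "simple solution" comment describe (an added example, not code from the thread; hosts, issuers and fingerprints are constructed):

```python
"""Trust-on-first-use certificate memory, as the two comments above sketch.

Added example, not from the thread.  It works on metadata a browser already
has after the TLS handshake (leaf fingerprint, issuer, validity window); the
hosts, issuers and fingerprints below are constructed, not real certificates.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class LeafCert:
    fingerprint: str    # hex SHA-256 of the DER-encoded leaf certificate
    issuer: str         # issuer name as printed from the certificate
    not_before: datetime
    not_after: datetime


class CertMemory:
    """Remembers the first certificate seen per host and flags later changes."""

    def __init__(self):
        self._seen = {}   # host -> LeafCert pinned on first use

    def observe(self, host, scheme, cert, now):
        """Classify one page load: "first-use", "ok", "rotated" or "WARN"."""
        prev = self._seen.get(host)
        if scheme != "https":
            # A host only ever seen over TLS suddenly serving plain HTTP is the
            # downgrade the earlier comment wants flagged.
            if prev is not None:
                return "WARN", f"{host} used TLS before, now plain {scheme}"
            return "ok", "no TLS, nothing to remember"
        if prev is None:
            self._seen[host] = cert
            return "first-use", "remembering this certificate"
        if prev.fingerprint == cert.fingerprint:
            return "ok", "same certificate as last visit"
        # Changed.  A replacement while the remembered certificate is still
        # inside its validity period is what both comments warn on; a change
        # after it expired is ordinary renewal and is re-pinned silently.
        if now < prev.not_after:
            who = (f"issuer changed {prev.issuer!r} -> {cert.issuer!r}"
                   if prev.issuer != cert.issuer else "same issuer")
            return "WARN", (f"certificate for {host} replaced while the old one "
                            f"was valid until {prev.not_after:%Y-%m-%d} ({who})")
        self._seen[host] = cert
        return "rotated", f"old certificate expired {prev.not_after:%Y-%m-%d}"


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def demo():
    """Constructed scenario: pin, revisit, impostor, downgrade, renewal."""
    real = LeafCert("aa" * 32, "CN=Example Mail CA", utc(2010, 1, 1), utc(2011, 1, 1))
    fake = LeafCert("bb" * 32, "CN=Other Trusted CA", utc(2010, 2, 1), utc(2011, 2, 1))
    renewed = LeafCert("cc" * 32, "CN=Example Mail CA", utc(2011, 1, 1), utc(2012, 1, 1))
    mem = CertMemory()
    loads = [("https", real, utc(2010, 1, 5)),      # first visit: pin
             ("https", real, utc(2010, 1, 6)),      # same cert: ok
             ("https", fake, utc(2010, 3, 1)),      # other CA, old still valid: WARN
             ("http", None, utc(2010, 3, 2)),       # downgrade to plain http: WARN
             ("https", renewed, utc(2011, 1, 10)),  # old expired: rotated
             ("https", renewed, utc(2011, 1, 11))]  # re-pinned: ok
    return [mem.observe("mail.example", s, c, t)[0] for s, c, t in loads]
```

The warning on a pre-expiry change catches the impostor case the article describes even when the replacement cert chains to a root the browser trusts.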
However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla foundation is guilty of espionage by proxy.
I'm sorry, but Mozilla trusting any given CA does not make them guilty of a single thing, let alone espionage.
Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.
Yeah, you wouldn't be able to say that the dealership is guilty of theft if the people they gave the key to steal the cars. The people stealing the cars are the ones who are guilty.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
You could say the same about any certificate authority. What reason do we have to believe that any CA is not compromised by the NSA?
If you want to protect yourself against the government, you cannot trust any third party. Exchange your keys manually, in person.
Give me Classic Slashdot or give me death!
This is true of any and all CAs.
The debate is over. The results are in. Mozilla decided to trust the Chinese government CA. A transcript of their email debate can be found at english.gov.cn
...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt. Sooner or later, you will find yourself faced with situations in which you directly or indirectly become party to unethical acts.
This is hardly limited to Google. We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods.
Proud member of the Weirdo-American community.
A reason why FF would never be accepted by the US Government as an approved browser.
To me, it's simple. Trust is something that should be granted by the user. A browser distribution may well include certificates for various CAs as a convenience, but generally shouldn't include any of them as trusted by default. There should be an option for the user to designate bundled CA certs (or ones obtained elsewhere) as trusted, and installers could even include an option to enable them in the install procedure.
I'll ask you the same question I asked CAcert some years ago: "who is going to take responsibility, and what is he going to lose, if your security is compromised?"
Agreed, besides governments are not all created equal. If you want to buy a government bond for instance, you check its credit rating first. Countries/States/Counties/Cities all have them. As a professional, it's your duty to do your due diligence if other people are relying on your decision to make their decision.
In the case of China, it's not really a big deal anyway. If they really want to use their own certificates, they'll just mirror the source from mozilla/firefox, and distribute their slightly different rebranded version (even a private individual, or a private organization in China could do it). That's what China did for Android, China essentially forked Android 1.5. If you have your own country (with enough resources), it's probably a good idea to do that anyway. You take open source code, you audit it and you plug any security holes, and then you re-release it as your own rebranded version for your people to use (after all, for all you know the NSA and CIA may have forced the Mozilla developers to place backdoors in their code, or left security holes purposefully unpatched).
This way, the open source project is happy (I personally know that Google was actually delighted that 1.5 billion people were going to standardize on a version of Android), the country is happy to have its own browser (it can audit and approve/fork each version every time), and the user is happy too (since, at least he would be aware that he's browsing the web with a version of Firefox that has been rebranded locally, and that is potentially under the control of its own government).
The authenticity of certs no longer matters, and I'm frankly astonished that neither Mozilla nor Slashdot has ever heard of SSL taps, an *enormous number* of which are currently active in Chinese public networks.
It's a man-in-the-middle thing, and I run them at work. They're very easy to configure, and if you really know what you're doing, you can "legitimately" fake the identity of any cert you want, and every single byte of your traffic is sniffable to whoever runs the tap.
The only way to be completely safe is to surf the web in plain text. Never had a virus yet. Of course, buying stuff on Amazon.com is kinda tricky...
After the security researchers were able to get a rogue CA issued by RapidSSL by exploiting an MD5 collision and the predictable sequence number generation, I wish at least some of the major browsers would have revoked that compromised root CA. Despite the fact that any attacker could have gotten their own intermediate CA undetected before the exploit was published, no one bothered to remove their implicit trust of the root CA.
"Trust, but verify." - President Reagan
Why do Certificate Authorities have to be either completely trusted or not trusted at all? It couldn't be a ton of work to enable restrictions to be placed on the domains a CA is authoritative for.
Looks like there's already a thread discussing this for the Mozilla suite.
Here's another idea: defense in depth. Make CAs just one part of the whole picture. Another big part could be the stability of the certificate:
Perspectives
The idea might be quickly conveyed by the images on their web demo.
They've even got a Firefox plug-in.
Jeepers...talk about paranoia. Those splitters weren't put in for spying on U.S. citizens; they're only there to intercept the results from electronic voting machines and modify them according to specifications from a@#$$$R6a54@##
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
You nerds talk like the Chinese give a damn about what you want. The Chinese government is not to be trusted, ever! How many times over the last two years has something happened in China regarding the Net where their only response was a Bart Simpson's "it wasn't me", to an outright cyber-attack by organs of their government. Chairman Mao is still alive and well in the hearts of those old men who run China. Don't trust them.
My personal opinion is that this goes far beyond China. I actually trust cacert certificates more than any issued by a US corporation. Yes, China is bad, but it is really naive to think that the US government should be trusted more than China.
* Color-code the "secure lock icon" by the trust level of the root authority - less-trusted signers and signers without tight controls on who they sign get yellow, more-trusted ones get green.
* Put always-visible-by-default information saying who signed the page AND who the root is. If acme.com's signature is root-signed by Verisign, I should see "acme.com verified by Verisign" somewhere on the screen, probably in unobtrusive fine print.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Well, Beardo, it's good to see one other sane person on the boards.
Current leader Hu Jintao was among those who ordered the Massacre at Tiananmen Square. As someone who saw Tiananmen live on CNN, it's disturbing to me to hear how many other people think "Well, it's been 20 years since those men killed three thousand kids. I'm sure they're trustworthy by now..."
Can you imagine if Osama Bin Laden were a major trading partner of ours in 2020? It'd be a roughly analogous situation.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
...so it's OK to hire him as a babysitter here?
We didn't do business with Nazi Germany or Imperial Japan in 1960. We utterly dismantled those countries, hung their leaders and rebuilt them from scratch before the first dollar changed hands.
Now, if that's what you're proposing for the current murderous regime in China, I could get behind that...
While I can go down the rat hole of endless paranoia, the fact is that every time you connect to a site, there needs to be a separate path by which you can authenticate the certificate for a site with peer review. Perhaps even an old-fashioned phone call. Here's my organization's MD5 hash; if you don't get the same number, call for support.
The reality is that we only need a handful of trusted sites: credit card, bank accounts, etc. The browser should be able to link a specific cert and authority to a specific site.
I never thought the idea of "corporations" being trusted was a good one.
...your moral compass has broken. When you can propose a plan of action that's "cold and uncaring," and you plan to do it anyway, that's when you know your conscience has gone down for the count.
No, it does not matter to me in the least that it was just a bunch of foreigners that died. I've spent too much of my life abroad to believe that only American lives count. Perhaps the fact that my children carry dual citizenship has something to do with that.
As for this being a "matter of internal security" to the Chinese, I would have thought a denizen of Slashdot would know their Star Trek better than to accept that.
As for how we would feel if the shoe were on the other foot, I would HOPE that other nations would boycott us if it turned out that, for instance, President Obama had personally ordered those men to fire at Kent State. If we found out that President McCain had personally led Charlie Company during the My Lai Massacre, then I would HOPE we would be ostracized.
As for Japan and Germany not trading with us -- Have you been to those countries? They DON'T trade with us until they know they've got the better end of the bargain. Germany and Japan are a hell of a lot smarter than we are about trade. I can personally assure you from long experience that Japan doesn't let go of a single yen without absolute proof it's a better deal for them than the other guy.
I yearn for the day that my country is as smart about trade as Japan is.
SSL CA authority needs to be tied to the domain hierarchy.
This sort of domain-based CA should be able to be installed via DNS, and DNSSEC should continue to be rolled out, all the way to the client (browsers should have methods to verify the root DNSSEC key and follow the chain).
With SSL based on domain hierarchy, you need to know only the root DNS server's DNSSEC key. Everything else flows down from that.
Then CNNIC would only control .CN. The US Gov would theoretically only control .US, .GOV, .EDU. .COM, .NET, .ORG should be run by (as much as I hate to say it) the UN.
I already put SSH key fingerprints in my DNS and verify with DNSSEC-enabled openssh/bind-resolvers. SSL and/or SSL fingerprints could easily be done, if not just the entire CA public key.
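The domain-scoped trust this comment and the earlier "restrict the domains a CA is authoritative for" comment ask for already has a wire format in X.509: the name constraints extension (RFC 5280, section 4.2.1.10). The checker below is an added example, not code from the thread or from any browser; the roots, their names and their constraint lists are constructed to mirror the proposal and describe no real certificate.

```python
"""dNSName name-constraint checking in the style of RFC 5280 section 4.2.1.10.

Added example, not from the thread.  CA names and constraint lists are
constructed placeholders shaped like the comments' proposal (a .cn-only root,
a .gov/.us/.edu root); none of them is a real certificate.
"""


def dns_name_matches(name, base):
    """RFC 5280 dNSName rule: base 'example.com' matches itself and any name
    made by adding labels on the left (www.example.com), but NOT
    host1example.com.  A base with a leading dot ('.example.com') matches
    subdomains only; that form is how OpenSSL treats it and is mirrored here."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    if base == "":
        return True                      # empty subtree: no restriction
    if base.startswith("."):
        return name.endswith(base)       # strict subdomains of base
    return name == base or name.endswith("." + base)


def permitted_by(ca, dns_name):
    """Apply one CA's permittedSubtrees / excludedSubtrees to a single name.
    An excluded match always loses; an empty permitted list means no limit."""
    if any(dns_name_matches(dns_name, b) for b in ca.get("excluded", [])):
        return False
    permitted = ca.get("permitted", [])
    return not permitted or any(dns_name_matches(dns_name, b) for b in permitted)


def chain_allows(chain, leaf_sans):
    """Every CA in the chain (root first) must permit every SAN on the leaf.
    Constraints only narrow: a subordinate cannot widen what its issuer
    allowed.  Returns (allowed, first_offending_explanation_or_None)."""
    for ca in chain:
        for san in leaf_sans:
            if not permitted_by(ca, san):
                return False, f"{san} not permitted by {ca['name']}"
    return True, None


# Constructed roots in the shape the thread proposes (placeholders, not real CAs).
CN_ONLY_ROOT = {"name": "CN=cn-only root (constructed)", "permitted": ["cn"]}
US_GOV_ROOT = {"name": "CN=us-gov root (constructed)", "permitted": ["gov", "us", "edu"]}
UNCONSTRAINED = {"name": "CN=today's root (constructed)"}   # what browsers ship now
# A subordinate that lists .com as well gains nothing: its issuer still says .cn only.
WIDENING_SUB = {"name": "CN=sub (constructed)", "permitted": ["cn", "com"]}


def demo():
    return {
        "cn_root_gmail": chain_allows([CN_ONLY_ROOT], ["mail.google.com"])[0],
        "cn_root_cn_site": chain_allows([CN_ONLY_ROOT], ["www.cnnic.cn"])[0],
        "sub_cannot_widen": chain_allows([CN_ONLY_ROOT, WIDENING_SUB], ["mail.google.com"])[0],
        "mixed_sans_rejected": chain_allows([CN_ONLY_ROOT], ["www.example.cn", "www.example.com"])[0],
        "unconstrained_root": chain_allows([UNCONSTRAINED], ["mail.google.com"])[0],
        "gov_root_edu": chain_allows([US_GOV_ROOT], ["www.mit.edu"])[0],
        "no_label_splice": dns_name_matches("host1example.com", "example.com"),
        "leading_dot_excludes_apex": dns_name_matches("example.com", ".example.com"),
    }
```

The extension only helps if the CA actually carries it and the browser enforces it on every CA in the chain, which is why the unconstrained root in the demo still vouches for any name.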
Show the user which cert is active: it's incompetent and beyond belief that this took this long to hit the front page...
There are lots of abusive regimes in the world, and given sufficient time, it's inevitable that ANY nation will be subject to an abusive regime...
The Hidden Authorization mechanism isn't secure, and is guaranteed to cost lives, eventually.
( wouldn't Stalin or Stasi have loved this gift to 'em )
Therefore, MAKE the cert visible, and if I see that my session with "google mail" is authorized by the Government Regime ( any ), then *I* can know I'm being "hit"...
Why should they ever consider trusting a shameless organization which distributes malware (something really disgusting, took me half an hour to remove with tools like HijackThis) to unsuspecting netizens of China, and steals/deletes .cn domain names at will? And, yes, it's just a puppet of the government.
Are they mad? Forgot to do some research first?
...those three thousand kids who died literally fighting for Democracy? As far as I'm concerned, that MAKES them Americans.
to sell organs because they need money.
And Israeli doctors also do this to Palestinians.
On one hand Firefox will annoy you to hell if you access a site with a self-signed certificate; on the other hand they make you trust the Chinese government by default. Personally I trust a self-signed certificate a million times more than a certificate signed by the Chinese authority. And any other authority is only marginally better than self-signed, since they will issue a certificate to basically anyone with minimal checking.
With the self-signed one at least I know they are not trying to fool me, and I know whether the site certificate has changed since my last visit. With a "trusted" certificate you don't gain any more certainty than that; in fact you gain less, because the certificate can change without you even noticing.
While his concern is very real, if Firefox removes trust for that CA it loses market share in China.
And if that happens, then Firefox themselves have negated their own security benefits.
I think it's prudent to keep an eye on CNNIC for this very issue, but until suspect behavior is detected, I think that any rash moves on the part of Mozilla could be worse than what's currently seen.
No.
The issue isn't which government or entity is involved. The real issue is that SSL relies on a trust model that flies in the face of anything human beings do in real life to trust someone. Putting blind faith in organizations you have no idea of is, well, a bad idea. Certainly it has nothing to do with trust. If the worry is that the Chinese government will use it to stage MITMs, then it applies equally to all other governments. If something can be abused, it will be abused in the name of 'protecting' from [insert favorite horsemen of the day here]. These people will never stop amassing even more snooping power, no matter the location. It's a mindset.
So that leaves us with SSL: great encryption (for the time being) - lousy trust/authentication model = lousy overall architecture. All other points of hawking about the Chinese or whomever are completely irrelevant.
To see a bunch of Americans arguing about Chinese issues (threats, human rights) based on their ridiculous perceptions is twice as entertaining when it's a bunch of Slashdot geeks doing this. I'm always amazed to find out, despite someone calling the two countries G2, how little people from both countries know each other.
CNN
"For CNN, it all started in early April when Alec Miran, CNN's special events producer for the Gorbachev visit, went to Beijing to propose an "outlandish idea" to the Chinese authorities -- bringing in the network's own transmission equipment to beam live television pictures from China.
"It was unprecedented," said Miran. Before that, networks would feed their material from CCTV (Chinese Central Television), who would monitor -- and censor -- everything that was sent out.
"Our own transmission was a scary idea to them," said Miran. But he says he thinks the Chinese eventually agreed -- after much back and forth -- because, above all, they wanted international coverage of Gorbachev's visit.
The Chinese gave CNN permission to bring in their own "flyaway" satellite dish and additional microwave gear to be able to transmit live -- a permission unheard of at the time in closed, Communist China. CNN was granted exactly one week's permission, timed to coincide with the Soviet leader's visit."
Are you just too young and stupid to remember this Major Event of the 20th Century, or a shill for the Chinese Government?
When I try to find CNNIC in Firefox I see Verisign, Thawte and a whole heap of others, but not CNNIC. Does that mean I don't have it?
That mere things like facts and reality don't have any influence on you.
"was bad and a very grave mistake by the Chinese government"
3000 dead students is not a "mistake." It definitely qualifies as a massacre.
And yes, the world remembers.
I don't see how this would work. It makes the argument that if a CA were under the authority of a government (e.g. China) then it could redirect you to a fake Gmail site but you would think it was actually Gmail. Wouldn't this also require the DNS to be controlled by a government? And even if they did redirect you to a fake site... you'd know it was a fake site because your email wouldn't be there, because you weren't accessing Gmail but a different server. The most they could get you to do (possibly) is divulge your password, right?