Mozilla Debates Whether To Trust Chinese CA
At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."
Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.
As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.
Firefox is Open Source. Let the Chinese build their own version of Firefox and see who trusts them to use it.
Why should Mozilla take a chance at this? If someone wants this CA, it is trivial to manually add it to Mozilla's certificates. However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla foundation is guilty of espionage by proxy.
Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.
Just make it a configuration option, default NO.
Yeah, it's not the most elegant solution, but welcome to the real world guys.
If the Chinese CA were stupid enough to actually perform this attack, it would be easy to gain incontrovertible evidence of their spying, as the hijacked responses would all be digitally signed with their signature.
no they aren't. Which is the problem. The average user probably doesn't know what a security certificate is, let alone when you should, or should not trust one. That's why we have experts debating which ones to actually trust on their behalf.
Half the first year students we have in computer science courses can't navigate to a directory (note that these are generally not core comp sci students, but taking a course on say how to use photoshop), let alone figure out what a security certificate is. That's why we need experts to design systems which are inherently as secure as is legally possible in the first place.
Actually, this debate is about the default option. You can add and delete trusted certificate authorities all you want once you install Firefox.
Options / Encryption / Advanced / View Certificates / Authorities.
Personally, I think the Chinese CAs should be unlisted in Firefox by default, and those users that want to trust them can simply say "always trust this CA" when Firefox asks. Then again, I think every CA should be treated that way. Why does Firefox automatically trust TurkTrust, Dell, the Japanese government, and the Netherlands (to randomly pick four out of the hundreds of trusted CAs in the default list)?
Actually, that has a simple answer. A nontechnical segment of the population is simply going to do exactly what they do every time you ask a security question - answer YES, ALLOW, or whatever button is stopping them from seeing the cute video of the cat puking up noodles or the boobage behind the prompt box. Bombarding them with more security questions isn't really going to increase security, it's just going to increase frustration. So you add the (hopefully!) truly trustworthy CAs to the default list, then if a user ever encounters a CA warning box it'll be unusual enough that they might pause a few seconds before pressing ALLOW, and maybe even call a neighborhood 12-year-old to check to see if it's a really good idea.
The "hopefully!" part is important. If you're making decisions for your users in the form of shipped defaults, they'd better be well-thought-out.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
No. They're not capable of securing their own things. I'm not talking about the 'average' user, who may be somewhat competent, but the 'below average' user who falls for phishing schemes and virus attacks. If a 'below average' or even an 'average' user somehow learns that they need to add CAs to their browser to view certain sites then SSL will be completely and thoroughly broken and useless. Incidentally, clicking on a link to a .pem file makes it worryingly easy to add a CA in Firefox.
But that doesn't mean that web browsers shouldn't give users a better idea of how SSL works. Users have no idea they are relying on third-party CAs to prove that the site they're connecting to is the right site, and hasn't been tampered with.
The most sensible option would be to include all the CAs by default, but mark some as "iffy". CACert.org could for example be included. If you browse to an 'iffy' website for the first time a window will pop explaining that your connection is verified by a certain organization, and you can 'always trust' this organization, 'trust but warn' with a *small and less-obnoxious* dialog box, or 'never trust'. Maybe they should just do this for all CAs. This is really the only way to make the user understand that they are implicitly trusting some organization, whether it be VeriSign, a non-profit CA, or a company that might be under the control of the Chinese government.
China has been getting a lot of flak recently, and from how I understand it deservedly.
If they have done some stuff that is damning enough for companies like Google and Firefox to risk alienating such a huge market, then how can you trust anything that comes from them?
Troll is not a replacement for I disagree.
There is no good definition of exactly what you're trusting them with, no good independent verification that their trustworthiness is deserved, and as far as I know, no legal recourse if it isn't.
I consider the whole CA system to be fundamentally broken. But a new system would be so significantly different in both character and detail that I don't know how it could ever happen. UIs would have to be redesigned. Crypto geeks would have to start thinking about usability. I think the world would have to end first.
But I consider this to be one of the reasons the concept is broken.
In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just download the certificate from the website, and then warn you if the certificate ever changed when you went back to a website that claimed the same identity. Then you'd have to trust a CA at most once.
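The "remember the certificate, warn if it changes" scheme in the comment above is trust-on-first-use (TOFU) pinning. The following is an added illustration written for this page, not Firefox or NSS code. It assumes a pin store keyed by hostname holding the SHA-256 fingerprint of the DER-encoded leaf certificate (the usual pin format), optionally persisted as JSON; the certificate bytes are constructed placeholders, not real DER.

```python
"""Trust-on-first-use certificate pinning (added example; assumptions noted)."""
import hashlib
import json
from pathlib import Path
from typing import Dict, Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest of the DER certificate bytes (assumed pin format)."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Hostname -> fingerprint map with first-sight, match and mismatch outcomes."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def save(self) -> None:
        # In-memory stores (path=None) are not persisted.
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, der_cert: bytes) -> str:
        """Classify a presented certificate for a host.

        'new'      first time this host is seen; the pin is recorded
        'ok'       presented certificate matches the recorded pin
        'mismatch' a known host presents a different certificate; nothing is
                   overwritten, the caller decides whether to warn or re-pin
        """
        fp = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self.save()
            return "new"
        return "ok" if pinned == fp else "mismatch"

    def repin(self, host: str, der_cert: bytes) -> None:
        """Record an explicit user decision to accept the changed certificate."""
        self.pins[host] = fingerprint(der_cert)
        self.save()


# Constructed sample "certificates": placeholder bytes, not real DER.
CERT_A = b"constructed-der-for-mail.example-v1"
CERT_A_RENEWED = b"constructed-der-for-mail.example-v2"


def demo() -> tuple:
    """First visit, repeat visit, then the same host with a different certificate."""
    store = PinStore()  # in-memory only
    first = store.check("mail.example", CERT_A)
    second = store.check("mail.example", CERT_A)
    third = store.check("mail.example", CERT_A_RENEWED)
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The third result is the scheme's known weak spot: a routine certificate renewal and an interposed certificate both show up as "mismatch", so the store cannot tell them apart on its own. That is why the comment still has the user "trust a CA at most once": on a mismatch the client can fall back to ordinary chain validation for that one decision before calling `repin`, rather than silently accepting the new certificate.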
...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt. Sooner or later, you will find yourself faced with situations in which you directly or indirectly become party to unethical acts.
This is hardly limited to Google. We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods.
Proud member of the Weirdo-American community.
To me, it's simple. Trust is something that should be granted by the user. A browser distribution may well include certificates for various CAs as a convenience, but generally shouldn't include any of them as trusted by default. There should be an option for the user to designate bundled CA certs (or ones obtained elsewhere) as trusted, and installers could even include an option to enable them in the install procedure.
"Trust, but verify." - President Reagan
You nerds talk like the Chinese give a damn about what you want. The Chinese government is not to be trusted, ever! How many times over the last two years has something happened in China regarding the Net where their only response was a Bart Simpson's "it wasn't me", to an outright cyber-attack by organs of their government. Chairman Mao is still alive and well in the hearts of those old men who run China. Don't trust them.
Well, Beardo, it's good to see one other sane person on the boards.
Current leader Hu Jintao was among those who ordered the Massacre at Tiananmen Square. As someone who saw Tiananmen live on CNN, it's disturbing to me to hear how many other people think "Well, it's been 20 years since those men killed three thousand kids. I'm sure they're trustworthy by now..."
Can you imagine if Osama Bin Laden were a major trading partner of ours in 2020? It'd be a roughly analogous situation.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
...so it's OK to hire him as a babysitter here?
We didn't do business with Nazi Germany or Imperial Japan in 1960. We utterly dismantled those countries, hung their leaders and rebuilt them from scratch before the first dollar changed hands.
Now, if that's what you're proposing for the current murderous regime in China, I could get behind that...
...your moral compass has broken. When you can propose a plan of action that's "cold and uncaring," and you plan to do it anyway; that's when you know your conscience has gone down for the count.
No, it does not matter to me in the least that it was just a bunch of foreigners that died. I've spent too much of my life abroad to believe that only American lives count. Perhaps the fact that my children carry dual citizenship has something to do with that.
As for this being a "matter of internal security" to the Chinese, I would have thought a denizen of Slashdot would know their Star Trek better than to accept that.
As for how we would feel if the shoe were on the other foot, I would HOPE that other nations would boycott us if it turned out that, for instance, President Obama had personally ordered those men to fire at Kent State. If we found out that President McCain had personally led Charlie Company during the My Lai Massacre, then I would HOPE we would be ostracized.
As for Japan and Germany not trading with us -- Have you been to those countries? They DON'T trade with us until they know they've got the better end of the bargain. Germany and Japan are a hell of a lot smarter than we are about trade. I can personally assure you from long experience that Japan doesn't let go of a single yen without absolute proof it's a better deal for them than the other guy.
I yearn for the day that my country is as smart about trade as Japan is.
They are not mad, they just don't have a process for dealing with entities that lie in their application and have immense resources to make those lies appear as truth.
As a related rant, this is a universal problem in the US and other Western countries. You have never seen a really evil government in your lives, and you can't begin to imagine what it looks like. You think Obama/Bush/whoever is evil, when they are just misguided, dishonest or stupid. A really evil government does not bother trying to answer; they just send the troops to make questions go away.