Mozilla Debates Whether To Trust Chinese CA

At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."

Re:Well in that case

Unless your nation has a track record of spying on its citizens web traffic, then you have a much more unfounded claim.

This should be default off, with an option to enable it. I certainly do not want to visit a site that has a trusted certificate whose root authority resides in China.

Re:Well in that case

Precisely. It's not exactly a subtle way of snooping, either. Anyone technically competent could see that the SSL has been changed.

A better way for the browsers to make things like this secure would be to remember the first SSL they received from the site and notify once that changes - similar to SSH. Yes it would be a PITA for them to implement, but once it's done, that's it, security went up a bit.