Slashdot Mirror
Mozilla Debates Whether To Trust Chinese CA
At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."
Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.
As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.
Seriously, shouldn't all users manage their certificate trust themselves?
If they aren't capable to do so, are they capable to actually _have_ their things secure?
Firefox is Open Source. Let the Chinese build their own version of Firefox and see who trusts them to use it.
Why should Mozilla take a chance at this? If someone wants this CA, it is trivial to manually add it to Mozilla's certificates. However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla foundation is guilty of espionage by proxy.
Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.
Just make it a configuration option, default NO.
Yeah, its not the most elegant solution, but welcome to the real world guys.
If the Chinese CA were stupid enough to actually perform this attack, it would be easy to gain incontrovertible evidence of their spying, as the hijacked responses would all be digitally signed with their signature.
Bogtha Bogtha Bogtha
Actually, this debate is about the default option. You can add and delete trusted certificate authorities all you want once you install Firefox.
Options / Encryption / Advanced / View Certificates / Authorities.
Personally, I think the Chinese CAs should be unlisted in Firefox by default, and those users that want to trust them can simply say "always trust this CA" when Firefox asks. Then again, I think every CA should be treated that way. Why does Firefox automatically trust TurkTrust, Dell, the Japanese government, and the Netherlands (to randomly pick four out of the hundreds of trusted CAs in the default list)?
Actually, that has a simple answer. A nontechnical segment of the population is simply going to do exactly what they do every time you ask a security question - answer YES, ALLOW, or whatever button is stopping them from seeing the cute video of the cat puking up noodles or the boobage behind the prompt box. Bombarding them with more security questions isn't really going to increase security, it's just going to increase frustration. So you add the (hopefully!) truly trustworthy CAs to the default list, then if a user ever encounters a CA warning box it'll be unusual enough that they might pause a few seconds before pressing ALLOW, and maybe even call a neighborhood 12-year-old to check to see if it's a really good idea.
The "hopefully!" part is important. If you're making decisions for your users in the form of shipped defaults, they'd better be well-thought-out.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
China has been getting a lot of flak recently, and from how I understand it deservedly.
If they have done some stuff that is damning enough for companies like Google and Firefox to risk alienating such a huge market, then how can you trust anything that comes from them?
Troll is not a replacement for I disagree.
Have a look at Perspectives: an approach to detecting MITM attacks by comparing the keys visible from other vantage points on the net.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
There is no good definition of exactly what you're trusting them with, no good independent verification that their trustworthiness is deserved, and as far as I know, no legal recourse if it isn't.
I consider the whole CA system to be fundamentally broken. But a new system would be so significantly different in both character and detail that I don't know how it could ever happen. UIs would have to be redesigned. Crypto geeks would have to start thinking about usability. I think the world would have to end first.
But I consider this to be one of the reasons the concept is broken.
In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just download the certificate from the website, and then warn you if the certificate ever changed when you went back to a website that claimed the same identity. Then you'd have to trust a CA at most once.
Need a Python, C++, Unix, Linux develop
...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt. Sooner or later, you will find yourself faced with situations in which you directly or indirectly become party to unethical acts.
This is hardly limited to Google. We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods.
Proud member of the Weirdo-American community.
I'll ask you the same question I asked CAcert some years ago: "who is going to take responsibility, and what is he going to lose, if your security is compromised ?"
The authenticity of certs no longer matter, and I'm frankly astonished that neither mozilla nor slashdot has ever heard of ssl taps, an *enormous number* of which are currently active in Chinese public networks.
It's a man-in-the middle thing, and I run them at work. They're very easy to configure, and if you really know what you're doing, you can "legitimately" fake the identity of any cert you want, and every single byte of your traffic is sniffable to whoever runs the tap.
"Trust, but verify." - President Reagan
You nerds talk like the Chinese give a damn about what you want. The Chinese government is not to be trusted, ever! How many times over the last two years has something happened in China regarding the Net where their only response was a Bart Simpson's "it wasn't me", to an outright cyber-attack by organs of their government. Chairman Mao is still alive and well in the hearts of those old men who run China. Don't trust them.
Well, Beardo, it's good to see one other sane person on the boards.
Current leader Hu Jintao was among those who ordered the Massacre at Tiananmen Square. As someone who saw Tiananmen live on CNN, it's disturbing to me to hear how many other people think "Well, it's been 20 years since those men killed three thousand kids. I'm sure they're trustworthy by now..."
Can you imagine if Osama Bin Laden were a major trading partner of ours in 2020? It'd be a roughly analogous situation.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
...so it's OK to hire him as a babysitter here?
We didn't do business with Nazi Germany or Imperial Japan in 1960. We utterly dismantled those countries, hung their leaders and rebuilt them from scratch before the first dollar changed hands.
Now, if that's what you're proposing for the current murderous regime in China, I could get behind that...
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
While I can go down the rat hole of an endless paranoia, the fact is that every time you connect to a site, there needs to be a separate path by which you can authenticate certificate for a site with peer review. Perhaps even an old fashioned phone call. Here's my organization's Md5HASH if you don't get the the same number, call for support.
The reality is that we only need a handful of trusted sites, credit card, back accounts, etc. The browser should be able to link a specific cert and authority to a specific site.
I never thought the idea of "corporations" being trusted was a good one
...your moral compass has broken. When you can propose a plan of action that's "cold and uncaring," and you plan to do it anyway; that's when you know your conscience has went down for the count.
No, it does not matter to me in the least that it was just a bunch of foreigners that died. I've spent too much of my life abroad to believe that only American lives count. Perhaps the fact that my children carry dual citizenship has something to do with that.
As for this being a "matter of internal security" to the Chinese, I would have thought a denizen of Slashdot would know their Star Trek better than to accept that.
As for how we would feel if the shoe were on the other foot, I would HOPE that other nations would boycott us if it turned out that, for instance, President Obama had personally ordered those men to fire at Kent State. If we found out that President McCain had personally led Charlie Company during the My Lai Massacre, then I would HOPE we would be ostracized.
As for Japan and Germany not trading with us -- Have you been to those countries? They DON'T trade with us until they know they've got the better end of the bargain. Germany and Japan are a hell of a lot smarter than we are about trade. I can personally assure you from long experience that Japan doesn't let go of a single yen without absolute proof it's a better deal for them than the other guy.
I yearn for the day that my country is as smart about trade as Japan is.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
SSL CA authority needs to be tied to domain hierarchy.
This sort of domain-based-CA's should be able to be installed via DNS and DNSSEC should be continue to be rolled out, all the way to the client (browsers should have methods to verify root DNSSEC, and follow the chain).
With SSL based on domain hierarchy, you need to know only the root DNS server's DNSSEC key. Everything else flows down from that.
Then CNNIC would only control .CN. The US Gov would theoretically only control .US, .GOV, .EDU. .COM, .NET, .ORG should be run by (as much as I hate to say it) the UN.
I already put SSH key fingerprints in my DNS and verify with DNSSEC-enabled openssh/bind-resolvers. SSL and/or SSL fingerprints could easily be done, if not just the entire CA public key.
Why should they ever consider trusting a shameless organization which distrubutes malware (something really disgusting, took me half an hour to remove with tools like HijackThis) to unsuspecting netizens of China, and steals/deletes .cn domain names at will? And, yes, it's just a puppet of the government.
Are they mad? Forgot to do some research first?