Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Debates Whether To Trust Chinese CA

Posted by timothy on from the but-that-would-never-happen dept.

At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."

16 of 276 comments (clear)

  1. Well in that case by Monkeedude1212 · · Score: 4, Insightful

    Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.

    As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.

    1. Re:Well in that case by Fantom42 · · Score: 4, Insightful

      Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.

      As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.

      I guess this is true, although considering the amount of malware coming out of China, and China's human rights record as compared to north american countries, I think there is reason not to equivocate about this.

    2. Re:Well in that case by Anonymous Coward · · Score: 5, Interesting

      Precisely. It's not exactly a subtle way of snooping, either. Anyone technically competent could see that the SSL has been changed.

      A better way for the browsers to make things like this secure would be to remember the first SSL they received from the site and notify once that changes - similar to SSH. Yes it would be a PITA for them to implement, but once it's done, that's it, security went up a bit.

    3. Re:Well in that case by Hatta · · Score: 4, Insightful

      Unless your nation has a track record of spying on its citizens web traffic, then you have a much more unfounded claim.

      You mean, like when the FBI put splitters into AT&T offices to monitor all the internet traffic going through them?

      Remember, any authority that can be abused will be abused. I wouldn't trust any certificate authority to protect me against the government.

      --
      Give me Classic Slashdot or give me death!
    4. Re:Well in that case by chill · · Score: 5, Insightful

      As long as the Chinese CA only deals with China, I have no problems with it.

      And you know that, how?

      With built-in root certificates, they are automatically trusted. Unless you're examining the entire cert chain of every SSL/TLS site you access, you have no idea which trusted root signed the vendor's certificate.

      --
      Learning HOW to think is more important than learning WHAT to think.
    5. Re:Well in that case by Anonymous Coward · · Score: 4, Insightful

      Where's your proof? Or are you just parroting hate for the sake of parroting hate?

      People throw around accusations of "hate" too lightly these days. Please try not to inject hyperbole into a reasonable disagreement.

    6. Re:Well in that case by cunina · · Score: 5, Insightful

      No, actually, you aren't saddened. You're delighted that he calls them "some mistakes," because it gives you yet another springboard from which to launch your smug, tired assault on the US government. "Look at me," you shout to the grown-ups while twirling about at their cocktail party, "I'm politically aware, I'm morally superior!" You carve out your obnoxious little social niche by dutifully informing the rest of us how evil we are, how "blind" we are, what hypocrites we are.
      You know what? We already know. We're all blind, we're all evil, we're all hypocrites. Including you. The world is not a comic book. It is a big messy mural in progress, with scenes of horrifying savagery and outstanding beauty. Those of us without personality issues to nurse choose to roll up our sleeves and improve the world one brushstroke at a time, rather than sit back in a battered beanbag of self-satisfaction and fling feces at the easiest targets.

    7. Re:Well in that case by theshowmecanuck · · Score: 4, Informative

      And I forgot to add that I disagree with the OP's sig that patriotism is bigotry. While I am not a big fan of deGaulle (let's just say I would have preferred we left him in Dunkirk when the Germans arrived), proving the "exception to the rule" rule, he said one smart thing:

      "Patriotism is when love of your own people comes first; nationalism, when hate for people other than your own comes first." -deGaulle

      Nationalism is bigotry. Nationalism leads to ethnic cleansing, even in the form of language laws. The statement is true even though it is completely at odds with his bullshit behaviour in Quebec in 1967 where he supported nationalism (and stuck his nose in Canada's affairs... and pissed off enough people that he had to fly home early leaving the ship he came in to sail home without him... and earning him the status of "rectum non grata" in Canada).

      --
      -- I ignore anonymous replies to my comments and postings.
    8. Re:Well in that case by iserlohn · · Score: 4, Insightful

      That way of arguing will get you no-where. Most of the stuff we buy from China are cheaply manufactured consumer goods, made in factories staffed by labourers that comes mainly from the rural northern and central regions of the country. The problem of buying goods from China is not because of human rights, but because of the lack of regulation and protection of labour and the environment in general (and also the devalued currency due to capital controls in China). Why? Because this is what puts goods from the developed countries at a disadvantage. We are in effect exporting pollution and bad treatment of labour through this.

      The only way for China to get any resemblance of human-rights that are available in the industrialized nations is for the Chinese people to fight for them. Think back on how long it took for rights to develop in England, for example, from the Magna Carta, to the Bill of Rights, to the development of Universal Suffrage and the Welfare State (no, it's not socialism). Now, when are the conditions right, I'm not so sure. But those in the know would definitely point to Hong Kong and Taiwan as a possible possible catalysts for this. Hong Kong is scheduled for Universal Suffrage in 2017, but many in the territory is trying to speed up the process while Beijing is trying to slow it down (as they fear it is a destabilizing factor to one-party rule in the mainland).

      --
      :. Ultimate Control Dedicated/VM Servers
  2. It's OSS by Anonymous Coward · · Score: 5, Insightful

    Firefox is Open Source. Let the Chinese build their own version of Firefox and see who trusts them to use it.

    1. Re:It's OSS by Thiez · · Score: 4, Funny

      Oh they do, they just don't appear on your browser because China MITM'ed your http session and changed the website.

  3. No. HELL No. by Anonymous Coward · · Score: 5, Insightful

    Why should Mozilla take a chance at this? If someone wants this CA, it is trivial to manually add it to Mozilla's certificates. However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla foundation is guilty of espionage by proxy.

    Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.

  4. Re:I wonder... by Sir_Sri · · Score: 4, Insightful

    no they aren't. Which is the problem. The average user probably doesn't know what a security certificate is, let alone when you should, or should not trust one. That's why we have experts debating which ones to actually trust on their behalf.

    Half the first year students we have in computer science courses can't navigate to a directory (note that these are generally not core comp sci students, but taking a course on say how to use photoshop), let alone figure out what a security certificate is. That's why we need experts to design systems which are inherently as secure as is legally possible in the first place.

  5. Re:Configuration Option by drinkypoo · · Score: 4, Insightful

    While we're at it, can we get a paranoid install option that disables ALL CAs by default, and requires you to enable each in turn? Maybe I don't trust Verisign, and would like to pass/fail all certs on an individual basis.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  6. Re:Why not change of certifcation notification? by jhantin · · Score: 4, Informative

    Have a look at Perspectives: an approach to detecting MITM attacks by comparing the keys visible from other vantage points on the net.

    --
    ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
  7. Forgive me for belaboring the obvious... by Angst+Badger · · Score: 5, Insightful

    ...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt. Sooner or later, you will find yourself faced with situations in which you directly or indirectly become party to unethical acts.

    This is hardly limited to Google. We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods.

    --
    Proud member of the Weirdo-American community.