Mozilla Debates Whether To Trust Chinese CA
At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."
Firefox is Open Source. Let the Chinese build their own version of Firefox and see who trusts them to use it.
Why should Mozilla take a chance at this? If someone wants this CA, it is trivial to manually add it to Mozilla's certificates. However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla Foundation is guilty of espionage by proxy.
Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.
Precisely. It's not exactly a subtle way of snooping, either. Anyone technically competent could see that the SSL has been changed.
A better way for the browsers to make things like this secure would be to remember the first SSL they received from the site and notify once that changes - similar to SSH. Yes it would be a PITA for them to implement, but once it's done, that's it, security went up a bit.
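The "remember the first certificate, notify on change" idea from the comment above, sketched as an added example that is not part of the original thread or of any browser's code. The `PinStore` class, the JSON file layout and the host name are assumptions made for illustration, and the certificate bytes are constructed stand-ins for DER data.

```python
import hashlib
import hmac
import json
from pathlib import Path


class PinStore:
    """Trust-on-first-use store: 'host:port' -> SHA-256 of the leaf certificate (DER)."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Return 'first-seen', 'match' or 'changed'; a pin is never overwritten silently."""
        key = f"{host.lower()}:{port}"
        seen = self.fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen  # first contact: remember, like SSH known_hosts
            self._save()
            return "first-seen"
        return "match" if hmac.compare_digest(pinned, seen) else "changed"

    def accept_change(self, host: str, port: int, der_cert: bytes) -> None:
        """Call only after the user has confirmed the new certificate out of band."""
        self.pins[f"{host.lower()}:{port}"] = self.fingerprint(der_cert)
        self._save()

    def _save(self) -> None:
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))


def demo(store_path):
    # Constructed byte strings standing in for DER-encoded certificates.
    original = b"constructed-cert-issued-by-CA-A"
    reissued = b"constructed-cert-issued-by-CA-B"
    store = PinStore(store_path)
    results = [store.check("mail.example.test", 443, original),
               store.check("mail.example.test", 443, original),
               store.check("mail.example.test", 443, reissued)]
    # A fresh process reloading the file still holds the original pin.
    results.append(PinStore(store_path).check("MAIL.example.test", 443, reissued))
    return results
```

In a real client the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`. Pinning the whole leaf certificate raises a "changed" result on every routine renewal, whereas pinning a hash of the public key survives renewals that reuse the key.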
...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt. Sooner or later, you will find yourself faced with situations in which you directly or indirectly become party to unethical acts.
This is hardly limited to Google. We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods.
Proud member of the Weirdo-American community.
As long as the Chinese CA only deals with China, I have no problems with it.
And you know that, how?
With built-in root certificates, they are automatically trusted. Unless you're examining the entire cert chain of every SSL/TLS site you access, you have no idea which trusted root signed the vendor's certificate.
Learning HOW to think is more important than learning WHAT to think.
No, actually, you aren't saddened. You're delighted that he calls them "some mistakes," because it gives you yet another springboard from which to launch your smug, tired assault on the US government. "Look at me," you shout to the grown-ups while twirling about at their cocktail party, "I'm politically aware, I'm morally superior!" You carve out your obnoxious little social niche by dutifully informing the rest of us how evil we are, how "blind" we are, what hypocrites we are.
You know what? We already know. We're all blind, we're all evil, we're all hypocrites. Including you. The world is not a comic book. It is a big messy mural in progress, with scenes of horrifying savagery and outstanding beauty. Those of us without personality issues to nurse choose to roll up our sleeves and improve the world one brushstroke at a time, rather than sit back in a battered beanbag of self-satisfaction and fling feces at the easiest targets.