Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chinese CA Issues Certificates To Impersonate Google

Posted by Soulskill on from the doing-trust-wrong dept.

Trailrunner7 writes: Google security engineers, investigating fraudulent certificates issued for several of the company's domains, discovered that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the unauthorized Google certificates, and could have issued certificates for virtually any domain. Google's engineers were able to block the fraudulent certificates in the company's Chrome browser by pushing an update to the CRLset, which tracks revoked certificates. The company also alerted other browser vendors to the problem, which was discovered on March 20. Google contacted officials at CNNIC, the Chinese registrar who authorized the intermediate CA, and the officials said that they were working with MCS to issue certificates for domains that it registered. But, instead of simply doing that, and storing the private key for the registrar in a hardware security module, MCS put the key in a proxy device designed to intercept secure traffic.

139 comments

  1. I'm sure IBM is right on that... by Maser · · Score: 1

    If we only knew what was really in that "partnership" agreement... Now we do!

  2. The Web of trust only works by Virtucon · · Score: 5, Insightful

    When we all agree to the same rules.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:The Web of trust only works by Anonymous Coward · · Score: 1

      The beginning of the end... I expect this will end with other countries de-trusting chinese authorities and vice versa. China is obviously trying to man-in-the-middle their citizens TLS connections to google.

    2. Re:The Web of trust only works by Feral+Nerd · · Score: 3, Informative

      The Web of trust only works ... When we all agree to the same rules.

      The CA system is broken.Trusting many different CAs has proven to be a bad idea since any CA can issue a certificate for any domain name they please like these guys did plus the fact that many CAs have suffered serious security breaches. What we've needed for years is some sort of DNS like system for certificates where certificates can be revoked and the action will be cascaded through the entire net quickly like domain name changes. There even have been proposals to use DNS for this purpose which as far as I understand it would render CAs redundant. Under the current system Google can only remove the certificates from the CA Root lists Google controls if the bad certificates have made it into those, and politely request that others who maintain CA Root lists do the same. I can only theorise that CA reform has proven problematic since implementing such a system would be taking a bowl of soup from the cauldron of certain set of people who have an interest in maintaining the old system and have resisted reform. I can't imagine any other reason why the certificate system hasn't been changed.

    3. Re:The Web of trust only works by Vlad_the_Inhaler · · Score: 2

      So what happens when the "bad guys" start revoking legitimate certificates? In this context, that would be MCS or CNNIC revoking Google's real certificates.
      I can imagine an NSA pulling a stunt like that as well.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    4. Re:The Web of trust only works by blippo · · Score: 3, Interesting

      It's a bit of a scam from the beginning. I remember almost 20 years ago I asked where the safety was in that we had to shell up a relatively large sum of money to some unknown company on the other side of the world, so that they could "verify" our identity (how exactly?) - just because they had bought (?) a place in Netscape's or Internet Explorer's root CA list.

      Since there are so many certificate authorities it's safe to assume that too many are compromised by- or under the influence of- criminal organisations or non-democratic and/or corrupt governments. (Ignoring the just-for-lulz hackers, I'm not that worried about them.)

      I really wished PGP/GPG-style trust chain model worked in real life, but it's a hassle even for techies.

      One idea would be to utilize the existing social networks + phones for something, but I doubt it would be possible to build something that is idiot-proof enough.
      (Especially since a lot of people seems to have no idea who some of their contacts actually are...)

      It could potentially solve email too though.

    5. Re:The Web of trust only works by Anonymous+Brave+Guy · · Score: 4, Insightful

      Trusting many different CAs has proven to be a bad idea

      Trusting any one of many different CAs has obvious vulnerabilities, as this case demonstrates (and it's not exactly the first time the problem of an untrustworthy CA has been observed in the wild). The current CA system isn't really a web of trust, because it ultimately depends on multiple potential single points of failure.

      One way or another, in the absence of out-of-band delivery of appropriate credentials, you have to trust someone, so I suspect the pragmatic approach is to move to a true web-of-trust system, where you trust a combination of sources collectively but never trust any single source alone, and where mistrust can also be propagated through the system. Then at least you can still ship devices/operating systems/browsers seeded with a reasonable set of initial sources you trust, but any single bad actor can quickly be removed from the trust web by consensus later while no single bad actor can undermine the credibility of the web as a whole. Such a system could still allow you to independently verify that the identity of a system you're talking to via out-of-band details if required.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    6. Re:The Web of trust only works by currently_awake · · Score: 0

      A decentralized system is harder for a single group to control. It's better to have a list of CA's you trust than to be forced to use a single one (that you don't). A centralized system means the NSA controls trust.

    7. Re:The Web of trust only works by antdude · · Score: 1

      I don't always agree with https://www.mywot.com/ ... :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    8. Re:The Web of trust only works by mcrbids · · Score: 1

      If only a domain could publish information about the CA authorized to sign its certificates... perhaps with a record via DNS called "info", and secured with something called DNSSEC so you can be relatively sure it's correct.

      Naw. Stuff like that couldn't happen, could it?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    9. Re:The Web of trust only works by GuB-42 · · Score: 1

      The problem is that we are using a _chain_ of trust rather than a _web_ of trust.

      The difference between the two is that in a chain of trust model, a certificate is signed by a single authority, whereas in a web of trust, a certificate can be signed by several authorities. In other words, a web of trust can do everything a chain of trust can do, and more.

      In the case of Google impersonation, the browser could require that google have at least 3 independent signatures from a trusted list. If one of the authority in the trusted list decides to allow someone to impersonate Google, that's one signature : not enough to break the system.

    10. Re:The Web of trust only works by psyclone · · Score: 1

      You mean like DANE?

    11. Re:The Web of trust only works by Anonymous Coward · · Score: 0

      Then your browser will warn you. If the site uses HSTS the page will simply not load. It would be a nuisance but wouldn't gain the NSA anything. At worst it could be used for a denial of service type attack, not something that goes under the radar.

  3. Are the CAs that do this revoked? by QuietLagoon · · Score: 5, Interesting

    Or at least their certs removed from valid CA Root lists that, for example, Mozilla uses. If not, why not? A trust has been breached.

    1. Re:Are the CAs that do this revoked? by BenJeremy · · Score: 5, Insightful

      THIS.

      Make an example out of them, at the very least. I doubt MCS or CNNIC will do anything to disengage themselves from the Chinese government (Most likely culprit here). Revoke their authority and put an end to this nonsense.

    2. Re:Are the CAs that do this revoked? by gnasher719 · · Score: 5, Interesting

      It seems that you are right. It very much looks like there was a genuine Certificate Authority behind this, and that means an Internet death sentence needs to be issued - removing that Certificate Authority from the root certificates of Windows, MacOS X, iOS, Android, Linux etc.

    3. Re:Are the CAs that do this revoked? by RelaxedTension · · Score: 4, Informative

      Yup, same as DigiNotar. This company is no longer trustworthy, regardless of if this happened on purpose, or due to being incompetent.

    4. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 5, Insightful

      So are we going to revoke Verisign's root CA certificate (and screw up the millions of websites that use their certs) when we eventually find out that the NSA strong-armed them into doing the same thing?

    5. Re:Are the CAs that do this revoked? by Holi · · Score: 5, Insightful

      If we are serious about trust then yes, otherwise this isn't the beginning of the end, it's just the end. If the cert's cannot be trusted and we are not willing to take the steps to preserve that trust then the whole internet economy goes poof.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    6. Re:Are the CAs that do this revoked? by meerling · · Score: 2

      A lot of people were predicting this type of problem back when certs were being pushed out and proclaimed to be the solution to security.
      (There have been numerous other issues of fraudulent certs, but I don't think they were as large as Google.)

    7. Re:Are the CAs that do this revoked? by sexconker · · Score: 5, Interesting

      We should. We won't.

      A system built around certificate authorities is broken by design. Self-signed certs are much more secure than anything stamped by a CA.
      And can we start using client certs, please? I should be able to walk into my bank and hand them a unique cert that they attach to my account and use for verification. Additionally, I should be able to request a unique cert on their end that they use only for my account so I can do my own verification.
      Since this is all self-signed shit, it can be easily automated.

      For revocation, all either party has to do is stop using/trusting the cert. No one can regenerate the bank's unique cert that I trust because there is no authority with that power. No one can regenerate mine. If the bank wants to issue a new cert, I have to go in and get the new cert and trust it. You can dumb down your trust if you want - the bank could mail you the cert, mail you a letter saying it's going to be changed, post the thumbprint of the cert on their site, to their support phone line, whatever. If I want to issue a new cert, I have to get them to trust me in a similar fashion.

      Doing it this way is more work, but you have ACTUAL trust, negotiated equally by both parties. You can choose convenience over security if you want, but you're not subject to some government/CA MITMing everything on a whim.

    8. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 0

      At the very least, there should be an easy option in every browser to un-select all registrars and allow us to select which registrars we would like to trust. The current method in Firefox is stupendously annoying in that you have to do each one on its own.

      I bet mine would be a very tiny list and that's the way I would prefer it.

    9. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 1

      And what about when you need to be sure that a company that's half-way across the country (or planet) are who they claim they are? Just book a round-trip flight so you can pick up a copy of their cert in person at their corporate HQ?

    10. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 0

      Yes, absolutely. Any CA which issues forged fertificates (on anybody's behalf) should be dropped.

    11. Re:Are the CAs that do this revoked? by praxis · · Score: 2

      The company can generate a certificate (public and private key pair) and send you the public key pair through an unsecure channel. They can then tell you the fingerprint over a secure channel. You do the same. You each verify that the public key of the other party is actually the other party's public key and then you two can communicate securely.

      No, what constitutes a secure channel for key verification? That's where you can get levels of trust from one posted on their website (weak) to one read to you over a phone by a human (weak) to travelling and exchanging (stronger). Of course, if you are travelling you might as well just exchange public keys that way.

    12. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 1

      It seems that you are right. It very much looks like there was a genuine Certificate Authority behind this

      If you believe that Verisign, or any other US-based CA would refuse a 'request' from NSA to quietly issue them a certificate in the name of a 3rd party, then you haven't been paying attention. If you believe there are no CAs or CA employees willing to issue false certs in exchange for money or favors, then you're also naive. The 'web of trust' is a tool, like a password, and it does not guarantee anything.

    13. Re:Are the CAs that do this revoked? by kbonin · · Score: 2

      Agreed. The ONLY effective punishment for a CA that breaches trust or competence this poorly is to mark its roots as permanently untrusted. In a world that has set aside morals and ethics (or redefined them into doublespeak meaninglessness), the only punishment that will actually make corporations change their behavior are penalties that significantly exceed the full gains of breaking the rule or law. The related challenge is raising the certification bar, so this doesn't become a "whack a mole" with CCNIC2, CCNIC3, TOTALLY_NOT_CCNIC, etc...

    14. Re:Are the CAs that do this revoked? by DarkOx · · Score: 2

      Yes its a To big to Fail problem, just in another form. If your browser throws errors on just about ever site you visit pretty soon "many" people will start using another browsers. So no we won't revoke Verisign's root pretty much no matter what.

      Maybe an independent like Mozilla might would drop them, if the entire Verisign organization was discovered by an NSA front run by vampires with pedophilia it could happen but even then its only a maybe at best.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    15. Re:Are the CAs that do this revoked? by Zocalo · · Score: 2

      Personally, I'd say screw them, revoke the certificates in the OS/browsers, and let CNNIC figure out how to sort out the mess with their customers. Even if you were to then allow them to create a new certificate, they'll still need to go through the financial and administrative pain of having to re-issue all the certificates to their immediate customers like MCS, who will then have to re-issue all their certificates and so on... That's a huge slap on the wrist and a massive deterrant to any other CA messes with the web of trust, or a good defence they can use when their authoritarian government "requests" that they do so, which is more likely what happened here.

      In the meantime, you can always delete the trust yourself. Open your Browsers Certificate List ("Options, Advanced, Certificates, View Certificates" in Firefox), find CNNIC's certs (there are two in Firefox - "CNNIC ROOT" and "China Internet Network Information Center EV Certificates Root") and either delete them altogether or edit the trust and remove the ability to sign websites. That's pretty useless as anything other than a feel good factor though because it doesn't stop you accessing any sites in that particular chain of trust; you'll just get a warning that the site uses an untrusted certificate and prompt to abort or add the site's specific certificate without any upstream CA certificates.

      --
      UNIX? They're not even circumcised! Savages!
    16. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 0

      None of this remotely addresses the underlying problem, as you admit yourself. I'm not clear on why you made this post.

    17. Re:Are the CAs that do this revoked? by Ted+Stoner · · Score: 3, Interesting

      I am annoyed that Firefox does not respect my choices for trusted certs when it does an update. Every time FF updates I go in an un-trust certs from CAs from foreign countries (China, Turkey, etc.). But after the next update, they are back. This is not a secure way to operate.

    18. Re:Are the CAs that do this revoked? by Mattcelt · · Score: 2

      If you can't trust that the entity with which you're exchanging information has the security of the information as their highest priority, no amount of securing of channels is going to help.

      How do you know the person handing you the fingerprint hasn't switched it for a manky one?

      How do you know the server that generated the key hasn't been compromised?

      For that matter, how do you know that the remote entity hasn't been strong-armed into simply giving over all of your information? A government threatening to shut down a business or jail its workers shifts the priority to their own self-preservation, which means that in most cases, you're fucked.

      The Certificate Authority model is the best one we've been able to come up with to date. It's been around for 20+ years, and while it does have its flaws, it is the least flawed system I've seen proposed.

    19. Re:Are the CAs that do this revoked? by Vlad_the_Inhaler · · Score: 1

      If the consequences are severe enough, they would have to refuse. Would the NSA even push that hard if both parties knew that this would be a death sentence for Verisign once the truth emerged?

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    20. Re: Are the CAs that do this revoked? by DigiShaman · · Score: 1

      Next stop is for actual CCP or PLA boots on the ground. I'm convinced the velvet gloves come off. Either code a back door into your web services for official government access, or don't have a physical presence in the mainland. As for the MITM attack, totally legal. What are you going to do, sue the Chinese government??!

      --
      Life is not for the lazy.
    21. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 0

      We should. We won't.

      A system built around certificate authorities is broken by design. Self-signed certs are much more secure than anything stamped by a CA.
      And can we start using client certs, please? I should be able to walk into my bank and hand them a unique cert that they attach to my account and use for verification. Additionally, I should be able to request a unique cert on their end that they use only for my account so I can do my own verification.
      Since this is all self-signed shit, it can be easily automated.

      For revocation, all either party has to do is stop using/trusting the cert. No one can regenerate the bank's unique cert that I trust because there is no authority with that power. No one can regenerate mine. If the bank wants to issue a new cert, I have to go in and get the new cert and trust it. You can dumb down your trust if you want - the bank could mail you the cert, mail you a letter saying it's going to be changed, post the thumbprint of the cert on their site, to their support phone line, whatever. If I want to issue a new cert, I have to get them to trust me in a similar fashion.

      Doing it this way is more work, but you have ACTUAL trust, negotiated equally by both parties. You can choose convenience over security if you want, but you're not subject to some government/CA MITMing everything on a whim.

      Great idea!
      Would you do me a small favor and help my grandma through the process for her new bank account?

    22. Re:Are the CAs that do this revoked? by arth1 · · Score: 4, Interesting

      The irony here is that Google wants https with chain-of-trust certificates, and advocate https, and without self-signed certs harder than anyone. Now it comes back to bite Google's own derriere.

      The reason they want https (or SPDY or HTTP/2.0) everywhere isn't our best interest, but because you can't easily hide behind caching proxy servers, giving them better fingerprinting as well as a higher hit count on ads.

      When I have to go to Google, I go to the non-redirecting http page they have hidden.
      My personal privacy is worth more to me than the risk of a 3rd party listening in on my searches (other than the three letter agencies who already listen in).

    23. Re:Are the CAs that do this revoked? by Anonymous+Brave+Guy · · Score: 1

      Yes its a To big to Fail problem, just in another form.

      If anything is too big to fail, you are usually better off making it fail anyway as soon as possible to minimise the damage. Some of the problems in the global financial industry today aren't because of inherent weaknesses in the system. Instead they have been caused precisely by allowing organisations to grow too big, or perhaps more accurately by allowing them to take on disproportionate levels of risk, and then supporting those organisations at government level instead of allowing them to go under when they should have.

      If your browser throws errors on just about ever site you visit pretty soon "many" people will start using another browsers.

      But it won't, because plenty of other CAs are used and plenty of sites don't use HTTPS routinely yet. All the big sites, the Facebooks and Googles and Amazons of the world, would have switched to another CA within an hour. All the truly security-sensitive organisations like your bank or card company or government would update their certificates very quickly as well.

      CAs determined to protect their reputation at a time when their industry would inevitably be seriously damaged in the credibility stakes might take longer to issue things like EV certificates as they made a point of fully validating the organisations requesting them. However, basic HTTPS access and the highly recognisable padlock symbol would be back on all the big sites almost immediately. The worst they would likely suffer would be a few minutes of downtime (assuming organisations on that scale don't routinely have back-up certificates with a completely independent chain on permanent stand-by anyway) and maybe a slight increase in customer support calls as genuinely security-conscious users noticed the lack of EV identity for a while.

      Meanwhile, any browser that didn't remove a known-compromised CA from its trusted list very quickly would be vulnerable to justified criticism and no doubt plenty of rhetoric built on top about being insecure, and how users mustn't use that browser to visit safe sites like their bank or someone will empty their account. The geeks would get hold of the story first, of course, but as soon as it made front-page news (and something on this scale probably would) everyone would be talking about it that day.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    24. Re:Are the CAs that do this revoked? by vux984 · · Score: 2

      Self-signed certs are much more secure than anything stamped by a CA.

      Agreed, sort of. Its true ONLY if you load the client browser with the cert. There no security at all in being presented an arbitrary and here-to-for unknown self-signed-cert when browsing the the web, which means self-signing is suitable for managing your own users securely; more securely than than using the major roots.

      But -- one -- unless you actually remove the major roots; and we assume they're compromised then they can still present valid certs for your stuff - so switching to self signed doesn't really get you much security in that case. Because few of us can really afford to realistically pull all the major root authorities out of our browsers. If I normally self-sign my-private-domain; and then access it from my-laptop with my certs preloaded -- I can still be MITM'd if bad-actor can drop a versign signed cert or my domain in front of my browser -- I won't catch that unless i inspect the cert manually each time i visit; or I pull verisign out of my browser -- neither is convenient.

      And two -- self signed is useless for securing the public web. After all, if I browse to your-domain and get presented a self-signed certificate how do I know its from you? I could be looking at ANYBODY's self-signed certificate for your domain. That's far worse than the current root-CA situation where at worst a small number of entitties can impersonate me... as opposed to absolutely anybody using self-signed certs.

    25. Re:Are the CAs that do this revoked? by dotancohen · · Score: 1

      Or at least their certs removed from valid CA Root lists that, for example, Mozilla uses. If not, why not? A trust has been breached.

      The truth is that users have no way of knowing which of the tens of certificates included in the browser to leave and which to remove. This Super User question remains without a satisfactory answer, even as browser cert issues pile up almost monthly:
      http://superuser.com/questions...

      --
      It is dangerous to be right when the government is wrong.
    26. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 1

      Actually, Google doesn't rely on CAs as much as it appears at first glance: Chrome and Firefox come with Google's public keys and will not accept other keys. Not sure what other browsers do the same, although obviously not all of them (otherwise the attack this article is about never would have happened).

    27. Re:Are the CAs that do this revoked? by sexconker · · Score: 2

      If you can't establish trust in a secure manner, then you cannot trust them.
      Welcome to actual security.

    28. Re:Are the CAs that do this revoked? by sexconker · · Score: 2

      The cert is as secure as the cryptography and implementation.
      The trust is up to you, not some web of "authorities".

    29. Re:Are the CAs that do this revoked? by vux984 · · Score: 1

      The cert is as secure as the cryptography and implementation.

      The point however, is that, as implemented, if you trust verisign as a root CA for any domain; then you trust verisign as a possible root CA for ALL domains.

      Including your own private domain, the one you signed yourself, and installed your own certificates for.

      The trust is up to you, not some web of "authorities".

      But you and I when presented with a self-signed certificate on the world wide web are not generally in a position to have any information at all whatsoever whether to trust it or not.

      The web of authorities may be broken and unreliable in edge cases; but taking them out the equation and saying "the trust is up to me" is meaningless ... if I browse to www.slashdot.org how am I supposed to make an informed decision whether to trust the cert or not? Putting the decision in my hands is useless if I can't make an informed decision.

    30. Re:Are the CAs that do this revoked? by RabidReindeer · · Score: 1

      Realistically, what we need is a "web of trust". The idea that there are certain incorruptible agencies who can vouch for anyone is pretty preposterous to begin with.

      If, instead, anyone could vouch for another and we could build up our own list of trusted authenticators and score unknown parties against their associations, a la degrees of Kevin Bacon, it would probably be a lot more secure than the current binary system with unreliable certifiers in it.

      As it is, I'm already dealing with a number of agencies who've allowed their certs to expire but I have to bite the bullet and trust that their site isn't being spoofed. Local/state government agencies are especially bad at this, since they frequently have crap tech resources to begin with. If the city, county, and/or state could be a trust source in its own right and vouch for local agencies it would be a move up.

    31. Re:Are the CAs that do this revoked? by RabidReindeer · · Score: 1

      If you can't trust that the entity with which you're exchanging information has the security of the information as their highest priority, no amount of securing of channels is going to help.

      Why sir, I have no doubt that my insurance company/big-bog retailer, etc. is totally dedicated to keeping my information secure and not in simply making the cheapest token security gestures they can get away with.

      After all, if you can't trust major corps like Anthem, Home Depot and Target, who can you trust?

    32. Re:Are the CAs that do this revoked? by ahodgson · · Score: 1

      It's more likely the NSA would hack Verisign, take their keys, and use them to create whatever certificates they want. And if you think they care about what happens to Verisign as a result, I have a bridge to sell you.

    33. Re:Are the CAs that do this revoked? by Fnord666 · · Score: 2

      In the meantime, you can always delete the trust yourself. Open your Browsers Certificate List ("Options, Advanced, Certificates, View Certificates" in Firefox), find CNNIC's certs (there are two in Firefox - "CNNIC ROOT" and "China Internet Network Information Center EV Certificates Root") and either delete them altogether or edit the trust and remove the ability to sign websites.

      What happens the next time there's an update to firefox?

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    34. Re:Are the CAs that do this revoked? by dog77 · · Score: 1

      I second this, and add that we should start using trusted authorities to get, verify, and monitor all of the self signed public certificates, similar to how PGP works. We generally trust a few reputable companies and organizations and so these entities could setup the registries for the self signed certificates, and could monitor and establish mechanisms for generating creditibilty ratings for certificates. They can monitor for complaints, fraud, abuse, impersonations, etc. Your browser and operating system (which you already trust) would have a base line list of entities to establish the reliability of a given certificate, and you could modify that list if it suited you.

      Along with your 2 way authentication proposal, establish an authentication protocol with acceptance level similar to SSL that allows the authentication to be done securely between key manager on the client side (away from any trojans or keyloggers) and a user/key database on the server side (away from any hackers). This way way we can keep the most sensitive information (the keys), in a simple isolated device or server, that does one thing, manage keys, thus drastically reducing risk of being compromised. Also, a well established authentication protocol standard, is needed if we want to rid ourselves of using passwords (not just for browsers, but also applications).

    35. Re:Are the CAs that do this revoked? by Trogre · · Score: 1

      Yes.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    36. Re:Are the CAs that do this revoked? by dog77 · · Score: 1

      I think the idea is on the right track, and that properly implemented could simplify life for everyone, including your Grandma. A good authentication standard, akin to SSL, so that we all only had to carry and manage one key manager, for all of the the items we secure: house, car, hotel room, bank account, web site, safe. No more remembering or coming up with passwords. One method to interface and manage authentication.

    37. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 0

      The reason they want https (or SPDY or HTTP/2.0) everywhere isn't our best interest, but because you can't easily hide behind caching proxy servers, giving them better fingerprinting as well as a higher hit count on ads.

      Except you can hide just as easily behind a caching SPDY or HTTP/2.0 proxy server as an HTTP/1.1 proxy. Perhaps you should read about the protocols before making unsubstantiated claims that are clearly wrong!

    38. Re:Are the CAs that do this revoked? by dog77 · · Score: 1

      If the self signed idea is combined with trust authorities (not signers), that verifiy this certificate is actually a valid one, and is say verified to be valid by several trust authorities (e.g. Google, Microsoft, Ubuntu, US.gov, etc) who you do have certificates for then I think it is a good alternative or supplemental approach to what we currently have.

    39. Re:Are the CAs that do this revoked? by sjames · · Score: 1

      Yes. No exceptions, breech trust == no longer trusted.

      The CAs inclined to integrity will be able to use the potential wipeout as a good reason their cooperation can't be legally demanded and the less scrupulous may be deterred by the consequences.

      Meanwhile, what's the alternative? Bend over and spread 'em wide?

    40. Re:Are the CAs that do this revoked? by sjames · · Score: 1

      Just make the block screen read blocked for the sake of the children.

    41. Re:Are the CAs that do this revoked? by arth1 · · Score: 1

      Trolling much, AC?
      I have written a proxy server. What are your creds?

      From the Wikipedia entry on SPDY:

      SPDY requires the use of SSL/TLS (with TLS extension ALPN), and does not support operation over plain TCP.

      This means that (a) unless you can get the client to install the proxy server's CA, it cannot act as a man-in-the-middle on your behalf, and (b) they know who you are because of the SSL session being unique for each client - there's no mistaking your request for the request of anyone else behind the same proxy. Even more so because it re-uses a single connection. Make no mistake, this protocol was designed to thwart proxies and caching, and making the user trackable for the servers. Speed is the carrot, not the horse.

      Similar for HTTP/2.0, which in large parts are based on SPDY, and written largely by the same people.

    42. Re:Are the CAs that do this revoked? by thegarbz · · Score: 1

      Similar for HTTP/2.0, which in large parts are based on SPDY, and written largely by the same people.

      Except for the bits which would suit your argument. HTTP/2.0 does not mandate encryption of any kind and that was one of the biggest complaints of slashdot discussions on the topic in the past.

    43. Re:Are the CAs that do this revoked? by Lennie · · Score: 1

      Your bank still has an office you can go to ?

      Mine doesn't anymore, they are busy getting rid of all their bank locations and clerks.

      Automation is what they want.

      And getting rid of cash seems to be a policy.

      They are even reducing the number of ATMs.

      This doesn't just apply to the my bank, but all banks in my country.

      Even if they had an office I could go to, I doubt the clerk knows security procedures well enough to check if my ID is correct.

      So, no, I don't think your idea will work. :-(

      --
      New things are always on the horizon
    44. Re:Are the CAs that do this revoked? by praxis · · Score: 1

      Yes, of course you also have to trust the sender. We're talking about securing communications here, not trusting a sender. If you don't trust the sender, why even talk about trusting their communication? We need to first trust the sender, then we can think about "how do I know this message is from that specific trusted sender and not compromised."

      Authentication using a certificate gives you no inherent trust of the other party. I thought that was obvious.

    45. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 0

      Incorrect.

      Google is forbidden by FTC consent-decree https://www.ftc.gov/sites/default/files/documents/cases/2011/04/110405googlebuzzfrn.pdf from targeting ads in the vague ways you allege.

      Any web site that doesn't want their page cached can ask proxies to do that with headers or by varying the URL, no need to resort to https.

      Browser fingerprinting uses javascript stuff mostly, not things stripped by caches.

      Most people don't have proxy caches. If you set one up yourself it would likely make you easier to track since you'd be coming from the cache even at a cafe, but this is silly. If you want to be anonymous you need to use tor, and use the bundled browser.

    46. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 0

      >Self-signed certs are much more secure than anything stamped by a CA.

      Until the NSA realizes they can just make a new cert and MITM all your traffic.

    47. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 0

      That's why there's a thing called HTTP Public Key Pinning, where you can say "only this cert for n years". It basically lets you revoke root CAs for your domain.

    48. Re:Are the CAs that do this revoked? by Anonymous Coward · · Score: 0

      Sounds like 'Don't cry for me, I'm already dead.' That GPG stuff sure sounds interesting, as long as ur BIOS isnt ratting you out ultrasonically.

  4. Google wants a monopoly... by Anonymous Coward · · Score: 0

    ...on processing of your private information. It is in its interests to make sure everything is secure until the moment it reaches their servers.

    1. Re:Google wants a monopoly... by Shoten · · Score: 5, Insightful

      ...on processing of your private information. It is in its interests to make sure everything is secure until the moment it reaches their servers.

      And if you live there, China wants a monopoly on knowing your private information...plus incarcerating you and even killing you to harvest your transplantable organs should it find that it doesn't like something it learns about you. Like that you think Tibet should be free. Or if you worship the wrong god.

      Please do try to keep a sense of perspective?

      --

      For your security, this post has been encrypted with ROT-13, twice.
    2. Re:Google wants a monopoly... by Anonymous Coward · · Score: 0

      Nothing wrong in pointing out that an advertising company whose sole business is spying on their users would make sure that any competition is eliminated.

      It is possible to dislike both. Please do try to use your brain.

    3. Re:Google wants a monopoly... by Shoten · · Score: 2

      Nothing wrong in pointing out that an advertising company whose sole business is spying on their users would make sure that any competition is eliminated.

      It is possible to dislike both. Please do try to use your brain.

      There is when it's totally off-topic and entirely irrelevant. It doesn't matter that Google is involved; this is about China and spying on their own citizens. Google's business model has nothing to do with it. Disliking Google has even less to do with it...because Google is, to date, the only tech company that has ever stood up to China over things like this. In this situation Google is actually the good guys.

      And, for the record, every company wants a monopoly. That's why monopolies were outlawed. I think it's you that should use your brain.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    4. Re:Google wants a monopoly... by Anonymous Coward · · Score: 0

      It doesn't matter that Google is involved; this is about China and spying on their own citizens.

      It totally matters. Google is only involved and crying their crocodile tears because they don't want third parties to tamper with their product (i.e. users information). You'd have to be stupid to miss that.

      And I just remembered.. .. Google is completely OK with sharing personal info with all governments.They have already been caught supplying users' data to the US government. They make money on that as well because they charge the US government a fee for that service. So I guess this move is just a hint-wink-nudge to the Chinese government to say - "Pay us and we'll give you everything you want"

      Google is, to date, the only tech company that has ever stood up to China over things like this.

      Stood up and achieved what? Get told by the Chinese government to STFU or GTFO? You must be a child to think that a foreign company can "stand up" to the Chinese government.

      In this situation Google is actually the good guys.

      For people who care about privacy, no matter what the situation, Google will *never* be the good guys.

    5. Re:Google wants a monopoly... by Anonymous Coward · · Score: 0

      You sure it's just China because it reads very much like USA.

    6. Re:Google wants a monopoly... by swillden · · Score: 2

      Google is completely OK with sharing personal info with all governments

      Not true, not in the slightest. Google has fought hard to minimize the information they have to give to governments, and to be as transparent as the law will allow about what they do give. Remember that Google created the transparency report, and was the company that managed to negotiate permission to share aggregated data about National Security Letters. Many other companies have followed suit, but Google led the way.

      They have already been caught supplying users' data to the US government.

      No, Google has been shown to comply with legal requirements, and to fight questionable requests in court. Snowden also revealed that the NSA was tapping Google's fiber. Google responded by encrypting the data on that fiber.

      They make money on that as well because they charge the US government a fee for that service.

      Cite? Since Google is a publicly-traded company, it should be easy to point to that line item in their SEC filings.

      Stood up and achieved what? Get told by the Chinese government to STFU or GTFO?

      No, told by the Chinese government to participate in government-mandated censorship or GFTO. Google participated for a while and then decided it wasn't what they ought to be doing, and so chose to GTFO of the biggest market on the planet (albeit one in which they had a small market share.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:Google wants a monopoly... by Anonymous Coward · · Score: 0

      wow.. were you asleep through the snowden leaks?

      http://www.theguardian.com/wor...

      http://www.forbes.com/sites/ro...

      Im sure you will come up with countless excuses as to why this is not really the case, and how .. secretly good old google was being the usual friendly open source mascot and trying to actually undermine the NSA.

      That aside even if google was trying to minimally cooperate with the government to fulfil some legal requirement, many people including myself would not trust them. Sorry buddy, the advertising business is dirty and slimy and when you play in that playground you get slime on ya that's hard to shake off.

    8. Re:Google wants a monopoly... by thegarbz · · Score: 1

      this is about China and spying on their own citizens.

      Yes but this doesn't fit in with any other of China's methods which block google completely at the great firewall. All software that bypasses the firewall is done via proxy or VPN and using public DNS so you wouldn't even end up intercepting the connection to use the certificate.

      If this was done with the intention of spying on citizens then it won't amount to much at all.

  5. One-sided relationship by Tablizer · · Score: 4, Interesting

    Please explain why we offer nearly tariff-free trade with such a prick country? They bleep with US entertainment companies, networking companies, search companies, etc. etc.

    --
    Table-ized A.I.
    1. Re:One-sided relationship by nitehawk214 · · Score: 4, Insightful

      Because American voters can't see past the end of their noses. If congress enacted laws that increased prices on their Wallmart goods, they would be voted out so fast. Coupled with this the fact that the lobbies of corporations want to keep the status quo that keeps them rich.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    2. Re:One-sided relationship by Anonymous Coward · · Score: 0

      America was popular after WWII.

    3. Re:One-sided relationship by gstoddart · · Score: 3, Insightful

      And, so what?

      American spy agencies fuck with everybody else on the planet. Are you laboring under the belief you are special little flowers or something?

      On behalf of the rest of the world, listening to Americans complain about what the Chinese are doing is pathetic.

      Because you don't seem to give a shit about how we feel about you spying on us.

      --
      Lost at C:>. Found at C.
    4. Re: One-sided relationship by Anonymous Coward · · Score: 1

      It's so cute how you think voters had anything at all to do with this. Quaint fairy tale, there.

    5. Re:One-sided relationship by Em+Adespoton · · Score: 1

      I've got some other questions that might help answer yours.

      What country owns a large portion of New York City?
      What country owns a significant portion of the US-based shipping companies?
      What country has huge cash reserves of US currency?
      What country owns more than 10 percent of the US federal debt?
      What country has invested in more than 60 of America's most visible brands?

      The answer is not the USA.

      We offer low-trade with such a country because it is not in America's best interest to put up trade barriers between US companies and their funders.

    6. Re: One-sided relationship by Tablizer · · Score: 1

      Amen! The lobbyists and "campaign contributors" slipped in lopsided trade slice by slice starting around the mid 1960's. Polls of citizens consistently showed voters ambivalent about lopsided trade. It's being blindsided in slow motion.

      --
      Table-ized A.I.
    7. Re:One-sided relationship by Tablizer · · Score: 1

      I'm not talking about spying, but of interfering with commerce.

      --
      Table-ized A.I.
    8. Re:One-sided relationship by gstoddart · · Score: 3, Interesting

      Oh, well, if it's commerce it's magically exempt and everybody will know it's divine and protected by god, right?

      Sorry, but do you expect us to use the US wouldn't use spying for commercial advantage if they had a chance? Or that they don't? Or that they restrict how they spy on everybody else int he world?

      The difference between the US government saying "We can break into any system we want" and the Chinese government saying "We can break into system we want" is the self entitled nature of the person who says they're different.

      These two are exactly the same. Claiming otherwise is just exceptionalism. It's just one government hacking security for their own ends.

      To everyone who is neither American nor Chinese, you're both convinced magical unicorns give you the right to do as you please.

      --
      Lost at C:>. Found at C.
    9. Re:One-sided relationship by Tablizer · · Score: 1

      but do you expect us to use the US wouldn't use spying for commercial advantage if they had a chance?

      Guilty until proven innocent?

      These two are exactly the same. Claiming otherwise is just exceptionalism.

      Sorry, I don't see it that way. I expect all nations to spy for political and military reasons and I don't blame them for doing it. But the gov't spying for commercial advantage of non-military products is a different issue.

      From another perspective, if a nation is caught cheating, they have no right to ask for open-trade status. If a gov't does commercial spying, they forfeit their claim on open-trade. Thus, you can view it as a trade-off choice rather than a "sin".

      --
      Table-ized A.I.
    10. Re:One-sided relationship by Coren22 · · Score: 1

      What magical country do you live in that doesn't spy? Ethiopia?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    11. Re:One-sided relationship by gstoddart · · Score: 1

      I live in so such magical country.

      I'm saying I don't trust any of them, and people pretending like "this kind of spying is good and this kind is bad" or that it's "OK when we do it but not when they do" ... well, I think those people are full of shit.

      Countries can, will, and do spy for any benefit they can find for themselves. They'll also barter that information for even more benefit to themselves.

      The rules are there are no rules. All of the countries have admitted they do it, and will continue to do it.

      Stop pretending that it's somehow shocking when China does this crap. It's no more shocking that the crap we hear about America tapping the phone system of entire countries.

      --
      Lost at C:>. Found at C.
    12. Re:One-sided relationship by currently_awake · · Score: 2

      It is said that a Capitalist will sell you the rope you use to hang him. American companies have willingly sold out their own industrial base in order to gain a few extra percent of profit for the next quarter.

    13. Re:One-sided relationship by flonker · · Score: 1

      We don't want American spy agencies listening to our https traffic either. Just because Alice is shooting at me, it doesn't suddenly make it OK for Bob to stab me too.

      This is an attack against the SSL trust model. A CA knowingly created a rogue certificate for malicious purposes. This wasn't an accident. A Diginotar type response would not be inappropriate.

    14. Re:One-sided relationship by Anonymous Coward · · Score: 0

      Yeah like the USA doesn't fuck with the commerce of the rest of the country.

    15. Re:One-sided relationship by Anonymous Coward · · Score: 0

      The political and legal structure of China isn't exactly the same as in western culture, but (a) they have a distinct history which has had its own defining moments, and (b) their system of protections for property and privacy while not on par are at least good enough to support a thriving economy, and occasionally more effective in that regard than that of western culture.

      China's cultural heritage is one of unlimited executive power, constrained only by intentional benevolence merged with the self-interest that arises from not stirring up too much animosity from the public at large. In current day terms this means that the Chinese communist party is not constrained by law, it *is* the law. But by acting with self-restraint and benevolent intention the party as a whole seeks to persist beyond the length of time that a purely self-interested elite could manage.

      But the end state is that China itself can have no inherent problem with appropriating e.g. a domain name by fiat, because they also have no problem with appropriating real property in the same way. It is simply a matter of what is best for China's ruling party, and by benevolent extension what is best for China as a whole, with almost no consideration for what is best for any individual property owner.

      As for why western states continue to engage with China, what useful alternative is there? Western opinion is that there is no more efficient market than a free market, but China under efficient management can free up and redirect resources more efficiently that we can in the west. Inefficiency of controlled markets depends on mismanagement of those markets, and in the current information climate the tools for central management of a market are better than they have ever been before. Of course the old problems of nepotism and familial lateral wealth could impinge on the quality of that central management, but the Chinese have a lot of experience in coping with the conflicting goals of kinship bonds in society, and it isn't as if western culture were entirely free of those concerns given the progressive reduction in inheritance taxes, among other factors.

      Ultimately, I think we engage with China because it is the best option we have.

  6. Re:hymenologist's lament; missing monkey hymens? by Holi · · Score: 0

    The crazy is strong in this one.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  7. At what point do we stop playing? by tekrat · · Score: 5, Interesting

    Sooner or later, greed trumps useability. Companies are going to screw one another over in attempts to dominate. We, the users of the internet, lose when these entities play their games on one another, and sooner or later we are going to take to take our marbles and go home -- it's not worth it to play.

    I feel we have already reached this state; between the NSA essentially hacking every router as it leaves the factory to China issuing false certs to Google putting their own interests at the top of every search, it seems that the time has come to either consider some international organization to regulate the internet, or abandon TCP/IP and start again with a whole new internet based on something else. Clean sheet.

    The way we are currently headed will breed a cesspool of an internet you can't trust for anything -- so why would you use it for shopping, news, banking, or any other activity if you KNOW that every single time you do, you will regret using this medium for anything?

    If Amazon, Google, CNN, and heck even Facebook want to stay in business, they need to learn to stop fucking around with their users, because I've essentially had it, and I'm guessing that I cannot be alone in my disdain and distrust of what has become of an internet I used to like.

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:At what point do we stop playing? by cavreader · · Score: 3

      Oh yes another International organization. The current ones have such a wonderful track record. Maybe the UN can take over the internet regulations.

    2. Re:At what point do we stop playing? by Anonymous Coward · · Score: 0

      *The business of the internet is business*. And right now, the best business is the Bubble business. It has never been so easy to move money that doesn't exist outside a 'promise to pay'. And regrets? Nah... Always keep some cash on hand. And bank in Iceland. They actually prosecute the fraudsters there.

    3. Re:At what point do we stop playing? by Lost+Race · · Score: 1

      The beauty of the Internet is that you can do your part all by yourself, without waiting for anyone else to get their shit together first. You don't need to start a movement, you don't need to tear anything down or build some international organization to oversee everything. Just do what you said -- stop using Google, stop trusting root CAs, roll your own encryption, use VPNs, etc.

      If other people want to continue using commercial / government crap, well, that's their prerogative. If it's as bad as you say then they'll eventually see the light and the Internet will be a better place for them too.

  8. Re:hymenologist's lament; missing monkey hymens? by slashdime · · Score: 0

    Thank you for being so technologically inept to post links to youtube search queries so that I don't even need to follow them to see what kind of crazy you're selling.

  9. Re:hymenologist's lament; missing monkey hymens? by slashdime · · Score: 0

    Also, in response: https://www.youtube.com/result...

  10. Bet the US can as well ... by gstoddart · · Score: 3, Insightful

    Can't pretty much any high enough level certificate authority issue any damned certificate it wants?

    You think America or any other country can't do this stuff? You think they don't?

    Sorry, but when every other damned nation is spying and lying, WTF difference is it when China does it? You don't get to pretend it's OK for one country but not another.

    Until we start designing stuff which is inherently more secure, and which doesn't have back doors for government .. this is the state of security. You may or may not have it, you have no control over that fact.

    America doesn't want people to bypass their spy apparatus any more than China does. Let's not pretend this is any different.

    --
    Lost at C:>. Found at C.
    1. Re:Bet the US can as well ... by SuricouRaven · · Score: 4, Insightful

      The big difference is that China got caught. I'm sure the US has this capability too - but they use it only in targeted intercepts, so as to maintain deniability.

    2. Re:Bet the US can as well ... by JustNiz · · Score: 1

      >> Until we start designing stuff which is inherently more secure

      I agree but I'm afraid that If something was truly secure enough that the NSA cant hack it, the US gov would just find a lame excuse to make it illegal.

    3. Re:Bet the US can as well ... by Anonymous Coward · · Score: 0

      What about Stuxnet? That was signed.

    4. Re:Bet the US can as well ... by fustakrakich · · Score: 1

      The US made it ubiquitous, and doesn't have to bother 'denying' anything. Most people are perfectly happy as long as the latency isn't too heavy.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Bet the US can as well ... by gnasher719 · · Score: 1

      Can't pretty much any high enough level certificate authority issue any damned certificate it wants?

      Yes, they can. But that only works if Microsoft puts a root certificate for that certificate on all Windows PCs, and Apple puts it on all Macs and iOS devices, and Google puts it as a root certificiate on all Android devices and so on. If you get caught, the next Windows/Apple/Google security update removes the root certificate, and that certificate authority is dead.

    6. Re:Bet the US can as well ... by Anonymous Coward · · Score: 0

      So you think the chinese don't know their goverment is spying on them?

    7. Re:Bet the US can as well ... by fustakrakich · · Score: 1

      Everybody knows they're being spied on.

      --
      “He’s not deformed, he’s just drunk!”
  11. US Authorities by Anonymous Coward · · Score: 0, Interesting

    Legally, could the US authority be forced to give over a certificate to the US government?

  12. oh look.. by Anonymous Coward · · Score: 0

    More BS that the chineses are trying to do... What a surprise.

  13. zscaler does the same thing by Anonymous Coward · · Score: 0

    Zscaler does this for every site you visit using https and it's based on California.

  14. geo-block this crap by tommyatomic · · Score: 2

    My company had massive amounts of fraudulent connection attempts originating from china. We geoblocked china and 95% of it went away. I feel for what the people who live there have to endure but I give ZERO $hits about the negative effects of blocking access to a country that blatantly allows and endorses state sponsored criminal hackers attacking businesses.

    I believe in one set of rules for everyone. How do you suppose China would respond if the tables were turned and the governments of GB,France,Germany,USA, Australia, and Canada all set China in their crosshairs and declared open season.

    1. Re:geo-block this crap by gstoddart · · Score: 1

      I believe in one set of rules for everyone.

      There is one set of rules for everyone: every government on the planet has decided it is legal for them to spy on anybody they want.

      Sorry, but once the US and UK governments publicly said it was OK, how the hell can you expect it to be different when the Chinese do it?

      Sorry, but the level of cognitive dissonance required for that isn't sustainable.

      --
      Lost at C:>. Found at C.
    2. Re:geo-block this crap by Anonymous Coward · · Score: 0

      #BlockChinaAtYourFirewall

    3. Re:geo-block this crap by Anonymous Coward · · Score: 0

      Sure the NSA has inarguable pulled some criminally shady shit but I'm quite certain that the US gov has never showed up at a Blackhat Con and said 'Go Hack Chinese businesses" . Hacking foreign business isnt even a crime in China. And the possibility that the Chinese government would prosecuting anyone for intellectual property theft from a foreign business.....LMFAO that will be the day.

    4. Re:geo-block this crap by jmcvetta · · Score: 1

      My neighborhood bar uses an old mechanical cash register - the kind you pull a lever to operate. Pretty sure it will work just fine even without internet connectivity to China.

    5. Re:geo-block this crap by tommyatomic · · Score: 2

      That is two significant leaps past being idiotic. An internet connection is not required for a cash transaction and registers dont all use integrated credit. ATM's and integrated credit cash registers authenticate to the merchant service subscribed to by the business which would in turn authenticate to various card issueing banks. Zero authentication through China. Geo-block the crap out of China and your ATM's and Cash registers will run just fine.

    6. Re:geo-block this crap by Anonymous Coward · · Score: 0

      I have long held to the theory that ultimately China wants the entire world to block them. We do their Great Firewall work for them. If the rest of the world blocks China, then China does not have to go to the effort to block their people from being able to access the rest of the world.

    7. Re:geo-block this crap by Anonymous Coward · · Score: 0

      Facetiousness, live it, embrace it.

      The concept of geo blocking is absurd at face value. I'm sure Walmart will stand right there with you. You all can stop with the silly political nonsense anytime. Learn about the nature of business and empire.

  15. Re:Let me see if I got this right by Anonymous Coward · · Score: 0

    You got it wrong. RTFA.

  16. Revoke the certs by Imagix · · Score: 5, Insightful

    At a _minimum_ MCS's rights need to be revoked. There needs to be an independent audit of any cert that CNNIC has issued _at CNNIC's expense_, and of their operations (both CNNIC, and the organizations to which they've issued certs), or CNNIC should have its rights revoked as well. MCS is completely untrustable, and CNNIC has to prove that they are currently trustable. CNNIC's operations need to be audited or they may just turn around an issue a new cert to MCS. (Or "MCS" with a new name)

  17. Remove them by Anonymous Coward · · Score: 0

    Only one solution. Remove them from the cert chain immediately. Do that a few times and then the CAs will start acting as they should.

  18. It would be naive... by Anonymous Coward · · Score: 1

    ...to believe that China is the only government doing this.

    1. Re:It would be naive... by Anonymous Coward · · Score: 0

      no it's not. But if this discussion here would happen on a Chinese server you can be assured that it would have been deleted by the censors already, and that certain posters would get visits in the middle of the night by people who "want to read the gas meter".

  19. Re:Let me see if I got this right by Xenx · · Score: 2

    The issue isn't about Google giving them their key or anything. CNNIC is a root level CA and is considered trusted by all the major operating systems. CNNIC gave their keys to MCS temporarily and MCS used that authority to issue certs with falsified info.

  20. Sovereign interference by Anonymous Coward · · Score: 0

    When a sovereign government or a malicious commercial trusted provider and much up the internet addresses, certificates, keys, or DNS systems, it's time for a white listed internet for regular people.

    The dark web is dark for a reason.

    JJ

  21. Re:Fuck off, you complete piece of shit by Anonymous Coward · · Score: 0

    Where can one find this "free and open society" you speak of, friend? Here in the good ol' USSA we've been totalitarian since 2001.

  22. TLS House of Cards by Anonymous Coward · · Score: 0

    anyone can revoke certificates, those revoked can be self signed or CA signed. It means you no longer can access that site without a agreeing to some annoying warning dialog. In my software I can easily deny access to anywhere, and push those updates to my users.

    What's the real danger is if we start accepting certificates from third parties who cannot be trusted. Remember, CAs are third parties we trust, if we can't trust them then the system falls apart.

  23. Inclined to agree w/ 1 statement you made... apk by Anonymous Coward · · Score: 0

    "Sorry, but when every other damned nation is spying and lying" - by gstoddart (321705) on Tuesday March 24, 2015 @02:38PM (#49329601) Homepage

    See subject & above quote: Makes me ill, but that's what you get with all the "fine fearless leadership" we & other nations have in place (put their by "secret handshake" weasel organization that, for example, MOST our presidents ALL seem have been members of). Guys that join those? Imo, they're whimps that couldn't make it MINUS joining such a group, living a fucking lie (where it's ALL 'setup' for them beforehand, pushing out the RIGHT guys for the job & then putting those dicks in place instead)... yes, folks - that IS how it all really TRULY works!

    (... & all it takes is that old saying "1 rotten apple will rot the entire barrel" since 1 does it? Hey, the rest just "join the party"... & for what? Hey, the sociopath's FAVORITE DRUGS: POWER, & CONTROL!)

    I mean wtf - what a bunch of BULLSHIT & what makes me say that? Simple - LOOK @ THE RESULTS OF THE JOB THEY DO for shit's sake!

    (Seriously... who are ANY of these "politicians" with their bullshit educations (for most of them), & what do they REALLY accomplish, except chaotic lunacy? Are THEY curing AIDS or CANCER?? Hell no! They just breed problems galore!)

    I don't *LIKE* bitching but after doing a bit of reading here as well as following 'current events'? I don't like what I see as the results - like ANY employer wouldn't & yes - politicians are our EMPLOYEES, not our masters.

    APK

    P.S.=> IF our leaders were actually educated people (not taking BULLSHIT like Political Science or Government & Politics for example)?

    Well, THEN, We just *might* have a logically & sensibly run planet instead of a nest of power-hungry leeches living off our taxes (& getting retirements for what - a lousy 2-8 yrs. of what they call "work"?) fucking everyone over, including YOU & ME, as well as their own peers + other nations, constantly!

    Sometimes, I truly feel I was better off keeping my head in the sand not paying attention to the stupidities I see nowadays since I've started actually listening to the lunacies & madness of their "political world"... apk

  24. DANE by Anonymous Coward · · Score: 0

    DANE/TLSA helps, if browsers actually look for such entries in DNS records.

  25. My UK employer does this too. by Anonymous Coward · · Score: 0

    That's right, they change the authentication cert so that they can pretend to be Google and some others on work computers. This is so they can use their servers as a MITM and sniff https traffic.

    When they did that, boy did I complain. But nobody really cared. "It's their computer", "They're required by law!", "You shouldn't be using work computers for that!".

    And apparently there are many employers in the western world who do this. It's normal, even a "So what? They're ALLOWED".

    But when *China* does it, oh boy is it a different problem then. Then EVERYONE can see why this sort of thing is wrong. Oh yes indeedie.

    The problem is we don't like the Chinese government, therefore we LIKE to consider their actions as bad faith, therefore CAN see them as bad faith. We don't see us as them either, so making them out to be bad doesn't reflect badly on us. We DO however like our democracy and companies are, in capitalism, the new church order, therefore attacking OUR governments or OUR companies is reflecting badly on us, because we hope one day to change our government with our actions and give our money to corporations, therefore fund their activities. So when we make them bad, we make our actions bad.

    We don't like to think of ourselves as bad people, so the companies we support CANNOT be bad.

    But those we don't identify with, we can vilify no problem.

  26. Joe Biden for 2016 by Anonymous Coward · · Score: 0

    Joe Biden is a square shooter. Joe Biden for 2016!

  27. The Web of Trust only Works by Anonymous Coward · · Score: 0

    when the other party isn't smiling and saying Yes while meaning No and backstabbing you with a smile.

  28. Stunned That They Were Removed by Anonymous Coward · · Score: 0

    Remember when Trustwave did the same thing, but escaped the CA Death Sentence?

    http://www.computerworld.com/article/2501291/internet/trustwave-admits-issuing-man-in-the-middle-digital-certificate--mozilla-debates-punishment.html

    Why did these guys finally get it, what was the trigger to differentiate between the two events? Will Mozilla follow suit? They still have a bug about the Trustwave CA MITM issue here:

    https://bugzilla.mozilla.org/show_bug.cgi?id=724929

    Glad to see some responsibility coming down the pipes...