Slashdot Mirror


Chinese Certificate Authority CNNIC Is Dropped From Google Products

eldavojohn writes: A couple of weeks ago, Google contacted the CNNIC (China's CA) to alert them of a problem regarding the delegated power of issuing fraudulent certificates for domains (in fact this came to light after fraudulent certificates were issued for Google's domains). Following this, Google decided to remove the CNNIC Root and EV CA as trusted CAs in its Chrome browser and all Google products. Today, the CNNIC responded to Google: "1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration. 2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected." Mozilla is waiting to formulate a plan.

176 comments

  1. Good. +1 for Google. by Anonymous Coward · · Score: 5, Insightful

    If a CA clearly can't be trusted, then it has absolutely no business being trusted. This is a good thing, and despite the upheaval it will cause for people requiring new certs (if you want Chrome to like the site), it will only improve security by making CAs aware that if they mess about, or don't vet properly, then their business is basically gone.

    Of course, the only really secure way is to drop all CAs everywhere, and directly exchange certs with whoever you deal with (banks, etc., by going into a branch; hugely impractical though).

    1. Re:Good. +1 for Google. by Dutch+Gun · · Score: 5, Interesting

      The fact that ANY root CA can issue a Google domain certificate (or whatever domain they want) is bonkers. Nowadays, there are simply too many root CAs to be able to trust them all, if we ever really could. There used to be just a handful. Have you looked at your local CA store? There are hundreds of them nowadays! Did you know the Hong Kong Post Office is a root CA (Hongkong Post Root CA 1)? Doesn't that make you feel warm, fuzzy, and secure, knowing that the fine folks at that establishment could issue a fraudulent certificate for any website in the world?

      This system needs to be fixed, or at least seriously updated. It just hasn't scaled well in the reality of today's world. I don't think we need to go to the extreme of exchanging private certs. Let's face it, that will never, ever happen anyhow. But we do need more assurances than we have now.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:Good. +1 for Google. by rtkluttz · · Score: 1, Interesting

      The whole idea of a 3rd party in a secure communication is ludicrous anyway. Stop the stupid ass warning for self-signed certs and allow secure communications between the two parties it concerns. Yes, it requires that each of the 2 sides know a little bit about what is going on to verify the cert, but there simply is no such thing as security when a 3rd party is involved, whether it's the Chinese, the NSA, or the CA themselves.

      --
      Digital is, by definition, imperfect. Analog is the way to go.
    3. Re:Good. +1 for Google. by Anonymous Coward · · Score: 0

      What I want to know is if Google would have done this if CNNIC only issued fake certs for everything other than Google (i.e. Microsoft, Debian, Ubuntu, etc).

      Just think of the power that a CA has. With a fake cert they can put spyware on your computer via legit looking updates. I'm sure many 3-letter agencies already do it.

    4. Re:Good. +1 for Google. by Richard_at_work · · Score: 4, Insightful

      So, with the third party out of the equation, how does one know that the security certificate you receive from random-site.com is the one that random-site.com intended you to receive? This is where going to two entity encryption fails, because the web has no inbuilt ability to verify the communication with the website is as secure as intended without going to a third party.

      Just allowing self signed certs won't solve anything, because most people who use the web won't bother with any independent verification (which you would have to do offline or on a different internet connection for it to mean anything anyway) - fuck, do you remember how long it took to beat "look for the padlock symbol" into people in the first place? All it will do is what people have been bitching about for similar other approaches for years now - people will get so many pop ups, they will stop caring and just click OK.

      The CA system isn't the best solution in the world, but it's better than most suggestions, including allowing self-signed certs for general communication.

    5. Re:Good. +1 for Google. by neoform · · Score: 1

      >Doesn't that make you feel warm, fuzzy, and secure, knowing that the fine folks at that establishment could issue a fraudulent certificate for any website in the world?

      I was under the impression that the CA only gets used for verification *if* the site's cert claims to be from that CA.

      --
      MABASPLOOM!
    6. Re:Good. +1 for Google. by Anonymous Coward · · Score: 2, Informative

      And what CA do you think will be listed on the cert that you get from the site pretending to be that site?

    7. Re:Good. +1 for Google. by Anonymous Coward · · Score: 0

      Which is why you MITM.

    8. Re:Good. +1 for Google. by IamTheRealMike · · Score: 1

      Doesn't that make you feel warm, fuzzy, and secure, knowing that the fine folks at that establishment could issue a fraudulent certificate for any website in the world?

      The issue is that browsers and OS makers, not being a bunch of unprofessional amateurs, need policies that are more precise than "warm and fuzzy". So the CA system has very clearly written policies, audits, best practices and so on. If you pass them you can be a CA.

      I'm not sure what kind of fix you have in mind, but I suspect it boils down to "America is more trustworthy when it comes to internet surveillance than Hong Kong". Except we know that's not true. So it seems intractable.

      The brutal reality is what people want is a public key infrastructure that cannot be beaten by any government anywhere and no such infrastructure exists. Nor is there any credible design proposal for such a system.

    9. Re:Good. +1 for Google. by DarkOx · · Score: 1

      This is a good thing, and despite the upheaval it will cause for people requiring new certs

      Except that it won't cause much upheaval, which is really the only reason they can do it in the first place.

      Google is not the player in China that it is in the west; there is quite a bit of local competition for most Google services there. They really are not even a leader, and that has a lot to do with Google actually being "not evil" and refusing to cooperate with the 'Party' on some things.

      Chrome isn't Internet Explorer, the people using it across the world are far more likely to understand what a digital certificate is than the general population of Internet browser users. Which is not to say they all do but the fact is if you are using Chrome and to a somewhat lessor extent a Droid device you have somewhat self selected by picking your technology which makes it likely you know something about it. Now select for the users that are making use of Chinese sites, and the pool gets even smaller.

      I may be cynical but I still don't believe if say Verisign, Thawte, or GeoTrust had got caught either negligently or willfully making bogus certificates available the result would be the same. I suspect they would be considered Too Big to Fail. If you are Google you can't push an update that breaks 30% of the SSL sites westerners (your better paying advertising demographic) visit often. Too many of them won't like it, even if in an abstract way a large portion of them do recognize you are looking out for their interests. They will go back to IE or worse put down the Droid phone and pick up their iPad because 'Amazon works with those' and they can 'Watch the Netflix'.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    10. Re: Good. +1 for Google. by Anonymous Coward · · Score: 1

      Hong Kong is a special administrative region of China. It has different laws, open culture, democracy, and freedoms, unlike mainland China. Don't put Hong Kong with the dictatorship of China.

    11. Re:Good. +1 for Google. by DarkOx · · Score: 1

      Stop the stupid ass warning for self-signed certs and allow secure communications between the two parties it concerns.

      You don't get those warnings if you have verified and installed and trusted the cert.

      This argument that warning about self-signed certs is stupid is itself stupid. Look, the software has to do something to let you know the connection is insecure. You should assume http is insecure, and you know that because the little lock icon is not present. You know http does not contain any other authenticity or integrity controls; you make your choice. https (SSL/TLS) normally is your authentication, integrity, and privacy control suite; you have to be told somehow that those things can't be assured when https is in use but no trust relationship has been established.

      I suppose the little lock could simply not be displayed, but then as a user how do I know what the problem is? Is the site using plain text, is the cert expired, not trusted, etc.? I have no information about what I might need to do to obtain a secure channel. So you can object to the warning all you want, but somehow this information fundamentally must be displayed so a human can make a security decision and take some action.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    12. Re:Good. +1 for Google. by VGPowerlord · · Score: 2

      I was under the impression that the CA only gets used for verification *if* the site's cert claims to be from that CA.

      How often do you stop and look at which CA signed the certificate for the HTTPS site you're using?

      As long as the certificate is signed by a CA certificate the browser has in its CA store, the browser won't show any warnings. Browser makers are also notoriously bad at checking if certificates are on Certificate Revocation Lists (CRLs), of which each CA has (at least?) one.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    13. Re: Good. +1 for Google. by Anonymous Coward · · Score: 0

      Not yet anyways.

      But for now, google, facebook, youtube for everyone!

    14. Re:Good. +1 for Google. by Anonymous Coward · · Score: 1

      The whole concept has been broken from the day it was proposed. This was never and never will be secure...

    15. Re:Good. +1 for Google. by mwvdlee · · Score: 1

      Google's web services may not be a player in China (irrelevant, so I didn't check), but their browsers (desktop and Android) most certainly are: http://www.chinainternetwatch....

      I don't think "lessor" is a word, but if you meant "lesser" then you couldn't be more wrong: http://www.zdnet.com/article/n...

      I'm quite confident that most of these Google-browser users don't have a clue what digital certificates are.

      Verisign, Thawte and GeoTrust would probably be treated the same way, if they failed to act on known false certificates. This isn't just "negligently or willfully making bogus certificates", this is mostly about failing to fix the problem after having been informed of having created "bogus certificates". Matter of fact, these CAs regularly update their revocation lists (CRL): https://isc.sans.edu/crls.html

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    16. Re:Good. +1 for Google. by zarthrag · · Score: 1

      Maybe this could someday be a decent p2p application? Self-sign your cert, then throw your public-key into the wild. Instead of trusting just 1 CA, you can have others w/whom you've directly exchanged the key "endorse" you. More endorsements = more trust. It's not absolute, but at least it's some kind of measure that doesn't plunge from 100%->0% after a single security breach. Maybe if such a system handled dns, as well, it may be possible to reduce the ability to launch a MITM attack? (I'm just typing w/my butt, at this point - but maybe I'm getting the idea across.)

      --
      Why can't all fpga/microcontroller manufacturers just release free optimizing compilers???
    17. Re: Good. +1 for Google. by pla · · Score: 2

      Hong Kong is a special administrative region of China. It has different laws, open culture, democracy, and freedoms, unlike mainland China. Don't put Hong Kong with the dictatorship of China.

      SARs exist only by staying in the good graces of the PRC. Hong Kong and Macau could lose their special status tomorrow and would have zero say in the matter.

      Of course, China currently enjoys playing both sides of the "capitalism" fence, so that almost certainly wouldn't happen; but if Beijing says "Hey, you like all that freedom you have? Yeah, we need you to make something happen ASAP - Reeeal shame if we reallocated your entire region into a coal ash dump"? You'd see how much "independence" China's SARs really have.

    18. Re: Good. +1 for Google. by Anonymous Coward · · Score: 0

      If evil person 1 does not cooperate with evil person 2, it does not make evil person 1 not evil.

    19. Re:Good. +1 for Google. by dotancohen · · Score: 1

      If a CA clearly can't be trusted, then it has absolutely no business being trusted.

      The issue is, though, why wait for the CA to go before deciding not to trust it? Why should all users in the world have Chinese, American, Iranian, Russian, and other potentially-rogue CAs trusted by their browser?

      This Stack Exchange (SuperUser) question about how to know which certs to leave in and which to remove has gone without a decent answer for months:
      http://superuser.com/questions...

      --
      It is dangerous to be right when the government is wrong.
    20. Re:Good. +1 for Google. by Archangel+Michael · · Score: 1

      Lessor is indeed a word. Having to do with Leases. It is incorrect usage in this context.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    21. Re:Good. +1 for Google. by mlts · · Score: 3, Insightful

      Even worse is that certificates can't be removed on some devices. For example, if a CA is broken on iOS, there is no way to mark that CA as untrusted until Apple gets around to pushing out a set of new root certs. On Android, it is easier, but still onerous going through every unwanted CA and unchecking it.

      The CA system is a subset of a WoT system. It was placed originally because CAs used to be meticulous about who they signed certs for. Now, especially after the fiascos a few years back, not so much.

      The fix? Part of it would probably be to prompt the user on the device to install the relevant CAs for their geographic region. If on mainland China, having a CA for the HK post office makes sense. Not so in the US, unless one travels abroad or has a lot of business with Chinese sites.

      The second fix is that OS and Web browser makers will need to enforce with sheer brutality the rules they have on how CAs behave. If the CA screws up, they get their cert pulled, no questions, no appeals.

    22. Re: Good. +1 for Google. by reanjr9417 · · Score: 1

      Great idea. Too bad no one cares. http://en.m.wikipedia.org/wiki...

    23. Re:Good. +1 for Google. by darkonc · · Score: 1
      The warning about self-signed certs is just that. If you know that you're talking to the right site, you can add the cert to your trusted list.

      "trusted" root certs are organizations that you are supposed to be able to trust to be proper with the certs that they give out. CNNIC is (properly) being removed from that list. The point isn't to 'punish' their customers. It's to protect the rest of us. If CNNIC manages to convince Google (and others) that they've fixed the problem and won't let it happen again, they'll be admitted to the trusted group, again.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    24. Re:Good. +1 for Google. by mlts · · Score: 4, Informative

      This is why so many variants of adware that sneak their certs into the root CA list and then create a local loopback proxy are so common -- nobody looks at what key is presented. If the lock icon is green... good enough.

    25. Re:Good. +1 for Google. by phayes · · Score: 2

      That any of the "trusted" CAs could issue a cert for any site is why we should all be using the Certificate Patrol or another equivalent plugin that also notifies when ANY certificates change instead of just blindly accepting them. It adds a little admin to browsing the web as I have to accept/reject expired certificates.

      In a number of cases it has alerted me when on client sites that they perform SSL inspection so that I can avoid using anything sensitive like banking.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    26. Re:Good. +1 for Google. by IamTheRealMike · · Score: 1

      It was tried already. It doesn't work. Nobody wants to be a volunteer CA, which is effectively what the web of trust demands of people.

    27. Re: Good. +1 for Google. by Anonymous Coward · · Score: 0

      the mainland has been slowly taking away hong kong's privs and freedoms ever since they got their grimy little red hands on the territory..

    28. Re:Good. +1 for Google. by rtkluttz · · Score: 1

      I don't buy the whole... "because people can't use it properly" as an excuse against self-signed certs. 3rd parties involved in the process give the illusion of security but in fact guarantee its insecurity. If used PROPERLY self-signed certs are the best solution. "Because it is hard" isn't an excuse and is the same issue that makes every company make bad security decisions. They want 100% transparent security; if it can't be transparent they don't want it at all. True security will never be transparent.

      --
      Digital is, by definition, imperfect. Analog is the way to go.
    29. Re:Good. +1 for Google. by Richard_at_work · · Score: 1

      Ok, how do you get the general population to "use self signed certs correctly"? Go on, convince me that you can.

      If it's hard, people won't do it. That's why email encryption has never caught on while https usage has. So if you want to do away with third party CA usage, then you need to come up with something that is better security wise, but is no harder to use. If it's any harder to use, you are already well on the back foot convincing people to use it.

      Sorry, but I completely disagree with your assertion that self signed certs are the solution to anything at all.

    30. Re:Good. +1 for Google. by Black+Copter+Control · · Score: 1
      Self-signed certs simply ensure that your communication is secure between yourself and .. well whomever has the cert (be it your intended recipient or a malicious third party). They have no intrinsic proof that you're talking to who you're trying to talk to. You need to be able to do the work to ensure the identity of the other end. Only about 5% of the general population has the knowledge to do that, and about 1% of that group is willing to do the work on a regular basis.

      3rd party certification of certs is a 'best we can do' thing for the 99.95% who aren't in that last group... and it depends on the fourth parties like google being willing to defend the integrity of the process, and give you warnings when it's broken.

      If you want to blindly trust self signed certs, or you're willing to do the work of verifying them, you're free to do the two clicks to ignore them. For the rest of us, they serve a real purpose.

      --
      OS Software is like love: The best way to make it grow is to give it away.
    31. Re:Good. +1 for Google. by mlts · · Score: 1

      What should happen is that CAs should be part of SSL's security, not all of it. There should be some additional options:

      1: QR codes a company can print out to validate not just their address, but a key ID and fingerprint.

      2: Some form of P2P mechanism, coupled with trust weightings. That way, if Alice says a key to Last National Bank is genuine, it has more weight to Bob than 1000 other people who have no reputation, but are showing different key IDs for the same bank.

      3: Some caching to notice if an intermediary key changes.

      None of this is perfect. #1 can be defeated by an attacker printing out their own flyers. #2 can be defeated by a lot of bogus peers saying that someone else's key is bogus, and by hacking people's accounts for better rep. #3 doesn't work if a computer is new or compromised. However, in combination with a CA, it can help preserve security.

      There is always having a key signed by multiple CAs so if one CA is compromised, another shows a key is valid... but the hard part would be making sure people know a key is signed by multiple CAs, versus a bogus key that states they are only vetted by one. Perhaps this could be a different icon (similar to how EV SSL certs have a green titlebar.)
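
      The Certificate Patrol approach from post 25 and item #3 above (caching to notice when a key changes) both come down to a trust-on-first-use store keyed by hostname. As an added illustration that is not from the thread or from the Certificate Patrol project, the Python below pins what a host presented and classifies a later change as either a plausible renewal or one worth alerting on; the certificates are constructed byte strings and the 30-day renewal window is an assumed policy, not anything the add-on documents.

```python
"""Certificate-change detection in the spirit of the Certificate Patrol add-on
discussed in the thread. Added illustration, not code from the thread or the
add-on. Certificates are stand-ins: constructed DER byte strings plus the
fields (issuer, expiry) a real validator would read out of them."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SeenCert:
    leaf_fingerprint: str   # SHA-256 over the DER leaf, hex
    issuer: str             # issuer DN: which CA signed it
    not_after: datetime     # leaf expiry


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as browsers display it."""
    return hashlib.sha256(der).hexdigest()


class CertPatrol:
    """Trust-on-first-use pin store with change classification."""

    RENEWAL_WINDOW = timedelta(days=30)   # assumed policy, not the add-on's

    def __init__(self) -> None:
        self.pins: dict[str, SeenCert] = {}

    def check(self, host: str, der: bytes, issuer: str,
              not_after: datetime, now: datetime) -> str:
        """Return 'first-seen', 'unchanged', 'renewed' or 'CHANGED'.

        'renewed': same issuer and the pinned cert was within RENEWAL_WINDOW of
        expiry, so routine rotation is plausible (still worth showing the user).
        'CHANGED': a different issuer, or a replacement long before the pinned
        cert expired. That is what an interception proxy or a mis-issued
        certificate looks like from the client, and is the case to alert on.
        """
        fp = fingerprint(der)
        seen = self.pins.get(host)
        new = SeenCert(fp, issuer, not_after)
        if seen is None:
            self.pins[host] = new
            return "first-seen"
        if seen.leaf_fingerprint == fp:
            return "unchanged"
        routine = (seen.issuer == issuer
                   and seen.not_after - now <= self.RENEWAL_WINDOW)
        # Only a plausible renewal replaces the pin; a suspicious change keeps
        # the old pin so the next visit is flagged again rather than silently
        # accepted.
        if routine:
            self.pins[host] = new
            return "renewed"
        return "CHANGED"


def demo() -> list[str]:
    """Constructed sequence of visits to one host (sample data, not real certs)."""
    patrol = CertPatrol()
    t0 = datetime(2015, 4, 1)
    year = timedelta(days=365)
    good = b"DER bytes of the real cert (constructed)"
    return [
        # first visit pins the cert; second visit sees the same bytes
        patrol.check("bank.example", good, "CN=Honest CA", t0 + year, t0),
        patrol.check("bank.example", good, "CN=Honest CA", t0 + year,
                     t0 + timedelta(days=1)),
        # a different CA presents a fresh cert while the pinned one has a year left
        patrol.check("bank.example", b"DER of a cert from another CA (constructed)",
                     "CN=Some Other Root", t0 + timedelta(days=400),
                     t0 + timedelta(days=2)),
        # the original CA rotates the cert two weeks before expiry
        patrol.check("bank.example", b"DER of the renewed cert (constructed)",
                     "CN=Honest CA", t0 + 2 * year, t0 + timedelta(days=350)),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```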

    32. Re:Good. +1 for Google. by Anonymous Coward · · Score: 1

      Yet all the browsers consider unencrypted connections more secure than connections encrypted with a self signed certificate. This is the problem. Either they should remove the big scary warning for self signed certificates or put the same big scary warning on all unencrypted connections.

      It just makes no sense that unencrypted connections are considered more secure than encrypted connections using a self-signed certificate.

    33. Re:Good. +1 for Google. by Dagger2 · · Score: 1

      So, with the third party out of the equation, how does one know that the security certificate you receive from random-site.com is the one that random-site.com intended you to receive?

      By comparing the fingerprint with the list of valid fingerprints for the site, as published by the site via DANE.

      Of course, browsers refuse to implement that...

    34. Re:Good. +1 for Google. by Anonymous Coward · · Score: 1

      makes me wonder WHY WHY WHY "DNS-based Authentication of Named Entities" has not taken off, en masse.

      I get it -- it's newer -- it looks published in 2012, but... c'mon, Google could easily have implemented this in Chrome by now

    35. Re: Good. +1 for Google. by fustakrakich · · Score: 1

      Hong Kong and Macau could lose their special status tomorrow and would have zero say in the matter.

      I believe that would be considered a poor business strategy.

      --
      “He’s not deformed, he’s just drunk!”
    36. Re:Good. +1 for Google. by david_thornley · · Score: 1

      In Firefox, if you know you're talking to the right site, you have to do some nonintuitive clicks to accept the cert and use the site.

      BTW, if you're connected to the right site, you still can't trust the cert. It could be a part of a man-in-the-middle attack.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    37. Re:Good. +1 for Google. by Rich0 · · Score: 1

      I'm not sure what kind of fix you have in mind, but I suspect it boils down to "America is more trustworthy when it comes to internet surveillance than Hong Kong". Except we know that's not true. So it seems intractable.

      Simple, stick the certs in the DNSSEC records. Then only registrars between you and the root can spoof you. If you don't trust the USA, then pick a registrar in a country you do trust, and now the USA can't spoof your records.

      If you want convenience you'll always have to trust somebody, but with the DNSSEC proposal only a few companies could spoof any particular website (with the list being different for each website). The Chinese government couldn't spoof nsa.gov, and the NSA couldn't spoof government.cn.

      The root still involves some challenges, but that is high-profile and doesn't need to change much, so there are a lot of options there which won't scale up to the entire DNS tree.

    38. Re:Good. +1 for Google. by Frobnicator · · Score: 1

      It was tried already. It doesn't work. Nobody wants to be a volunteer CA, which is effectively what the web of trust demands of people.

      Actually it does work. Just not so well for web sites and servers.

      For all their other issues, a CA network works reasonably well for hardware-level communications trust. I can look at the algorithm type selected and trust that math ensures that eavesdropping is hard. I can also have some degree of confidence that the site really is who they say they are... but I also know there is a high risk they may have been hacked or compromised by anyone from government agencies to skript kiddies. There is no need for a fake cert when it is easy for them to infiltrate their networks through legal or illegal means. A CA doesn't mean I can trust the server or their services, only that the connection is slightly more safe from eavesdropping.

      A web of trust solves a different problem. It is focused mostly on authentication and social trust, not eavesdropping. I can give corporate secrets to my co-workers because people I already trust connected us, but I don't trust strangers on the street who claim to be co-workers because I cannot authenticate them as being part of the company.

      When it comes to authenticating people under a WOT model, I have high trust in those I have personally verified, and progressively lower trust in those I have not personally verified. Those in HR or IT can use their own key to sign all their employee keys and I can set a level of trust on those because I have personally met the HR or IT person. It works much like real life social rules, my direct friends I can trust, the friends-of-friends less so, the friends-of-friends-of-friends I will be skeptical of. Key servers can (and do) provide easy access to see who else trusts an individual, letting me quickly build a web of trust, where just like in the physical world I can decide how much trust I give anybody I personally know, and I can decide to trust no one, to trust only those few people I know well, or to trust anybody who comes along.

      The parallel with real life social trust is exactly why they work so well for email and similar social uses. That is how people have been doing it for ages.

      The reason it doesn't work too well on random web sites is that the web of trust model cannot be automated, or used to verify servers rather than people.

      What does it mean to trust a bank's signature? I may be able to verify my bank's digital certificate matches the card I got in their lobby. I probably have a WOT with a few friends and friends-of-friends that get me connected to individual workers at the bank. But that breaks down on a bigger scale when you are trusting servers rather than trusting people. I may know a teller at the bank as a human, but how does that give me any trust of the servers? Sure I probably know people who work at Discover Card's call centers, but just because I know some people why should I fully trust that DiscoverCard's servers have not been compromised? I may know some people working at Google, but does that mean I can trust their million servers not to give up information to the NSA? No way, because the WOT method focuses on individuals and people rather than hardware.

      WOT works well for social connections and personal identities. It doesn't work so well in other contexts. The need for a 'volunteer CA' is not the reason it breaks down. It breaks down because social trust models do not map well to hardware trust models. And for the interwebs that is okay because my trust level to any web site is incredibly low, I can assume they are likely hacked and NSA-backdoored, all I'm looking for is protection from casual eavesdropping.

      --
      //TODO: Think of witty sig statement
    39. Re:Good. +1 for Google. by Anonymous Coward · · Score: 0

      What? No.

      Certs need domain restrictions. Root CAs with * domain should be very few, local CAs allowed only to issue *.fr, *.cn, *.hk, or whatever is their TLD. Then browsers will automatically and by design not accept when the HK post office for example issues a certificate for Google.

      Add DANE to the mix, and you have a vast improvement.

      But I somehow suspect the CAs themselves don't want security. It's expensive and eats their margins, after all.
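
      Scoping a CA to a TLD, as proposed above, is what the X.509 Name Constraints extension (RFC 5280 section 4.2.1.10) expresses for dNSName entries: a constraint such as "cn" is satisfied by any name formed by adding labels to its left, and every CA above the leaf must permit every name in it. The Python below is an added illustration, not from the thread; the chains, CA names and policies are constructed, and treating a wildcard SAN by its base name is my assumption rather than something RFC 5280 spells out.

```python
"""Name-constraint style issuance check for the TLD-scoped CAs the post
proposes. Added illustration, not code from the thread. Implements the
RFC 5280 dNSName subtree rule: 'host.example.com' permits
'www.host.example.com' but not 'host1.example.com' (whole labels only)."""
from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def dns_matches_subtree(name: str, constraint: str) -> bool:
    """True if `name` is `constraint` or lies beneath it, label by label.
    A leading '.' in the constraint (a common encoding) is tolerated."""
    n, c = _labels(name), _labels(constraint.lstrip("."))
    return len(n) >= len(c) and n[-len(c):] == c


@dataclass
class CaPolicy:
    name: str
    permitted: list[str] = field(default_factory=list)  # empty = unconstrained
    excluded: list[str] = field(default_factory=list)


def name_allowed(policy: CaPolicy, san: str) -> bool:
    """A name is allowed if it matches no excluded subtree and, when a permitted
    list exists, matches at least one permitted subtree. A wildcard SAN is
    judged by its base name ('*.a.cn' -> 'a.cn'); wildcards anywhere but the
    leftmost label are rejected outright. (Assumed wildcard handling.)"""
    if "*" in san and (san.count("*") > 1 or not san.startswith("*.")):
        return False
    base = san[2:] if san.startswith("*.") else san
    if any(dns_matches_subtree(base, x) for x in policy.excluded):
        return False
    if not policy.permitted:
        return True
    return any(dns_matches_subtree(base, p) for p in policy.permitted)


def chain_issuance_ok(chain: list[CaPolicy], leaf_sans: list[str]) -> list[str]:
    """Constraints intersect down the chain: each CA above the leaf must allow
    each leaf name. Returns the names some CA in the chain does not allow; an
    empty list means the leaf is within every issuer's scope."""
    return [s for s in leaf_sans
            if not all(name_allowed(ca, s) for ca in chain)]


def demo() -> dict[str, list[str]]:
    """Constructed chains: TLD-scoped CAs versus an unconstrained root."""
    root = CaPolicy("Constructed Root CA")                       # unconstrained
    hk_ca = CaPolicy("Constructed HK CA", permitted=["hk"])
    cn_ca = CaPolicy("Constructed CN sub-CA", permitted=["cn"],
                     excluded=["gov.cn"])
    return {
        # an .hk-scoped CA signing Google names: both names rejected by design
        "hk_google": chain_issuance_ok([root, hk_ca],
                                       ["www.google.com", "mail.google.com"]),
        "hk_local": chain_issuance_ok([root, hk_ca], ["*.hongkongpost.hk"]),
        # 'notcn' shows the label-boundary rule; gov.cn is carved out
        "cn_mixed": chain_issuance_ok([root, cn_ca],
                                      ["shop.example.cn", "notcn", "portal.gov.cn"]),
        # today's situation: an unconstrained root may sign any name
        "unconstrained": chain_issuance_ok([root], ["www.google.com"]),
    }


if __name__ == "__main__":
    for case, violations in demo().items():
        print(f"{case}: {'ok' if not violations else 'rejected ' + str(violations)}")
```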

    40. Re:Good. +1 for Google. by real+gumby · · Score: 1

      The fix? Part of it would probably be to prompt the user on the device to install the relevant CAs for their geographic region. If on mainland China, having a CA for the HK post office makes sense. Not so in the US, unless one travels abroad or has a lot of business with Chinese sites.

      That doesn't make a lot of sense. .com domains are issued worldwide, and I am glad to have the choice of CAs to use for my com and org domains. And if I go to a .cn site I would like to know it's trusted.

      The rest of your message does make sense. But to my case above: how do I know it's trusted? There's no explicit endorsement.

    41. Re:Good. +1 for Google. by Richard_at_work · · Score: 1

      So we are back to a third party, only this time involving lists that need updating and collating...

    42. Re:Good. +1 for Google. by Ben+Hutchings · · Score: 1

      Yet all the browsers consider unencrypted connections more secure than connections encrypted with a self signed certificate.

      No. They consider that entering or following a link to an 'https:' URL means that you expect a secure connection. In this context, a self-signed certificate that has not been whitelisted is an error.

    43. Re:Good. +1 for Google. by IamTheRealMike · · Score: 4, Informative

      WoT doesn't work anywhere. I know it's a popular idea but it doesn't work, period, end of story.

      Problem: the PGP web of trust is tiny and has fewer than 4 million keys published to the SKS key pool, EVER. That's pathetic. But of those keys, many are not really connected to the WoT at all. The strong set is only 50k keys. The WoT is a failure, numerically. For comparison: "Yo", an app created as an April fools joke which only lets you send the word "yo" to other users, managed to get 3 million users. The WoT's entire existence has been matched by an April fools.

      Problem: the PGP web of trust converts everyone you trust into a CA. Unlike real CAs that protect their keys with hardware security modules, are audited, etc, PGP users routinely do things like carrying their private keys through airports on general purpose laptops onto which they install whatever the latest cool toy is. If any of the users you trust are compromised, the entire WoT can be faked through them and your client will accept it. Sure, if you're some kind of crypto guru you can maybe detect this. But most people aren't.

      Problem: the "web of trust" is misleadingly named. The graph edges in it are not indicative of social trust. They are in fact reflecting a trust that is more like, "I trust you to protect your private key and do accurate ID verification" which has nothing to do with the more ordinary, human, every day use of the word trust. In your post you mix up these very different kinds of trust, and this is a very frequent but fundamental error. Protecting private keys and doing accurate ID verification are difficult, skilled tasks, whereas what being trustworthy usually means simply requires loyalty.

      Problem: the primary criticism of the CA system is that CAs could be coerced by governments via legal means. However, the same is true for people in the web of trust - any of those people can be served with a court order forcing them to sign the government's key.

      Problem: the WoT leaks the entire social graph to the entire public. In this day and age, that's unacceptable.

      Problem: the WoT has fake keys uploaded to it and there's nothing anyone can do about it. This isn't theoretical, it has happened and routinely fools large numbers of people.

      In short, after many years I've come to the conclusion that the web of trust has no redeeming qualities at all. It was a neat sounding idea, it was tried, it has failed. It should be taken out the back and quietly shot, so it can't mislead any more people into thinking it's a good idea.

    44. Re:Good. +1 for Google. by leuk_he · · Score: 1

      There are some mistakes.
      "CAs used to be meticulous about who they signed certs for." What you say may be misunderstood: what is signing used for most of the time? They sign that you are who you say you are, not about who you are. You can get crooksincorperated.com or mikerowsoft.com signed very simply if you own the corresponding domain. Even if it is signed you might not be able to find the owner of that site. The certificate only proves the data is not modified.

      What went wrong here is that MCS got the certificate to create more certificates, and MCS did not protect that cert very well. You know what happened in Egypt with the internet? It got monitored, to be very simple. Maybe with help of the MCS proxy device.

    45. Re:Good. +1 for Google. by rtkluttz · · Score: 1

      That's the point.. Don't give a shit if they can. I'm sorry but I am a bit of a computer elitist. I don't think ISPs should be responsible for blocking ports or making security decisions on the behalf of their users either, but if they start spewing malware all over the place, then they need to be banned. Proper usage and consequences; there is a secure way to do transactions, people just don't like security. In that case don't bitch about the consequences (not you, just people in general aren't willing to do what is necessary to secure themselves).

      When people insist that things are done for them, restrictions get tighter on those of us who DO know what we are doing. Companies start catering to the lowest common denominator... case in point... Android and Apple walled gardens where you are no longer the admin of your own device. You aren't deemed smart enough to control your own security destiny so they take the functionality away.

      Yes, I am a computing elitist. If people don't know what they are doing, then deal with the consequences.

      --
      Digital is, by definition, imperfect. Analog is the way to go.
    46. Re:Good. +1 for Google. by nullchar · · Score: 1

      Great for small sites, but doesn't work for giant sites like the Google properties.

    47. Re:Good. +1 for Google. by Dagger2 · · Score: 1

      It's the same third party that lets you have random-site.com rather than an IP, so you're stuck with them anyway.

    48. Re:Good. +1 for Google. by stooo · · Score: 1

      >>How often do you stop and look at which CA
      Every time. There are addons that do exactly that. Use them.

      --
      aaaaaaa
    49. Re:Good. +1 for Google. by stooo · · Score: 1

      >>registrars between you and the root can spoof you.
      Not good.
      It would be much better to require two (or more) cert chains at the same time that won't cooperate.
      For example, take a cert from the USA, North Korea, and India. You could only be spoofed if these 3 CAs or their intermediaries cooperate.

      --
      aaaaaaa
    50. Re:Good. +1 for Google. by Rich0 · · Score: 1

      >>registrars between you and the root can spoof you.
      Not good.
      It would be much better to require two (or more) cert chains at the same time that won't cooperate.
      For example, take a cert from the USA, North Korea, and India. You could only be spoofed if these 3 CAs or their intermediaries cooperate.

      Sure, but how do you specify which three have to collaborate for any particular domain, and who do you have to trust to have made that certification?

    51. Re:Good. +1 for Google. by Anonymous Coward · · Score: 0

      No. They consider that entering or following a link to an 'https:' URL means that you expect a secure connection. In this context, a self-signed certificate that has not been whitelisted is an error.

      No. The average user we are talking about here never types anything in the address bar (Google is the new DNS didn't you know?), nor do they look at where a link actually points before clicking on it.

      Give the average user a link to the same site on an unencrypted connection and one on an encrypted connection with a self signed certificate, and the browser will tell them that the encrypted site is insecure and tell them that the unencrypted site is secure (through lack of any warning of any kind) which is completely and totally wrong.

      I can only conclude root CA browser payola.

    52. Re:Good. +1 for Google. by Dutch+Gun · · Score: 2

      Certificate Patrol is worthless for anyone who uses Google services, which mints new certificates and expires old ones on a near daily basis. You're notified nearly every time you visit their site, which eliminates the value of the warning in the first place. Google has apparently decided that it's more secure to have rapidly-expiring certificates in lieu of long-term certificates that may have to be revoked, probably partially because they don't have an effective revocation system in place.

      More critically, any solution that requires a third-party plugin and expects the user to watch carefully for certificate changes is a complete non-starter for the general public.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    53. Re:Good. +1 for Google. by phayes · · Score: 1

      Did I say that CP was a solution for the general public or covered all cases? No. I said that CP is generally useful in the absence of anything better in the browsers to the /. public.

      Other than junking the present certificate system & replacing it with something else, do you have a better suggestion than CP? Anything useful today?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    54. Re:Good. +1 for Google. by stooo · · Score: 1

      I don't do implementation details. Of course, the whole cert chain system needs rework. But we already know that.

      --
      aaaaaaa
    55. Re:Good. +1 for Google. by virtual_mps · · Score: 1

      >>registrars between you and the root can spoof you.
      Not good.

      Why is that not good? If your registrar is malicious, they can get a certificate issued for you anyway. The really nice thing about the "you have to trust your registrar" model is that you can actually vote with your wallet. Don't care about security? Get a cheap registrar. Want really good security? Pay extra for a registrar that has stronger guarantees. Even better: if a registrar screws up, its customers can leave. (Unlike the CA model, where if the CA screws up, they're too big to fail.) The technical aspects are almost secondary to the benefits of providing economic incentives for the security-critical actors to do the right things.

    56. Re:Good. +1 for Google. by stooo · · Score: 1

      As I said, it's not good. For correctly done security, no single organization should be in a position to spoof you. Whatever the price. (Since when is price indicative of quality??)

      --
      aaaaaaa
    57. Re:Good. +1 for Google. by virtual_mps · · Score: 1

      Who decides who "example.com" is? A collection of CAs or the person who gets the money for adding the NS entry for example.com? You may have existential angst over this, but at a practical level the registrar is going to be intimately involved in deciding who owns your domain and will have a de facto ability to spoof that, cut you off, or do other bad things. The question is whether they can do any of this stealthily. One nice thing about DANE is that you can actually monitor the records which are being provided to ensure that people are getting the correct records (doing this right would mean either having a number of test locations or hiring a third-party provider that does this as a service). This is in contrast to the CA model, in which you don't know that someone is presenting a bogus cert unless you're Google and you get to instrument everybody's browser.

      As for the price, you misunderstand. Paying more certainly doesn't guarantee quality, but not paying certainly guarantees that a provider won't implement expensive controls. If you need a highly secure domain in the DNSSEC scheme, then you want a registrar that will implement things like out-of-band verification of changes, multi-party controls on their end to prevent unauthorized changes, routine auditing, etc. That will cost more than getting a domain from a registrar that doesn't provide those services. You're probably going to be using a registrar that has a low enough volume that they can actually inspect changes to a degree impossible if you support automated bulk registrations (so the costs are spread over fewer customers). The neat thing is, you get to decide what you need--there's no good reason why my vanity domain needs the same level of security as microsoft.com. If you're on the really high end, I'd expect that you'd actually third-party audit the registrar to make sure that they're doing the things they say they are. (That also won't be free.) But at least there would be economic incentives to do all of these things, unlike the current regime where there's no effective difference between a $100k Verisign EV cert and a free StartSSL cert.
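
The DANE monitoring idea in the two posts above (check that resolvers everywhere hand out the TLSA records the owner actually published) can be shown with a small, self-contained example. This is added illustration code, not anything from the thread or from a DANE implementation: it builds a TLSA record in the RFC 6698 layout (usage, selector, matching type, association data), matches a presented certificate against it, and flags vantage points whose DNS answers disagree with the published record set. The certificate and SubjectPublicKeyInfo byte strings are constructed placeholders; a real check would parse them out of a DER certificate first.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# TLSA field values from RFC 6698 section 2.1 (only the ones used here).
USAGE_DANE_EE = 3          # pin the end-entity certificate itself, no CA involved
SELECTOR_FULL_CERT = 0     # association data covers the whole DER certificate
SELECTOR_SPKI = 1          # association data covers only the SubjectPublicKeyInfo
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    cert_assoc_data: bytes   # the digest (or raw bytes) the record pins

    def presentation(self) -> str:
        """Zone-file style text, e.g. '3 1 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.cert_assoc_data.hex()}"


def tlsa_digest(selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the association data a record with these fields would carry."""
    if selector == SELECTOR_FULL_CERT:
        data = cert_der
    elif selector == SELECTOR_SPKI:
        data = spki_der
    else:
        raise ValueError(f"unsupported selector {selector}")
    if matching_type == MATCH_EXACT:
        return data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def make_record(usage: int, selector: int, matching_type: int,
                cert_der: bytes, spki_der: bytes) -> TLSARecord:
    return TLSARecord(usage, selector, matching_type,
                      tlsa_digest(selector, matching_type, cert_der, spki_der))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies the record; unknown field values never match."""
    try:
        expected = tlsa_digest(record.selector, record.matching_type, cert_der, spki_der)
    except ValueError:
        return False
    return hmac.compare_digest(expected, record.cert_assoc_data)


def disagreeing_vantage_points(published: frozenset, observed: dict) -> list:
    """Vantage points whose resolver returned a record set other than the one the owner published."""
    return sorted(name for name, records in observed.items() if records != published)


# Constructed sample inputs (not real DER; stands in for parsed certificate bytes).
SAMPLE_CERT = b"constructed-der-certificate-bytes-for-example.test"
SAMPLE_SPKI = b"constructed-spki-bytes-for-example.test"
ROGUE_SPKI = b"constructed-spki-bytes-of-a-substituted-key"


def demo():
    """Returns (genuine cert matches, substituted key matches, vantage points serving wrong records)."""
    published = make_record(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, SAMPLE_CERT, SAMPLE_SPKI)
    genuine_ok = tlsa_matches(published, SAMPLE_CERT, SAMPLE_SPKI)
    rogue_ok = tlsa_matches(published, SAMPLE_CERT, ROGUE_SPKI)
    # A record an attacker would need to inject to make the substituted key pass.
    rogue_record = make_record(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, SAMPLE_CERT, ROGUE_SPKI)
    # Constructed answers from three monitoring locations; one resolver is serving a tampered set.
    observed = {
        "home-isp": frozenset({published}),
        "cloud-eu": frozenset({published}),
        "cafe-wifi": frozenset({rogue_record}),
    }
    return genuine_ok, rogue_ok, disagreeing_vantage_points(frozenset({published}), observed)


if __name__ == "__main__":
    print(demo())
```

With DNSSEC in place the tampered answer would already fail validation at the resolver; the multi-vantage comparison is the detection layer for the case where the registrar or DNS operator itself changed the record, which is exactly the actor the post says you are forced to trust.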

    58. Re:Good. +1 for Google. by mrchaotica · · Score: 1

      Having to do with Leases. It is incorrect usage in this context.

      Unfortunately, so is trying to use a dependent clause as a complete sentence.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    59. Re:Good. +1 for Google. by Archangel+Michael · · Score: 1

      This isn't a formal communication channel.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  2. Lawful rights and interests? by fuzzyfuzzyfungus · · Score: 2

    What 'rights and interests', exactly, is CCIN blathering about? Google has changed absolutely nothing about any certificate they have issued, the hierarchy will be precisely as it was, they just decided that 'being untrustworthy' was incompatible with being among the trusted CAs.
    Is this just swagger, or are they attempting the theory that CAs have some sort of right to be trusted?

    1. Re:Lawful rights and interests? by gstoddart · · Score: 5, Insightful

      Ever read any other press releases coming out of China?

      They very often miss the point, and just fall back to "this is true because we say it is".

      The "rights and interests" of users is to not be spoofed. The users in China don't have a "right" to use a google product which has been hacked, and the CNNIC doesn't have a "right" to issue fake certificates.

      Some of it is swagger, but from people who are used to being able to wave their collective dicks around and have that influence reality. Now, they've come up against an entity who says "we simply don't care what you want to claim, this is what's happening".

      --
      Lost at C:>. Found at C.
    2. Re:Lawful rights and interests? by david672orford · · Score: 1

      What 'rights and interests', exactly, is CCIN blathering about? Google has changed absolutely nothing about any certificate they have issued, the hierarchy will be precisely as it was, they just decided that 'being untrustworthy' was incompatible with being among the trusted CAs. Is this just swagger, or are they attempting the theory that CAs have some sort of right to be trusted?

      If their certificates are not trusted by major browsers, then they are worthless blobs of bits. This will hurt the 'rights and interests' of the customers who paid for them and whose web servers will (as far as the customer can see) stop working. CCIN is trying to transfer the blame to Google.

    3. Re:Lawful rights and interests? by mwvdlee · · Score: 2

      Browser manufactures have a responsibility towards their own customers (users), not towards the victims of some untrustworthy CA.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:Lawful rights and interests? by freeze128 · · Score: 1

      Also, "The decision that Google has made is unintelligible to CNNIC."

      So, CNNIC doesn't understand the concept of trust, or is it ALL of China? It's a simple concept that humans have had for centuries. I guess they're just not used to being on the receiving end of the punishment.

    5. Re:Lawful rights and interests? by Anonymous Coward · · Score: 0

      I think they are referring to the many legitimate certificates issued by CNNIC. The holders of these certificates are innocent and will be harmed by the consequences of CNNIC's failure to prevent fraudulent certificates from being produced. They ought to prepare a lawsuit, using CNNIC's own words.

    6. Re:Lawful rights and interests? by amicusNYCL · · Score: 1

      Wait, your username is " ", did Slashdot start supporting Unicode all of a sudden?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    7. Re:Lawful rights and interests? by amicusNYCL · · Score: 1

      No. Apparently Slashdot did not start supporting Unicode.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    8. Re:Lawful rights and interests? by HiThere · · Score: 1

      Sorry, but the "right" to issue "fake" certificates is pretty much what a CA is about. You are trusting them not to abuse that right. Google has said that they don't trust one particular CA, which happens to be in China. Many others also shouldn't be trusted, but still are. I have a real question as to which CAs actually *do* validate that the folk they issue certificates to represent those with an actual right to the name... and my suspicion is that none of them do. If they did you wouldn't get so many "off by one letter" phishes.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    9. Re:Lawful rights and interests? by shutdown+-p+now · · Score: 1

      No, it's just because it comes from G+, and they don't filter that.

      (Slashdot does support Unicode, they just have a super-long blacklist of things that you can't use)

    10. Re:Lawful rights and interests? by Anonymous Coward · · Score: 0

      "The decision that Google has made is unintelligible to CNNIC."

      Translation:

      "CNNIC does not like the decision that Google has made, and acknowledging that we acted badly is not something we wish to do, so, please blame Google for the mistake we made and have no excuse or reasonable non-incriminating explanation for."

  3. Too bad for CNNIC by Anonymous Coward · · Score: 5, Insightful

    Given the events that transpired, it seems like Google is completely in the right here. It would be best if Mozilla, Microsoft, et. al. followed suit.

    1. Re:Too bad for CNNIC by gtall · · Score: 2

      1. All that will happen is that CCIN will disappear and magically pop up again with a new name, different premises, different phone numbers, but with the same slimeballs in charge. The companies will whine, if they find out about it, to the Chinese government. The Chinese government will open an alleged investigation and that will be the last anyone will hear of the investigation. Meanwhile, the companies will again become frustrated, do to the new entity what they did to CCIN. Go to 1.

    2. Re:Too bad for CNNIC by QuietLagoon · · Score: 4, Insightful

      All that will happen is ...

      If that is what happens, then other measures would need to be taken to assure new CA's are trustworthy.

      If the same problem continues to recur and nothing is done to prevent it, then the whole web of trust will fail.

    3. Re:Too bad for CNNIC by Zocalo · · Score: 5, Interesting

      It's not quite that simple. CNNIC is the Chinese national equivalent of a LIR - they are responsible for all the IP assignments in China, so they can hardly "disappear" like that. Shutting down their CA division and re-opening it as a new shell company might be an option however.

      The main thing here is that this also invalidates all of the certificates issued by CNNIC's intermediaries like MCS that are descended from the soon to be invalidated root certificates, and so on all the way down the chain of trust. That's a *lot* of customers and customers of customers that are going to be looking to push at least some of the costs of sorting this out upstream. Ultimately the buck stops at CNNIC, so they are going to have to make a decision about how much of those costs they are going to bear - get it wrong and there are plenty of other root CAs that intermediate level CAs can go to instead of CNNIC.

      That sends a pretty strong message to other CAs that might be considering something similar, or to governments looking to strong-arm a CA into doing it on their behalf. Break the chain of trust (whether through incompetence, negligence or deliberate intent being immaterial), and you can expect to face very public, and potentially very expensive, consequences. Given that this also has implications for everyone's privacy, absolutely Apple, Microsoft, Mozilla et al. ought to follow suit and take at least some form of punitive action. Following on from DigiNotar I'm actually expecting to see them publishing some form of formalised policies about this in the near future, and hopefully no more exceptions (like TrustWave) are going to be made.

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Too bad for CNNIC by Anonymous Coward · · Score: 2, Insightful

      The problem is that, while it sends a message, it also seems like the strong message was only sent because it mostly affects some Chinese that do bad things anyway. Would the same strong message have been sent if it had been Verisign or DigiCert?

    5. Re:Too bad for CNNIC by david672orford · · Score: 1

      1. All that will happen is that CCIN will disappear and magically pop up again with a new name, different premises, different phone numbers, but with the same slimeballs in charge. The companies will whine, if they find out about it, to the Chinese government. The Chinese government will open an alleged investigation and that will be the last anyone will hear of the investigation. Meanwhile, the companies will again become frustrated, do to the new entity what they did to CCIN. Go to 1.

      Ah, but as we see from this story, it is not the Chinese government which gets to decide if they will be allowed to do that, it is the makers of web browsers and similar software. If popular software is not configured to trust their certificates, they will be useless.

    6. Re:Too bad for CNNIC by Zocalo · · Score: 4, Interesting

      That's the big question, isn't it? Like CNNIC, the Turkish DigiNotar got the boot also, yet the US-based TrustWave was let off. It's probably worth pointing out that TrustWave's problems occurred pre-Snowden so people were a little more complacent even before you consider the "local US company" vs. "country with poor reputation for civil rights" issues. I'd like to hope that in today's climate TrustWave would meet a similar fate to DigiNotar and CNNIC/MCS, but without a clear no-exceptions policy from the application and OS vendors there's no real way to be sure. Even if there were such a policy, I doubt anyone would be willing to unilaterally revoke a compromised root certificate from one of the *really* major players in the CA game without a mutually agreed grace period to migrate users to replacement certificates.

      --
      UNIX? They're not even circumcised! Savages!
    7. Re:Too bad for CNNIC by mwvdlee · · Score: 1

      Meanwhile, Google and the like will get requests to add a new CA, they will research the new CA and find the same slimeballs in charge and never add the new CA to begin with. Nothing hurt but the pockets of some slimeballs.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    8. Re:Too bad for CNNIC by Anonymous Coward · · Score: 0

      Nit: DigiNotar was Dutch.

    9. Re:Too bad for CNNIC by Archangel+Michael · · Score: 1

      The Chinese government will open an alleged investigation and that will be the last anyone will hear of the investigation.

      Sounds an awful lot like the US government these days.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    10. Re:Too bad for CNNIC by Anonymous Coward · · Score: 0

      DigiCert?

      DigiCert got a long, comfortable lead time before their cert was removed, but so did CNNIC. I bet the length of time Google equivocated is a signal about how secure they think certs are in general (not very), and not about politics. Too bad we'll never hear the whole story.

    11. Re:Too bad for CNNIC by Luthair · · Score: 1

      One downside however is that it does provide an incentive for CAs to cover up any mistakes they make rather than disclose them.

    12. Re:Too bad for CNNIC by fustakrakich · · Score: 1

      Rest assured, this "web of trust" is pure fantasy; with the very pillars of every institution crumbling away, it's an illusion built on pure desire and natural appeal to authority. I don't know why people even discuss it, aside from the snake oil salesmen trying to sell it.

      --
      “He’s not deformed, he’s just drunk!”
    13. Re:Too bad for CNNIC by fustakrakich · · Score: 1

      ...a clear no-exceptions policy from the application and OS vendors...

      This cannot happen. They all have their fingers in each other's pies. It would break the entire ecosystem. The house of cards would collapse.

      --
      “He’s not deformed, he’s just drunk!”
    14. Re:Too bad for CNNIC by amicusNYCL · · Score: 1

      It would be best if Mozilla, Microsoft, et. al. followed suit.

      It would, for the sake of their own customers, but in reality it's not even necessary. TFA calls Chrome the second most popular browser, although I'm pretty sure it's firmly in first place. If those certificates are not trusted in Chrome then, regardless of whether or not they are trusted in IE or Firefox, the website owners are still going to get a new certificate from a different CA. Even with only Google taking these steps, CNNIC is hosed. If Mozilla follows suit it's really only academic at that point, but it would be right for them to do so just to remove an untrusted CA.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    15. Re:Too bad for CNNIC by Anonymous Coward · · Score: 0

      I think the Mozilla ticket involving the addition of CNNIC a few years ago speaks volumes.... https://bugzilla.mozilla.org/show_bug.cgi?id=476766

      Some real gems like "Being a former Chinese resident, I still remembered years ago CNNIC automatically installed their UNREMOVABLE system drivers to our systems by using IE 6 bugs. CNNIC is really a gangster."

      Why the HELL did anybody add this organization as a root CA? If they are pulling crap like this, they're not trustworthy. If the rules for who can be a root CA don't exclude people who do this kind of thing, the rules need to be modified. Anyone with a smidgen of common sense back then could see that this incident would eventually happen.

      And loads and loads of other Chinese users begging Mozilla not to add this root CA, which is basically a branch of the government. No way in hell I trust them. The US and its NSA may have problems but I'd still trust a US-based root CA any day over CNNIC.

    16. Re:Too bad for CNNIC by Anonymous Coward · · Score: 0

      You're almost right.

      Diginotar wasn't Turkish. What you're probably thinking of was the Turkish CA "TURKTRUST Inc" which gave intermediate CA authority to organisations which in turn created & issued fake SSL certificates. See article by Brian Krebs.

      TURKTRUST claims it gave the intermediate CA authority accidentally. Difficult to believe considering one of the recipients of such authority was a government authority. And particularly in light of what little respect the Erdogan government has for human rights, and his penchant for spying on his own citizens.

    17. Re:Too bad for CNNIC by shutdown+-p+now · · Score: 1

      Chrome the second most popular browser, although I'm pretty sure it's firmly in first place.

      I think they might mean popularity in China. The picture looks very different there.

  4. Just forbid CAs from delegating already by Anonymous Coward · · Score: 0

    Google and Mozilla should just forbid any CAs from issuing CA certificates to anyone else that is not itself. This effectively means no sub-CAs on third-parties. There, fixed.

    It is still utterly useless, the current CA model is not salvageable. Not even if we augment it with DNSSEC+DANE to enforce the trust chains for each domain.

    And that's not even going into the nightmare that it will be to get the CDNs to behave, fixing it on their end will be either expensive as all heck, or unsafe as all heck.

  5. Firefox response by Lennie · · Score: 2

    Judging by the discussions on the Mozilla mailing lists I wouldn't be surprised if Firefox will include a whitelist of currently issued CCNIC certificates and make it so no new certificates issued by CCNIC will be valid.

    At least as long as CCNIC doesn't adhere to the proper rules. Maybe CCNIC will even get stricter rules applied to them.

    --
    New things are always on the horizon
    1. Re:Firefox response by Lennie · · Score: 5, Informative

      Here is a link to the latest Mozilla statement on the mailinglist/newsgroup:
      https://groups.google.com/d/ms...

      --
      New things are always on the horizon
    2. Re:Firefox response by drinkypoo · · Score: 5, Insightful

      Now that is fascinating. FTFN[ewspost]:

      The current incident falls into this category:
      "Problem: CA mis-issued a small number of intermediate certificates that they can enumerate

      Uh, no. No, that is not the problem. The problem is that the CA has been demonstrated to use untrustworthy practices. They are fundamentally untrustworthy, and Google did the Only Right Thing(tm) while Mozilla is failing, and hard.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Firefox response by Lennie · · Score: 1

      The reasons might end up being less important than the actions.

      Here is the official announcement:

      https://blog.mozilla.org/secur...

      --
      New things are always on the horizon
  6. Mozilla formulating a plan? by wezelboy · · Score: 2

    This plan does not need to be formulated. Drop their root CA ASAP.

    1. Re:Mozilla formulating a plan? by Anonymous Coward · · Score: 5, Informative

      You know you can do this yourself in Firefox and Thunderbird.

      Options -> Advanced -> Certificates -> View Certificates -> Authorities -> Delete or Distrust...

    2. Re:Mozilla formulating a plan? by Archwyrm · · Score: 2

      Multiply by the number of browser profiles you care about and on friends' and relatives' computers. And, yeah.. I'd prefer this change to come as part of regular browser updates.

      --
      Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
    3. Re:Mozilla formulating a plan? by Anonymous Coward · · Score: 0

      Alternatively, use the "Edit Trust..." option, and uncheck all of the boxes. Since it's a built-in certificate, it has the same outcome, but for non-built-in ones, this means the difference between distrusting it and outright deleting it from the list entirely.

    4. Re:Mozilla formulating a plan? by Anonymous Coward · · Score: 0

      Done.

    5. Re:Mozilla formulating a plan? by phayes · · Score: 3, Informative

      Unless this has changed, deleting the ingrown CAs in chrome & Firefox has little effect as they reappear if you quit & relaunch the application. It's why I installed the Certificate Patrol plugin which at least lets me see when certificates change.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    6. Re:Mozilla formulating a plan? by Anonymous Coward · · Score: 0

      "With great power comes great responsibility."

      And hopefully some decent scripting ability.

    7. Re:Mozilla formulating a plan? by Anonymous Coward · · Score: 0

      Which is exactly what I've done in Firefox for all certificates. I don't have that many sites I visit, thus I'm quite willing to add the needed exceptions for those sites while not trusting ANY Cert Authority. I've even gone so far as to begin doing this in Windows to prevent such a problem, though they make it far harder to ensure that only those Certs I actually trust are valid.

      As to the issue with Mozilla formulating a plan - what plan? Simply distrust the Root CA until they've corrected the issue. There's no need to remove them, but it would help everyone who uses their product to become aware of the issue.

    8. Re:Mozilla formulating a plan? by CrimsonAvenger · · Score: 1

      Thanks for the tip. Don't look at Certificates often enough to have realized that I couldn't permanently remove those CAs. Luckily I can edit the trust levels to the point that they're completely untrusted anyways.

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
  7. Important note: this is potentially not permanent by kav2k · · Score: 4, Informative

    What this summary neglects to say is that Google is open to the idea of adding them back. Quote (link mine):

    [...] CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.

  8. Lotsa butthurt by FatherDale · · Score: 2, Interesting

    "The unauthorized certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operated under the authority of CNNIC. MCS used the certificates in a man-in-the-middle proxy, a device that intercepts secure connections by masquerading as the intended destination." Looks like Google and CNNIC have already agreed that if CNNIC are good boys for the next few weeks they won't turn them off. Wonder how closely MCS Holdings works with the Chinese gov?

  9. Link to the announcement by YA_Python_dev · · Score: 4, Informative

    Google announced the decision in an update at the bottom of https://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html. I'm happy they did: certification authorities need to understand that there are consequences to gross negligence or worse.

    --
    There's a hidden treasure in Python 3.x: __prepare__()
    1. Re:Link to the announcement by Anonymous Coward · · Score: 0

      That link is found in the story from last week (first link in this summary).

  10. Too big to fail by Anonymous Coward · · Score: 0

    But would they do the same if Verisign fucked up like that?

    1. Re: Too big to fail by Anonymous Coward · · Score: 0

      Do you doubt that Verisign would be handing out CA powers to shady parties in a heartbeat if they didn't think that there would be consequences? CAs have one product and purpose in life: trust. Once they fuck that up, they perish, as it should be.

  11. Good move google. Mozilla, we're waiting...???? by QuietLagoon · · Score: 1

    I commented on this in an earlier thread.

  12. Re:Important note: this is potentially not permane by ledow · · Score: 4, Informative

    "Fix your shit once-and-for-all and we might deal with you again."

    That's not really an endorsement, any way you look at it.

  13. Web of trust cannot survive politics by sinij · · Score: 4, Insightful

    Web of trust cannot survive politics, if we tolerate any bad behavior from any trusted parties, then nobody could be trusted and whole construct falls apart.

    1. Re:Web of trust cannot survive politics by Anonymous Coward · · Score: 0

      This is the idea behind the concept of certificate notaries:
      1) Site publishes certificate
      2) Notaries cruise web signing certificates they find
      3) User goes to site, finds cert, finds which notaries have signed cert, determines if the cert can be trusted*

      * final step can be a function of which notaries you personally trust and how many of them you require agreement from.

      This system allows untrusted notaries to be ignored without breaking the web. Problem is this system provides no income for notaries.
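The quorum step the comment describes, as an added example rather than anything from the thread: notary reports are assumed to have already been signature-checked, and the notary names, hosts and fingerprints are constructed sample data.

```python
from dataclasses import dataclass

# Added example (not from the original thread): a notary-quorum policy of the kind the
# comment sketches. Notary names, hosts and fingerprints below are constructed sample data,
# and each report is assumed to have had its notary signature verified before it gets here.


@dataclass(frozen=True)
class Observation:
    notary: str       # which notary reports
    host: str
    fingerprint: str  # hex SHA-256 of the certificate that notary saw for the host
    seen_at: int      # unix time of the observation


def latest_per_notary(observations, host):
    """Keep only each notary's most recent report for this host; older ones are stale."""
    latest = {}
    for obs in observations:
        if obs.host != host:
            continue
        if obs.notary not in latest or obs.seen_at > latest[obs.notary].seen_at:
            latest[obs.notary] = obs
    return latest


def evaluate(host, seen_fingerprint, observations, trusted_notaries, quorum):
    """
    Decide whether the certificate the user just received (seen_fingerprint) agrees with
    what the notaries this user trusts have seen for the host. Untrusted notaries are
    ignored outright, which is how a misbehaving notary is dropped without breaking
    anything else. Returns (verdict, agreeing_notaries, dissenting_notaries).
    """
    reports = [o for o in latest_per_notary(observations, host).values()
               if o.notary in trusted_notaries]
    agreeing = sorted(o.notary for o in reports if o.fingerprint == seen_fingerprint)
    dissenting = sorted(o.notary for o in reports if o.fingerprint != seen_fingerprint)
    if dissenting:
        # Trusted vantage points saw a different certificate: either a key rotation in
        # progress or something between this user and the site. Surface it, never accept silently.
        verdict = "conflict"
    elif len(agreeing) >= quorum:
        verdict = "trusted"
    else:
        verdict = "insufficient"
    return verdict, agreeing, dissenting


# Constructed sample reports: three notaries the user trusts, one it does not.
SAMPLE = [
    Observation("notary-a", "mail.example.com", "aaaa", 100),
    Observation("notary-b", "mail.example.com", "aaaa", 110),
    Observation("notary-c", "mail.example.com", "bbbb", 90),   # stale report from notary-c
    Observation("notary-c", "mail.example.com", "aaaa", 120),  # notary-c's latest report
    Observation("shady", "mail.example.com", "cccc", 130),     # untrusted notary, ignored
]
TRUSTED = {"notary-a", "notary-b", "notary-c"}


def demo():
    return {
        "genuine": evaluate("mail.example.com", "aaaa", SAMPLE, TRUSTED, quorum=2)[0],
        "intercepted": evaluate("mail.example.com", "cccc", SAMPLE, TRUSTED, quorum=2)[0],
        "unknown_host": evaluate("new.example.com", "dddd", SAMPLE, TRUSTED, quorum=2)[0],
    }
```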

  14. Wrong. Read What You Quoted. by Anonymous Coward · · Score: 1

    What this summary neglects to say is that Google is open to the idea of adding them back. Quote (link mine):

    [...] CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.

    Ahahaha, this just says "basically before you can even talk to us again, you'll need to implement Certificate Transparency." That's not reinclusion, that's a requirement for you before you can request to be reincluded.

  15. tough nuts by slashmydots · · Score: 2

    In China anyone can rip off or scam anyone, make a fake product, clone something, lie about specs, sell defective gear, etc.
    "The decision that Google has made is unacceptable and unintelligible"
    WELCOME TO AMERICA. We don't put up with that shit.

    1. Re:tough nuts by ZorinLynx · · Score: 1

      Yet. :(

    2. Re:tough nuts by Anonymous Coward · · Score: 0

      Except your "small government" idiots want exactly that ... no controls over what corporations can do, based on the false premise that "the market" would solve these problems.

      These people are clueless idiots who would give you this exact scenario.

    3. Re:tough nuts by Tokolosh · · Score: 2

      In this case Google has done something. What has the US or any other government done?

      --
      Prove anything by multiplying Huge Number times Tiny Number
    4. Re:tough nuts by OhPlz · · Score: 1

      The market did this, not the feds. So the market does work, if you let it.

  16. Internet Explorer by jfdavis668 · · Score: 1

    All this talk about Google and Mozilla, what is Microsoft doing?

    1. Re:Internet Explorer by Diss+Champ · · Score: 1

      No one who cares about security and keeps themselves informed is using Internet Explorer anyway. Microsoft therefore doesn't have any business need to deal with this quickly.

    2. Re:Internet Explorer by Zocalo · · Score: 4, Informative

      Microsoft have decided that the buck stops with MCS Holdings and will be revoking all of their certificates, but letting CNNIC and their other customers off the hook. I suspect the update will go out as part of the regular patch batch on April 14th.

      --
      UNIX? They're not even circumcised! Savages!
  17. California occupied by jfdavis668 · · Score: 0

    California has been occupied since 1847. Shouldn't Google do something about that first?

    1. Re:California occupied by Anonymous Coward · · Score: 0

      1847?

      California was occupied by the Mexicans starting in 1821
      And by the Spanish from 1769
      And by "Europeans" increasingly from "first contact" in 1542.

      If the argument is "give it back". To whom?
      The US took it from Mexico, who took it from Spain, who, through some mess and stuff, ultimately took it from the natives who were living there.
      And those natives, did they have conflict over land? A quick look by me finds none, but it might well be.

    2. Re:California occupied by jfdavis668 · · Score: 1

      Ok, correction: California has been occupied since 13,000 B.C.

    3. Re:California occupied by Anonymous Coward · · Score: 0

      Then what would you like to have google do about this occupation?

    4. Re:California occupied by jfdavis668 · · Score: 1

      Do what the first guy said, but for California.

  18. Re:What is trust these days? by Etherwalk · · Score: 1

    I think we were fools to ever trust China in the first place. Now look at how indebted the US is to China. We are just as weak to China as we are to Iran. No leverage anymore because we have basically sold out in order to obtain goods at a better price and US companies can make bigger profits. Google certainly should be praised for its action, but let's also realize how China is slowly killing off any Western connections.

    Um... no. China is a much, much, much bigger threat. Going to war with Iran would be like going to war with Maryland.

    http://en.wikipedia.org/wiki/L...
    http://en.wikipedia.org/wiki/L...

    http://en.wikipedia.org/wiki/A...
    http://en.wikipedia.org/wiki/P...

  19. Re:What is trust these days? by MightyYar · · Score: 3, Insightful

    Obtaining actual physical goods for IOUs is a pretty good deal IMHO.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  20. No excuses by ZorinLynx · · Score: 4, Insightful

    This is kind of equivalent to hiring a locksmith, then noticing that he copied one of your keys and it's on his personal keychain.

    There is no reason to ever trust this locksmith again. Some institutions, like certificate authorities and locksmiths, are sacred. The whole POINT of their existence is to be an entity you can trust to keep things secure. If they are irresponsible and let this happen, then there's no reason to trust them.

    Ever again.

    1. Re:No excuses by FatherDale · · Score: 1

      Agreed. Forgive my paranoia, but I still wonder what... connection there might be.

  21. Trusted is... by Anonymous Coward · · Score: 0

    ...as trusted does.

  22. Reality check, please by Anonymous Coward · · Score: 0

    The very fact that the security level becomes a battlefield between entities of different interests,
    is telling plenty about how flawed the CA model -as implemented in modern browsers- was in the first place.

    F.

  23. DANE by chihowa · · Score: 2

    Until we come up with a better fix for the whole CA system, browser support for DANE would be a huge step in the right direction. Especially, the type 2 (Trust anchor assertion) records would be helpful. So Google could say that only certificates issued by their own CA are legitimate. Or any site owner could publicly restrict trust to the CA that they actually get their certs from (or just specify a particular cert).

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
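The TLSA matching that the usage-2 (trust anchor assertion) records above rely on, as an added example that is not code from the thread: certificates are stand-ins built from constructed byte strings, and the records are assumed to come from a DNSSEC-validated lookup, without which DANE gives no protection at all.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Added example (not from the original thread): TLSA record matching as RFC 6698 defines it.
# Cert objects hold constructed byte strings standing in for the DER and the
# SubjectPublicKeyInfo; the matching logic is the point. A real client must only act on
# TLSA records returned with a validated DNSSEC chain (looked up at _443._tcp.<host>).

USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


@dataclass(frozen=True)
class Cert:
    der: bytes   # whole certificate (selector 0)
    spki: bytes  # SubjectPublicKeyInfo only (selector 1); survives renewal with the same key


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes

    @classmethod
    def parse(cls, presentation: str) -> "TLSA":
        """Parse presentation format, e.g. '2 0 1 <hex>' (RFC 6698 section 2.2)."""
        fields = presentation.split()
        if len(fields) != 4:
            raise ValueError("TLSA record has exactly four fields")
        usage, selector, matching = (int(f) for f in fields[:3])
        if usage not in USAGE_NAMES or selector not in (0, 1) or matching not in (0, 1, 2):
            raise ValueError("unknown TLSA field value")
        return cls(usage, selector, matching, bytes.fromhex(fields[3]))


def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """The bytes a TLSA record carries for this cert under the given selector and matching type."""
    raw = cert.der if selector == 0 else cert.spki
    if matching == 0:
        return raw
    return (hashlib.sha256 if matching == 1 else hashlib.sha512)(raw).digest()


def record_for(cert: Cert, usage: int, selector: int = 0, matching: int = 1) -> str:
    """What a site owner publishes at _443._tcp.<host> to restrict trust to this cert or CA."""
    return f"{usage} {selector} {matching} {association_data(cert, selector, matching).hex()}"


def dane_verify(records: Iterable[TLSA], chain: List[Cert], pkix_valid: bool) -> Optional[str]:
    """
    chain[0] is the end-entity cert, later entries the issuers the server sent.
    pkix_valid says whether ordinary validation against the local CA store succeeded:
    usages 0 and 1 only constrain that result, usages 2 and 3 replace it entirely.
    Returns the usage name of the first record that authenticates the chain, or None.
    Simplification: for the trust-anchor usages we check that the anchor appears in the
    sent chain instead of running full path validation up to it.
    """
    for rec in records:
        if rec.usage in (0, 1) and not pkix_valid:
            continue
        candidates = chain if rec.usage in (0, 2) else chain[:1]
        if any(association_data(c, rec.selector, rec.matching) == rec.data for c in candidates):
            return USAGE_NAMES[rec.usage]
    return None


# Constructed sample: the site pins its own private CA with a usage-2 record, so a
# certificate for the host issued by any other CA in the browser's store is rejected.
SITE_CA = Cert(der=b"constructed-der:site-private-ca", spki=b"constructed-spki:site-ca-key")
LEAF = Cert(der=b"constructed-der:www-leaf", spki=b"constructed-spki:www-key")
OTHER_CA = Cert(der=b"constructed-der:some-other-root", spki=b"constructed-spki:other-key")
OTHER_LEAF = Cert(der=b"constructed-der:misissued-leaf", spki=b"constructed-spki:misissued-key")


def demo() -> dict:
    pin = TLSA.parse(record_for(SITE_CA, usage=2))
    return {
        # the legitimate chain authenticates with no reliance on the browser's CA store
        "own_ca": dane_verify([pin], [LEAF, SITE_CA], pkix_valid=False),
        # a mis-issued cert that the CA store accepts still fails the TLSA check
        "other_ca": dane_verify([pin], [OTHER_LEAF, OTHER_CA], pkix_valid=True),
    }
```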
    1. Re:DANE by Anonymous Coward · · Score: 0

      And how many people bother with DNSSEC? And how many ISP resolvers verify DNSSEC? And how many people even care who verified what domain with what CA?

      There you go. Almost no one gives a rat's ass about this. They just see the little lock and think it's "unpossible to break". Anything else, and their eyes glaze over. And I'm talking about the people with websites, not their users.

    2. Re:DANE by Anonymous Coward · · Score: 0

      We don't need DANE - HPKP does the same thing and has browser support already.

    3. Re:DANE by Anonymous Coward · · Score: 0

      The "better fix" is https://eff.org/sovereign-keys

      It's not mentioned enough, so I think DANE is being promoted at its expense. However I think we should implement DANE because it's easy.

    4. Re:DANE by chihowa · · Score: 1

      This looks interesting. Thanks.

      DANE isn't being promoted, either, because Google's all excited about Certificate Transparency and is pushing it hard. CT is nice, but it (like hardcoded certificate pinning in Chrome) is foremost a solution for Google's specific needs. They solve subtly different problems and shouldn't need to be exclusive.

      HPKP is nice, but it takes place in-channel and is very subject to MitM on first contact.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    5. Re:DANE by nullchar · · Score: 1

      Missing the point. Of course end users don't care. But if the browsers supported DANE and performed their own DNSSEC lookups if the local resolver can't, then DANE could work.

      If the destination site doesn't publish their certs and/or designated CAs in DNS, then the old "trust all built-in CAs" will still apply.

    6. Re:DANE by Anonymous Coward · · Score: 0

      Most people don't bother with HTTPS. Under no circumstances should we limit ourselves to what most people do. It's well established that most people are idiots.

      ISP resolvers don't need to verify DNSSEC. They only need to pass the RRSIGs from the authoritative server, which they all do unless they're broken. Clients verify the sigs.

      "Who verified what domain with what CA" could easily translate into using your DNSSEC server in place of a costly and otherwise useless CA signed certificate. If browsers trusted DANE as much as they trusted the fetid pile of CAs, self-signed and DNSSEC hosted certificates could supplant CA signed certs. Users wouldn't care any more than they do now, but companies smaller than Google (who can't just push their CA into all the other browsers) could run their own CA that only extends as far as their domain.

    7. Re:DANE by Anonymous Coward · · Score: 0

      DANE does far more than HPKP (extending to protocols other than HTTP for a start), and HPKP support is pretty limited.

    8. Re:DANE by virtual_mps · · Score: 1

      Their politics are irrelevant. The question is whether the entire world should trust the post office in hong kong to secure every web site in the entire world.

    9. Re:DANE by chihowa · · Score: 1

      Which DANE and CT both solve. DANE, by simply putting an RR in DNS. CT, by watching every certificate ever made and contracting someone/some-system to look for certs issued to your domain. DANE can be rolled out domain by domain, but CT only fully works when every CA in the world is onboard.

      I only brought Google into this because the GP mentioned that DANE was being promoted at the expense of sovereign keys. Their refusal to include their already written DANE code (and Mozilla's refusal to ever add any actually useful features) leaves the whole world trusting every CA due to politics.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  24. Karma by swschrad · · Score: 1

    be weasels, be labelled sneaky. I have no problems with this. the whole security thing needs a serious re-engineering. too many sneaky Petes hiding under the CA mechanism, and too many holes in our other security software systems.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  25. Re:What is trust these days? by ScentCone · · Score: 3, Funny

    Going to war with Iran would be like going to war with Maryland.

    You've never been to Maryland, have you? You'd never win such a war. There's too much paperwork involved in even establishing a war in Maryland. Just the recurring fees and annual compliance filings with the state would be enough to crush the fighting will of any invading army. Not to mention the tax rates on any pillaged loot seized during said invasion, especially in certain Maryland counties, would be enough to make the whole thing completely unprofitable. Just don't bother. Invade nearby Virginia, or maybe Delaware or Pennsylvania, instead. They're much easier to deal with.

    --
    Don't disappoint your bird dog. Go to the range.
  26. Sounds like they're just trying to be ICANN by damn_registrars · · Score: 1

    While they don't have identical roles, it does sound like CNNIC is taking a page from the ICANN playbook by handing out more favors to better donors. Yet we trust the information that ICANN endorses...

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  27. Recommendations on certs to manually remove? by ChoGGi · · Score: 1

    So far I'm blocking

    China Internet Network Information Center (it's next to CNNIC :) and I doubt I'll ever need to use it)
    Chunghwa Telecom Co. (same)
    CNNIC
    SecureTrust Corporation (trustwave)

    I'm looking to enlarge my list; any other certs I should be blocking as well?

    1. Re:Recommendations on certs to manually remove? by Lead+Butthead · · Score: 1

      Actually Chunghwa Telecom Co. is in Taiwan. Don't confuse them with the mainland scumbags.

      --
      ELOI, ELOI, LAMA SABACHTHANI!?
  28. Re:What is trust these days? by Anonymous Coward · · Score: 0

    Particularly when the IOUs are denominated in dollars and you control the printing press for dollars.

  29. So what? by Anonymous Coward · · Score: 0

    Chinese companies are inherently corrupt anyway, so what does it matter?

    Honeybadger can't not give a shit forever...

  30. FSCK China! by Anonymous Coward · · Score: 0

    If they are doing shady stuff with certificates (obviously issuing fraudulent ones to the gov't hackers to use) then they don't deserve to be trusted. Eff em all.

  31. Re:What is trust these days? by Tokolosh · · Score: 1

    If you owe the bank $1,000, you have a problem.

    If you owe the bank $1,000,000, the bank has a problem.

    --
    Prove anything by multiplying Huge Number times Tiny Number
  32. The update was posted on.. by electrofelix · · Score: 1

    the 1st of April, so yay or nay on this being an epic April fools that duped the CNNIC as well?

  33. Mozilla accepts CNNIC by klui · · Score: 1

    There was an article in 2010 about this subject and the naysayers were correct.

    http://slashdot.org/story/1308...

    I've personally deleted its authority entry in Firefox.

    "Fool me once. Shame on you..." and all that.

    1. Re:Mozilla accepts CNNIC by Anonymous Coward · · Score: 0

      Fool me once, shame on you. Fool me twice, heh, can't fool ME twice.

      - Former President George W. Bush

  34. Unintelligible? by ilsaloving · · Score: 1

    I can't tell if these people are just blustering and trying to save face, or if they are actually really so stupid and morally bankrupt that they don't see fraud as bad.

    1. Re:Unintelligible? by rickb928 · · Score: 1

      User distrust is bad.

      User dissatisfaction is bad.

      CA fraud causes the above.

      Any questions?

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  35. I have no particular problem with this -- but by satsuke · · Score: 1

    I have no problem with this; if the CA can't be trusted then they should be de-listed from browser default behavior as soon as possible.

    However, I do see the Chinese government reacting in a particular way. They could start requiring that _only_ government approved CAs are used within China's borders (with the little detail of Google's certs not being accepted / listed).

  36. This is epic but are we learning the wrong lesson? by WaffleMonster · · Score: 1

    This is an epic thread.. amusing.. and very sad.. at the same time..
    https://bugzilla.mozilla.org/s...

    However I'm afraid we often are not understanding the bigger picture.

    The underlying problem is our own behavior. We are hoisting responsibility for security of everything in the "cyber world" upon CAs and acting surprised when the tidal wave of pressure from all sources to betray that trust washes them away.

    Trusted third parties should be used only for initially establishing trust... after that we should be finding off-ramps and decentralizing trust as much and as quickly as possible. The goal is to reduce "tidal waves" of incentive to something more manageable by reducing the reasons for wanting to compromise these systems in the first place.

    For example while I am creating my gmail account I should be able to establish a separate trust relationship (password...etc) with Google that does not depend on third party CAs. A PAKE algorithm (TLS-SRP) would fit the bill nicely here.

    Later even if some government wanted to clamp down or spy on everyone compromising PKI does not result in compromise of users... and better still the offloaded trust can be used to crosscheck PKI detecting intrusions quickly.

    This is critically important because not only will the pay out for successful compromise be relegated to "new users" but your chance of being caught in the act instantly goes up to 100%.
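The password-derived trust the comment proposes, as an added example that is not from the thread: the SRP-6a exchange underlying TLS-SRP (RFC 5054), using the RFC 5054 1024-bit group but SHA-256 in place of the RFC's SHA-1, so it shows the algorithm rather than a wire-compatible client.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Added example (not from the original thread): SRP-6a, the exchange TLS-SRP (RFC 5054)
# builds on. Group parameters are the RFC 5054 1024-bit group; the hash is SHA-256 rather
# than the RFC's SHA-1, so this demonstrates the algorithm, not interoperability.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def _pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def _hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def _private_x(username: str, password: str, salt: bytes) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return _hash_int(salt, inner)


k = _hash_int(_pad(N), _pad(g))  # SRP-6a multiplier; defeats the two-for-one guessing attack on SRP-3


def enroll(username: str, password: str, salt: Optional[bytes] = None) -> Tuple[bytes, int]:
    """Run on the client at signup: the server stores (salt, v) and never sees the password.
    A leaked verifier still permits offline guessing, so store it like a password hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, pow(g, _private_x(username, password, salt), N)


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)  # sent to the server

    def session_key(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent an illegal public value")
        u = _hash_int(_pad(self.A), _pad(B))
        x = _private_x(self.username, self.password, salt)
        # (B - k*g^x) = g^b, so S = g^(b*(a + u*x)), the same value the server derives
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        return hashlib.sha256(_pad(S)).digest()


class Server:
    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v = salt, verifier
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N  # sent to the client along with the salt

    def session_key(self, A: int) -> bytes:
        if A % N == 0:
            raise ValueError("client sent an illegal public value")
        u = _hash_int(_pad(A), _pad(self.B))
        S = pow(A * pow(self.v, u, N), self.b, N)  # (g^a * g^(x*u))^b
        return hashlib.sha256(_pad(S)).digest()


def run_exchange(username: str, password: str, attempt: str) -> bool:
    """Enroll with `password`, then log in with `attempt`. Both sides derive the same key
    only when the attempt is right; no CA is involved, and an observer of A and B who
    does not know the password gets nothing usable for offline guessing."""
    salt, verifier = enroll(username, password)
    client, server = Client(username, attempt), Server(salt, verifier)
    return client.session_key(salt, server.B) == server.session_key(client.A)
```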

  37. DNS type Cert Auth Server? by Anonymous Coward · · Score: 0

    Why not implement some sort of verification server that can verify the cert that you are given, and ties into DNS?

    It could go like this -
    1. User goes to https://google.com
    2. Browser gets cert from https://google.com
    3. Browser checks if cert matches local store of verified certs. If pass goto 5, if fail goto 4.
    4. Browser checks DNS of google.com for the CVS (cert verification server) and checks if the cert that was received in step 2 matches. If pass save cert to local store, if fail error 403.
    5. Profit!!

    The local store is optional but provides a quicker response; it should have a drop-off after a set time. The above system does need some fixes, like if you are dealing with a compromised DNS server, but it would also allow self-signed certs to verify.

    Hell, google and firefox and others could implement this in their browsers now, and just verify the certs to their own servers for what others have verified before (think AcoustID type system).

  38. HA HA /nelson by Anonymous Coward · · Score: 0

    Suck it bitches!

  39. Spam by Anonymous Coward · · Score: 0

    This problem is in the same ballpark as spam. There is clear black and white. But because there are so many levels of grey you cannot draw a line anymore. You need to devise a mechanism that will allow you to do that again. That means you have to be able to identify the individual actors again (instead of intermediaries). The actors need to have an interest to keep up their reputation.

    Maybe all you need is an ssl certificate that can be validated by DNS (but not created)?

  40. Re:What is trust these days? by MightyYar · · Score: 1

    Yes, exactly. And on top of it all, ultimately dollars are only good for purchasing US goods and services. So at some point - admittedly it could be far in the future - those dollars will presumably help support American jobs.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  41. Firefox also dropping CCNIC by AaronW · · Score: 1
    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  42. google seems a bit over-reacting by Anonymous Coward · · Score: 0

    Well, google seems a bit over-reacting. According to http://www.theregister.co.uk/2015/04/02/google_furious_dodgy_chinese_certs_cnnic_chrome_warning/,

    Adam Langley, a security engineer at the Chocolate Factory, wrote that Google had become aware of unauthorised certificates issued by an intermediate certificate authority "apparently held by a company called MCS Holdings", adding that the "intermediate certificate was issued by CNNIC."

    The Chocolate Factory state that "While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network. CNNIC will be working to prevent any future incidents."

  43. Re:What is trust these days? by HiThere · · Score: 1

    Why use the dollars to support foreign (to them) jobs, when they can just use them to purchase resources, companies, etc. True some minimal number of jobs will be involved in that, but any labor intensive processes can be shipped back home.

    So it's not just "jobs in the far future" it's "strip mine the country when convenient".

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  44. Re:What is trust these days? by Anonymous Coward · · Score: 0

    Virginia's light on the paperwork, but the people there can actually shoot back.
    Also, avoid Pennsylvania - you might win, and then Pittsburgh would belong to you!

  45. Re:What is trust these days? by Anonymous Coward · · Score: 0

    Might wanna look elsewhere, Virginia has all the pretty toys.

  46. "Migration Period" is a Phishers dream by Anonymous Coward · · Score: 0

    My Dear user,

    As you may no, our top certificate signing program is being droped from Majer browsers in 60 days.

    Please follow *this* link for having a certificate signed by new top authoritarian.

    If asks you for account numbers, this is normal and safe (see this green securely signed certificate indicator in address bar!).

    Best Wishes,

    Your'e esteamed provider.

  47. Re:What is trust these days? by MightyYar · · Score: 1

    Resources == Jobs. Companies are nothing but collections of people. Even real estate is an almost infinite resource in the US. I'm not going to say that running a constant deficit is a good thing, but we could do far worse than to have another country lend us a bunch of our own currency at a rate below inflation.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  48. please publish all valid certs by aigars · · Score: 1

    Why can't we request all trusted CAs to publish all issued and still valid certs (in the form of a list or by some protocol)? Then we can crawl those lists or search for our domain or wildcards or....

  49. Re:What is trust these days? by HiThere · · Score: 1

    Sorry, but resources are not identical to jobs, and there is no constant relation between them. If all you do is use robots to mine the ore and ship it to China, yes, a FEW jobs will be involved, not many.

    When Lenovo bought IBM's ThinkPad division, do you think that the people who worked there continued to work there? Well, they did for a while, during the transition. They don't anymore. If they're lucky they work for IBM. But that's a very big if.

    I'll agree this much. Part of what makes a company is the people. In particular the people hold much of the knowledge. But often the right to use that knowledge is held by the company itself, not by the people. This is certainly true in the case of patents, copyrights, trademarks, trade secrets, etc. So when the company is sold, the people working there have a "duty" to share the knowledge with the new owners. They may also continue to have jobs, but often this will mean relocating. Sometimes it means training someone else to do the job you currently hold.

    You seem to be sincere, but to have a radically oversimplified idea of how economics, companies, etc. work.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  50. Re:What is trust these days? by MightyYar · · Score: 1

    Resources may not make enough jobs to keep you happy, but they do provide jobs - and good ones at that. Look at the boon to the Texas economy from fracking.

    Lenovo may not be the best example for you to use, since Thinkpads were already manufactured overseas. But I take your point - sometimes a purchase is just the brand name, and the jobs go up in a puff of smoke. But to be honest, those cases are usually fire sales where the company is on its last legs anyway. Think Palm or AMC.

    I agree that my posts are radically simplified. They spent over an hour talking about this on a recent NPR show, and they barely scratched the surface. Nevertheless, I stand by my narrative that owing the Chinese government over a trillion dollars is not as incredibly horrible as it would seem at first blush.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  51. NEVER trust a Chinese. by moneybabylon · · Score: 0

    NEVER trust a Chinese. I would know. I am Chinese.