Slashdot Mirror
Chinese Certificate Authority CNNIC Is Dropped From Google Products
eldavojohn writes A couple weeks ago, Google contacted the CNNIC (China's CA) to alert them of a problem regarding the delegated power of issuing fraudulent certificates for domains (in fact this came to light after fraudulent certificates were issued for Google's domains). Following this, Google decided to remove the CNNIC Root and EV CA as trusted CAs in its Chrome browser and all Google products. Today, the CNNIC responded to Google: "1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration. 2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected." Mozilla is waiting to formulate a plan.
What this summary neglects to say is that Google is open to the idea of adding them back. Quote (link mine):
[...] CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.
Google announced the decision in an update at the bottom of https://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html. I'm happy they did: certification authorities need to understand that there are consequences to gross negligence or worse.
There's a hidden treasure in Python 3.x: __prepare__()
Here is a link to the latest Mozilla statement on the mailinglist/newsgroup:
https://groups.google.com/d/ms...
New things are always on the horizon
"Fix your shit once-and-for-all and we might deal with you again."
That's not really an endorsement, any way you look at it.
You know you can do this yourself in Firefox and Thunderbird.
Options -> Advanced -> Certificates -> View Certificates -> Authorities -> Delete or Distrust...
And what CA do you think will be listed on the cert that you get from the site pretending to be that site?
Microsoft have decided that the buck stops with MCS Holdings and will be revoking all of their certificates, but letting CNNIC and their other customers off the hook. I suspect the update will go out as part of the regular patch batch on April 14th.
UNIX? They're not even circumcised! Savages!
This is why so many variants of adware that sneak their certs into the root CA list and then create a local loopback proxy is so common -- nobody looks at what key is presented. If the lock icon is green... good enough.
Unless this has changed, deleting the ingrown CAs in chrome & Firefox has little effect as they reappear if you quit & relaunch the application. It's why I installed the Certificate Patrol plugin which at least lets me see when certificates change.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
WoT doesn't work anywhere. I know it's a popular idea but it doesn't work, period, end of story.
Problem: the PGP web of trust is tiny and has fewer than 4 million keys published to the SKS key pool, EVER. That's pathetic. But of those keys, many are not really connected to the WoT at all. The strong set is only 50k keys. The WoT is a failure, numerically. For comparison: "Yo", an app created as an April fools joke which only lets you send the word "yo" to other users, managed to get 3 million users. The WoT's entire existence has been matched by an April fools.
Problem: the PGP web of trust converts everyone you trust a CA. Unlike real CAs that protect their keys with hardware security modules, are audited, etc, PGP users routinely do things like carrying their private keys through airports on general purpose laptops onto which they install whatever the latest cool toy is. If any of the users you trust are compromised, the entire WoT can be faked through them and your client will accept it. Sure, if you're some kind of crypto guru you can maybe detect this. But most people aren't.
Problem: the "web of trust" is misleadingly named. The graph edges in it are not indicative of social trust. They are in fact reflecting a trust that is more like, "I trust you to protect your private key and do accurate ID verification" which has nothing to do with the more ordinary, human, every day use of the word trust. In your post you mix up these very different kinds of trust, and this is a very frequent but fundamental error. Protecting private keys and doing accurate ID verification are difficult, skilled tasks, whereas what being trustworthy usually means simply requires loyalty.
Problem: the primary criticism of the CA system is that CA's could be coerced by governments via legal means. However the same is true for people in the web of trust - any of those people can be served with a a court order forcing them to sign the governments key.
Problem: the WoT leaks the entire social graph to the entire public. In this day and age, that's unacceptable.
Problem: the WoT has fake keys uploaded to it and there's nothing anyone can do about it. This isn't theoretical, it has happened and routinely fools large numbers of people.
In short, after many years I've come to the conclusion that the web of trust has no redeeming qualities at all. It was a neat sounding idea, it was tried, it has failed. It should be taken out the back and quietly shot, so it can't mislead any more people into thinking it's a good idea.