Slashdot Mirror


Chinese Certificate Authority CNNIC Is Dropped From Google Products

eldavojohn writes: A couple weeks ago, Google contacted the CNNIC (China's CA) to alert them of a problem regarding the delegated power of issuing fraudulent certificates for domains (in fact this came to light after fraudulent certificates were issued for Google's domains). Following this, Google decided to remove the CNNIC Root and EV CA as trusted CAs in its Chrome browser and all Google products. Today, the CNNIC responded to Google: "1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration. 2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected." Mozilla is waiting to formulate a plan.

11 of 176 comments

  1. Good. +1 for Google. by Anonymous Coward · · Score: 5, Insightful

    If a CA clearly can't be trusted, then it has absolutely no business being trusted. This is a good thing, and despite the upheaval it will cause for people requiring new certs (if you want Chrome to like the site), it will only improve security by making CAs aware that if they mess about, or don't vet properly, then their business is basically gone.

    Of course, the only really secure way is to drop all CAs everywhere, and directly exchange certs with whoever you deal with (banks, etc., etc., by going into a branch. Hugely impractical though).

    1. Re:Good. +1 for Google. by Richard_at_work · · Score: 4, Insightful

      So, with the third party out of the equation, how does one know that the security certificate you receive from random-site.com is the one that random-site.com intended you to receive? This is where going to two entity encryption fails, because the web has no inbuilt ability to verify the communication with the website is as secure as intended without going to a third party.

      Just allowing self-signed certs won't solve anything, because most people who use the web won't bother with any independent verification (which you would have to do offline or on a different internet connection for it to mean anything anyway) - fuck, do you remember how long it took to beat "look for the padlock symbol" into people in the first place? All it will do is what people have been bitching about for similar other approaches for years now - people will get so many pop-ups, they will stop caring and just click OK.

      The CA system isn't the best solution in the world, but it's better than most suggestions, including allowing self-signed certs for general communication.

    2. Re:Good. +1 for Google. by mlts · · Score: 3, Insightful

      Even worse is that certificates can't be removed on some devices. For example, if a CA is broken on iOS, there is no way to mark that CA as untrusted until Apple gets around to pushing out a set of new root certs. On Android, it is easier, but still onerous going through every unwanted CA and unchecking it.

      The CA system is a subset of a WoT system. It was placed originally because CAs used to be meticulous about who they signed certs for. Now, especially after the fiascos a few years back, not so much.

      The fix? Part of it would probably be, say, to prompt the user on the device to install the relevant CAs for their geographic region. If on mainland China, having a CA for the HK post office makes sense. Not so in the US, unless one travels abroad or has a lot of business with Chinese sites.

      The second fix is that OS and Web browser makers will need to enforce with sheer brutality the rules they have on how CAs behave. If the CA screws up, they get their cert pulled, no questions, no appeals.

  2. Too bad for CNNIC by Anonymous Coward · · Score: 5, Insightful

    Given the events that transpired, it seems like Google is completely in the right here. It would be best if Mozilla, Microsoft, et al. followed suit.

    1. Re:Too bad for CNNIC by QuietLagoon · · Score: 4, Insightful

      All that will happen is ...

      If that is what happens, then other measures would need to be taken to assure new CAs are trustworthy.

      If the same problem continues to recur and nothing is done to prevent it, then the whole web of trust will fail.

    2. Re:Too bad for CNNIC by Anonymous Coward · · Score: 2, Insightful

      The problem is that, while it sends a message, it also seems like the strong message was only sent because it mostly affects some Chinese that do bad things anyway. Would the same strong message have been sent if it had been Verisign or DigiCert?

  3. Web of trust cannot survive politics by sinij · · Score: 4, Insightful

    Web of trust cannot survive politics. If we tolerate any bad behavior from any trusted parties, then nobody could be trusted and the whole construct falls apart.

  4. Re:Lawful rights and interests? by gstoddart · · Score: 5, Insightful

    Ever read any other press releases coming out of China?

    They very often miss the point, and just fall back to "this is true because we say it is".

    The "rights and interests" of users is to not be spoofed. The users in China don't have a "right" to use a Google product which has been hacked, and the CNNIC doesn't have a "right" to issue fake certificates.

    Some of it is swagger, but from people who are used to being able to wave their collective dicks around and have that influence reality. Now, they've come up against an entity who says "we simply don't care what you want to claim, this is what's happening".

    --
    Lost at C:>. Found at C.

  5. Re:What is trust these days? by MightyYar · · Score: 3, Insightful

    Obtaining actual physical goods for IOUs is a pretty good deal IMHO.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.

  6. No excuses by ZorinLynx · · Score: 4, Insightful

    This is kind of equivalent to hiring a locksmith, then noticing that he copied one of your keys and it's on his personal keychain.

    There is no reason to ever trust this locksmith again. Some institutions, like certificate authorities and locksmiths, are sacred. The whole POINT of their existence is to be an entity you can trust to keep things secure. If they are irresponsible and let this happen, then there's no reason to trust them.

    Ever again.

  7. Re:Firefox response by drinkypoo · · Score: 5, Insightful

    Now that is fascinating. FTFN[ewspost]:

    The current incident falls into this category:
    "Problem: CA mis-issued a small number of intermediate certificates that they can enumerate"

    Uh, no. No, that is not the problem. The problem is that the CA has been demonstrated to use untrustworthy practices. They are fundamentally untrustworthy, and Google did the Only Right Thing(tm) while Mozilla is failing, and hard.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"