Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chinese Certificate Authority CNNIC Is Dropped From Google Products

Posted by timothy on from the reject-your-reality-and-substitute-our-own dept.

eldavojohn writes A couple weeks ago, Google contacted the CNNIC (China's CA) to alert them of a problem regarding the delegated power of issuing fraudulent certificates for domains (in fact this came to light after fraudulent certificates were issued for Google's domains). Following this, Google decided to remove the CNNIC Root and EV CA as trusted CAs in its Chrome browser and all Google products. Today, the CNNIC responded to Google: "1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration. 2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected." Mozilla is waiting to formulate a plan.

39 of 176 comments (clear)

  1. Good. +1 for Google. by Anonymous Coward · · Score: 5, Insightful

    If a CA clearly can't be trusted, then it has absolutely no business being trusted. This is a good thing, and despite the upheaval it will cause for people requiring new certs (if you want chrome to like the site), it will only improve security by making CA's aware that if they mess about, or don't vet properly, then their business is basically gone.

    Of course, the only really secure way is to drop all CA's everywhere, and directly exchange certs with whoever you deal with (banks, etc, etc by going into a branch. Hugely impractical though).

    1. Re:Good. +1 for Google. by Dutch+Gun · · Score: 5, Interesting

      The fact that ANY root CA can issue Google domain certificate (or whatever domain they want) is bonkers. Nowadays, there are simply too many root CAs to be able to trust them all, if we ever really could. There used to be just a handful. Have you looked at your local CA store? There's hundreds of them nowadays! Did you know the Hong Kong Post Office is a root CA (Hongkong Post Root CA 1)? Doesn't that make you feel warm, fuzzy, and secure, knowing that the fine folks at that establishment could issue a fraudulent certificate for any website in the world?

      This system needs to be fixed, or at least seriously updated. It just hasn't scaled well in the reality of today's world. I don't think we need to go to the extreme of exchanging private certs. Let's face it, that will never, ever happen anyhow. But we do need more assurances than we have now.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    2. Re:Good. +1 for Google. by Richard_at_work · · Score: 4, Insightful

      So, with the third party out of the equation, how does one know that the security certificate you receive from random-site.com is the one that random-site.com intended you to receive? This is where going to two entity encryption fails, because the web has no inbuilt ability to verify the communication with the website is as secure as intended without going to a third party.

      Just allowing self signed certs won't solve anything, because most people who use the web won't bother with any independent verification (which you would have to do offline or on a different internet connection for it to mean anything anyway) - fuck, do you remember how long it took to beat "look for the padlock symbol" into people in the first place? All it will do is what people have been bitching about for similar other approaches for years now - people will get so many pop ups, they will stop caring and just click OK.

      The CA system isn't the best solution in the world, but its better than most suggestions, including allowing self signed certs for general communication.

    3. Re:Good. +1 for Google. by Anonymous Coward · · Score: 2, Informative

      And what CA do you think will be listed on the cert that you get from the site pretending to be that site?

    4. Re:Good. +1 for Google. by VGPowerlord · · Score: 2

      I was under the impression that the CA only gets used for verification *if* the site's cert claims to be from that CA.

      How often do you stop and look at which CA signed the certificate for the HTTPS site you're using?

      As long as the certificate is signed by a CA certificate the browser has in its CA store, the browser won't show any warnings. Browser makers are also notoriously bad at checking if certificates are on Certificate Revocation Lists (CRLs), of which each CA has (at least?) one.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    5. Re: Good. +1 for Google. by pla · · Score: 2

      Hong Kong is special administrative region of China. It has different laws, open culture, democracy, and freedoms, unlike mainland China. Don't put Hong Kong with the dictatorship of the China.

      SARs exist only by staying in the good graces of the PRC. Hong Kong and Macau could lose their special status tomorrow and would have zero say in the matter.

      Of course, China currently enjoys playing both sides of the "capitalism" fence, so that almost certainly wouldn't happen; but if Beijing says "Hey, you like all that freedom you have? Yeah, we need you to make something to happen ASAP - Reeeal shame if we reallocated your entire region into a coal ash dump"? You'd see how much "independence" China's SARs really have.

    6. Re:Good. +1 for Google. by mlts · · Score: 3, Insightful

      Even worse is that certificates can't be removed on some devices. For example, if a CA is broken on iOS, there is no way to mark that CA as untrusted until Apple gets around to pushing out a set of new root certs. Android, it is easier, but still onerous going through every unwanted CA and unchecking it.

      The CA system is a subset of a WoT system. It was placed originally because CAs used to be meticulous about who they signed certs for. Now, especially after the fiascos a few years back, no so much.

      The fix? Part of it would probably say prompt the user on the device to install the relevant CAs for their geographic region. If on mainland China, having a CA for the HK post office makes sense. Not so in the US, unless one travels abroad or has a lot of business with Chinese sites.

      The second fix is that OS and Web browser makers will need to enforce with sheer brutality the rules they have on how CAs behave. If the CA screws up, they get their cert pulled, no questions, no appeals.

    7. Re:Good. +1 for Google. by mlts · · Score: 4, Informative

      This is why so many variants of adware that sneak their certs into the root CA list and then create a local loopback proxy is so common -- nobody looks at what key is presented. If the lock icon is green... good enough.

    8. Re:Good. +1 for Google. by phayes · · Score: 2

      That any of the "trusted" CAs could issue a cert for any site is why we should all be using the Certificate Patrol or another equivalent plugin that also notifies when ANY certificates change instead of just blindly accepting them. It adds a little admin to browsing the web as I have to accept/reject expired certificates.

      In a number of cases it has alerted me when on client sites that they perform SSL inspection so that I can avoid using anything sensitive like banking.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    9. Re:Good. +1 for Google. by IamTheRealMike · · Score: 4, Informative

      WoT doesn't work anywhere. I know it's a popular idea but it doesn't work, period, end of story.

      Problem: the PGP web of trust is tiny and has fewer than 4 million keys published to the SKS key pool, EVER. That's pathetic. But of those keys, many are not really connected to the WoT at all. The strong set is only 50k keys. The WoT is a failure, numerically. For comparison: "Yo", an app created as an April fools joke which only lets you send the word "yo" to other users, managed to get 3 million users. The WoT's entire existence has been matched by an April fools.

      Problem: the PGP web of trust converts everyone you trust a CA. Unlike real CAs that protect their keys with hardware security modules, are audited, etc, PGP users routinely do things like carrying their private keys through airports on general purpose laptops onto which they install whatever the latest cool toy is. If any of the users you trust are compromised, the entire WoT can be faked through them and your client will accept it. Sure, if you're some kind of crypto guru you can maybe detect this. But most people aren't.

      Problem: the "web of trust" is misleadingly named. The graph edges in it are not indicative of social trust. They are in fact reflecting a trust that is more like, "I trust you to protect your private key and do accurate ID verification" which has nothing to do with the more ordinary, human, every day use of the word trust. In your post you mix up these very different kinds of trust, and this is a very frequent but fundamental error. Protecting private keys and doing accurate ID verification are difficult, skilled tasks, whereas what being trustworthy usually means simply requires loyalty.

      Problem: the primary criticism of the CA system is that CA's could be coerced by governments via legal means. However the same is true for people in the web of trust - any of those people can be served with a a court order forcing them to sign the governments key.

      Problem: the WoT leaks the entire social graph to the entire public. In this day and age, that's unacceptable.

      Problem: the WoT has fake keys uploaded to it and there's nothing anyone can do about it. This isn't theoretical, it has happened and routinely fools large numbers of people.

      In short, after many years I've come to the conclusion that the web of trust has no redeeming qualities at all. It was a neat sounding idea, it was tried, it has failed. It should be taken out the back and quietly shot, so it can't mislead any more people into thinking it's a good idea.

    10. Re:Good. +1 for Google. by Dutch+Gun · · Score: 2

      Certificate Patrol is worthless for anyone who uses Google services, which mints new certificates and expires old ones on a near daily basis. You're notified nearly every time you visit their site, which eliminates the value of the warning in the first place. Google has apparently decided that it's more secure to have rapidly-expiring certificates in lieu of long-term certificates that may have to be revoked, probably partially because they don't have an effective revocation system in place.

      More critically, any solution that requires a third-party plugin and expecting the user to watch carefully for certificate changes is a complete non-starter for the general public.

      --
      Irony: Agile development has too much intertia to be abandoned now.
  2. Lawful rights and interests? by fuzzyfuzzyfungus · · Score: 2

    What 'rights and interests', exactly is CCIN blathering about? Google has changed absolutely nothing about any certain they have issued, the hierarchy will be precisely as it was, they just decided that 'being untrustworthy' was incompatible with being among the trusted CAs.
    Is this just swagger, or are they attempting the theory that CAs have some sort of right to be trusted?

    1. Re:Lawful rights and interests? by gstoddart · · Score: 5, Insightful

      Ever read any other press releases coming out of China?

      They very often miss the point, and just fall back to "this is true because we say it is".

      The "rights and interests" of users is to not be spoofed. The users in China don't have a "right" to use a google product which has been hacked, and the CNNIC doesn't have a "right" to issue fake certificates.

      Some of it is swagger, but from people who are used to being able to wave their collective dicks around and have that influence reality. Now, they've come up against an entity who says "we simply don't care what you want to claim, this is what's happening".

      --
      Lost at C:>. Found at C.
    2. Re:Lawful rights and interests? by mwvdlee · · Score: 2

      Browser manufactures have a responsibility towards their own customers (users), not towards the victims of some untrustworthy CA.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  3. Too bad for CNNIC by Anonymous Coward · · Score: 5, Insightful

    Given the events that transpired, it seems like Google is completely in the right here. It would be best if Mozilla, Microsoft, et. al. followed suit.

    1. Re:Too bad for CNNIC by gtall · · Score: 2

      1. All that will happen is that CCIN will disappear and magically pop up again with a new name, different premises, different phone numbers, but with the same slimeballs in charge. The companies will whine, if they find out about it, to the Chinese government. The Chinese government will open an alleged investigation and that will be last anyone will hear the investigation. Meanwhile, the companies will again become frustrated, do to the new entity what they did to CCIN. Go to 1.

    2. Re:Too bad for CNNIC by QuietLagoon · · Score: 4, Insightful

      All that will happen is ...

      If that is what happens, then other measures would need to be taken to assure new CA's are trustworthy.

      .
      If the same problem continues to recur and nothing is done to prevent it, then the whole web of trust will fail.

    3. Re:Too bad for CNNIC by Zocalo · · Score: 5, Interesting

      It's not quite that simple. CNNIC is the Chinese national equivalent of a LIR - they are responsible for all the IP assignments in China, so they can hardly "disappear" like that. Shutting down their CA division and re-opening it as a new shell company might be an option however.

      The main thing here is that this also invalidates all of the certificates issued by CNNIC's intermediaries like MCS that are decended from the soon to be invalidated root certificates, and so on all the way down the chain of trust. That's a *lot* of customers and customers of customers that are going to be looking to push at least some of the costs of sorting this out upstream. Ultimately the buck stops at CNNIC, so they are going to have to make a decision about how much of that costs they are going to bear - get it wrong and there are plenty of other root CAs that intermediate level CAs can go to instead of CNNIC.

      That sends a pretty strong message to other CAs that might be considering something similar, or to governments looking to strong arm a CA into doing it on their behalf. Break the chain of trust (whether through imcompetence, negligence or deliberate intent being immaterial), and you can expect to face very public, and potentially very expensive, consequences. Given that this also has implications for everyone's privacy, absolutely Apple, Microsoft, Mozilla et. al ought to follow suit and take at least some form of punitive action. Following on from DigiNotar I'm actually expecting to see them publishing some form of formalised policies about this in the near future, and hopefully no more exceptions (like TrustWave) are going to be made.

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Too bad for CNNIC by Anonymous Coward · · Score: 2, Insightful

      The problem is that, while it sends a message, it also seems like the strong message was only sent because it mostly affects some Chinese that do bad things anyway. Had the same strong message been sent if it had been Verisign or DigiCert?

    5. Re:Too bad for CNNIC by Zocalo · · Score: 4, Interesting

      That's the big question, isn't it? Like CNNIC, the Turkish DigiNotar got the boot also, yet the US-based TrustWave was let off. It's probably worth pointing out that TrustWave's problems occurred pre-Snowden so people were a little more complacent even before you consider the "local US company" vs. "country with poor reputation for civil rights" issues. I'd like to hope that in today's climate TrustWave would meet a similar fate to DigiNotar and CNNIC/MCS, but without a clear no-exceptions policy from the application and OS vendors there's no real way to be sure. Even if there were such a policy, I doubt anyone would be willing to unilaterally revoke a compromised root certificate from one of the *really* major players in the CA game without a mutually agreed grace period to migrate users to replacement certificates.

      --
      UNIX? They're not even circumcised! Savages!
  4. Firefox response by Lennie · · Score: 2

    Judging by the discussions on the Mozilla mailinglists I wouldn't be surprised if Firefox will include a whilelist of currently certificates issues by CCNIC and make it so no new certificates issues by CCNIC will be valid.

    At least as long as they CCNIC doesn't adhere to the proper rules. Maybe CCNIC will even get stricter rules applied to them.

    --
    New things are always on the horizon
    1. Re:Firefox response by Lennie · · Score: 5, Informative

      Here is a link to the latest Mozilla statement on the mailinglist/newsgroup:
      https://groups.google.com/d/ms...

      --
      New things are always on the horizon
    2. Re:Firefox response by drinkypoo · · Score: 5, Insightful

      Now that is fascinating. FTFN[ewspost]:

      The current incident falls into this category:
      "Problem: CA mis-issued a small number of intermediate certificates that they can enumerate

      Uh, no. No, that is not the problem. The problem is that the CA has been demonstrated to use untrustworthy practices. They are fundamentally untrustworthy, and Google did the Only Right Thing(tm) while Mozilla is failing, and hard.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Mozilla formulating a plan? by wezelboy · · Score: 2

    This plan does not need to be formulated. Drop their root CA ASAP.

    1. Re:Mozilla formulating a plan? by Anonymous Coward · · Score: 5, Informative

      You know you can do this yourself in Firefox and Thunderbird.

      Options -> Advanced -> Certificates -> View Certificates -> Authorities -> Delete or Distrust...

    2. Re:Mozilla formulating a plan? by Archwyrm · · Score: 2

      Multiply by the number of browser profiles you care about and on friends' and relatives' computers. And, yeah.. I'd prefer this change to come as part of regular browser updates.

      --
      Fascism should more properly be called corporatism because it is the merger of state and corporate power. -- Mussolini
    3. Re:Mozilla formulating a plan? by phayes · · Score: 3, Informative

      Unless this has changed, deleting the ingrown CAs in chrome & Firefox has little effect as they reappear if you quit & relaunch the application. It's why I installed the Certificate Patrol plugin which at least lets me see when certificates change.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  6. Important note: this is potentially not permanent by kav2k · · Score: 4, Informative

    What this summary neglects to say is that Google is open to the idea of adding them back. Quote (link mine):

    [...] CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.

  7. Lotsa butthurt by FatherDale · · Score: 2, Interesting

    "The unauthorized certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operated under the authority of CNNIC. MCS used the certificates in a man-in-the-middle proxy, a device that intercepts secure connections by masquerading as the intended destination" Looks like Google and CNNIC have already agreed that if CNNIC are good boys for the next few weeks they wont turn them off. Wonder how closely MCS Holdings works with the Chinese gov?

  8. Link to the announcement by YA_Python_dev · · Score: 4, Informative

    Google announced the decision in an update at the bottom of https://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html. I'm happy they did: certification authorities need to understand that there are consequences to gross negligence or worse.

    --
    There's a hidden treasure in Python 3.x: __prepare__()
  9. Re:Important note: this is potentially not permane by ledow · · Score: 4, Informative

    "Fix your shit once-and-for-all and we might deal with you again."

    That's not really an endorsement, any way you look at it.

  10. Web of trust cannot survive politics by sinij · · Score: 4, Insightful

    Web of trust cannot survive politics, if we tolerate any bad behavior from any trusted parties, then nobody could be trusted and whole construct falls apart.

  11. tough nuts by slashmydots · · Score: 2

    In China anyone can rip off or scam anyone, make a fake product, clone something, lie about specs, sell defective gear, etc.
    "The decision that Google has made is unacceptable and unintelligible"
    WELCOME TO AMERICA. We don't put up with that shit.

    1. Re:tough nuts by Tokolosh · · Score: 2

      In this case Google has done something. What has the US or any other government done?

      --
      Prove anything by multiplying Huge Number times Tiny Number
  12. Re:What is trust these days? by MightyYar · · Score: 3, Insightful

    Obtaining actual physical goods for IOUs is a pretty good deal IMHO.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  13. Re:Internet Explorer by Zocalo · · Score: 4, Informative

    Microsoft have decided that the buck stops with MCS Holdings and will be revoking all of their certificates, but letting CNNIC and their other customers off the hook. I suspect the update will go out as part of the regular patch batch on April 14th.

    --
    UNIX? They're not even circumcised! Savages!
  14. No excuses by ZorinLynx · · Score: 4, Insightful

    This is kind of equivalent to hiring a locksmith, then noticing that he copied one of your keys and it's on his personal keychain.

    There is no reason to ever trust this locksmith again. Some institutions, like certificate authorities and locksmiths, are sacred. The whole POINT of their existence is to be an entity you can trust to keep things secure. If they are irresponsible and let this happen, then there's no reason to trust them.

    Ever again.

  15. DANE by chihowa · · Score: 2

    Until we come up with a better fix for the whole CA system, browser support for DANE would be a huge step in the right direction. Especially, the type 2 (Trust anchor assertion) records would be helpful. So Google could say that only certificates issued by their own CA are legitimate. Or any site owner could publicly restrict trust to the CA that they actually get their certs from (or just specify a particular cert).

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  16. Re:What is trust these days? by ScentCone · · Score: 3, Funny

    Going to war with Iran would be like going to war with Maryland.

    You've never been to Maryland, have you? You'd never win such a war. There's too much paperwork involved in even establishing a war in Maryland. Just the recurring fees and annual compliance filings with the state would be enough to crush the fighting will of any invading army. Not to mention the tax rates on any pillaged loot seized during said invasion, especially in certain Maryland counties, would be enough to make the whole thing completely unprofitable. Just don't bother. Invade nearby Virginia, or maybe Delaware or Pennsylvania, instead. They're much easier to deal with.

    --
    Don't disappoint your bird dog. Go to the range.