Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores
Trailrunner7 writes: When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple on Wednesday released major security upgrades for both of its operating systems, and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OS X. The company has not made any public statements on the incident or the continued inclusion of CNNIC's certificates in the trusted stores.
Well, there's Applejack, Apple Bloom, Big McIntosh, and Granny Smith.
Get free satoshi (Bitcoin) and Dogecoins
CNNIC was found to have provided fake certs for popular sites, seemingly to aid with spying. So the answer is yes, this does affect people outside of China.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.
That's right; the Belgian Government can sign for www.yoursite.com and the person who holds the key for that CSR can MITM anyone who visits www.yoursite.com with no certificate warnings raised.
And, it only takes 3 clicks in Keychain Access to revoke trust in the key. The cost for users is pretty low, if users knew enough to make a difference.
sudo security find-certificate -a -Z -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA-1
sudo security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain
Open Keychain Access, find the System Roots keychain (left side), look for "China Internet Network Information Centre EV Certificates Root" on the right side, double-click on that. In the window this opens, expand the "Trust" arrow and change "When using this certificate" to "Never Trust".
Do the same for the "CNNIC Root" certificate.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
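The two comments above give the manual (GUI) and one-shot (CLI) ways to stop trusting a root on OS X. The script below is an added example, not code from either commenter or from Apple: it wraps the same `security` commands so that the fingerprint lookup can be checked before anything is changed, and it uses a "deny" trust setting (`security add-trusted-cert -d -r deny`) rather than deletion, which is the command-line equivalent of setting "When using this certificate" to "Never Trust" in Keychain Access. The certificate names and the System Roots keychain path come from the thread; the sample `security` output embedded for the self-test is constructed, and the second fingerprint in it is a placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the original thread): audit and distrust a root CA
# in the OS X System Roots keychain by common name.

ROOTS_KEYCHAIN=/System/Library/Keychains/SystemRootCertificates.keychain

# Pull 40-hex-digit SHA-1 fingerprints out of `security find-certificate -Z`
# output. Pure text processing, so it can be exercised on captured output
# without touching a keychain.
extract_sha1() {
    sed -n 's/^SHA-1 hash: *\([0-9A-Fa-f]\{40\}\).*$/\1/p'
}

# Number of distinct fingerprints on stdin: a sanity check so you know how
# many certificates a name pattern matched before acting on them.
count_fingerprints() {
    extract_sha1 | sort -u | wc -l | tr -d ' '
}

# List fingerprints of every System Roots cert whose common name matches $1
# (e.g. "CNNIC"). Read-only.
list_roots_matching() {
    sudo security find-certificate -a -Z -c "$1" "$ROOTS_KEYCHAIN" | extract_sha1
}

# Mark the root named $1 as never trusted in the admin trust domain.
# The certificate stays in the keychain; the trust setting overrides it,
# which is what Keychain Access does when you pick "Never Trust".
distrust_by_name() {
    tmp=$(mktemp) || return 1
    sudo security find-certificate -c "$1" -p "$ROOTS_KEYCHAIN" > "$tmp" || { rm -f "$tmp"; return 1; }
    sudo security add-trusted-cert -d -r deny "$tmp"
    rc=$?
    # Confirm: verification against the now-distrusted root must fail.
    security verify-cert -c "$tmp" >/dev/null 2>&1 && echo "warning: $1 still verifies" >&2
    rm -f "$tmp"
    return $rc
}

# Constructed sample of `security find-certificate -a -Z` output, used for the
# self-test below. The first hash is the CNNIC ROOT fingerprint quoted in the
# thread; the second is a placeholder, not a real certificate.
SAMPLE_OUTPUT='SHA-1 hash: 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
attributes:
    "labl"<blob>="CNNIC ROOT"
SHA-1 hash: 0000000000000000000000000000000000000000
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
attributes:
    "labl"<blob>="China Internet Network Information Center EV Certificates Root"'

# Usage:
#   sh distrust-root.sh list CNNIC
#   sh distrust-root.sh distrust "CNNIC ROOT"
#   sh distrust-root.sh distrust "China Internet Network Information Center EV Certificates Root"
# With no arguments the script only defines the functions.
case "${1:-}" in
    list)     list_roots_matching "${2:-CNNIC}" ;;
    distrust) distrust_by_name "$2" ;;
    *) ;;
esac
```

Run `list` first and compare the count against what you expect (two entries for CNNIC at the time of the thread: "CNNIC ROOT" and the EV root); only then run `distrust` per name. `security dump-trust-settings -d` shows the resulting deny entries, and `security remove-trusted-cert -d` reverses them if needed.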