Slashdot Mirror
Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores
Trailrunner7 writes When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple on Wednesday released major security upgrades for both of its operating systems, and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OS X. The company has not made any public statements on the incident or the continued inclusion of CNNIC's certificates in the trusted stores.
Hey, they weren't spying on our SSLed services today, so we still totally trust them! Also, have you seen how lucrative the Chinese market could be?
Apple is worried that doing the right thing will make them loose market share in China.
For fuck's sake is it really that hard to at least proofread the headline? "Apples Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores"
It only takes one bad "Apples" to spoil the whole headline.
XML is like violence. If it doesn't solve your problem, you're not using enough of it. --AC
Well, there's Applejack, Apple Bloom, Big McIntosh, and Granny Smith.
Get free satoshi (Bitcoin) and Dogecoins
Remember that unlike Google, Apple has deep manufacturing and retail ties into the Chinese market, which is seen as a key strategic part of cost management and future market/revenue expansion.
Even though CNNIC is very cozy with the Chinese MSS and the variety of PLA workforces associated with externally focused compromise, it is an organ of the Chinese government, which works differently from many others. If you were to offend the quasi-governmental agencies that deal IPs and such things in the US, you might not get "favorable" treatment, but the US FTC and others aren't exactly likely to swoop in and close you down either.
China has shown with Google and Twitter and others that if you aren't willing to play ball with their government, they have enough control over everything that they can effectively disadvantage you in the market. They can arbitrarily sieze assets, justice is somewhat malleable, and the Great Firewall means no matter how big you are, entire segments of you traffic base can be reduced because the average person isn't going to work hard to get around the censors.
The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world. But its also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process, etc, etc.
CNNIC was found to have provided fake certs for popular sites, seemingly to aid with spying. So the answer is yes, this does affect people outside of China.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
China's vociferous response to Google removing CNNIC's root certificate authority is the reason Apple is not taking action. Apple is a very principled company until those principles start costing them money.
Anyone know if I can remove the CA myself?
No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.
That's right; the Belgian Government can sign for www.yoursite.com and the person who holds the key for that CSR can MITM anyone who visits www.yoursite.com with no certificate warnings raised.
TFA calls it "an unusually severe punishment by both Google and Mozilla." Presumably there are many, many people relying on perfectly valid CNNIC certificates and typically the actions of one rogue intermediate CA doesn't require burning things to the ground (of course if it happens again, then you can no longer call it a mistake). TFA also notes in the very last line Microsoft didn't pull CNNIC either, but the headline and 99% of the article makes no mention of that.
We are talking apple users here, not Linux users. All three Apple users who know these steps have probably already done so. The other several hundred million are fucked, and Apple has now publicly taken a stance that they plan to hang those millions out to dry.
Ironically, I was going to buy an apple laptop for sheer convenience (and to run more recent versions of scrivener), but now I most certainly won't. Time to research good Linux laptop alternatives instead (ideally with high-end graphics capabilities that support blender's cycles module ... wonder how well Optimus is supported these days). Oh well, it will probably be cheaper anyway. Maybe I can treat myself a 4k monitor with the money saved.
The Future of Human Evolution: Autonomy
This confirms the absolute uselessness of this whole 'certificate' thing, except for tracking purposes of course.
“He’s not deformed, he’s just drunk!”
My Grandmother (she is 85) has an Intel based Core Duo Macbook and Apple has stopped providing security updates [...] When we bought the machine (new) I thought the macbook would be more usable for her than a Linux laptop. While it has been a good machine, being orphaned on security updates is bad form by Apple.
It's not too late:
http://www.odi.ch/prog/macbook...
http://www.codingepiphany.com/...
The Future of Human Evolution: Autonomy
How do I remove this CA from my macbook?
Don't forget the profits!
sudo security find-certificate -a -Z -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA-1 /System/Library/Keychains/SystemRootCertificates.keychain
sudo security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
When I was looking at trying to get back into creative writing, I looked at Scrivener. It's a nice app, but I already had online services I liked for notes and research, mainly Evernote and Trello, and it didn't seem to have good options for integrating with them.
Turns out, Emacs does all that stuff. All it costs is your sanity an assload of time to learn.
Also, Optimus is kinda-sorta okay. There's a utility called Bumblebee that handles turning the Nvidia chip on and off, and you basically end up running a second X session on the Nvidia with the output piped into the normal session. It's done by launching any app you want to be on the GPU with a wrapper app like Optirun.
What does this button d$#%* NO CARRIER
Open Keychain Access, find the System Roots keychain (left side), look for "China Internet Network Information Centre EV Certificates Root" on the right side, double-click on that. In the window this opens, expand the "Trust" arrow and change "When using this certificate" to "Never Trust".
Do the same for the "CNNIC Root" certificate.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
Except, the way SSL works, you have to remove the CA until the CA revokes the Intermediate CA's authority, or people are open to MITM attacks. Google did absolutely the correct thing, and MS and Apple are failing at security. There is no other right thing here. Once the intermediate is blocked, then you can say Google is in the wrong if they don't reinstate the CA's cert.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Are you sure? Have you performed a double blind study to determine that is performs better than placebo, and how much better to determine that it is the best?
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Apple will surely be updating shortly to close the loophole that has people installing PopcornTime on their iPhones...
Link
I'm surprised this isn't bigger news.
I'm on the fence as to whether my next laptop will be a Macbook. I'm not up on messing with security certificates. It took me about 10 seconds to get from Anonymous Coward's tip to a blocked CNNIC certificate. I think that it's within the scope of regular users. My cousin just did it, and she runs a modeling agency and was trained in, well, modeling. Macs do have a pretty easy interface. Say what you will, but that allowed me to do my little thing and get back to wasting time on the internet instead of grading papers.
This confirms the absolute uselessness of this whole 'certificate' thing, except for tracking purposes of course.
It's not useless, but it's only half of the equation.
The cert says, "we trust that this site belongs to this entity". That's one-way.
What needs to happen is that sites need to publish in their DNS(SEC) that they trust the same CA(s). That completes the mutual agreement on trust, which is currently missing. There are a few competing RFC's on the best way to lay this out, but what CNNIC shows is that we need to stop bickering and deploy this yesterday, accepting that "good enough" may not be perfect but it's *way* better than nothing. 'Better' is what version 2 is for.
May we engineers save us from ourselves.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
If Apple's recent stream of security failures has not convinced you to switch to Linux or BSD, you are basically hopeless.
Oh, I've been running Linux for years and years. I was going to dual-boot an apple laptop with osx+linux, but now I have no interest in having osx any more than I do windows. I'll take a look at the new dell.
The Future of Human Evolution: Autonomy
Nice, thanks for the info. Nvidia would be nice, as I want to run blender. Is there a good comparison site for various laptops with high-end graphics and CPUs you know of? I've been poking around online for a while, but determining what the best supported higher-end laptops are for Linux is far from easy.
The Future of Human Evolution: Autonomy
Plain DNS is useless, a MITM could fake the results.
DNSSEC just replaces a competitive market of certificate authorities with a different, less competitive system of new CA's called registrars. It's hardly a positive.
A lot of people hear "some company I never heard of can sign for my site" and immediately conclude the whole system is broken. But that's ridiculous. Why should people be locked into one or two CAs based on where they are in the world? I live in Switzerland. There is a local CA called SwissSign. Like everything Switzerland their EV certificates are more than double the price of what DigiCert charges (based in Utah). So I go to a foreign CA and get my cheaper certs. That's called globalisation.
Likewise, if someone in America wants to pay a Belgian CA for a certificate for whatever reason, why shouldn't they?
Yeah. Because it's SOOO hard to use Firefox, or Chrome, instead of Safari.
That's really how you do it - if it means that much to you, then you can always use browsers that do not use the OS X security store.
Like Chrome and Firefox. They run great on OS X.
Of course, a big problem is that Apple sells a lot of product in China, so CNNIC is pretty much required otherwise no Chinese user will be able to do anything.
I mean, what about Android? Is CNNIC going to be removed from it?
No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.
Even worse, there is no way to know which certs you need and which you can get rid of. This question has remained open on Super User without a good answer for over half a year:
http://superuser.com/questions...
It is dangerous to be right when the government is wrong.
Meantime, I can run a supported version of Windows on PCs, even laptops, that are 10+ years old. (If I need to, I mean. Linux would be my first choice for performance reasons.)
But if you're rich enough to buy a Mac in the first place, you should be able to afford to replace it every few years, IMO.
IIRC, when Google announced that they were removing the certificate, they referred to specific terms in CNNIC's contract with them that had been violated. Not sure about Mozilla.
Does CNNIC have similar contracts with Apple and Microsoft? Do they have similar terms? It occurs to me that they might not be as rigorous, because they might have been drafted several years earlier than Google's one - seeing as Chrome is a relative newcomer.
fake certs from them. Did Apple do even that?
DNSSEC doesn't tie you to a registrar any more than registering a domain already did. DNSSEC also solves a good chunk of the MITM that can occur with the normal CA system. DNS is a vital part of the internet. The fact that it is so easily spoofed and altered is the root of many security problems.
The argument against DNSSEC is that there is still a root authority, at IANA, that can be corrupted. Which is solvable with DLV (DNSSEC Look-aside Validation) and alternative trust anchors. Even without that, stating the CA (or specific key) you use in DNS only makes the system stronger. At the very least, that's one more party to corrupt and non-targeted attacks would be broadcast across the internet.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Even worse, there is no way to know which certs you need and which you can get rid of. This question has remained open on Super User without a good answer for over half a year:
http://superuser.com/questions...
There is a way: start disabling them until stuff starts breaking. Browsers make this maddeningly hard, by failing to load the page but not mentioning the specifics of what failed, but it can be done.
I've disabled all certificates and only enable certificates when sites break. This will be very region-specific, but after two years I'm up to ten root certs enabled. Of course, I don't trust those ten certificate authorities, but there are ten that I need to do my internet business. Reduced attack surface area and all. CNNIC is not one of the enabled certificates!
Is there a way for individual users to remove certs from these browsers without waiting for vendors to do so?
Thanks. I've tried that in Firefox, but there is no way to disable a cert and then reenable it: the option is called Disable/Delete and it does the latter: Delete. There does not seem to be a way to disable certs until they are needed. What region are you in, and which certs do you have enabled. I would like to know just as a starting point. Thank you!
It is dangerous to be right when the government is wrong.
I don't know what certificates he settled on, but if you aren't doing a whole lot of international browsing, you can safely disable any foreign CAs (especially foreign government CAs or anything you can't read). In Firefox, you can get the country of origin by viewing the certificate and looking at Issuer, under the Details tab. "C = " will list the country code. Most of the big CAs are in the US, but there are a few big ones that aren't: Comodo, StartCom, Thawte, AddTrust.
In Firefox, you can disable without deleting, by clicking "Edit Trust...". Even if you delete a root CA, it will show back up on restart with all of its trust disabled. You can't delete them permanently from the UI.
Thanks. I did notice that a deleted CA returned on restart, but I didn't notice that it still had all of its trust disabled.
It is dangerous to be right when the government is wrong.