Slashdot Mirror


Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores

Trailrunner7 writes When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple on Wednesday released major security upgrades for both of its operating systems, and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OS X. The company has not made any public statements on the incident or the continued inclusion of CNNIC's certificates in the trusted stores.

28 of 100 comments

  1. There's a shock... by fuzzyfuzzyfungus · · Score: 4, Insightful

    Hey, they weren't spying on our SSLed services today, so we still totally trust them! Also, have you seen how lucrative the Chinese market could be?

    1. Re:There's a shock... by Noah+Haders · · Score: 2

      It's probably a condition in Apple's contract with the CN govt that they have to ruin all Apple devices for security.

    2. Re:There's a shock... by fuzzyfuzzyfungus · · Score: 5, Funny

      I believe you mean 'enable all Apple devices for socially harmonious lawful remote management'.

    3. Re:There's a shock... by mitcheli · · Score: 3

      It somehow doesn't surprise me that Apple is still hosting the exploited CA cert. They released patches to a number of openssl (which OSX does use) that supposedly fix the high level vulnerabilities of late (Security Update 2015-3?) But at the same time, the version that's running is 1.0.1g ... and there have been several high level vulnerabilities such as the down channel exportable encryption bug that still haven't been addressed. Thinking Apple needs to step up their game!

      --
      Select from tblFriends where interesting >= 4;
  2. Chinese market by Anonymous Coward · · Score: 2, Insightful

    Apple is worried that doing the right thing will make them lose market share in China.

    1. Re:Chinese market by NotDrWho · · Score: 2, Insightful

      I doubt any Apple execs know what the phrase "doing the right thing" even means.

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
  3. Fix the headline by rbanzai · · Score: 2

    For fuck's sake, is it really that hard to at least proofread the headline? "Apples Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores"

  4. Re:Apples? by taiwanjohn · · Score: 3, Funny

    It only takes one bad "Apples" to spoil the whole headline.

    --
    XML is like violence. If it doesn't solve your problem, you're not using enough of it. --AC
  5. Re:Apples? by ArcadeMan · · Score: 4, Informative

    Well, there's Applejack, Apple Bloom, Big McIntosh, and Granny Smith.

  6. Apple is exposed to China operations by Sandbox-Six-Actual · · Score: 5, Insightful

    Remember that unlike Google, Apple has deep manufacturing and retail ties into the Chinese market, which is seen as a key strategic part of cost management and future market/revenue expansion.

    Even though CNNIC is very cozy with the Chinese MSS and the variety of PLA workforces associated with externally focused compromise, it is an organ of the Chinese government, which works differently from many others. If you were to offend the quasi-governmental agencies that deal IPs and such things in the US, you might not get "favorable" treatment, but the US FTC and others aren't exactly likely to swoop in and close you down either.

    China has shown with Google and Twitter and others that if you aren't willing to play ball with their government, they have enough control over everything that they can effectively disadvantage you in the market. They can arbitrarily seize assets, justice is somewhat malleable, and the Great Firewall means no matter how big you are, entire segments of your traffic base can be reduced because the average person isn't going to work hard to get around the censors.

    The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world. But it's also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process, etc, etc.

    1. Re:Apple is exposed to China operations by denis-The-menace · · Score: 2, Insightful

      And we have a winner!

      Sorry, I have no Mod points for you.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    2. Re:Apple is exposed to China operations by Anonymous Coward · · Score: 3, Insightful

      The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world.

      In other words, Apple has sold out its customers, but hey! They want to make money, so who can blame them for this betrayal.

      But it's also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process, etc, etc.

      So the NSA has behaved badly, and this makes China's misbehavior OK, and Apple's betrayal of its customers, and its assistance of China in undermining network security for all of its users, absolutely OK.

      Got it.

    3. Re:Apple is exposed to China operations by mrchaotica · · Score: 4, Insightful

      Clearly, then, the only choice is for all non-China users to consider Apple to be no longer trusted.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  7. Re:Are non-China users safe? by AmiMoJo · · Score: 4, Informative

    CNNIC was found to have provided fake certs for popular sites, seemingly to aid with spying. So the answer is yes, this does affect people outside of China.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Follow the money by JoeyRox · · Score: 5, Insightful

    China's vociferous response to Google removing CNNIC's root certificate authority is the reason Apple is not taking action. Apple is a very principled company until those principles start costing them money.

    1. Re:Follow the money by Anonymous Coward · · Score: 3, Informative

      And, it only takes 3 clicks in Keychain Access to revoke trust in the key. The cost for users is pretty low, if users knew enough to make a difference.

  9. Re:Are non-China users safe? by Anonymous Coward · · Score: 5, Informative

    No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.

    That's right; the Belgian Government can sign for www.yoursite.com and the person who holds the key for that CSR can MITM anyone who visits www.yoursite.com with no certificate warnings raised.

  10. "Unusually harsh" by Anonymous Coward · · Score: 2, Interesting

    TFA calls it "an unusually severe punishment by both Google and Mozilla." Presumably there are many, many people relying on perfectly valid CNNIC certificates, and typically the actions of one rogue intermediate CA don't require burning things to the ground (of course if it happens again, then you can no longer call it a mistake). TFA also notes in the very last line that Microsoft didn't pull CNNIC either, but the headline and 99% of the article make no mention of that.

  11. ...and here I was, about to buy an Apple laptop... by FreeUser · · Score: 2, Insightful

    We are talking apple users here, not Linux users. All three Apple users who know these steps have probably already done so. The other several hundred million are fucked, and Apple has now publicly taken a stance that they plan to hang those millions out to dry.

    Ironically, I was going to buy an Apple laptop for sheer convenience (and to run more recent versions of Scrivener), but now I most certainly won't. Time to research good Linux laptop alternatives instead (ideally with high-end graphics capabilities that support Blender's Cycles module ... wonder how well Optimus is supported these days). Oh well, it will probably be cheaper anyway. Maybe I can treat myself to a 4k monitor with the money saved.

    --
    The Future of Human Evolution: Autonomy
  12. Re:Are non-China users safe? by fustakrakich · · Score: 4, Insightful

    This confirms the absolute uselessness of this whole 'certificate' thing, except for tracking purposes of course.

    --
    “He’s not deformed, he’s just drunk!”
  13. It's not too late! by FreeUser · · Score: 2

    My Grandmother (she is 85) has an Intel based Core Duo Macbook and Apple has stopped providing security updates [...] When we bought the machine (new) I thought the macbook would be more usable for her than a Linux laptop. While it has been a good machine, being orphaned on security updates is bad form by Apple.

    It's not too late:

    http://www.odi.ch/prog/macbook...
    http://www.codingepiphany.com/...

    --
    The Future of Human Evolution: Autonomy
  14. Re:Removing the CNNIC ROOT on OSX by vanyel · · Score: 2

    They apparently *really* don't want me to get rid of it:

    + grep SHA-1
    + security find-certificate -a -Z -c 'CNNIC ROOT' /System/Library/Keychains/SystemRootCertificates.keychain
    SHA-1 hash: 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
    + security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain
    security: SecTrustSettingsRemoveTrustSettings (user): No Trust Settings were found.
    + security delete-certificate -t -c 'CNNIC ROOT' /System/Library/Keychains/SystemRootCertificates.keychain
    x: line 5: 92884 Segmentation fault security delete-certificate -t -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain

  15. Removing this CA from your macbook by nicolaiplum · · Score: 5, Informative

    Open Keychain Access, find the System Roots keychain (left side), look for "China Internet Network Information Centre EV Certificates Root" on the right side, double-click on that. In the window this opens, expand the "Trust" arrow and change "When using this certificate" to "Never Trust".
    Do the same for the "CNNIC Root" certificate.

    --
    "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
  16. Re:Google politicking? by Coren22 · · Score: 2

    Except, the way SSL works, you have to remove the CA until the CA revokes the Intermediate CA's authority, or people are open to MITM attacks. Google did absolutely the correct thing, and MS and Apple are failing at security. There is no other right thing here. Once the intermediate is blocked, then you can say Google is in the wrong if they don't reinstate the CA's cert.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  17. Re:It's true! by Coren22 · · Score: 2

    Are you sure? Have you performed a double blind study to determine that it performs better than placebo, and how much better, to determine that it is the best?

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  18. Not for long... new exploit is out by BenJeremy · · Score: 2

    Apple will surely be updating shortly to close the loophole that has people installing PopcornTime on their iPhones...

    Link

    I'm surprised this isn't bigger news.

  19. Re:Are non-China users safe? by bill_mcgonigle · · Score: 2

    This confirms the absolute uselessness of this whole 'certificate' thing, except for tracking purposes of course.

    It's not useless, but it's only half of the equation.

    The cert says, "we trust that this site belongs to this entity". That's one-way.

    What needs to happen is that sites need to publish in their DNS(SEC) that they trust the same CA(s). That completes the mutual agreement on trust, which is currently missing. There are a few competing RFCs on the best way to lay this out, but what CNNIC shows is that we need to stop bickering and deploy this yesterday, accepting that "good enough" may not be perfect but it's *way* better than nothing. 'Better' is what version 2 is for.

    May we engineers save us from ourselves.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  20. Re:Are non-China users safe? by dotancohen · · Score: 2

    No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.

    Even worse, there is no way to know which certs you need and which you can get rid of. This question has remained open on Super User without a good answer for over half a year:
    http://superuser.com/questions...

    --
    It is dangerous to be right when the government is wrong.