Slashdot Mirror


Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores

Trailrunner7 writes When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple on Wednesday released major security upgrades for both of its operating systems, and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OS X. The company has not made any public statements on the incident or the continued inclusion of CNNIC's certificates in the trusted stores.


  1. There's a shock... by fuzzyfuzzyfungus · · Score: 4, Insightful

    Hey, they weren't spying on our SSLed services today, so we still totally trust them! Also, have you seen how lucrative the Chinese market could be?

    1. Re:There's a shock... by fuzzyfuzzyfungus · · Score: 5, Funny

      I believe you mean 'enable all Apple devices for socially harmonious lawful remote management'.

  2. Re:Apples? by ArcadeMan · · Score: 4, Informative

    Well, there's Applejack, Apple Bloom, Big McIntosh, and Granny Smith.

  3. Apple is exposed to China operations by Sandbox-Six-Actual · · Score: 5, Insightful

    Remember that unlike Google, Apple has deep manufacturing and retail ties into the Chinese market, which is seen as a key strategic part of cost management and future market/revenue expansion.

    Even though CNNIC is very cozy with the Chinese MSS and the variety of PLA workforces associated with externally focused compromise, it is an organ of the Chinese government, which works differently from many others. If you were to offend the quasi-governmental agencies that deal IPs and such things in the US, you might not get "favorable" treatment, but the US FTC and others aren't exactly likely to swoop in and close you down either.

    China has shown with Google and Twitter and others that if you aren't willing to play ball with their government, they have enough control over everything that they can effectively disadvantage you in the market. They can arbitrarily seize assets, justice is somewhat malleable, and the Great Firewall means no matter how big you are, entire segments of your traffic base can be reduced because the average person isn't going to work hard to get around the censors.

    The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world. But it's also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process, etc, etc.

    1. Re:Apple is exposed to China operations by mrchaotica · · Score: 4, Insightful

      Clearly, then, the only choice is for all non-China users to consider Apple to be no longer trusted.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  4. Re:Are non-China users safe? by AmiMoJo · · Score: 4, Informative

    CNNIC was found to have provided fake certs for popular sites, seemingly to aid with spying. So the answer is yes, this does affect people outside of China.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Follow the money by JoeyRox · · Score: 5, Insightful

    China's vociferous response to Google removing CNNIC's root certificate authority is the reason Apple is not taking action. Apple is a very principled company until those principles start costing them money.

  6. Re:Are non-China users safe? by Anonymous Coward · · Score: 5, Informative

    No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.

    That's right; the Belgian Government can sign for www.yoursite.com and the person who holds the key for that CSR can MITM anyone who visits www.yoursite.com with no certificate warnings raised.

  7. Re:Are non-China users safe? by fustakrakich · · Score: 4, Insightful

    This confirms the absolute uselessness of this whole 'certificate' thing, except for tracking purposes of course.

    --
    “He’s not deformed, he’s just drunk!”
  8. Removing this CA from your macbook by nicolaiplum · · Score: 5, Informative

    Open Keychain Access, find the System Roots keychain (left side), look for "China Internet Network Information Centre EV Certificates Root" on the right side, double-click on that. In the window this opens, expand the "Trust" arrow and change "When using this certificate" to "Never Trust".
    Do the same for the "CNNIC Root" certificate.

    --
    "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
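
A scriptable check to go with the Keychain Access steps in comment 8, added here as an example and not part of any poster's comment: it filters the attribute listing printed by macOS `security find-certificate -a` for the two roots named there. The function names, the substring patterns and the sample listing are assumptions made for this example; the sample is constructed and is used only where the `security` tool is not installed.

```shell
#!/usr/bin/env bash
# Added example: report whether the roots named in comment 8 are still listed
# in the macOS System Roots keychain.

# Lower-case substrings derived from the two names in the comment. Substring
# matching is used because the exact spelling and case in the store may differ.
PATTERNS='cnnic;china internet network information'
SYSTEM_ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain

# Read a `security find-certificate -a` listing on stdin and print the label
# ("labl" attribute) of every certificate that matches one of PATTERNS.
match_roots() {
  awk -v patterns="$PATTERNS" '
    BEGIN { n = split(patterns, want, ";") }
    /"labl"<blob>=/ {
      label = $0
      sub(/^.*"labl"<blob>="/, "", label)   # drop the attribute prefix
      sub(/"[[:space:]]*$/, "", label)      # drop the closing quote
      for (i = 1; i <= n; i++)
        if (index(tolower(label), want[i]) > 0) { print label; break }
    }'
}

# Constructed sample listing (not captured from a real machine).
sample_listing() {
  cat <<'EOF'
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
attributes:
    "alis"<blob>="CNNIC ROOT"
    "labl"<blob>="CNNIC ROOT"
attributes:
    "labl"<blob>="China Internet Network Information Centre EV Certificates Root"
attributes:
    "labl"<blob>="Example Root CA (constructed)"
EOF
}

# Use the real keychain on macOS, the constructed sample anywhere else.
audit_roots() {
  if command -v security >/dev/null 2>&1; then
    security find-certificate -a "$SYSTEM_ROOTS" | match_roots
  else
    sample_listing | match_roots
  fi
}

found=$(audit_roots)
if [ -n "$found" ]; then
  printf 'Roots still present:\n%s\n' "$found"
else
  echo 'No matching roots found in the listing'
fi
```

A match only shows that the certificate is present in the store; the trust setting itself is what the "Never Trust" change in Keychain Access controls.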