Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores

Posted by timothy on from the trusted-by-whom dept.

Trailrunner7 writes When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple on Wednesday released major security upgrades for both of its operating systems, and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OS X. The company has not made any public statements on the incident or the continued inclusion of CNNIC's certificates in the trusted stores.

5 of 100 comments (clear)

  1. Apple is exposed to China operations by Sandbox-Six-Actual · · Score: 5, Insightful

    Remember that unlike Google, Apple has deep manufacturing and retail ties into the Chinese market, which is seen as a key strategic part of cost management and future market/revenue expansion.

    Even though CNNIC is very cozy with the Chinese MSS and the variety of PLA workforces associated with externally focused compromise, it is an organ of the Chinese government, which works differently from many others. If you were to offend the quasi-governmental agencies that deal IPs and such things in the US, you might not get "favorable" treatment, but the US FTC and others aren't exactly likely to swoop in and close you down either.

    China has shown with Google and Twitter and others that if you aren't willing to play ball with their government, they have enough control over everything that they can effectively disadvantage you in the market. They can arbitrarily sieze assets, justice is somewhat malleable, and the Great Firewall means no matter how big you are, entire segments of you traffic base can be reduced because the average person isn't going to work hard to get around the censors.

    The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world. But its also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process, etc, etc.

  2. Follow the money by JoeyRox · · Score: 5, Insightful

    China's vociferous response to Google removing CNNIC's root certificate authority is the reason Apple is not taking action. Apple is a very principled company until those principles start costing them money.

  3. Re:Are non-China users safe? by Anonymous Coward · · Score: 5, Informative

    No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.

    That's right; the Belgian Government can sign for www.yoursite.com and the person who holds the key for that CSR can MITM anyone who visits www.yoursite.com with no certificate warnings raised.

  4. Re:There's a shock... by fuzzyfuzzyfungus · · Score: 5, Funny

    I believe you mean 'enable all Apple devices for socially harmonious lawful remote management'.

  5. Removing this CA from your macbook by nicolaiplum · · Score: 5, Informative

    Open Keychain Access, find the System Roots keychain (left side), look for "China Internet Network Information Centre EV Certificates Root" on the right side, double-click on that. In the window this opens, expand the "Trust" arrow and change "When using this certificate" to "Never Trust".
    Do the same for the "CNNIC Root" certificate.

    --
    "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"