Mozilla Accepts Chinese CNNIC Root CA Certificate 256
Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
As usual, please refrain from blindly chiming in? (Score:5, Funny)
Wow, you're so new here, you're still dripping wet and covered in placenta.
Re: As usual, please refrain from blindly chiming (Score:5, Insightful)
I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Are you saying "should Mozilla remove it?" Then the answer is probably no, because Mozilla is not an omni-beneficent entity. It probably helps them in some way to include it.
The question is, should individual users remove it? And yes, by the link that you provided indicating its role in the distribution of malware. Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?
Re: (Score:2)
Exactly. The spoon and the knife are already laid out.
Re: As usual, please refrain from blindly chiming (Score:5, Insightful)
At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents. Nobody's saying you should wait to remove it. The question is, should it be removed for the safety of others?
The whole point of root certs is trust. We trust them to sign certificates which will be used, in turn, to keep our conversations private. Should CNNIC be trusted to keep conversations private? That is the question. Organizations like Mozilla put their own reputations on the line when choosing which root certs to include. Any abuse by CNNIC will be seen as a security flaw in Mozilla software. That is the issue. That is why Mozilla should care. (even if they disagree)
Re: (Score:3, Funny)
What's a MiTH attack? Man in ..?
Re: (Score:3, Funny)
What's a MiTH attack? Man in ..?
Man in The Hat [xkcd.com]
Re: (Score:2)
What's a MiTH attack? Man in ..?
It's an attack that doesn't actually exist, e.g., one that is "mithical". Of course, a mith is as good as a mile anyways.
Re: (Score:3, Interesting)
They can only do so by replacing the key with something new, which probably generates a big security warning, and then they have to reencrypt it with the old key, so they do have to intercept communication and not just listen in.
I don't know if you should be concerned about that
Re: As usual, please refrain from blindly chiming (Score:4, Insightful)
If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA. Guess MITM is a game for big players.
Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection. From a security standpoint, the whole web should work the same.
It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place. For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.
Re: (Score:2)
All of them. The Chinese one might be the safest to retain.
Re: (Score:2, Interesting)
Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?
Because Mozilla is capable of doing it and most computer users are (effectively) not.
Because we care about what happens to the internet.
Because it's going to be our mom's machine, and we'll have to fix it.
Re:restricting it to *.cn would make sense (Score:5, Interesting)
Seeing as China makes lots of the core internet routers these days (with quickly growing market share) there is every reason to assume we're getting man-in-the-middle pwned.
I'm not in *.cn, and I'm not visiting *.cn, so why in Hell should this certificate apply to me? If suddenly www.adobe.com is signed by China, there sure is a problem!
It's funny, you know ... if we were all buying high-end routers from Russia everyone would be flipping out about security. But China makes inroads on that market (with the obvious intention of dominating it) and nobody really seems too upset. You have to assume that a hostile totalitarian state might try to exploit that advantage in some way.
Weird. And I always thought denial was a river.
Re: As usual, please refrain from blindly chiming (Score:4, Informative)
He means, "please don't spam the Bugzilla comments unless you have something constructive to add." BMO used to block all slashdot referers at one point...
Re: (Score:3, Funny)
Wow, you're so new here, you're still dripping wet and covered in placenta.
And a Chinese, heavy metal laden one, at that.
Re: (Score:2)
Because you can trust Google so much more than China.
Re: As usual, please refrain from blindly chiming (Score:4, Insightful)
Not only do I not trust CNNIC, I don't trust Verisign either. Nor any of the dozens of CAs which are installed by default.
In other words, the whole CA concept is flawed.
Re: (Score:2)
I saw the same thing in my copy of Opera 10.5.x
However, after visiting the test site : https://www.enum.cn/en/ [www.enum.cn]
I can now see the cert. My guess is Opera does not come preloaded with all root certs, but perhaps fetches them on demand from an online repository.
Re: (Score:2)
That would be interesting to find out, also whether or not the session used to retrieve the root certs is itself secure...
Re: (Score:2, Informative)
Visit the test site [www.enum.cn] and look again.
Re: (Score:2)
Saying that you "don't think so" because you actually took a real world look at the product in hand seems like a pretty reasonable response, and doesn't need a 'you must be illiterate because I read a statement put out months ago'. Perhaps that's since been revoked? Or perhaps they made a typo. Or perhaps they never got around to actually implementing it.
Turns out they do trust it, just Opera downloads certs on demand.
But I wouldn't go around saying it was "patently false" just because of some blog post and
Given they've bowed to Chinese pressure (Score:5, Interesting)
...is there a straightforward way to mark CNNIC as untrusted?
Marking as untrusted (Score:5, Informative)
Taken from comments section of article:
Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there's a lot of entries there.
One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.
Was pointing towards something like a CRL. (Score:4, Insightful)
Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.
Re:Was pointing towards something like a CRL. (Score:4, Insightful)
Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.
As long as the update does not delete your local preferences it should work.
Re: (Score:3, Insightful)
"Telling the browser to not trust that entity at all is what I'm talking about."
Looks like time for a convenient extension.
Re:Was pointing towards something like a CRL. (Score:4, Insightful)
Ah, but how do we know we are actually getting the right extension? Normally that process is secured by ssl but now.... The Chinese government could man in the middle anyone who tries to install any particular extension, and feed them a crippled one instead. Implausible sure, but possible.
Re: (Score:2)
I'm well aware of how certificates work, and I'm sure you are well aware that the vast majority of the population would never think, or even know, to confirm that the certificate is from the correct CA.
Re: (Score:3, Interesting)
What is ironic is that I can do this in IE with no problems. I drag a certificate to the untrusted store, either systemwide or as a user, and even if root certs are updated, that cert remains untrusted.
Re: (Score:2, Informative)
If I have it right, it is actually a simple thing to do, the UI is just awkward. Edits to the trust settings of the certificate will disable it and persist (another post indicates that deleting the certificate also marks it as untrusted, so even if the certificate gets added back to the system, it won't be trusted).
Re:Was pointing towards something like a CRL. (Score:4, Informative)
Select "Tools", then "Options".
Click "Advanced", "Encryption" and "View Certificates".
Scroll down to "CNNIC" and select the "CNNIC Root" certificate.
Finally click "Edit", uncheck "This certificate can identify web sites" and press OK until all the little windows go away.
Now even if the root certs are updated, that cert remains untrusted.
In IE you have to select "Tools", "Internet Options", "Content", "Certificates", "Trusted Root Certification Authorities", select the certificate you want, then click "Advanced", uncheck the "Server Authentication" role and then click "Ok", "Close", and "OK" again to finally make your change stick.
What is ironic is that when you do that in IE with no problems, it actually takes more mouse clicks than doing the same thing in Firefox.
Re:Was pointing towards something like a CRL. (Score:4, Interesting)
This will work, but the certificate is still "trusted" in a sense. The best way is, as the parent noted, to use the Certificates snap-in in MMC to move the certificate to the Untrusted store. Doing so permanently removes trust for that certificate and, thus, all of the certificates that chain to it. This approach is also useful in that it blocks trust of the certificate for any purpose by any program that uses the cryptographic functions in Windows for verifying certificate trust.
Re: (Score:2)
IE uses the OS-provided shared certificate store (so does Chrome, by the way).
Re:Given they've bowed to Chinese pressure (Score:5, Informative)
[1] "Tools, Options, Advanced, Advanced, View Certificates" if you are on Windows, but if you are on Windows the CNNIC certificate is probably not the most significant of your security worries...
It's not there... (Score:2, Informative)
Weird thing is, I can't find it in there at all, unless I'm just blind. There's nothing that says CNNIC (or even anything obviously Chinese).
One addendum to your directions, you have to be in the "Encryption" subtab of the Advanced tab or you won't see the "View Certificates" button.
Re: (Score:2)
Not just you, I don't appear to have it in Firefox 3.5.7 or Windows/IE.
Unless I have a particular well written rootkit hiding from me that prevents display of that certificate but allows its continued use. I'm kind of guessing not.
Re: (Score:2)
If you delete the CA when it returns (not sure why it does that) its properties, when you click Edit..., will be all unchecked.
Tools>Options...; Advanced, Encryption tab, [View Certificates]; Authorities tab, click CNNIC ROOT, [Edit...]/[Delete...].
Re: (Score:3, Funny)
Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Authorities -> ... -> Profit
Disagree with the premise. (Score:5, Interesting)
I am not sure I agree with this. When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.
Sorry, what? (Score:2)
If the thing is done, the actor doesn't have to do anything additional. It doesn't have to be done again, or done more. The only possible change is to undo it. Those who wish to undo it must justify undoing it, because they are the only ones who have need of an affirmative action to be taken.
delete cert? finger in dike (Score:5, Informative)
Did you notice how many CAs are in the list? How do you feel about each?
I might recommend encouraging technologies like Perspectives [cmu.edu] to provide defense in depth.
Re:delete cert? finger in dike (Score:5, Informative)
They've got a Firefox extension, too: http://www.cs.cmu.edu/~perspectives/firefox.html#install [cmu.edu]
And this conveys the idea quickly and visually... the web demo: http://moo.cmcl.cs.cmu.edu/perspectives/ [cmu.edu]
They're also looking for developers to take the project. This could be a great tool for everyone.
Re: (Score:2)
tl;dr
Ooooh, how did that feel? You spent all that time and effort writing that up, only to find out we don't give a shit.
Relative security of self-signed certificates (Score:4, Insightful)
I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.
Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:
Why are self-signed certificates viewed with such relative suspicion?
It only takes a single compromised or misled CA to bypass the entire trust system. The more CAs we have, the easier it is to compromise the system.
Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)? Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA? (And it is effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.)
As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.
Re: (Score:2)
Because the communications channel that carries the self-signed certificate is exactly the same as the one that has potentially been compromised.
Re: (Score:2)
So don't give users the lock icon, and just pretend it's an unencrypted website.
Self-signed certificates provide no protection against MITM attacks, but they do provide protection against passive snooping which is what the parent is talking about. There is zero disadvantage to using them. You can argue the lack of some advantages all you want, but throwing tons of warnings at users for using them is ridiculous, when regular unencrypted HTTP traffic is let through fine. I am particularly annoyed at the obnox
Re: (Score:2)
Because the communications channel that carries the self-signed certificate is exactly the same as the one that has potentially been compromised.
This is far from being true, especially in modern times with the proliferation of wireless access technologies.
In this day and age, it is extremely common for even average non-technical users to access a web site at different times using different and entirely independent communications channels. You might use a wired connection at home, a wireless hotspot in a coffee shop, 3G mobile broadband when on the road, and so on. Web browsers have always had the capability (rarely used) to cache a self-signed cer
Re: (Score:3, Insightful)
There's no good reason to make them so inconvenient that one must pay a toll, or have no security whatsoever against passive snooping.
So when Joe Haxor manages to use a cheap DNS exploit to point www.mybank.com to his web server and then hands out a self-signed certificate 'proving' it's www.mybank.com, you really think that not having a padlock icon on the window will stop Joe Average from handing over their passwords and thereby all their money?
That's a bloody great huge reason why any self-signed certificate should require Joe Average to click through six different 'I'm sure that I'm sure that this site is really the one that I want to
Re:Relative security of self-signed certificates (Score:4, Insightful)
Joe Haxor will use a cheap DNS exploit to point www.mybank.com to his web server, which will not support, enable, or redirect to HTTPS. Or do you really believe that Joe Average actually types https://www.mybank.com? You're lucky if they even get the www. part in.
Sorry, self-signed certs are better than unencrypted HTTP, and unconditional roadblocks to their use are ridiculous when anyone can impersonate anyone over simple unencrypted HTTP. Anyone can argue that they should not be given equivalent security status to CA certificates (and I agree), but actively hindering their use is stupid and actively hurts security by discouraging Joe Web Developer from trivially enabling SSL to at least stop passive snooping.
Re: (Score:2)
Perhaps merging a PGP-like web of trust interlink with SSL security. So, if a close friend trusts foo.com as a CA, then the Web browser would assume that. If a friend dislikes blarf.com, the Web browser will pop up something saying that the CA isn't that liked among friends.
Problem is that for /. readers, a system like this would make perfect sense. However, most people seem to just want to connect to a site, see a little padlock icon and assume that they can log into their bank safely. They don't care
How Many Self-signed Certificates We Talking? (Score:2)
For my personal use, I don't have a problem with the suspicion of self-signed certs. I don't intend any visitors to my https service other than the ones I personally invite, and I can guide them through the security exception process. Obviously, I'm not running a business.
I disagree with the parent regarding the proliferation of CAs. It's true that added CAs add to the points of potential compromise. But, they're a drop in the bucket compared to the flood of self-signs we'd be dealing with. Then we'd really
Does anyone notable *not* support CNNIC? (Score:5, Informative)
I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...
If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond firefox.
Re: (Score:2)
Mmm, strange that it does not maintain its own list of certificates,
Re:Does anyone notable *not* support CNNIC? (Score:4, Insightful)
> ... it extends way beyond firefox.
And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.
Re: (Score:2)
What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA?
You forgot Australia.
Also, our government doesn't obsessively monitor everyone (Brits), attempt to cram a "3-strikes" law down our throats (French), or attempt to track down dissidents and make them "disappear" (Iranians, Chinese). So, yes, we are the good guys here, relatively speaking.
Re: (Score:2)
Ah yes, and the beer! Mmmm. And the platypus. Its all good.
Re:Does anyone notable *not* support CNNIC? (Score:4, Insightful)
> ... it extends way beyond firefox.
And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.
Gagh. Such histrionics. Look, this isn't about all Chinese people being evil. It is about a particular country that happens to be the source of an astounding number of remote attacks, cracks, hacks and exploits on the network infrastructure of other nations. The question is whether or not those nations who are subject to China's self-serving Internet activities should aid in those efforts. Rather a foot-in-self-shoot situation really. Me, I've all but switched to Chrome anyway for most things, and this is just another reason to finish the job.
I know what you're saying when you use the phrase "yellow peril", but there is some truth to it. China is a threat on the world scene, more than at any other point in their history.
Re: (Score:2)
Bear in mind that the certificate store in Windows is shared across multiple applications. I don't have Firefox installed on my fully-patched Windows 7 Professional machine, and I don't have the CNNIC Root certificate in any of my certificate stores. If you have it, you've installed something that's added it or upgraded from a version of the OS that's trusted it. It most definitely isn't something that Windows trusts by default.
My MBP isn't handy, so I can't check and see if OS X has it by default; my MBP h
Evidence (Score:5, Insightful)
It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks. To perform a man-in-the-middle attack on (for example) gmail, CNNIC would have to send a fraudulent certificate to users. That certificate would be ironclad evidence that CNNIC can't be trusted, so all someone has to do is present one.
Re: (Score:2)
Easier said than done. If they were going to use this for evil, they would only do so in very isolated cases for exactly this reason.
Re: (Score:3, Insightful)
It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks.
I think the issue here isn't that CNNIC is performing MitM attacks, but that it theoretically can perform one, owning a trusted certificate.
Something more substantial than Wikipedia ? (Score:5, Interesting)
"surfaced claims of malware production and distribution"
This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:
"CNNIC produces one of the best-known pieces of malware in China: the Chinese-Language-Surfing Official Edition. The software is frequently bundled with other adware/shareware. It was declared malware by the Beijing Network Industry Association and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard, an anti-virus software. San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled in favor of CNNIC."
Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.
Why is CNNIC untrustworthy ? In plain English please.
Re:Something more substantial than Wikipedia ? (Score:4, Interesting)
Are you saying the court system in China is (A) open, fair, and impartial, particularly when it judges a case involving (B) the Chinese Govt vs a defendant anti-spyware company?
Re:Something more substantial than Wikipedia ? (Score:5, Insightful)
San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled in favor of CNNIC.
Tell me why I should trust a Chinese court. Because the Chinese Communist Party tells me they're trustworthy? Sorry, I'm not sure I should trust the CCP. Can you provide a trustworthy source that will attest to the CCP's ethics?
I'm sorry sir, the certificate is in Chinese (Score:5, Funny)
Why is CNNIC untrustworthy ? In plain English please.
I'm sorry sir, the certificate is in Chinese.
Re: (Score:3, Interesting)
Agreed--I'd like to see some real evidence too (Chinese language is fine). As far as I can tell, this is the story: CNNIC does have a "Chinese Language Surfing [cnnic.net.cn]" product, which enables the use of Chinese domain names, among other things. (ICANN approved non-ASCII ccTLDs late last year, but the Chinese have been using browser plugins and the like to get the same effect for years. This probably isn't the best article about it, but it was what came up when I tried to search for an article that explained it: Chi [circleid.com]
Centralized key distribution hierarchy failure... (Score:2)
I suspect that in practice simply following the SSH model would be pretty much as secure and a lot safer from this kind of attack.
That's the model where all keys are effectively "self signed", and you don't check whether the key is signed by a trusted authority... instead you check whether the key has changed, and raise an alert if so.
Using BOTH techniques... alerting people if the key changes whether it's self-signed or centrally signed... seems to be the best solution. That way if CNNIC wants to MITM you
Re: (Score:2)
Um.... no! The CA model exists precisely because the SSH model is vulnerable to MITM!
Re: (Score:3, Interesting)
There are different failure modes.
If you know that the victim has not visited a given site before you can MITM them undetectably, but the attack doesn't scale. On the other hand the centralized key distribution hierarchy is vulnerable to widespread undetected MITM attacks if the hierarchy is compromised, where the SSH model would produce a large number of suspicious reports in that scenario... leading to the unmasking of the perpetrator.
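The combination the two comments above argue over, the SSH-style "has this host's key changed?" check layered on top of the CA chain check, written out as an added example for this page (not code from any poster, from Mozilla or from OpenSSH). The pin store, the verdict names and the byte strings standing in for DER certificates are all constructed for the example; the CA verdict is passed in as a boolean where a real client would take it from its TLS library.

```python
"""Trust-on-first-use pinning of TLS server certificates, layered on top of
the CA check. Added example for this thread; not code from any poster.

Statuses from the pin store are combined with the CA verdict that the TLS
library would normally give. Sample certificates are constructed byte
strings standing in for DER, because only their hash matters here.
"""
import hashlib
import json
from pathlib import Path

FIRST_SEEN = "first-seen"   # no pin recorded for this host yet
MATCH = "match"             # same certificate as the one pinned earlier
CHANGED = "changed"         # a different certificate than the pinned one


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, the value browsers show as the fingerprint."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Host -> fingerprint map, optionally persisted to a JSON file (assumed path)."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path is not None and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def status(self, host: str, cert_der: bytes) -> str:
        pinned = self.pins.get(host)
        if pinned is None:
            return FIRST_SEEN
        return MATCH if pinned == fingerprint(cert_der) else CHANGED

    def pin(self, host: str, cert_der: bytes) -> None:
        self.pins[host] = fingerprint(cert_der)
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=1))


def evaluate(store: PinStore, host: str, cert_der: bytes, ca_chain_valid: bool):
    """Decide what to do with a presented certificate. Returns (verdict, reason).

    The SSH-style check runs first: a key change is reported even when the CA
    chain verifies, which is exactly the signature of a MITM performed with a
    certificate issued by a trusted-but-hostile root.
    """
    pin = store.status(host, cert_der)
    if pin == CHANGED:
        return ("alert", "key differs from pinned key"
                + (" although the CA chain verifies" if ca_chain_valid else ""))
    if not ca_chain_valid:
        if pin == MATCH:
            # e.g. an expired certificate that still carries the key we know
            return ("warn", "CA chain does not verify but key matches the pin")
        return ("block", "CA chain does not verify and host has no pin")
    if pin == FIRST_SEEN:
        store.pin(host, cert_der)   # TOFU: the only point where a MITM goes unnoticed
        return ("accept-first-use", "CA chain verifies; key pinned for future checks")
    return ("accept", "CA chain verifies and key matches the pin")


if __name__ == "__main__":
    store = PinStore()
    key1 = b"constructed DER bytes: mail.example.com key 1"
    key2 = b"constructed DER bytes: mail.example.com key 2 (issued by another CA)"
    print(evaluate(store, "mail.example.com", key1, True))   # accept-first-use
    print(evaluate(store, "mail.example.com", key1, True))   # accept
    print(evaluate(store, "mail.example.com", key2, True))   # alert
```

The "first-seen" branch is the failure mode the comment concedes: a victim who has never visited the site can be intercepted silently. The "changed" branch is the other side of the trade: a CA-valid certificate with a different key is reported, which is what turns a hierarchy compromise from silent into a stream of reports from pinned clients. Whether "warn" on an expired-but-unchanged key is acceptable is a policy choice, not a security property.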
Re: (Score:2)
No, both models would be detectable. I would notice if my connection to Bank of America says "Signed by China Telecom."
Letting the average user manage keys by himself means both widespread MITM is possible, and users get trained to accept keys.
If you think Grandma shopping online would really be more secure if she managed keys herself, you've never met an end user. SSL MITMs have been fantastically rare, despite extremely widespread use by untrained masses. There's no better proof of SSL's success than tha
Re: (Score:2)
I would notice if my connection to Bank of America says "Signed by China Telecom."
Really? Without looking, can you tell me who your connection to the Bank of America is supposed to be signed by? Do you actually check every time?
Re: (Score:2)
Firstly, SSH requires out-of-band key exchanges. You know, like over a USB stick or something.
For client authentication, yes. For server authentication (which is what the server's SSL key is used for), no. I'm talking about the SSH host key, not your personal key.
No matter how many bits you use, your certificate shouldn't go more than a few years without being renewed, or you put the key at risk of attack.
And you can post that ahead of time, and some people will get a little paranoid about it because they d
easy solution (Score:2)
Write a script that goes to lots of SSL sites and checks the signing certificate. Run one copy from behind the Great Firewall. Run another from the free world. Compare the output to see if CNNIC ever shows up where it shouldn't. Found a hit? Submit it to all the browser publishers and watch the security updates fly, as CNNIC loses all authority over SSL.
Bonus points if you can get Hillary Clinton to send a strongly-worded letter to China.
What is trust? (Score:2)
If you never had a chance to look at a root CA list in your browser - now may be the time. Open advanced encryption preferences and look at certificate list. These are, normally, all the CAs that your browser trusts to sign certificates for other sites (or for other signers and so on and so forth). Now - do you know who they are?
FWIW I have never heard of most of these names, and have no reason to trust them or anything they do. The names that I know don't exactly give me the "warm and fuzzy" feeling. Equif
The role of SSL/TLS (Score:2)
I scanned fairly quickly through the comments here but none seems to point out the obvious:
SSL DOES NOT ATTEMPT TO GUARANTEE ANYTHING APART FROM AUTHENTICITY
As it appears, this mob have verified their identity sufficiently for Mozilla to decide they are able to put something on the interweb and verify they put it there.
Should I be worried - no I don't think so.
I've just (skimmed) read the Mozilla bug entry for this and as far as I can tell all was correct.
What exactly is the problem here? SSL is a mechanism
Re: (Score:3, Interesting)
Uh, no. It guarantees against eavesdropping as well.
No. They can now put anything on the web _as any name they like_ and verify that the authorized user of that name did so. For instance, they can put up their own "www.gmail.com" site that verifies as real; it can even say the ce
Re: (Score:2)
I'm not sure how your version of mozilla works, but I have Firefox, and last time I checked, just hovering over the lock tells me which CA signed the ssl cert for the current website I'm visiting. I have to make the effort to go to the key dialog box to find out anything else. It would be fishy if I didn't see Thawte as the CA for google.
Then again, maybe your point was they could fool people in China. They could do that anyway. They are the government, they can do all sorts of things up to and including
Re: (Score:2)
Suppose CNNIC issued themselves a phony intermediate CA certificate labeled Thawte, and then used that to issue their phony gmail certificate. Would Firefox show the inter
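Three comments in this thread ask for the same tool: the "Evidence" post wants the fraudulent certificate captured and presented, the "easy solution" post wants SSL sites scanned from inside and outside the Great Firewall and the signing CAs compared, and the question just above asks what a browser would show for a phony intermediate labelled Thawte. The example below is added for this page and is not code from any poster. It shells out to the real `openssl s_client -showcerts` command to capture a served chain, but everything that gets checked is offline: the chain walk resolves the root the chain actually terminates in (matched against the configured anchors by name, standing in for the signature check the TLS library performs), so an intermediate whose subject reads "Thawte" but whose issuer is CNNIC ROOT is recorded as CNNIC ROOT. The host names, chains and anchor set are constructed for the example.

```python
"""Capture a served TLS chain, resolve which trust anchor it terminates in,
and compare the roots recorded from two vantage points. Added example, not
from the thread; `openssl` is assumed to be on PATH for fetch_chain() only.
"""
import re
import subprocess

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fetch_chain(host, port=443, timeout=15):
    """Network call: return the served chain, leaf first, as
    [{'subject': ..., 'issuer': ...}, ...]. Keep the raw PEM blocks too if
    you intend to publish a fraudulent certificate as evidence."""
    out = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=timeout).stdout.decode(errors="replace")
    chain = []
    for pem in PEM_RE.findall(out):
        txt = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                             input=pem.encode(), capture_output=True).stdout.decode()
        fields = dict(line.split("=", 1) for line in txt.splitlines() if "=" in line)
        chain.append({"subject": fields.get("subject", "").strip(),
                      "issuer": fields.get("issuer", "").strip(),
                      "pem": pem})
    return chain


def root_of_chain(chain, trust_anchors):
    """Walk leaf -> intermediates until an issuer is one of our trust anchors.
    Returns the anchor's subject, or None if the chain never reaches one.
    Only the anchor matters: the display name of the leaf's issuer is just a
    string the CA chose, so a "Thawte" intermediate signed by CNNIC ROOT
    resolves to CNNIC ROOT here."""
    by_subject = {c["subject"]: c for c in chain}
    seen = set()
    cur = chain[0] if chain else None
    while cur is not None and cur["subject"] not in seen:
        seen.add(cur["subject"])
        issuer = cur["issuer"]
        if issuer == cur["subject"]:            # self-signed root served inline
            return issuer if issuer in trust_anchors else None
        if issuer in trust_anchors:             # next step up is a configured root
            return issuer
        cur = by_subject.get(issuer)            # else an intermediate from the chain
    return None


def record_roots(chains_by_host, trust_anchors):
    """{host: chain} -> {host: root subject or None}; save this per vantage point."""
    return {h: root_of_chain(c, trust_anchors) for h, c in chains_by_host.items()}


def diff_vantage_points(roots_a, roots_b, watch=("CNNIC",)):
    """Compare two {host: root} recordings. Report hosts whose root differs
    between networks and hosts whose root is on a watch list at either side."""
    findings = []
    for host in sorted(set(roots_a) | set(roots_b)):
        ra, rb = roots_a.get(host), roots_b.get(host)
        if ra != rb:
            findings.append(f"{host}: root differs: {ra!r} vs {rb!r}")
        for where, root in (("A", ra), ("B", rb)):
            if root and any(w.lower() in root.lower() for w in watch):
                findings.append(f"{host}: root at {where} is on the watch list: {root}")
    return findings


# Constructed sample data: one ordinary chain and one where the leaf's issuer
# is named to look like Thawte but chains to CNNIC ROOT.
TRUST_ANCHORS = {"CN=Example Root CA", "CN=CNNIC ROOT"}
SAMPLE_NORMAL = [
    {"subject": "CN=mail.example.com", "issuer": "CN=Example Intermediate CA"},
    {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA"},
]
SAMPLE_SPOOFED = [
    {"subject": "CN=mail.example.com", "issuer": "CN=Thawte Server CA"},
    {"subject": "CN=Thawte Server CA", "issuer": "CN=CNNIC ROOT"},
]

if __name__ == "__main__":
    outside = record_roots({"mail.example.com": SAMPLE_NORMAL}, TRUST_ANCHORS)
    inside = record_roots({"mail.example.com": SAMPLE_SPOOFED}, TRUST_ANCHORS)
    for line in diff_vantage_points(outside, inside):
        print(line)
```

Run `record_roots` over `fetch_chain` results from each network, store the two dictionaries, and feed them to `diff_vantage_points`. A hit is only evidence once the captured PEM of the leaf is kept alongside it: the certificate itself, not the scan output, is what a browser vendor would act on.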
Why bother, there's always opera (Score:2)
"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal." ...
Yah, sure, whatever
Re:Why bother, there's always opera (Score:4, Informative)
Of course Opera also trusts this CA. But yes, there's always Opera. ;)
my copy of Chrome accepts the CNNIC cert (Score:2)
I'm running version 4.0.249.78 on WinXP. Clicking on "[monkeywrench]/Options" brings up a dialog box. Clicking on the third tab and scrolling to the bottom of the presented list shows a button, "Manage certificates". Clicking on that button brings up the "Trusted Certificates" dialog box. Clicking on the "Trusted Root Certification Authorities" tab reveals a long list of certificates. Scroll down to "CNNIC ROOT" and double-click on its entry to bring up your third dialog box, "Certificate". Click on t
Re: (Score:2)
It's not really about Chrome. Chrome just uses the centralized certificate store provided by the OS where one is available - e.g. Windows, OS X - and both of those have CNNIC as trusted out of the box.
Re: (Score:3, Funny)
"Is there an add-on that does this automatically?"
There supposedly is, except its certification is provided by CNNIC...
Re: (Score:2)
Certificate Authority. Dur.