
Mozilla Accepts Chinese CNNIC Root CA Certificate

Posted by kdawson
from the who-do-you-trust dept.
Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
  • by sethstorm (512897) * on Tuesday February 02, 2010 @05:51PM (#31002342) Homepage

    Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.

  • by micheas (231635) on Tuesday February 02, 2010 @05:56PM (#31002390) Homepage Journal

    > Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.

    As long as the update does not delete your local preferences it should work.

  • by Actually, I do RTFA (1058596) on Tuesday February 02, 2010 @06:11PM (#31002534)

    I take issue with the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

    Are you saying "should Mozilla remove it?" Then the answer is probably no, because Mozilla is not an omni-beneficent entity. It probably helps them in some way to include it.

    The question is, should individual users remove it? And yes, by the link that you provided indicating its role in the distribution of malware. Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?

  • by Anonymous Coward on Tuesday February 02, 2010 @06:12PM (#31002550)

    I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.

    Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:

    Why are self-signed certificates viewed with such relative suspicion?

    It only takes a single compromised or misled CA to bypass the entire trust system. The more CAs we have, the easier it is to compromise the system.

    Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)? Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA? (And it is effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.)

    As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.

  • by gd2shoe (747932) on Tuesday February 02, 2010 @06:23PM (#31002652) Journal

    At issue here is the ability of the Chinese government to run MitM attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents. Nobody's saying you should wait to remove it. The question is, should it be removed for the safety of others?

    The whole point of root certs is trust. We trust them to sign certificates which will be used, in turn, to keep our conversations private. Should CNNIC be trusted to keep conversations private? That is the question. Organizations like Mozilla put their own reputations on the line when choosing which root certs to include. Any abuse by CNNIC will be seen as a security flaw in Mozilla software. That is the issue. That is why Mozilla should care. (even if they disagree)

  • Evidence (Score:5, Insightful)

    by Spy Hunter (317220) on Tuesday February 02, 2010 @06:27PM (#31002690) Journal

    It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks. To perform a man-in-the-middle attack on (for example) gmail, CNNIC would have to send a fraudulent certificate to users. That certificate would be ironclad evidence that CNNIC can't be trusted, so all someone has to do is present one.

  • by couchslug (175151) on Tuesday February 02, 2010 @06:32PM (#31002752)

    "Telling the browser to not trust that entity at all is what I'm talking about."

    Looks like time for a convenient extension.

  • by Anonymous Coward on Tuesday February 02, 2010 @06:42PM (#31002874)

    If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA. Guess MITM is a game for big players.
    Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection. From a security standpoint, the whole web should work the same.

    It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place. For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.
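
Added example, not part of the original discussion and not Mozilla code: a minimal trust-on-first-use store for the "permanently storing the certificate" idea in the comment above, which also keeps any mismatching certificate as the kind of evidence the earlier "Evidence" comment asks for. `PinStore`, its JSON file layout and the `forum.example` host are assumptions made for illustration.

```python
import hashlib
import json
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without validating it against any CA."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Hypothetical trust-on-first-use store: "host:port" -> fingerprint, kept as JSON."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, port: int, der: bytes) -> str:
        key = f"{host}:{port}"
        seen = fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is None:
            # First contact is unauthenticated: whoever answers now gets pinned,
            # so the fingerprint should be confirmed out of band if it matters.
            self.pins[key] = seen
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "pinned"
        if pinned == seen:
            return "match"
        # Keep the unexpected certificate next to the pin file. It is either a
        # legitimate renewal or a substituted certificate; the pin is NOT updated.
        evidence = self.path.with_name(f"{host}_{port}_{seen[:16]}.der")
        evidence.write_bytes(der)
        return "mismatch"


if __name__ == "__main__":
    import tempfile
    store = PinStore(Path(tempfile.mkdtemp()) / "pins.json")
    # Constructed stand-ins for DER certificates (not real certificates).
    for der in (b"constructed-cert-A", b"constructed-cert-A", b"constructed-cert-B"):
        print(store.check("forum.example", 443, der))
```

Against a live server the input would come from `fetch_der(host)`; a "mismatch" leaves the old pin in place until the user decides which certificate is genuine.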

  • by Anonymous Coward on Tuesday February 02, 2010 @06:44PM (#31002900)

    I fully expect that the US government can get access to appropriate certs needed for MitM attacks when they want. It isn't hard for them to pressure US based companies to do that.
    For the unwashed masses worried about commerce, I doubt the Chinese government has any more interest in messing with that than the US government. For people that are worried about being spied on, they shouldn't be trusting any of those certs on machines used for doing whatever it is that they think might get them in trouble.

  • by Sir_Lewk (967686) <sirlewk@NospAm.gmail.com> on Tuesday February 02, 2010 @06:46PM (#31002936)

    Ah, but how do we know we are actually getting the right extension? Normally that process is secured by ssl but now.... The Chinese government could man in the middle anyone who tries to install any particular extension, and feed them a crippled one instead. Implausible sure, but possible.

  • by Jeremy Erwin (2054) on Tuesday February 02, 2010 @07:18PM (#31003294) Journal

    San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC.

    Tell me why I should trust a Chinese court. Because the Chinese Communist Party tells me they're trustworthy? Sorry, I'm not sure I should trust the CCP. Can you provide a trustworthy source that will attest to the CCP's ethics?

  • by dunng808 (448849) <osp@aloh a . c om> on Tuesday February 02, 2010 @07:18PM (#31003298) Homepage Journal

    > ... it extends way beyond firefox.

    And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.

  • by 0123456 (636235) on Tuesday February 02, 2010 @07:35PM (#31003482)

    There's no good reason to make them so inconvenient that one must pay a toll, or have no security whatsoever against passive snooping.

    So when Joe Haxor manages to use a cheap DNS exploit to point www.mybank.com to his web server and then hands out a self-signed certificate 'proving' it's www.mybank.com, you really think that not having a padlock icon on the window will stop Joe Average from handing over their passwords and thereby all their money?

    That's a bloody great huge reason why any self-signed certificate should require Joe Average to click through six different 'I'm sure that I'm sure that this site is really the one that I want to give my password to' rather than just pretend that it's OK.

    Of course it's also true that there are now so many CAs that it's only a matter of time before 'Haxor Security Inc' starts issuing 'trusted' fake certificates for www.mybank.com.

  • > So when Joe Haxor manages to use a cheap DNS exploit to point www.mybank.com to his web server and then hands out a self-signed certificate 'proving' it's www.mybank.com, you really think that not having a padlock icon on the window will stop Joe Average from handing over their passwords and thereby all their money?

    Joe Haxor will use a cheap DNS exploit to point www.mybank.com to his web server, which will not support, enable, or redirect to HTTPS. Or do you really believe that Joe Average actually types https://www.mybank.com? You're lucky if they even get the www. part in.

    Sorry, self-signed certs are better than unencrypted HTTP, and unconditional roadblocks to their use are ridiculous when anyone can impersonate anyone over simple unencrypted HTTP. Anyone can argue that they should not be given equivalent security status to CA certificates (and I agree), but actively hindering their use is stupid and actively hurts security by discouraging Joe Web Developer from trivially enabling SSL to at least stop passive snooping.

  • by ScrewMaster (602015) * on Tuesday February 02, 2010 @07:53PM (#31003674)

    > > ... it extends way beyond firefox.

    > And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.

    Gagh. Such histrionics. Look, this isn't about all Chinese people being evil. It is about a particular country that happens to be the source of an astounding number of remote attacks, cracks, hacks and exploits on the network infrastructure of other nations. The question is whether or not those nations who are subject to China's self-serving Internet activities should aid in those efforts. Rather a foot-in-self-shoot situation really. Me, I've all but switched to Chrome anyway for most things, and this is just another reason to finish the job.

    I know what you're saying when you use the phrase "yellow peril", but there is some truth to it. China is a threat on the world scene, more than at any other point in their history.

  • Re:Evidence (Score:3, Insightful)

    by shutdown -p now (807394) on Tuesday February 02, 2010 @10:13PM (#31004944) Journal

    > It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks.

    I think the issue here isn't that CNNIC is performing MitM attacks, but that it theoretically can perform one, owning a trusted certificate.

  • by elronxenu (117773) on Wednesday February 03, 2010 @02:35AM (#31006916) Homepage

    Not only do I not trust CNNIC, I don't trust Verisign either. Nor any of the dozens of CAs which are installed by default.

    In other words, the whole CA concept is flawed.

  • by fatphil (181876) on Wednesday February 03, 2010 @03:47AM (#31007356) Homepage

    Already posted (saying roughly the same thing), so I have one modpoint left that I now can't use here. It needs to be repeated. "Trusted" seems to simply mean "money changed hands".

  • Re:yes I can (Score:1, Insightful)

    by Mephistro (1248898) on Wednesday February 03, 2010 @06:50AM (#31008244)

    Great! This leads to more competition and lower prices for the American consumers. What's the problem with that?

    American consumers need MONEY even to purchase cheap clones at lower prices. The fact that western politicians and western companies are selling their souls -and ours- to the China government in exchange for some quick bucks is going to destroy our economies in the long term. And then, everybody will be working in the same conditions most Chinese workers have to endure today. No rights, no unions, no national health systems, no freedoms... . That's slavery for you. Welcome back to the middle ages, comrades. The WIPO and western countries should be trying to fix this situation, instead of pushing secret treaties to protect Hollywood from file sharers. Won't happen, though :( .
