Mozilla Accepts Chinese CNNIC Root CA Certificate 256
Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Was pointing towards something like a CRL. (Score:4, Insightful)
Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.
Re:Was pointing towards something like a CRL. (Score:4, Insightful)
Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.
As long as the update does not delete your local preferences it should work.
Re: As usual, please refrain from blindly chiming (Score:5, Insightful)
I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Are you saying "should Mozilla remove it?" Then the answer is probably no, becuase Mozillia is not an omni-beneficent entity. It probably helps them in some way to include it.
The question is, should individual users remove it? And yes, by the link that you provided indicating it's role in the distribution of malware. Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?
Relative security of self-signed certificates (Score:4, Insightful)
I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.
Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:
Why are self-signed certificates viewed with such relative suspicion?
It only takes a single compromised or misled CA to bypass the entire trust system. The more CAs we have, the easier it is to compromise the system.
Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)? Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA? (And it is effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.)
As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.
Re: As usual, please refrain from blindly chiming (Score:5, Insightful)
At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents. Nobody's saying you should wait to remove it. The question is, should it be removed for the safety of others?
The whole point of root certs is trust. We trust them to sign certificates which will be used, in turn, to keep our conversations private. Should CNNIC be trusted to keep conversations private? That is the question. Organizations like Mozilla put their own reputations on the line when choosing which root certs to include. Any abuse by CNNIC will be seen as a security flaw in Mozilla software. That is the issue. That is why Mozilla should care. (even if they disagree)
Evidence (Score:5, Insightful)
It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks. To perform a man-in-the-middle attack on (for example) gmail, CNNIC would have to send a fraudulent certificate to users. That certificate would be ironclad evidence that CNNIC can't be trusted, so all someone has to do is present one.
Re:Was pointing towards something like a CRL. (Score:3, Insightful)
"Telling the browser to not trust that entity at all is what I'm talking about."
Looks like time for a convenient extension.
Re: As usual, please refrain from blindly chiming (Score:4, Insightful)
If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA. Guess MITM is a game for big players.
Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection. From a security standpoint, the whole web should work the same.
It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place. For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.
So how is this different than the US based certs? (Score:1, Insightful)
I fully expect that the US government can get access to appropriate certs needed for MitM attacks when they want. It isn't hard for them to pressure US based companies to do that.
For the unwashed masses worried about commerce, I doubt the Chinese government has any more interest in messing with that than the US government. For people that are worried about being spied on, they shouldn't be trusting any of those certs on machines used for doing whatever it is that they think might get them in trouble.
Re:Was pointing towards something like a CRL. (Score:4, Insightful)
Ah, but how do we know we are actually getting the right extension? Normally that process is secured by ssl but now.... The Chinese government could man in the middle anyone who tries to install any particular extension, and feed them a crippled one instead. Implausible sure, but possible.
Re:Something more substantial than Wikipedia ? (Score:5, Insightful)
San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC.
Tell me why I should trust a Chinese court. Because the Chinese Communist Party tells me they're trustworthy? Sorry, I'm not sure I should trust the CCP. Can you provide a trustworthy source that will attest to the CCP's ethics?
Re:Does anyone notable *not* support CNNIC? (Score:4, Insightful)
> ... it extends way beyond firefox.
And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.
Re:Relative security of self-signed certificates (Score:3, Insightful)
There's no good reason to make them so inconvenient that one must pay a toll, or have no security whatsoever against passive snooping.
So when Joe Haxor manages to use a cheap DNS exploit to point www.mybank.com to his web server and then hands out a self-signed certificate 'proving' it's www.mybank.com, you really think that not having a padlock icon on the window will stop Joe Average from handing over their passwords and thereby all their money?
That's a bloody great huge reason why any self-signed certificate should require Joe Average to click through six different 'I'm sure that I'm sure that this site is really the one that I want to give my password to' rather than just pretend that it's OK.
Of course it's also true that there are now so many CAs that it's only a matter of time before 'Haxor Security Inc' starts issuing 'trusted' fake certificates for www.mybank.com.
Re:Relative security of self-signed certificates (Score:4, Insightful)
Joe Haxor will use a cheap DNS exploit to point www.mybank.com to his web server, which will not support, enable, or redirect to HTTPS. Or do you really believe that Joe Average actually types https://www.mybank.com? You're lucky if they even get the www. part in.
Sorry, self-signed certs are better than than unencrypted HTTP, and unconditional roadblocks to their use are ridiculous when anyone can impersonate anyone over simple unencrypted HTTP. Anyone can argue that they should not be given equivalent security status to CA certificates (and I agree), but actively hindering their use is stupid and actively hurts security by discouraging Joe Web Developer from trivially enabling SSL to at least stop passive snooping.
Re:Does anyone notable *not* support CNNIC? (Score:4, Insightful)
> ... it extends way beyond firefox.
And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.
Gagh. Such histrionics. Look, this isn't about all Chinese people being evil. It is about a particular country that happens to be the source of an astounding number of remote attacks, cracks, hacks and exploits on the network infrastructure of other nations. The question is whether or not those nations who are subject to China's self-serving Internet activities should aid in those efforts. Rather a foot-in-self-shoot situation really. Me, I've all but switched to Chrome anyway for most things, and this is just another reason to finish the job.
I know what you're saying when you use the phrase "yellow peril", but there is some truth to it. China is a threat on the world scene, more than at any other point in their history.
Re:Evidence (Score:3, Insightful)
It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks.
I think the issue here isn't that CNNIC is performing MitM attacks, but that it theoretically can perform one, owning a trusted certificate.
Re: As usual, please refrain from blindly chiming (Score:4, Insightful)
Not only do I not trust CNNIC, I don't trust Verisign either. Nor any of the dozens of CAs which are installed by default.
In other words, the whole CA concept is flawed.
Re: As usual, please refrain from blindly chiming (Score:2, Insightful)
Re:yes I can (Score:1, Insightful)
Great! This leads to more competition and lower prices for the American consumers. What's the problem with that?
American consumers need MONEY even to purchase cheap clones at lower prices. The fact that western politicians and western companies are selling their souls -and ours- to the China government in exchange for some quick bucks is going to destroy our economies in the long term. And then, everybody will be working in the same conditions most Chinese workers have to endure today. No rights, no unions, no national health systems, no freedoms... . That's slavery for you. Welcome back to the middle ages, comrades. The WIPO and western countries should be trying to fix this situation, instead of pushing secret treaties to protect Hollywood from file sharers. Won't happen, though :( .