Mozilla Accepts Chinese CNNIC Root CA Certificate
Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Given they've bowed to Chinese pressure (Score:5, Interesting)
...is there a straightforward way to mark CNNIC as untrusted?
Disagree with the premise. (Score:5, Interesting)
I am not sure I agree with this. When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.
Something more substantial than Wikipedia ? (Score:5, Interesting)
"surfaced claims of malware production and distribution"
This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:
"CNNIC produces one of the best-known malwares in China: the Chinese-Language-Surfing Official Edition(). The software is frequently bundled with other adware/sharewares. It was declared malware by Beijing Network Industry Association() and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard(360), an anti-virus software. San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC."
Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.
Why is CNNIC untrustworthy ? In plain English please.
Re:Something more substantial than Wikipedia ? (Score:4, Interesting)
Are you saying the court system in China is (A) open, fair, and impartial, particularly when it judges a case involving (B) the Chinese Govt vs a defendant anti-spyware company?
Re: As usual, please refrain from blindly chiming (Score:2, Interesting)
Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?
Because Mozilla is capable of doing it and most computer users are (effectively) not.
Because we care about what happens to the internet.
Because it's going to be our mom's machine, and we'll have to fix it.
Re:Was pointing towards something like a CRL. (Score:3, Interesting)
What is ironic is that I can do this in IE with no problems. I drag a certificate to the untrusted store, either systemwide or as a user, and even if root certs are updated, that cert remains untrusted.
Re:Was pointing towards something like a CRL. (Score:1, Interesting)
No, they can't...at least not if you do the extra leg work necessary to check the certificate yourself. Adding their CA cert to the browser only gives them the ability to generate certificates that are accepted based on that CA cert. You can still view the certificate information to see which CA cert originated the certificate being used to secure your session.
Try it yourself. Go to https://addons.mozilla.com/ [mozilla.com] and examine the cert. You'll see that it was issued by Verisign. Any certificate issued by CNNIC would show up as being issued by CNNIC. If you verify that the certificate that secures the session used to pull the extension originated from a historically-trusted CA rather than this new, suspect, CA, you can be sure that the Chinese government has not used the inclusion of the CNNIC CA certificate to perform a MitM attack on that session.
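The manual issuer check described in the comment above, automated as an added example that is not part of the original thread. The host name, CA names and the `EXPECTED_ISSUERS` policy are hypothetical, and the two sample certificates are constructed in the shape `ssl.getpeercert()` returns.

```python
import socket
import ssl

# Hypothetical policy: issuer organizations the user expects for each host.
EXPECTED_ISSUERS = {"addons.example.test": {"Example Trusted CA"}}

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the chain-validated leaf certificate as the dict getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """Return organizationName from the nested RDN tuples in cert['issuer']."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def check_issuer(host, cert, policy=EXPECTED_ISSUERS):
    """Return (ok, issuer_org); a host with no policy entry is never ok."""
    org = issuer_org(cert)
    return (org in policy.get(host, set()), org)

# Constructed samples in the shape ssl.getpeercert() produces (not real certificates).
SAMPLE_EXPECTED = {
    "subject": ((("commonName", "addons.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Class 3"),)),
}
SAMPLE_UNEXPECTED = {
    "subject": ((("commonName", "addons.example.test"),),),
    "issuer": ((("countryName", "ZZ"),),
               (("organizationName", "Unexpected Root Org"),),),
}

if __name__ == "__main__":
    for cert in (SAMPLE_EXPECTED, SAMPLE_UNEXPECTED):
        print(check_issuer("addons.example.test", cert))
```

`getpeercert()` reports only the leaf certificate's immediate issuer, which is often an intermediate CA rather than the root, so the policy has to list the issuer names actually seen for each host.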
Re:Does anyone notable *not* support CNNIC? (Score:1, Interesting)
Chrome does not.
This looks wrong. On my install of Chrome 4.0.249.78 on Windows XP, under:
Customize and control Google Chrome -> Options -> Under the Hood -> Manage certificates -> Trusted Root Certification Authorities
I see in the alphabetized list:
CNNIC ROOT / CNNIC ROOT / 4/15/2027 / CNNIC Root
Is this a Windows or Chrome thing?
Something strange about the entry: Under the "Advanced..." button all thirty or so purposes except "Client Authentication" and "Secure Email" are enabled. However, clicking on the "View" button shows a shorter list of purposes but that shorter list includes "Protects e-mail messages" and "Secure Email". Which list is right?
Re:restricting it to *.cn would make sense (Score:5, Interesting)
Seeing as China makes lots of the core internet routers these days (with quickly growing market share) there is every reason to assume we're getting man-in-the-middle pwned.
I'm not in *.cn, and I'm not visiting *.cn, so why in Hell should this certificate apply to me? If suddenly www.adobe.com is signed by China, there sure is a problem!
It's funny, you know ... if we were all buying high-end routers from Russia everyone would be flipping out about security. But China makes inroads on that market (with the obvious intention of dominating it) and nobody really seems too upset. You have to assume that a hostile totalitarian state might try to exploit that advantage in some way.
Weird. And I always thought denial was a river.
Re:Centralized key distribution hierarchy failure. (Score:3, Interesting)
There are different failure modes.
If you know that the victim has not visited a given site before you can MITM them undetectably, but the attack doesn't scale. On the other hand the centralized key distribution hierarchy is vulnerable to widespread undetected MITM attacks if the hierarchy is compromised, where the SSH model would produce a large number of suspicious reports in that scenario... leading to the unmasking of the perpetrator.
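The two failure modes contrasted in the comment above, shown with an SSH-style pin store as an added example that is not part of the original thread. The `PinStore` class, the host name and the byte strings standing in for DER certificates are all hypothetical and constructed.

```python
import hashlib
import json
import os
import tempfile

class PinStore:
    """known_hosts-style store: host -> SHA-256 fingerprint of its certificate."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, host, cert_der):
        """Return 'first-use', 'match' or 'CHANGED' for this host's certificate."""
        fingerprint = hashlib.sha256(cert_der).hexdigest()
        known = self.pins.get(host)
        if known is None:
            # Nothing to compare against: the certificate is accepted and pinned.
            self.pins[host] = fingerprint
            with open(self.path, "w") as fh:
                json.dump(self.pins, fh, indent=2)
            return "first-use"
        return "match" if known == fingerprint else "CHANGED"

def demo():
    """Run a returning client and a fresh client against constructed certificates."""
    host = "shop.example.test"                      # hypothetical host
    site_cert = b"constructed DER bytes: site key A"
    swapped_cert = b"constructed DER bytes: interposed key B"
    with tempfile.TemporaryDirectory() as tmp:
        returning = PinStore(os.path.join(tmp, "returning.json"))
        results = [
            returning.check(host, site_cert),       # first visit pins key A
            returning.check(host, site_cert),       # later visit, same key
            returning.check(host, swapped_cert),    # substituted key is flagged
        ]
        # A client that never visited before has no pin, so the substituted
        # certificate is accepted silently: the non-scaling case in the comment.
        fresh = PinStore(os.path.join(tmp, "fresh.json"))
        results.append(fresh.check(host, swapped_cert))
    return results

if __name__ == "__main__":
    print(demo())
```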
Re:Centralized key distribution hierarchy failure. (Score:1, Interesting)
Firstly, SSH requires out-of-band key exchanges. You know, like over a USB stick or something. There is no secure certificate exchange. So, in other words, no-one could ever get the certificates for 99.9% of websites.
Secondly, keys *do* change all the time; as they should. No matter how many bits you use, your certificate shouldn't go more than a few years without being renewed, or you put the key at risk of attack.
Thirdly, there would be no mechanism for revoking a certificate once compromised.
In short, no. Put more thought into what the systems you are proposing are actually trying to achieve.
Re:The role of SSL/TLS (Score:3, Interesting)
Uh, no. It guarantees against eavesdropping as well.
No. They can now put anything on the web _as any name they like_ and verify that the authorized user of that name did so. For instance, they can put up their own "www.gmail.com" site that verifies as real; it can even say the certificate was issued to Google.
Re: As usual, please refrain from blindly chiming (Score:2, Interesting)
Re:Was pointing towards something like a CRL. (Score:4, Interesting)
This will work, but the certificate is still "trusted" in a sense. The best way is, as the parent noted, to use the Certificates snap-in in MMC to move the certificate to the Untrusted store. Doing so permanently removes trust for that certificate and, thus, all of the certificates that chain to it. This approach is also useful in that it blocks trust of the certificate for any purpose by any program that uses the cryptographic functions in Windows for verifying certificate trust.
Re: As usual, please refrain from blindly chiming (Score:3, Interesting)
They can only do so by replacing the key with something new, which probably generates a big security warning, and then they have to reencrypt it with the old key, so they do have to intercept communication and not just listen in.
I don't know if you should be concerned about that yet, unless you're Chinese (in which case what is the alternative? only trust American businesses with American CAs?)
Re: As usual, please refrain from blindly chiming (Score:4, Interesting)
Re:Something more substantial than Wikipedia ? (Score:3, Interesting)
Agreed--I'd like to see some real evidence too (Chinese language is fine). As far as I can tell, this is the story: CNNIC does have a "Chinese Language Surfing [cnnic.net.cn]" product, which enables the use of Chinese domain names, among other things. (ICANN approved non-ASCII ccTLDs late last year, but the Chinese have been using browser plugins and the like to get the same effect for years. This probably isn't the best article about it, but it was what came up when I tried to search for an article that explained it: China's New Domain Names: Lost in Translation [circleid.com].)
AFAICT, "Chinese Language Surfing" isn't malware--it does what it says it does. However, it does seem unusually protective of itself once installed--but not to the point that the uninstaller doesn't work. Also, while CNNIC doesn't endorse this, apparently "Chinese Language Surfing" gets automatically installed (without user consent) by other programs. This has led to some antimalware-software vendors listing it as malware. E.g., MS calls it BrowserModifier:Win32/CNNIC [microsoft.com], and has this to say about it:
FWIW, I tried installing CNNIC's product in a virtual machine while running Sysinternals' ProcMon, and didn't spot anything super-suspicious--it did install a driver as MS said, which did seem excessive. And it did add a menu item to IE, but it didn't cause me to get any more popup ads. Seemed well-behaved, as far as I could tell (not that I spent much time with it). I then uninstalled it, and it seemed to remove itself cleanly, including the driver.
Personally, I would definitely be annoyed if it got installed without my consent, but the program itself does not meet my definition of "malware". Now if anyone has evidence that it's secretly nefarious and does more than what it claims to, please post the details.