Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Mozilla Security Technology Your Rights Online

Mozilla Accepts Chinese CNNIC Root CA Certificate 256

Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
This discussion has been archived. No new comments can be posted.

Mozilla Accepts Chinese CNNIC Root CA Certificate

Comments Filter:
  • by gad_zuki! ( 70830 ) on Tuesday February 02, 2010 @05:44PM (#31002258)

    Wow, youre so new here, youre still dripping wet and covered in placenta.

    • by Actually, I do RTFA ( 1058596 ) on Tuesday February 02, 2010 @06:11PM (#31002534)

      I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

      Are you saying "should Mozilla remove it?" Then the answer is probably no, becuase Mozillia is not an omni-beneficent entity. It probably helps them in some way to include it.

      The question is, should individual users remove it? And yes, by the link that you provided indicating it's role in the distribution of malware. Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?

      • Exactly. The spoon and the knife are already laid out.

      • by gd2shoe ( 747932 ) on Tuesday February 02, 2010 @06:23PM (#31002652) Journal

        At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents. Nobody's saying you should wait to remove it. The question is, should it be removed for the safety of others?

        The whole point of root certs is trust. We trust them to sign certificates which will be used, in turn, to keep our conversations private. Should CNNIC be trusted to keep conversations private? That is the question. Organizations like Mozilla put their own reputations on the line when choosing which root certs to include. Any abuse by CNNIC will be seen as a security flaw in Mozilla software. That is the issue. That is why Mozilla should care. (even if they disagree)

        • Re: (Score:3, Funny)

          by Cederic ( 9623 )

          What's a MiTH attack? Man in ..?

          • Re: (Score:3, Funny)

            by Anonymous Coward

            What's a MiTH attack? Man in ..?

            Man in The Hat [xkcd.com]

          • What's a MiTH attack? Man in ..?

            It's an attack that doesn't actually exist, e.g., one that is "mithical". Of course, a mith is as good as a mile anyways.

        • Re: (Score:3, Interesting)

          by kestasjk ( 933987 ) *
          Doesn't Firefox warn you if a key for a certain domain suddenly changes to something different? Remember these guys sign keys, they say "this guy is who he says he is", does that really give them the power to listen in on people?
          They can only do so by replacing the key with something new, which probably generates a big security warning, and then they have to reencrypt it with the old key, so they do have to intercept communication and not just listen in.

          I don't know if you should be concerned about that
          • by u38cg ( 607297 ) <calum@callingthetune.co.uk> on Wednesday February 03, 2010 @03:52AM (#31007376) Homepage
            Not if it continues to be signed back to a root, which is the point. A previous employer of mine had its own root cert in our (IE6) browsers and I only noticed after a similar, related discussion on Slashdot caused me to look. I removed it temporarily and yep, all https traffic was being MITM'd. Given the nature of the organisation, it was understandable that they had to be able to audit such traffic, but that doesn't excuse them not talking about it. I later mentioned it to a 2nd line tech who was doing something unrelated and it was news to him, too.
      • by Anonymous Coward on Tuesday February 02, 2010 @06:42PM (#31002874)

        If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA. Guess MITM is a game for big players.
        Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection. From a security standpoint, the whole web should work the same.

        It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place. For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.

        • If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA.

          All of them. The Chinese one might be the safest to retain.

      • Re: (Score:2, Interesting)

        by jcoy42 ( 412359 )

        Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?

        Because Mozilla is capable of doing it and most computer users are (effectively) not.

        Because we care about what happens to the internet.

        Because it's going to be our mom's machine, and we'll have to fix it.

    • by bill_mcgonigle ( 4333 ) * on Tuesday February 02, 2010 @07:09PM (#31003188) Homepage Journal

      He means, "please don't spam the Bugzilla comments unless you have something constructive to add." BMO used to block all slashdot referers at one point...

    • Re: (Score:3, Funny)

      by eclectro ( 227083 )

      Wow, youre so new here, youre still dripping wet and covered in placenta.

      And a Chinese, heavy metal laden one, at that.

  • by sethstorm ( 512897 ) * on Tuesday February 02, 2010 @05:44PM (#31002260) Homepage

    ...is there a straightforward way to mark CNNIC as untrusted?

    • Marking as untrusted (Score:5, Informative)

      by Saishuuheiki ( 1657565 ) on Tuesday February 02, 2010 @05:46PM (#31002298)

      Taken from comments section of article:

      Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there's a lot of entries there.

      One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.

      • by sethstorm ( 512897 ) * on Tuesday February 02, 2010 @05:51PM (#31002342) Homepage

        Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.

        • by micheas ( 231635 ) on Tuesday February 02, 2010 @05:56PM (#31002390) Homepage Journal

          Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.

          As long as the update does not delete your local preferences it should work.

        • Re: (Score:3, Insightful)

          by couchslug ( 175151 )

          "Telling the browser to not trust that entity at all is what I'm talking about."

          Looks like time for a convenient extension.

          • by Sir_Lewk ( 967686 ) <sirlewk@nosPam.gmail.com> on Tuesday February 02, 2010 @06:46PM (#31002936)

            Ah, but how do we know we are actually getting the right extension? Normally that process is secured by ssl but now.... The Chinese government could man in the middle anyone who tries to install any particular extension, and feed them a crippled one instead. Implausible sure, but possible.

          • If it were IE, people would be saying it's time for a new browser. If security is that big of a deal, why fight a working browser with a built-in security flaw when you can switch browsers?
        • Re: (Score:3, Interesting)

          by mlts ( 1038732 ) *

          What is ironic is that I can do this in IE with no problems. I drag a certificate to the untrusted store, either systemwide or as a user, and even if root certs are updated, that cert remains untrusted.

          • Re: (Score:2, Informative)

            by maxume ( 22995 )

            If I have it right, it is actually a simple thing to do, the UI is just awkward. Edits to the trust settings of the certificate will disable it and persist (another post indicates that deleting the certificate also marks it as untrusted, so even if the certificate gets added back to the system, it won't be trusted).

          • by Minwee ( 522556 ) <dcr@neverwhen.org> on Tuesday February 02, 2010 @08:54PM (#31004194) Homepage

            Select "Tools", then "Options".

            Click "Advanced", "Encryption" and "View Certificates".

            Scroll down to "CNNIC" and select the "CNNIC Root" certificate.

            Finally click "Edit", uncheck "This certificate can identify web sites" and press OK until all the little windows go away.

            Now even if the root certs are updated, that cert remains untrusted.

            In IE you have to select "Tools", "Internet Options", "Content", "Certificates", "Trusted Root Certification Authorities", select the certificate you want, then click "Advanced", uncheck the "Server Authentication" role and then click "Ok", "Close", and "OK" again to finally make your change stick.

            What is ironic is that when you do that in IE with no problems, it actually takes more mouse clicks than doing the same thing in Firefox.

            • by FreelanceWizard ( 889712 ) on Tuesday February 02, 2010 @09:32PM (#31004520) Homepage

              This will work, but the certificate is still "trusted" in a sense. The best way is, as the parent noted, to use the Certificates snap-in in MMC to move the certificate to the Untrusted store. Doing so permanently removes trust for that certificate and, thus, all of the certificates that chain to it. This approach is also useful in that it blocks trust of the certificate for any purpose by any program that uses the cryptographic functions in Windows for verifying certificate trust.

          • IE uses the OS-provided shared certificate store (so does Chrome, by the way).

    • by Zocalo ( 252965 ) on Tuesday February 02, 2010 @05:51PM (#31002332) Homepage
      You could just delete the certificate yourself. "Edit, Preferences, Advanced, Encryption, View Certificates"[1]. Select the one from CNNIC and hit "Delete".

      [1] "Tools, Options, Advanced, Advanced, View Certificates" if you are on Windows, but if you are on Windows the CNNIC certificate is probably not the most significant of your security worries... :)
      • It's not there... (Score:2, Informative)

        by Anonymous Coward

        Weird thing is, I can't find it in there at all, unless I'm just blind. There's nothing that says CNNIC (or even anything obviously Chinese).

        One addendum to your directions, you have to be in the "Encryption" subtab of the Advanced tab or you won't see the "View Certificates" button.

        • by Cederic ( 9623 )

          Not just you, I don't appear to have it in Firefox 3.5.7 or Windows/IE.

          Unless I have a particular well written rootkit hiding from me that prevents display of that certificate but allows its continued use. I'm kind of guessing not.

    • by klui ( 457783 )

      If you delete the CA when it returns (not sure why it does that) its properties, when you click Edit..., will be all unchecked.

      Tools>Options...; Advanced, Encryption tab, [View Certificates]; Authorities tab, click CNNIC ROOT, [Edit...]/[Delete...].

    • Re: (Score:3, Funny)

      by data2 ( 1382587 )

      Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Authorities -> ... -> Profit

    • Conversely, is there a way to automate root cert imports into FF across tons of machines?
  • by taoye ( 1456551 ) on Tuesday February 02, 2010 @06:05PM (#31002484)
    Just wait while I go infiltrate the Chinese government to determine if they are doing bad things through CNNIC, so I can come back with evidence. While I'm at it, I'll be travelling through West Africa and I have the sum of $1,000,000,000 USD of money stashed there and I need your help to get it out of the country. I will give you 10% guaranteed.....
  • by Jane Q. Public ( 1010737 ) on Tuesday February 02, 2010 @06:08PM (#31002502)
    "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

    I am not sure I agree with this. When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.
    • If the thing is done, the actor doesn't have to do anything additional. It doesn't have to be done again, or done more. The only possible change is to undo it. Those who wish to undo it must justify undoing it, because they are the only ones who have need of an affirmative action to be taken.

      • Re: (Score:2, Informative)

        by travd ( 608286 )
        Why does there have be hysteresis to the process? That is, why does the burden of proof change once Mozilla has accepted the certificate? If you see how the process worked, it was basically the case that by the time it became relatively common knowledge that the CNNIC certificate was going be added, the time for comments had passed (not many people make the habit of trolling through Bugzilla entries or the Mozilla "RFC" page to find things they may want to comment on). If, once it became common knowledge
  • by Onymous Coward ( 97719 ) on Tuesday February 02, 2010 @06:10PM (#31002524) Homepage

    Did you notice how many CAs are in the list? How do you feel about each?

    I might recommend encouraging technologies like Perspectives [cmu.edu] to provide defense in depth.

  • by Anonymous Coward on Tuesday February 02, 2010 @06:12PM (#31002550)

    I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.

    Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:

    Why are self-signed certificates viewed with such relative suspicion?

    It only takes a single compromised or misled CA to bypass the entire trust system. The more CAs we have, the easier it is to compromise the system.

    Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)? Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA? (And it is effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.)

    As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.

    • Why are self-signed certificates viewed with such relative suspicion?

      Because the communications channel that carries the self-signed certificate is exactly the same as the one that has potentially been compromised.

      • So don't give users the lock icon, and just pretend it's an unencrypted website.

        Self-signed certificates provide no protection against MITM attacks, but they do provide protection against passive snooping which is what the parent is talking about. There is zero disadvantage to using them. You can argue the lack of some advantages all you want, but throwing tons of warnings at users for using them is ridiculous, when regular unencrypted HTTP traffic is let through fine. I am particularly annoyed at the obnox

      • by zonky ( 1153039 )
        To be honest, set your favicon to look a SSL padlock, and most people can't tell the difference anyway. Much easier to MITM http...
      • by David Jao ( 2759 )

        Why are self-signed certificates viewed with such relative suspicion?

        Because the communications channel that carries the self-signed certificate is exactly the same as the one that has potentially been compromised.

        This is far from being true, especially in modern times with the proliferation of wireless access technologies.

        In this day and age, it is extremely common for even average non-technical users to access a web site at different times using different and entirely independent communications channels. You might use a wired connection at home, a wireless hotspot in a coffee shop, 3G mobile broadband when on the road, and so on. Web browsers have always had the capability (rarely used) to cache a self-signed cer

    • by mlts ( 1038732 ) *

      Perhaps merging a PGP-like web of trust interlink with SSL security. So, if a close friend trusts foo.com as a CA, then the Web browser would assume that. If a friend dislikes blarf.com, the Web browser will pop up something saying that the CA isn't that liked among friends.

      Problem is that for /. readers, a system like this would make perfect sense. However, most people seem to just want to connect to a site, see a little padlock icon and assume that they can log into their bank safely. They don't care

    • For my personal use, I don't have a problem with the suspicion of self-signed certs. I don't intend any visitors to my https service other than the ones I personally invite, and I can guide them through the security exception process. Obviously, I'm not running a business.

      I disagree with the parent regarding the proliferation of CAs. It's true that added CAs add to the points of potential compromise. But, they're a drop in the bucket compared to the flood of self-signs we'd be dealing with. Then we'd really

  • by RalphBNumbers ( 655475 ) on Tuesday February 02, 2010 @06:21PM (#31002628)

    I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...

    If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond firefox.

    • by iammani ( 1392285 ) on Tuesday February 02, 2010 @06:36PM (#31002790)
      Chrome does not.
      • by brennz ( 715237 )
        More evidence of the Google - China fight!
      • Re: (Score:3, Informative)

        Not true. Chrome on Mac OS X does (it uses certificates from OS X store which does contain CNNIC Root).
        • Sorry, looks like I concluded too early. I tested only on Linux and it did not have CNNIC Root installed.

          Mmm strange that it does not maintain its own list of certifictes,
    • by dunng808 ( 448849 ) <garydunnhi&gmail,com> on Tuesday February 02, 2010 @07:18PM (#31003298) Journal

      > ... it extends way beyond firefox.

      And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.

      • by maugle ( 1369813 )

        What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA?

        You forgot Australia.

        Also, our government doesn't obsessively monitor everyone (Brits), attempt to cram a "3-strikes" law down our throats (French), or attempt to track down dissidents and make them "disappear" (Iranians, Chinese). So, yes, we are the good guys here, relatively speaking.

      • by ScrewMaster ( 602015 ) * on Tuesday February 02, 2010 @07:53PM (#31003674)

        > ... it extends way beyond firefox.

        And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.

        Gagh. Such histrionics. Look, this isn't about all Chinese people being evil. It is about a particular country that happens to be the source of an astounding number of remote attacks, cracks, hacks and exploits on the network infrastructure of other nations. The question is whether or not those nations who are subject to China's self-serving Internet activities should aid in those efforts. Rather a foot-in-self-shoot situation really. Me, I've all but switched to Chrome anyway for most things, and this is just another reason to finish the job.

        I know what you're saying when you use the phrase "yellow peril", but there is some truth to it. China is a threat on the world scene, more than at any other point in their history.

    • Bear in mind that the certificate store in Windows is shared across multiple applications. I don't have Firefox installed on my fully-patched Windows 7 Professional machine, and I don't have the CNNIC Root certificate in any of my certificate stores. If you have it, you've installed something that's added it or upgraded from a version of the OS that's trusted it. It most definitely isn't something that Windows trusts by default.

      My MBP isn't handy, so I can't check and see if OS X has it by default; my MBP h

  • Evidence (Score:5, Insightful)

    by Spy Hunter ( 317220 ) on Tuesday February 02, 2010 @06:27PM (#31002690) Journal

    It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks. To perform a man-in-the-middle attack on (for example) gmail, CNNIC would have to send a fraudulent certificate to users. That certificate would be ironclad evidence that CNNIC can't be trusted, so all someone has to do is present one.

    • Easier said then done. If they were going to use this for evil, they would only do so in very isolated cases for exactly this reason.

    • Re: (Score:3, Insightful)

      It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks.

      I think the issue here isn't that CNNIC is performing MitM attacks, but that it theoretically can perform one, owning a trusted certificate.

  • by Antiocheian ( 859870 ) on Tuesday February 02, 2010 @06:33PM (#31002770) Journal

    "surfaced claims of malware production and distribution"

    This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:

    "CNNIC produces one of the best-known malwares in China: the Chinese-Language-Surfing Official Edition(). The software is frequently bundled with other adware/sharewares. It was declared malware by Beijing Network Industry Association() and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard(360), an anti-virus software. San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC."

    Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.

    Why is CNNIC untrustworthy ? In plain English please.

  • I suspect that in practice simply following the SSH model would be pretty much as secure and a lot safer from this kind of attack.

    That's the model where all keys are effectively "self signed", and you don't check whether the key is signed by a trusted authority... instead you check whether the key has changed, and raise an alert if so.

    Using BOTH techniques... alerting people if the key changes whether it's self-signed or centrally signed... seems to be the best solution. That way if CNNIC wants to MITM you

    • Um.... no! The CA model exists precisely because the SSH model is vulnerable to MITM!

      • Re: (Score:3, Interesting)

        by argent ( 18001 )

        There are different failure modes.

        If you know that the victim has not visited a given site before you can MITM them undetectably, but the attack doesn't scale. On the other hand the centralized key distribution hierarchy is vulnerable to widespread undetected MITM attacks if the hierarchy is compromised, where the SSH model would produce a large number of suspicious reports in that scenario... leading to the unmasking of the perpetrator.

        • No, both models would be detectable. I would notice of my connection to Bank of America says "Signed by China Telecom."

          Letting the average user manage keys by himself means both widespread MITM is possible, and users get trained to accept keys.

          If you think Grandma shopping online would really be more secure if she managed keys herself, you've never met an end user. SSL MITMs have been fantastically rare, despite extremely widespread use by untrained masses. There's no better proof of SSL's success than tha

          • by argent ( 18001 )

            I would notice of my connection to Bank of America says "Signed by China Telecom."

            Really? Without looking, can you tell me who your connection to the Bank of America is supposed to be signed by? Do you actually check every time?

  • Write a script that goes to lots of SSL sites and checks the signing certificate. Run one copy from behind the Great Firewall. Run another from the free world. Compare the output to see if CNNIC ever shows up where it shouldn't. Found a hit? Submit it to all the browser publishers and watch the security updates fly, as CNNIC loses all authority over SSL.

    Bonus points if you can get Hillary Clinton to send a strongly-worded letter to China.

  • If you never had a chance to look at a root CA list in your browser - now may be the time. Open advanced encryption preferences and look at certificate list. These are, normally, all the CAs that your browser trusts to sign certificates for other sites (or for other signers and so on and so forth). Now - do you know who they are?
    FWIW I have never heard of most of these names, and have no reason to trust them or anything they do. The names that I know don't exactly give me the "warm and fuzzy" feeling. Equif

  • I scanned fairly quickly through the comments here but none seems to point out the obvious:

    SSL DOES NOT ATTEMPT TO GUARANTEE ANYTHING APART FROM AUTHENTICTY

    As it appears, this mob have verified their identity sufficiently for Mozilla to decide they are able to put something on the interweb and verify they put it there.

    Should I be worried - no I don't think so.

    I've just (skimmed) read the Mozilla bug entry for this and as far as I can tell all was correct.

    What exactly is the problem here? SSL is a mechanism

    • Re: (Score:3, Interesting)

      by russotto ( 537200 )

      SSL DOES NOT ATTEMPT TO GUARANTEE ANYTHING APART FROM AUTHENTICTY

      Uh, no. It guarantees against eavesdropping as well.

      As it appears, this mob have verified their identity sufficiently for Mozilla to decide they are able to put something on the interweb and verify they put it there.

      No. They can now put anything on the web _as any name they like_ and verify that the authorized user of that name did so. For instance, they can put up their own "www.gmail.com" site that verifies as real; it can even say the ce

      • by sowth ( 748135 ) *

        I'm not sure how your version of mozilla works, but I have Firefox, and last time I checked, just hovering over the lock tells me which CA signed the ssl cert for the current website I'm visiting. I have to make the effort to go to the key dialog box to find out anything else. It would be fishy if I didn't see Thawte as the CA for google.

        Then again, maybe your point was they could fool people in China. They could do that anyway. They are the government, they can do all sorts of things up to and including

        • I'm not sure how your version of mozilla works, but I have Firefox, and last time I checked, just hovering over the lock tells me which CA signed the ssl cert for the current website I'm visiting. I have to make the effort to go to the key dialog box to find out anything else. It would be fishy if I didn't see Thawte as the CA for google.

          Suppose CNNIC issued themselves a phony intermediate CA certificate labeled Thawte, and then used that to issue their phony gmail certificate. Would Firefox show the inter

  • "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
    Yah , sure, whatever ...

  • I'm running version 4.0.249.78 on WinXP. Clicking on "[monkeywrench]/Options" brings up a dialog box. Clicking on the third tab and scrolling to the bottom of the presented list shows a button, "Manage certificates". Clicking on that button brings up the "Trusted Certificates" dialog box. Clicking on the "Trusted Root Certification Authorities" tab reveals a long list of certificates. Scroll down to "CNNIC ROOT" and double-click on its entry to bring up your third dialog box, "Certificate". Click on t

    • It's not really about Chrome. Chrome just uses the centralized certificate store provided by the OS where one is available - e.g. Windows, OS X - and both of those have CNNIC as trusted out of the box.

Our OS who art in CPU, UNIX be thy name. Thy programs run, thy syscalls done, In kernel as it is in user!

Working...