Mozilla Debates Whether To Trust Chinese CA
At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."
Well in that case (Score:4, Insightful)
Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.
As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.
It's OSS (Score:5, Insightful)
Firefox is Open Source. Let the Chinese build their own version of Firefox and see who trusts them to use it.
No. HELL No. (Score:5, Insightful)
Why should Mozilla take a chance on this? If someone wants this CA, it is trivial to manually add it to Mozilla's certificates. However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla Foundation is guilty of espionage by proxy.
Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.
Configuration Option (Score:4, Insightful)
Just make it a configuration option, default NO.
Yeah, it's not the most elegant solution, but welcome to the real world, guys.
On the other hand... (Score:4, Insightful)
If the Chinese CA were stupid enough to actually perform this attack, it would be easy to gain incontrovertible evidence of their spying, as the hijacked responses would all be digitally signed with their signature.
Re:Well in that case (Score:5, Insightful)
> Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.
> As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.
I guess this is true, although considering the amount of malware coming out of China, and China's human rights record as compared to North American countries, I think there is reason not to equivocate about this.
Re:I wonder... (Score:5, Insightful)
No, they aren't. Which is the problem. The average user probably doesn't know what a security certificate is, let alone when you should, or should not, trust one. That's why we have experts debating which ones to actually trust on their behalf.
Half the first year students we have in computer science courses can't navigate to a directory (note that these are generally not core comp sci students, but taking a course on say how to use photoshop), let alone figure out what a security certificate is. That's why we need experts to design systems which are inherently as secure as is legally possible in the first place.
Re:Ask the user (Score:4, Insightful)
Actually, this debate is about the default option. You can add and delete trusted certificate authorities all you want once you install Firefox.
Options / Encryption / Advanced / View Certificates / Authorities.
Personally, I think the Chinese CAs should be unlisted in Firefox by default, and those users that want to trust them can simply say "always trust this CA" when Firefox asks. Then again, I think every CA should be treated that way. Why does Firefox automatically trust TurkTrust, Dell, the Japanese government, and the Netherlands (to randomly pick four out of the hundreds of trusted CAs in the default list)?
Actually, that has a simple answer. A nontechnical segment of the population is simply going to do exactly what they do every time you ask a security question - answer YES, ALLOW, or whatever button is stopping them from seeing the cute video of the cat puking up noodles or the boobage behind the prompt box. Bombarding them with more security questions isn't really going to increase security, it's just going to increase frustration. So you add the (hopefully!) truly trustworthy CAs to the default list, then if a user ever encounters a CA warning box it'll be unusual enough that they might pause a few seconds before pressing ALLOW, and maybe even call a neighborhood 12-year-old to check to see if it's a really good idea.
The "hopefully!" part is important. If you're making decisions for your users in the form of shipped defaults, they'd better be well-thought-out.
Re:I wonder... (Score:2, Insightful)
No. They're not capable of securing their own things. I'm not talking about the 'average' user, who may be somewhat competent, but the 'below average' user who falls for phishing schemes and virus attacks. If a 'below average' or even an 'average' user somehow learns that they need to add CAs to their browser to view certain sites, then SSL will be completely and thoroughly broken and useless. Incidentally, clicking on a link to a .pem file makes it worryingly easy to add a CA in Firefox.
But that doesn't mean that web browsers shouldn't give users a better idea of how SSL works. Users have no idea they are relying on third-party CAs to prove that the site they're connecting to is the right site, and hasn't been tampered with.
The most sensible option would be to include all the CAs by default, but mark some as "iffy". CACert.org could for example be included. If you browse to an 'iffy' website for the first time, a window will pop up explaining that your connection is verified by a certain organization, and you can 'always trust' this organization, 'trust but warn' with a *small and less-obnoxious* dialog box, or 'never trust'. Maybe they should just do this for all CAs. This is really the only way to make the user understand that they are implicitly trusting some organization, whether it be VeriSign, a non-profit CA, or a company that might be under the control of the Chinese government.
Re:Configuration Option (Score:5, Insightful)
While we're at it, can we get a paranoid install option that disables ALL CAs by default, and requires you to enable each in turn? Maybe I don't trust Verisign, and would like to pass/fail all certs on an individual basis.
China (Score:3, Insightful)
If they have done some stuff that is damning enough for companies like Google and Firefox to risk alienating such a huge market, then how can you trust anything that comes from them?
Re:Well in that case (Score:4, Insightful)
Unless your nation has a track record of spying on its citizens' web traffic, you have a much more unfounded claim.
You mean, like when the FBI put splitters [wired.com] into AT&T offices to monitor all the internet traffic going through them?
Remember, any authority that can be abused will be abused. I wouldn't trust any certificate authority to protect me against the government.
The whole CA concept is horribly broken (Score:3, Insightful)
There is no good definition of exactly what you're trusting them with, no good independent verification that their trustworthiness is deserved, and as far as I know, no legal recourse if it isn't.
I consider the whole CA system to be fundamentally broken. But a new system would be so significantly different in both character and detail that I don't know how it could ever happen. UIs would have to be redesigned. Crypto geeks would have to start thinking about usability. I think the world would have to end first.
But I consider this to be one of the reasons the concept is broken.
In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just download the certificate from the website, and then warn you if the certificate ever changed when you went back to a website that claimed the same identity. Then you'd have to trust a CA at most once.
Forgive me for belaboring the obvious... (Score:5, Insightful)
...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt. Sooner or later, you will find yourself faced with situations in which you directly or indirectly become party to unethical acts.
This is hardly limited to Google. We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods.
Re:Well in that case (Score:5, Insightful)
> As long as the Chinese CA only deals with China, I have no problems with it.
And you know that, how?
With built-in root certificates, they are automatically trusted. Unless you're examining the entire cert chain of every SSL/TLS site you access, you have no idea which trusted root signed the vendor's certificate.
No CA should be trusted by default (Score:2, Insightful)
To me, it's simple. Trust is something that should be granted by the user. A browser distribution may well include certificates for various CAs as a convenience, but generally shouldn't include any of them as trusted by default. There should be an option for the user to designate bundled CA certs (or ones obtained elsewhere) as trusted, and installers could even include an option to enable them in the install procedure.
Re:Well in that case (Score:3, Insightful)
When did I compare the US government to China? You said the US government has made mistakes. "We're not as bad as China" does not excuse those mistakes.
Personally, I care more about the abuses of the US government than those of China because I live here. Those abuses directly affect me. I'm glad we're not China, but without eternal vigilance, someday we could be.
Re:Well in that case (Score:4, Insightful)
People throw around accusations of "hate" too lightly these days. Please try not to inject hyperbole into a reasonable disagreement.
Re:Well in that case (Score:4, Insightful)
I've re-read your post and it still seems to me that you are equating FBI wire tapping with Chinese wire tapping.
When did I say those mistakes were excused?
Re:Well in that case (Score:4, Insightful)
I tend to agree that the U.S. government... the Bush government, and now the Obama government; which doesn't seem to mind what Bush put in place in this regard... has pretty much shot themselves in the foot when it comes to whether we should trust them or not with our privacy. Even going so far as ignoring the constitution.
On the other hand, the Chinese government is still an autocratic entity that frequently jails people for expressing their opinions. As bad as what the FBI has done, I am not convinced that they have abused the spirit of the constitution enough to equal what China frequently does to its own people. My first inclination is that I would say to not trust Chinese CAs. And for those who think they only apply to the Chinese themselves, you have your head in the sand at the Walmart Beach Resort. So much of our stuff comes out of China, and many companies' web sites for support and such are hosted there now. What happens if you log in with https? I think we give China too much already. Granted, with all the offshoring scumbag companies out there, my bank account info is probably on servers over there already, but why help more?
Re:Well in that case (Score:1, Insightful)
I am, however, saddened, that you call this "some mistakes".
One difference is that these were/are recognized as mistakes (now). With the Chinese government, they don't think they're doing anything wrong. Another difference is that you can openly criticize them without risk of imprisonment or being shot--you can freely fight to have the wrongs righted.
I don't think anyone is saying the US (or West) is perfect, but in a more open / transparent society there's a measure of self-correction (eventually).
(Of course we're using our own value system to say that these things are "wrong". The citizens of China may themselves have no problem with that the government is doing.)
Re:Well in that case (Score:5, Insightful)
You know what? We already know. We're all blind, we're all evil, we're all hypocrites. Including you. The world is not a comic book. It is a big messy mural in progress, with scenes of horrifying savagery and outstanding beauty. Those of us without personality issues to nurse choose to roll up our sleeves and improve the world one brushstroke at a time, rather than sit back in a battered beanbag of self-satisfaction and fling feces at the easiest targets.
Re:Well in that case (Score:3, Insightful)
A better way for the browsers to make things like this secure would be to remember the first SSL they received from the site and notify once that changes - similar to SSH.
Good idea, but it won't help much, overall. You'd either have users complaining that "My favourite site just broke!" (when it didn't) every one to three years (on average -- when the current certificate expires), or you'd have to implement it in such an unobtrusive way that the average user wouldn't even notice.
If it did what Firefox currently does for an invalid certificate, for example, it would confuse and scare users to have them load up PayPal this coming April 1st (yes, that's really the expiry date for their current certificate) and suddenly be presented by the massive, refuses-to-load-the-page warning message. Even a simple dialog box (like many other browsers) wouldn't help much -- the user would either be scared/confused, or would just get (re)trained to click through all warnings.
A slightly better (but still not very good) alternative would be to remember the root certificate in the certificate chain for each site (instead of the SSL certificate for the site itself), and only notify when that changes. It still would present problems if a website ever changed certificate providers, however, going straight back to "My favourite site just broke!".
All in all, the best option is probably still just to pick your SSL roots carefully. I can't comment on whether this Chinese root certificate is safe to include or not, since I'm not very familiar with the situation.
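The remember-the-first-certificate scheme proposed earlier in the thread, together with this post's renewal objection and its root-of-the-chain variant, in working form. This is an added example, not code from the thread or from Firefox: a trust-on-first-use pin store in Go that pins either the site's leaf certificate or the root of its chain, exercised against a constructed toy CA; the root names and the hostname are made up and nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PinStore is a trust-on-first-use store: per hostname it pins either the leaf (SSH-style) or the chain's root.
type PinStore struct {
	pinRoot bool
	pins    map[string]string // hostname -> SHA-256 fingerprint of the pinned certificate's DER bytes
}

// Check returns "new" on first sight, "ok" while the pin still matches, and "changed" when it does not.
func (s *PinStore) Check(host string, chain []*x509.Certificate) string {
	pinned := chain[0] // chain is ordered leaf first, root last
	if s.pinRoot {
		pinned = chain[len(chain)-1]
	}
	fp := fmt.Sprintf("%x", sha256.Sum256(pinned.Raw))
	prev, seen := s.pins[host]
	if !seen {
		s.pins[host] = fp
		return "new"
	}
	if prev == fp {
		return "ok"
	}
	return "changed"
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// mint builds a constructed certificate for the example; parent == nil yields a self-signed root.
func mint(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // serials play no role in this example
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// RunScenario replays one host's history: first visit, a renewal by the same toy CA, then a chain with a different root.
func RunScenario(pinRoot bool) (renewal, rootChange string) {
	store := &PinStore{pinRoot: pinRoot, pins: map[string]string{}}
	root1, key1 := mint("Toy Root 1", nil, nil)
	root2, key2 := mint("Toy Root 2", nil, nil)
	host := "shop.example.test" // constructed hostname
	first, _ := mint(host, root1, key1)
	store.Check(host, []*x509.Certificate{first, root1}) // first visit: pin stored
	renewed, _ := mint(host, root1, key1)                // same CA, fresh leaf certificate
	other, _ := mint(host, root2, key2)                  // another root vouches: CA switch or impostor, indistinguishable here
	return store.Check(host, []*x509.Certificate{renewed, root1}),
		store.Check(host, []*x509.Certificate{other, root2})
}

func main() {
	fmt.Println(RunScenario(false)) // changed changed
	fmt.Println(RunScenario(true))  // ok changed
}
```

With leaf pinning the routine renewal already reports "changed", which is the "my favourite site just broke" case; root pinning survives the renewal but cannot tell a legitimate CA switch from an impostor CA vouching for the same host.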
Re:Well in that case (Score:3, Insightful)
> I've re-read your post and it still seems to me that you are equating FBI wire tapping with Chinese wire tapping.
Well, for one, I thought it was the NSA that put in the splitters, not the FBI. And, to my knowledge, the differences between the American wiretapping and the Chinese wiretapping are thus:
* Americans ostensibly are looking for terrorists. They apparently compile reports that talk about terrorist "chatter" indicating some kind of crazy keyword-mining system. This may include an analysis of phone calls, as well. As far as anyone knows, they sniff ALL internet traffic. We know it exists, but the details are all classified and most of the conclusions about its capabilities are based on what little public data there is (e.g. it's guesswork to say that there's keyword mining, but it's hard to understand all those reports about changes in the amount of "terrorist chatter" unless they have something like that). Whatever oversight exists is lax, because even members of Congress didn't know the details when it came to light.
* The Chinese are looking for dissidents and attempting to make society more "harmonious" by squelching those who complain. Their system is publicly acknowledged and widely known. The capabilities of the "Great Firewall of China" are well-known (e.g. how it inserts RST packets to disrupt communication with blocked sites). We also know that they monitor and censor communication on an ad hoc basis. They have the "fifty cent party" to post things advocating the government's view online.
Basically, I'd say that wiretapping is wiretapping, but the US has more noble goals and far less oversight. So if you want to decide which one is better or worse, you'd have to know whether the abuse we don't know about (if it exists--and it almost certainly does) is worse than the abuse we don't know about.
Anyhow, it's definitely true that I trust the American government far more than the Chinese government. But all those things (e.g. tank man) have nothing to do with internet censorship, which is the only thing I'm even attempting to compare here. Tank man, as we should all know, was not caught due to internet wiretapping. You don't have to say that you're excusing the retroactively authorized American wiretapping, incidentally. If you come along and derail things by dragging up evil things done by the Chinese government that have nothing to do with internet censorship, you do that whether you intend to or not.
Of course, you still can't simply equate the two, true. And the Chinese government has more openly abused their powers. But I'm not especially comfortable with either case. Some part of me fears where this is heading. I think that we'll eventually have internet "borders" (national firewalls) in the name of protecting ourselves and those will open up all kinds of new issues. You could see things like no longer being able to communicate with Cuba, Iran & co., and yes, there would still be "data smugglers" who let you VPN your way past barriers. The fact that something like that is expensive and ineffective usually means that it's only a matter of time until governments implement it. National firewalls could then block all the sites they hate (e.g. The Pirate Bay). And the minor fact that that would be unconstitutional? Well, we'll just write this amendment allowing them in the name of protecting people from "internet terrorists" ...
So what I'm saying is that we should condemn all such abuses of power. Certainly, China should come under harsh condemnation for what they've done to hurt and defame those who threaten the corrupt. But we can't simply ignore what happens in America, even if it's supposed to protect us from actual bad guys. Mission creep shows us that it will, eventually, expand beyond that, and I already hate the fancy dances they do to get around the Constitutional problems (e.g. we'll use national security to keep you from knowing if we violate your privacy in practice, border search exemptions to give us a plausible cover [even if we appear to search more than just international traffic], and data sharing so that we'll let other countries spy on you on our behalf while we do the same for them).
Re:Well in that case (Score:3, Insightful)
How can you compare these incidents to the murder of 30 million?
No one said the US is perfect, but China has a long way to go before it can claim the same level of "imperfection".
At least someone else remembers Tiananmen (Score:4, Insightful)
Well, Beardo, it's good to see one other sane person on the boards.
Current leader Hu Jintao was among those who ordered the Massacre at Tiananmen Square. As someone who saw Tiananmen live on CNN, it's disturbing to me to hear how many other people think "Well, it's been 20 years since those men killed three thousand kids. I'm sure they're trustworthy by now..."
Can you imagine if Osama Bin Laden were a major trading partner of ours in 2020? It'd be a roughly analogous situation.
Re:Well in that case (Score:4, Insightful)
Maybe you should start by not going to WalMart and buying anything made in China or having a part made in China.
Re:At least someone else remembers Tiananmen (Score:3, Insightful)
No, it wouldn't be roughly analogous. Tiananmen Square didn't see thousands of Americans die and wasn't an explicit attack on America.
Osama Bin Laden being a major trading partner of America in 2020 would be more like America and Japan or Germany being major trading partners in the 1960s.
Re:Well in that case (Score:5, Insightful)
That way of arguing will get you nowhere. Most of the stuff we buy from China is cheaply manufactured consumer goods, made in factories staffed by labourers who come mainly from the rural northern and central regions of the country. The problem with buying goods from China is not human rights, but the lack of regulation and protection of labour and the environment in general (and also the devalued currency due to capital controls in China). Why? Because this is what puts goods from the developed countries at a disadvantage. We are in effect exporting pollution and bad treatment of labour through this.
The only way for China to get any semblance of the human rights that are available in the industrialized nations is for the Chinese people to fight for them. Think back on how long it took for rights to develop in England, for example, from the Magna Carta, to the Bill of Rights, to the development of Universal Suffrage and the Welfare State (no, it's not socialism). Now, when the conditions will be right, I'm not so sure. But those in the know would definitely point to Hong Kong and Taiwan as possible catalysts for this. Hong Kong is scheduled for Universal Suffrage in 2017, but many in the territory are trying to speed up the process while Beijing is trying to slow it down (as they fear it is a destabilizing factor to one-party rule in the mainland).
Jack the Ripper didn't kill any Americans... (Score:4, Insightful)
...so it's OK to hire him as a babysitter here?
We didn't do business with Nazi Germany or Imperial Japan in 1960. We utterly dismantled those countries, hung their leaders and rebuilt them from scratch before the first dollar changed hands.
Now, if that's what you're proposing for the current murderous regime in China, I could get behind that...
Re:Well in that case (Score:2, Insightful)
Right, because real slavery never existed anywhere outside of China, especially not in the US. High safety standards and respect for human rights have always been paramount in the American Industrial Revolution, right from the very beginning.
And of course we can say that without a doubt, a massive trade embargo will help the plight of the Chinese citizenry.
So, you are comparing the States from a century and a half ago with modern China? Somehow it doesn't seem fair. The same about safety standards. Following your reasoning, we couldn't be against cannibalism cos some of our ancestors were cannibals once.
> And of course we can say that without a doubt, a massive trade embargo will help the plight of the Chinese citizenry.
I can say without a doubt that the present situation is not helping them at all, just giving their government big incentives for enslaving their people, and in the process destroying the economy and workers' rights in the western world.
Here's how you know... (Score:4, Insightful)
...your moral compass has broken. When you can propose a plan of action that's "cold and uncaring," and you plan to do it anyway; that's when you know your conscience has gone down for the count.
No, it does not matter to me in the least that it was just a bunch of foreigners that died. I've spent too much of my life abroad to believe that only American lives count. Perhaps the fact that my children carry dual citizenship has something to do with that.
As for this being a "matter of internal security" to the Chinese, I would have thought a denizen of Slashdot would know their Star Trek better than to accept that.
As for how we would feel if the shoe were on the other foot, I would HOPE that other nations would boycott us if it turned out that, for instance, President Obama had personally ordered those men to fire at Kent State. If we found out that President McCain had personally led Charlie Company during the My Lai Massacre, then I would HOPE we would be ostracized.
As for Japan and Germany not trading with us -- Have you been to those countries? They DON'T trade with us until they know they've got the better end of the bargain. Germany and Japan are a hell of a lot smarter than we are about trade. I can personally assure you from long experience that Japan doesn't let go of a single yen without absolute proof it's a better deal for them than the other guy.
I yearn for the day that my country is as smart about trade as Japan is.
Re:On the other hand... (Score:3, Insightful)
Even worse for the CA (and that is imho the main reason we can trust a CA, Chinese or American or wherever it is from) is that if this trust is breached, it is breached forever. There is a lot to lose by losing that trust, and little to gain (in the long term).
Re:Well in that case (Score:1, Insightful)
> Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.
> As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.
> I guess this is true, although considering the amount of malware coming out of China, and China's human rights record as compared to North American countries, I think there is reason not to equivocate about this.
There are many, many countries and non-white people the world over who have a thing or two to say about the "human rights" records of "North American countries".
Pssst, your bias is showing.
Re:Well in that case (Score:2, Insightful)
Sorry, but I just don't buy the "dropping the nukes saved lives" idea. It's hindsight speculation. Why didn't they at least try dropping them on a naval fleet first? If it didn't work, then perhaps move on to dropping them on a civilian population.
Re:No trust. (Score:2, Insightful)
They are not mad, they just don't have a process for dealing with entities that lie in their application and have immense resources to make those lies appear as truth.
As a related rant, this is a universal problem in the US and other western countries. You have never seen a really evil government in your lives, and you can't begin to imagine what it looks like. You think Obama/Bush/whoever is evil, when they are just misguided, dishonest or stupid. A really evil government does not bother about trying to answer; they just send the troops to make questions go away.
Re:China (Score:3, Insightful)
As I see it, judging China by Tiananmen Square and the Google hacks is like judging the U.S. by Vietnam and the Patriot Act.