Mozilla Accepts Chinese CNNIC Root CA Certificate
Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."
Marking as untrusted (Score:5, Informative)
Taken from comments section of article:
Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there's a lot of entries there.
One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.
Re:Given they've bowed to Chinese pressure (Score:5, Informative)
[1] "Tools, Options, Advanced, Advanced, View Certificates" if you are on Windows, but if you are on Windows the CNNIC certificate is probably not the most significant of your security worries...
delete cert? finger in dike (Score:5, Informative)
Did you notice how many CAs are in the list? How do you feel about each?
I might recommend encouraging technologies like Perspectives [cmu.edu] to provide defense in depth.
Does anyone notable *not* support CNNIC? (Score:5, Informative)
I just checked, and both Mac OS X and Windows 7 seem to trust the CNNIC root...
If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond Firefox.
It's not there... (Score:2, Informative)
Weird thing is, I can't find it in there at all, unless I'm just blind. There's nothing that says CNNIC (or even anything obviously Chinese).
One addendum to your directions, you have to be in the "Encryption" subtab of the Advanced tab or you won't see the "View Certificates" button.
Re: As usual, please refrain from blindly chiming (Score:2, Informative)
Visit the test site [www.enum.cn] and look again.
Re: As usual, please refrain from blindly chiming (Score:4, Informative)
He means, "please don't spam the Bugzilla comments unless you have something constructive to add." BMO used to block all Slashdot referers at one point...
Re:Was pointing towards something like a CRL. (Score:2, Informative)
If I have it right, it is actually a simple thing to do, the UI is just awkward. Edits to the trust settings of the certificate will disable it and persist (another post indicates that deleting the certificate also marks it as untrusted, so even if the certificate gets added back to the system, it won't be trusted).
Re:Was pointing towards something like a CRL. (Score:4, Informative)
Select "Tools", then "Options".
Click "Advanced", "Encryption" and "View Certificates".
Scroll down to "CNNIC" and select the "CNNIC Root" certificate.
Finally click "Edit", uncheck "This certificate can identify web sites" and press OK until all the little windows go away.
Now even if the root certs are updated, that cert remains untrusted.
In IE you have to select "Tools", "Internet Options", "Content", "Certificates", "Trusted Root Certification Authorities", select the certificate you want, then click "Advanced", uncheck the "Server Authentication" role and then click "Ok", "Close", and "OK" again to finally make your change stick.
What is ironic is that when you do that in IE with no problems, it actually takes more mouse clicks than doing the same thing in Firefox.
Re:delete cert? finger in dike (Score:5, Informative)
They've got a Firefox extension, too: http://www.cs.cmu.edu/~perspectives/firefox.html#install [cmu.edu]
And this conveys the idea quickly and visually... the web demo: http://moo.cmcl.cs.cmu.edu/perspectives/ [cmu.edu]
They're also looking for developers to take the project. This could be a great tool for everyone.
Re:Why bother, there's always opera (Score:4, Informative)
Of course Opera also trusts this CA. But yes, there's always Opera. ;)
Re:Given they've bowed to Chinese pressure (Score:1, Informative)
Deleting it does no good for ones that are marked "Builtin Object Token" -- they will come back when you restart. Instead "Edit" it and uncheck the trust boxes. The (lack of) trust settings are stored in your profile so updating Firefox will not affect it.
To those who don't see it, that's because you are not running Firefox 3.6, the first browser version released since CNNIC was added. The next 3.5 update will probably include it too.
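The GUI steps posted above (Edit, then uncheck "This certificate can identify web sites") and the point that the override lives in the profile rather than in the builtin root module both have a command-line counterpart in NSS certutil. The script below is an added example, not code from the thread or from Mozilla; it assumes the root's nickname is "CNNIC ROOT" (check with certutil -L -d <db>) and a standard profiles.ini layout.

```shell
#!/bin/sh
# Added example: distrust a root CA in every Firefox profile via NSS certutil.
# The trust override is written to the profile's own cert8.db/cert9.db, which
# takes precedence over the builtin root module (libnssckbi), so it persists
# across Firefox updates exactly like the GUI "Edit" change described above.
# The nickname is an assumption; list nicknames with: certutil -L -d <db>

NICK="${CNNIC_NICK:-CNNIC ROOT}"
FLAGS="${TRUST_FLAGS:-,,}"   # "SSL,S/MIME,ObjSign": ",," = no trust at all;
                             # ",C,C" mirrors unchecking only the web-sites box

# Print the profile directories listed in a profiles.ini (path in $1).
# Relative paths resolve against the ini's directory; CRs are dropped for Windows files.
profile_dirs() {
    ini="$1"; base=$(dirname "$ini"); is_rel=1
    tr -d '\r' < "$ini" | while IFS= read -r line; do
        case "$line" in
            IsRelative=0) is_rel=0 ;;
            IsRelative=1) is_rel=1 ;;
            Path=*) p="${line#Path=}"
                    if [ "$is_rel" = 1 ]; then echo "$base/$p"; else echo "$p"; fi
                    is_rel=1 ;;
        esac
    done
}

# certutil needs a "sql:" prefix for the cert9.db (SQLite) format, none for cert8.db.
db_spec() {
    if [ -f "$1/cert9.db" ]; then echo "sql:$1"; else echo "$1"; fi
}

# Modify the trust flags in place (-M). With DRY_RUN=1, or when certutil is
# not installed, only print the command that would have been run.
distrust_ca() {
    db="$1"; nick="$2"; flags="${3:-,,}"
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v certutil >/dev/null 2>&1; then
        printf 'certutil -M -d %s -n "%s" -t "%s"\n' "$db" "$nick" "$flags"
    else
        certutil -M -d "$db" -n "$nick" -t "$flags"
    fi
}

INI="${1:-$HOME/.mozilla/firefox/profiles.ini}"
if [ -r "$INI" ]; then
    profile_dirs "$INI" | while IFS= read -r dir; do
        distrust_ca "$(db_spec "$dir")" "$NICK" "$FLAGS"
    done
else
    echo "no profiles.ini at $INI; pass its path as the first argument" >&2
fi
```

Run it with DRY_RUN=1 first to see which databases would be touched; afterwards certutil -L -d <db> -n "CNNIC ROOT" should show empty trust attributes for the SSL column.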