Mozilla Debates Whether To Trust Chinese CA

At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."

Re:Why not change of certifcation notification?

[jhantin]

Have a look at Perspectives [cmu.edu]: an approach to detecting MITM attacks by comparing the keys visible from other vantage points on the net.

Re:Configuration Option

[natehoy]

This already IS a configuration option with a default "no". If a CA does not appear on the list (Options / Advanced / Encryption / View Certificates / Authorities) you will be asked when you first encounter a certificate registered with that CA. You can then choose to "Trust this once", "Trust always", or "Do not trust" (the actual text of the options may vary).

Firefox is debating whether to add it as an entry in a user-configurable list. Obviously, your answer is "no, don't". :)

CAcert ?

[Antiocheian]

I'll ask you the same question I asked CAcert some years ago: "who is going to take responsibility, and what is he going to lose, if your security is compromised ?"

Wow, just wow.

[yttrstein]

The authenticity of certs no longer matter, and I'm frankly astonished that neither mozilla nor slashdot has ever heard of ssl taps, an *enormous number* of which are currently active in Chinese public networks.

It's a man-in-the middle thing, and I run them at work. They're very easy to configure, and if you really know what you're doing, you can "legitimately" fake the identity of any cert you want, and every single byte of your traffic is sniffable to whoever runs the tap.

Re:Well in that case

[boombaard]

And the US government condoned not giving blacks treatment for syphilis even though it was readily available and known to work [wikipedia.org], as well as testing vaccines and seeing how Hepatitis-C infections progressed in on mentally retarded children, [wikipedia.org] sterilized them [wikipedia.org], locked up its Japanese citizens in concentration camps during and after WWII, allowed state-sponsored racism at least until 1964, and is currently feeding Illinois state prisoners a diet that is known to cause organ failure [westonaprice.org]
Isn't this a href= thing fun? I can go on all day. I am, however, saddened, that you call this "some mistakes".

Re:Well in that case

[DeadCatX2]

Finding examples of how China went off the deep end does not justify some of the terrible things that have been perpetrated in the name of the United States by "government" employees, some of which are comparable to some terrible things that China has done, especially if you consider how we treat people of other countries.

No one country has a monopoly on evil psychos. Yes, we're better than them, but still flawed. However, if playing "out of sight, out of mind" helps you sleep at night, then I'm sure any number of examples I could come up with won't affect your opinion.

Tuskegee Syphilis Study. Cornelius Rhoads. The Pellagra Incident. Operation Paperclip. Program F. MKULTRA. CIA LSD experiments, and other parts of the "CIA's Family Jewels". Funding the mujahideen that later grew up to be al-Qaeda. Overthrowing the democratically elected government of Iran in the 50s. Selling Saddam Hussein chemical weapons, knowing full well he would use them on the Iranians. Lying about Iraq's WMD. Dropping bombs on multiple wedding parties in Afghanistan (six the last time I checked). Dropping two nuclear bombs on civilians in Japan.

Re:Well in that case

[DeadCatX2]

Wow, I looked into the claim about killing 30 million of its citizens. I can't believe you'd use this as an example of their evil. From what I read, it looks like they just made some stupid decisions and it lead to widespread famine. Much different than taking 30m citizens out back and putting one between the eyes of each.

Re:Well in that case

[SpaceLifeForm]

That was NSA, not the FBI.

Link [arstechnica.com]

Re:Well in that case

[Anonymous Coward]

I shouldn't even justify this absurdity with a response, but it's my moral duty to make sure people know what's going on in the world.

First the good news, the FBI was not sending US citizens to Guantanamo for voicing opinions during our election. Second, yes I do know because we have free press and unregulated internet access. These are important things for precisely this reason. China has neither.

Third, and most important, the Chinese government does imprison dissidents. There's a whole Wiki list on the subject for chrissake.

http://en.wikipedia.org/wiki/List_of_Chinese_dissidents [wikipedia.org]

Re:Well in that case

[Anonymous Coward]

As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.

Ah, Grasshopper, you lack imagination;

        1. You forget that any CA can sign for any web site.
                So that both CA.us and CA.cn can independently sign for https://ebay.com/

        2. You forget that non-security people think defaults are, and always will be,
                your friend; including that CA list in Windows and in your browser.

        3. You forget that the Huawei switch your PC is connected to, behind your
                proxy/firewall, is just as capable of presenting a CA.cn signed ebay.com
                cert to MITM your connection, from the US to the US, with your trust left
                completely in tact.

Re:Well in that case

[theshowmecanuck]

And I forgot to add that I disagree with the OP's sig that patriotism is bigotry. While I am not a big fan of deGaulle (let's just say I would have preferred we left him in Dunkirk [wikipedia.org] when the Germans arrived), proving the "exception to the rule" rule, he said one smart thing:

"Patriotism is when love of your own people comes first; nationalism, when hate for people other than your own comes first." -deGaulle

Nationalism is bigotry. Nationalism leads to ethnic cleansing, even in the form of language [www.ctv.ca] laws [wikipedia.org]. The statement is true even though it is completely at odds with his bullshit behaviour in Quebec in 1967 where he supported nationalism (and stuck his nose in Canada's affairs... and pissed off enough people that he had to fly home early leaving the ship he came in to sail home without him... and earning him the status of "rectum non grata" in Canada).

Re:Well in that case

[sp3d2orbit]

WTF? Who is justifying the terrible things done in the US. Reread the my post, I specifically said the US has made mistakes.

The Chinese government is less trustworthy than the US government. Hands down. End of story.

Re:It's OSS

[Anonymous Coward]

For Windows builds, the installers are Authenticode signed - you can check the signature from the properties dialog of the file. This pushes the cert you need to trust to the ones Windows trusts.

If you can't trust your OS anyway, then you're already screwed and what certs your browser trusts is irrelevant.