Mozilla Debates Whether To Trust Chinese CA 276
At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."
I wonder... (Score:2, Interesting)
Seriously, shouldn't all users manage their certificate trust themselves?
If they aren't capable to do so, are they capable to actually _have_ their things secure?
Re:Well in that case (Score:3, Interesting)
Unless your nation has a track record of spying on its citizens web traffic, then you have a much more unfounded claim.
This should be default off, with an option to enable it. I certainly do not want to visit a site that has a trusted certificate whose root authority resides in China.
Re:Well in that case (Score:3, Interesting)
Remember "hackers" got a hold of signed Microsoft.com certs that would be INCREDIBLY useful for a MITM attack? Which registrar let that happen, again? Clearly they didn't do it deliberately..
Also remember back in the early days of the Internet *cough October 2009 cough cough* when certificates could be forged for any browser using MSIE's SSL library [theregister.co.uk]?
If the Chinese registry starts publishing bogus certs we can just blacklist them and it will all be a failed experiment in diplomacy.
Re:Well in that case (Score:5, Interesting)
Precisely. It's not exactly a subtle way of snooping, either. Anyone technically competent could see that the SSL has been changed.
A better way for the browsers to make things like this secure would be to remember the first SSL they received from the site and notify once that changes - similar to SSH. Yes it would be a PITA for them to implement, but once it's done, that's it, security went up a bit.
Re:I wonder... (Score:3, Interesting)
agreed. I'm not in charge of anything so my opinion on what should or should not be computer science isn't considered. Strictly speaking the courses are supposed to be about design or something, but in practice they tend to be a lot of handholding on how to do basic things in excel, photoshop or the like. When you have to teach students how to unzip files from the course webpage, you know you're not starting with the most informed lot.
And ya, those courses attract the computer illiterate, who spend half the class talking to friends on facebook and not learning basic skills. In other words: precisely the sort of person who has a computer, but doesn't know anything about using it safely.
As to the reason we offer those courses. They can attract 2000 students between all the various 'service' courses we offer. Core comp sci, maybe 300 or 400 combined. Enrollment depending on whether other departments make their students take the courses, that's at a first year level.
Re:Well in that case (Score:1, Interesting)
regardless of whether western gov spies on us too or not, there is a fundamental difference.
here we're innocent before proven guilty; there you're guilty, executed and harvested for your organs.
i'm chinese and i !don't trust! communist china in most of the things they do (regardless of how big its sovereign fund is), especially not in privacy matters.
they stole most of their technologies; they stole most of their wealth & savings from their own people producing consumable goods for us in the first world.
yes i'm an anonymous coward and proud of it. vive la liberte.
Re:Well in that case (Score:2, Interesting)
I don't think you should ever completely trust anyone you don't personally know. Hell, sometimes I even have problems with people I do know.
That said, I'm sorry but the frequency, breadth and (most importantly) consequences of snooping and blocking of internet traffic by the US and Chinese governments on their respective populations are two ENORMOUSLY different things. Finding out that a US cert auth was in collusion with unwarranted snooping on US traffic would be a serious scandal. It'd be more like business as usual in China. That makes a debate on the topic completely reasonable.
Put another way, the FBI hasn't put me in a medieval dungeon and disappeared my family for voicing my opinion during our last election.
Have the best of both worlds (Score:1, Interesting)
Why do Certificate Authorities have to be either completely trusted or not trusted at all? It couldn't be a ton of work to enable restrictions to be placed on the domains a CA is authoritative for.
Looks like there's already a thread discussing this for the Mozilla suite [mozilla.org].
Re:Well in that case (Score:2, Interesting)
You're right, I forgot how kindly a nation China is. They use slave labour to manufacture our crap (one of my former co-worker's parents were slaves in an iPod factory). They poison our kids with lead, melamine, and cadmium. It is a nation that we should cut off all trade ties with. Nothing good comes from China.
Google should have responded to their attacks with
"Did you mean "Tiananmen Square?"
for every answer and turned off SafeSearch.
Re:It's OSS (Score:3, Interesting)
SSLed checksums for the binaries... oh, wait, Mozilla doesn't bother publishing those, for some reason.
Why worry about China? (Score:1, Interesting)
My personal opinion is that this goes far beyond China. I actually trust cacert certificates more than any issued by a US corporation. Yes, China is bad, but it is really naive to think that the US government should be trusted more than China.
Trust is a mistake (Score:3, Interesting)
While I can go down the rat hole of an endless paranoia, the fact is that every time you connect to a site, there needs to be a separate path by which you can authenticate certificate for a site with peer review. Perhaps even an old fashioned phone call. Here's my organization's Md5HASH if you don't get the the same number, call for support.
The reality is that we only need a handful of trusted sites, credit card, back accounts, etc. The browser should be able to link a specific cert and authority to a specific site.
I never thought the idea of "corporations" being trusted was a good one
SSL needs to be tied to domain hierarchy. (Score:3, Interesting)
SSL CA authority needs to be tied to domain hierarchy.
This sort of domain-based-CA's should be able to be installed via DNS and DNSSEC [roysdon.net] should be continue to be rolled out, all the way to the client (browsers should have methods to verify root DNSSEC, and follow the chain).
With SSL based on domain hierarchy, you need to know only the root DNS server's DNSSEC key. Everything else flows down from that.
Then CNNIC would only control .CN. The US Gov would theoretically only control .US, .GOV, .EDU. .COM, .NET, .ORG should be run by (as much as I hate to say it) the UN.
I already put SSH key fingerprints [roysdon.net] in my DNS and verify with DNSSEC-enabled openssh/bind-resolvers. SSL and/or SSL fingerprints could easily be done, if not just the entire CA public key.
SHOW User Which Cert's Active! it's incompetent &a (Score:1, Interesting)
Show User which Cert's active: it's incompetent & beyond belief that this took this long to hit the front page...
There are lots of abusive regimes in the world, and given sufficient time, it's inevitable that ANY nation be subject to abusive regime...
The Hidden Authorization mechanism isn't secure, and is guaranteed to cost lives, eventually.
( wouldn't Stalin or Stasi have loved this gift to 'em )
Therefore, MAKE the cert visible, and if I see that my session with "google mail" is authorized by the Government Regime ( any ), then *I* can know I'm being "hit"...
No trust. (Score:2, Interesting)
Are they mad? Forgot to do some research first?
Re:Well in that case (Score:3, Interesting)
Thank you for the very interesting information, I really appreciate it. I wonder, however, if the long term effects of radiation were accounted for. I suppose in the long term it was probably less lethal for the Japanese to be have a nuke dropped on them, but that doesn't make it too much easier to rationalize...