Mozilla Debates Whether To Trust Chinese CA
At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."
Well in that case (Score:4, Insightful)
Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.
As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.
Re:Well in that case (Score:5, Insightful)
Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.
As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.
I guess this is true, although considering the amount of malware coming out of China, and China's human rights record as compared to North American countries, I think there is reason not to equivocate about this.
Re:Well in that case (Score:4, Insightful)
People throw around accusations of "hate" too lightly these days. Please try not to inject hyperbole into a reasonable disagreement.
Re: (Score:2, Interesting)
You're right, I forgot how kindly a nation China is. They use slave labour to manufacture our crap (one of my former co-worker's parents were slaves in an iPod factory). They poison our kids with lead, melamine, and cadmium. It is a nation that we should cut off all trade ties with. Nothing good comes from China.
Google should have responded to their attacks with
"Did you mean "Tiananmen Square?"
for every answer and turned off SafeSearch.
At least someone else remembers Tiananmen (Score:4, Insightful)
Well, Beardo, it's good to see one other sane person on the boards.
Current leader Hu Jintao was among those who ordered the Massacre at Tiananmen Square. As someone who saw Tiananmen live on CNN, it's disturbing to me to hear how many other people think "Well, it's been 20 years since those men killed three thousand kids. I'm sure they're trustworthy by now..."
Can you imagine if Osama Bin Laden were a major trading partner of ours in 2020? It'd be a roughly analogous situation.
Re: (Score:3, Insightful)
No, it wouldn't be roughly analogous. Tiananmen Square didn't see thousands of Americans die and wasn't an explicit attack on America.
Osama Bin Laden being a major trading partner of America in 2020 would be more like America and Japan or Germany being major trading partners in the 1960s.
Jack the Ripper didn't kill any Americans... (Score:4, Insightful)
...so it's OK to hire him as a babysitter here?
We didn't do business with Nazi Germany or Imperial Japan in 1960. We utterly dismantled those countries, hanged their leaders and rebuilt them from scratch before the first dollar changed hands.
Now, if that's what you're proposing for the current murderous regime in China, I could get behind that...
Here's how you know... (Score:4, Insightful)
...your moral compass has broken. When you can propose a plan of action that's "cold and uncaring," and you plan to do it anyway; that's when you know your conscience has gone down for the count.
No, it does not matter to me in the least that it was just a bunch of foreigners that died. I've spent too much of my life abroad to believe that only American lives count. Perhaps the fact that my children carry dual citizenship has something to do with that.
As for this being a "matter of internal security" to the Chinese, I would have thought a denizen of Slashdot would know their Star Trek better than to accept that.
As for how we would feel if the shoe were on the other foot, I would HOPE that other nations would boycott us if it turned out that, for instance, President Obama had personally ordered those men to fire at Kent State. If we found out that President McCain had personally led Charlie Company during the My Lai Massacre, then I would HOPE we would be ostracized.
As for Japan and Germany not trading with us -- Have you been to those countries? They DON'T trade with us until they know they've got the better end of the bargain. Germany and Japan are a hell of a lot smarter than we are about trade. I can personally assure you from long experience that Japan doesn't let go of a single yen without absolute proof it's a better deal for them than the other guy.
I yearn for the day that my country is as smart about trade as Japan is.
Re:Well in that case (Score:4, Insightful)
Maybe you should start by not going to WalMart and buying anything made in China or having a part made in China.
Re:Well in that case (Score:5, Insightful)
That way of arguing will get you nowhere. Most of the stuff we buy from China is cheaply manufactured consumer goods, made in factories staffed by labourers who come mainly from the rural northern and central regions of the country. The problem of buying goods from China is not because of human rights, but because of the lack of regulation and protection of labour and the environment in general (and also the devalued currency due to capital controls in China). Why? Because this is what puts goods from the developed countries at a disadvantage. We are in effect exporting pollution and bad treatment of labour through this.
The only way for China to get any resemblance of the human rights that are available in the industrialized nations is for the Chinese people to fight for them. Think back on how long it took for rights to develop in England, for example, from the Magna Carta, to the Bill of Rights, to the development of Universal Suffrage and the Welfare State (no, it's not socialism). Now, when the conditions are right, I'm not so sure. But those in the know would definitely point to Hong Kong and Taiwan as possible catalysts for this. Hong Kong is scheduled for Universal Suffrage in 2017, but many in the territory are trying to speed up the process while Beijing is trying to slow it down (as they fear it is a destabilizing factor to one-party rule in the mainland).
Re: (Score:2)
Nothing good comes from China.
That's not true. Sweet and sour sauce, duck pancakes, soy sauce, kung-po shrimp, sesame seed toast, prawn crackers.. I mean I could go on.
Re: (Score:2)
On the other hand, slavery has not been in existence in the USA for the last three generations. Anyone who "owned" a slave has been dead for a century now - so your "point" is moot.
Re: (Score:2)
As with all non-personal, purely logical decisions, it is a matter of trust and risk, big emphasis on 'RISK' assessment. On the trust side, until they fail that trust they should be trusted. On the risk side, extended prison terms for what, by far the majority of people upon a global basis, is a reasonable right to express their opinion about the nature of their government and corruption with public officials, well, that is a really big risk.
So real consideration is required, in logical non personal trust and ris
Re: (Score:3, Interesting)
Unless your nation has a track record of spying on its citizens' web traffic, then you have a much more unfounded claim.
This should be default off, with an option to enable it. I certainly do not want to visit a site that has a trusted certificate whose root authority resides in China.
Re:Well in that case (Score:4, Insightful)
Unless your nation has a track record of spying on its citizens' web traffic, then you have a much more unfounded claim.
You mean, like when the FBI put splitters [wired.com] into AT&T offices to monitor all the internet traffic going through them?
Remember, any authority that can be abused will be abused. I wouldn't trust any certificate authority to protect me against the government.
Re: (Score:2, Interesting)
I don't think you should ever completely trust anyone you don't personally know. Hell, sometimes I even have problems with people I do know.
That said, I'm sorry but the frequency, breadth and (most importantly) consequences of snooping and blocking of internet traffic by the US and Chinese governments on their respective populations are two ENORMOUSLY different things. Finding out that a US cert auth was in collusion with unwarranted snooping on US traffic would be a serious scandal. It'd be more like bu
Re:Well in that case (Score:4, Insightful)
I tend to agree that the U.S. government... the Bush government, and now the Obama government; which doesn't seem to mind what Bush put in place in this regard... has pretty much shot themselves in the foot when it comes to whether we should trust them or not with our privacy. Even going so far as ignoring the constitution.
On the other hand, the Chinese government is still an autocratic entity that frequently jails people for expressing their opinions. As bad as what the FBI has done, I am not convinced that they have abused the spirit of the constitution enough to equal what China frequently does to its own people. My first inclination is that I would say to not trust Chinese CAs. And for those who think they only apply to the Chinese themselves, you have your head in the sand at the Walmart Beach Resort. So much of our stuff comes out of China; and many companies' web sites for support and such are hosted there now. What happens if you log in with https? I think we give China too much already. Granted, with all the offshoring scumbag companies out there, my bank account info is probably on servers over there already, but why help more?
Re:Well in that case (Score:5, Informative)
And I forgot to add that I disagree with the OP's sig that patriotism is bigotry. While I am not a big fan of de Gaulle (let's just say I would have preferred we left him in Dunkirk [wikipedia.org] when the Germans arrived), proving the "exception to the rule" rule, he said one smart thing:
"Patriotism is when love of your own people comes first; nationalism, when hate for people other than your own comes first." -de Gaulle
Nationalism is bigotry. Nationalism leads to ethnic cleansing, even in the form of language [www.ctv.ca] laws [wikipedia.org]. The statement is true even though it is completely at odds with his bullshit behaviour in Quebec in 1967 where he supported nationalism (and stuck his nose in Canada's affairs... and pissed off enough people that he had to fly home early leaving the ship he came in to sail home without him... and earning him the status of "rectum non grata" in Canada).
Re: (Score:3, Informative)
Link [arstechnica.com]
Those splitters aren't for spying (Score:2)
Jeepers...talk about paranoia. Those splitters weren't put in for spying on U.S. citizens; they're only there to intercept the results from electronic voting machines and modify them according to specifications from a@#$$$R6a54@##
Re: (Score:3, Insightful)
When did I compare the US government to China? You said the US government has made mistakes. "We're not as bad as China" does not excuse those mistakes.
Personally, I care more about the abuses of the US government than those of China because I live here. Those abuses directly affect me. I'm glad we're not China, but without eternal vigilance, someday we could be.
Re:Well in that case (Score:4, Insightful)
I've re-read your post and it still seems to me that you are equating FBI wire tapping with Chinese wire tapping.
When did I say those mistakes were excused?
Re: (Score:2)
Yes, wiretapping is wiretapping. Wiretapping is not murder. I'm not sure why you brought it up.
Re: (Score:2)
In an article about China I'm not sure why you would bring up the US.
Re: (Score:2)
It was Monkeedude1212 (1560403) who brought up [slashdot.org] North American governments. Then an AC implied that NA governments didn't have a track record of wiretapping, which I corrected. All standard back and forth fare for /.
Re: (Score:3, Insightful)
> I've re-read your post and it still seems to me that you are equating FBI wire tapping with Chinese wire tapping.
Well, for one, I thought it was the NSA that put in the splitters, not the FBI. And, to my knowledge, the differences between the American wiretapping and the Chinese wiretapping are thus:
* Americans ostensibly are looking for terrorists. They apparently compile reports that talk about terrorist "chatter" indicating some kind of crazy keyword-mining system. This may include an analysis of
Re: (Score:2)
You do the exact same thing as the original poster. You lump the US and China together in "all governments".
True, you shouldn't blindly trust ANY government, but some governments are way more deserving of trust than others. Copy and paste my post here for the reasons the Chinese government is less trustworthy than the US.
Re: (Score:3, Informative)
Finding examples of how China went off the deep end does not justify some of the terrible things that have been perpetrated in the name of the United States by "government" employees, some of which are comparable to some terrible things that China has done, especially if you consider how we treat people of other countries.
No one country has a monopoly on evil psychos. Yes, we're better than them, but still flawed. However, if playing "out of sight, out of mind" helps you sleep at night, then I'm sure any
Re: (Score:3, Informative)
WTF? Who is justifying the terrible things done in the US? Reread my post, I specifically said the US has made mistakes.
The Chinese government is less trustworthy than the US government. Hands down. End of story.
Re: (Score:3, Interesting)
Thank you for the very interesting information, I really appreciate it. I wonder, however, if the long term effects of radiation were accounted for. I suppose in the long term it was probably less lethal for the Japanese to have a nuke dropped on them, but that doesn't make it too much easier to rationalize...
Re: (Score:3, Informative)
Wow, I looked into the claim about killing 30 million of its citizens. I can't believe you'd use this as an example of their evil. From what I read, it looks like they just made some stupid decisions and it led to widespread famine. Much different than taking 30m citizens out back and putting one between the eyes of each.
Re: (Score:3, Insightful)
Re: (Score:2)
The famine was an obvious and inevitable consequence.
Now it is.
Re: (Score:2)
Note, for reference, that when Stalin did exactly the same thing in the '30s, he got the same result - famine and the deaths of rather more than 10,000,000 of his own people.
Which suggests that the Chinese government had more than enough information to predict that repeating Stalin's actions might, just possibly, cause the deaths of tens of millions of Chinese.
Re: (Score:2)
Isn't this a href= thing fun? I can go on all day. I am, however, saddened, that you call this "some mistakes".
Not to bait flames: And here you are as well as sp3d2orbit, typing this for all to see without (much) fear that the (Dutch? American?) gov't will knock on your door for disturbing the peace of the population.
Isn't this free speech thing fun, even if spotty? I guess a Chinese citizen with average Internet skills couldn't get away with that for long, much less if he can't even fully trust that "secure connection" icon in his browser.
Re:Well in that case (Score:5, Insightful)
You know what? We already know. We're all blind, we're all evil, we're all hypocrites. Including you. The world is not a comic book. It is a big messy mural in progress, with scenes of horrifying savagery and outstanding beauty. Those of us without personality issues to nurse choose to roll up our sleeves and improve the world one brushstroke at a time, rather than sit back in a battered beanbag of self-satisfaction and fling feces at the easiest targets.
Re: (Score:3, Insightful)
How can you compare these incidents to the murder of 30 million?
No one said the US is perfect, but China has a long way to go before it can claim the same level of "imperfection".
Re: (Score:2)
> How can you compare these incidents to the murder of 30 million?
In their defense, they have over 4 times the population of the USA, so you should round it down to 7 million for a fair comparison. :p
Re: (Score:2)
Except that the FBI and NSA can't do a MITM with your encrypted communications like CNNIC theoretically can.
How do you know that?
Re: (Score:2)
Unless your nation has a track record of spying on its citizens' web traffic
Who did you have in mind that doesn't fit that description? I'm having a hard time thinking of anyone.
The original point was valid. Perhaps it's time to change the cert infrastructure so that two geographically and politically disparate authorities must sign them.
Or, maybe get rid of "authorities" altogether, and move to a global "web of trust," a la GPG. Forget that, I don't think I want to trust a cert just because it's accepted by 1,400,000,000 Chinese.
Re: (Score:3, Interesting)
Remember "hackers" got a hold of signed Microsoft.com certs that would be INCREDIBLY useful for a MITM attack? Which registrar let that happen, again? Clearly they didn't do it deliberately..
Also remember back in the early days of the Internet *cough October 2009 cough cough* when certificates could be forged for any browser using MSIE's SSL library [theregister.co.uk]?
If the Chinese registry starts publishing bogus certs we can just blacklist them and it will all be a failed experiment in diplomacy.
Re:Well in that case (Score:5, Interesting)
Precisely. It's not exactly a subtle way of snooping, either. Anyone technically competent could see that the SSL has been changed.
A better way for the browsers to make things like this secure would be to remember the first SSL they received from the site and notify once that changes - similar to SSH. Yes it would be a PITA for them to implement, but once it's done, that's it, security went up a bit.
Re: (Score:3, Insightful)
A better way for the browsers to make things like this secure would be to remember the first SSL they received from the site and notify once that changes - similar to SSH.
Good idea, but it won't help much, overall. You'd either have users complaining that "My favourite site just broke!" (when it didn't) every one to three years (on average -- when the current certificate expires), or you'd have to implement it in such an unobtrusive way that the average user wouldn't even notice.
If it did what Firefox currently does for an invalid certificate, for example, it would confuse and scare users to have them load up PayPal this coming April 1st (yes, that's really the expiry date f
Re: (Score:2)
Re:Well in that case (Score:5, Insightful)
As long as the Chinese CA only deals with China, I have no problems with it.
And you know that, how?
With built-in root certificates, they are automatically trusted. Unless you're examining the entire cert chain of every SSL/TLS site you access, you have no idea which trusted root signed the vendor's certificate.
subvert the dominant paradigm (Score:2)
Here's another idea: Defense in depth. Make CAs just one part of the whole picture. Another big part could be stability of certificate:
Perspectives [cmu.edu]
The idea might be quickly conveyed by the images on their web demo [cmu.edu].
They've even got a Firefox plug-in [cmu.edu].
I wonder... (Score:2, Interesting)
Seriously, shouldn't all users manage their certificate trust themselves?
If they aren't capable of doing so, are they capable of actually _having_ their things secure?
Re:I wonder... (Score:5, Insightful)
No, they aren't. Which is the problem. The average user probably doesn't know what a security certificate is, let alone when you should, or should not, trust one. That's why we have experts debating which ones to actually trust on their behalf.
Half the first year students we have in computer science courses can't navigate to a directory (note that these are generally not core comp sci students, but taking a course on say how to use photoshop), let alone figure out what a security certificate is. That's why we need experts to design systems which are inherently as secure as is legally possible in the first place.
Re: (Score:2)
design systems which are inherently as secure as is possible
Fixed that for ya.
Re: (Score:3, Interesting)
Agreed. I'm not in charge of anything so my opinion on what should or should not be computer science isn't considered. Strictly speaking the courses are supposed to be about design or something, but in practice they tend to be a lot of handholding on how to do basic things in Excel, Photoshop or the like. When you have to teach students how to unzip files from the course webpage, you know you're not starting with the most informed lot.
And ya, those courses attract the computer illiterate, who spend half
How? (Score:2)
How do I know that the server on the other end is who they say they are? Without a trusted authority, I would need to manually verify (via some other trusted form of communication) each certificate.
As long as I rely on *any* central authority, I'm dependent on that authority to remain neutral.
Re: (Score:2, Insightful)
No. They're not capable of securing their own things. I'm not talking about the 'average' user, who may be somewhat competent, but the 'below average' user who falls for phishing schemes and virus attacks. If a 'below average' or even an 'average' user somehow learns that they need to add CAs to their browser to view certain sites then SSL will be completely and thoroughly broken and useless. Incidentally, clicking on a link to a .pem file makes it worryingly easy to add a CA in Firefox.
But that doesn'
CAcert ? (Score:2, Informative)
I'll ask you the same question I asked CAcert some years ago: "who is going to take responsibility, and what is he going to lose, if your security is compromised?"
It's OSS (Score:5, Insightful)
Firefox is Open Source. Let the Chinese build their own version of Firefox and see who trusts them to use it.
Re:It's OSS (Score:4, Insightful)
Re: (Score:3, Interesting)
SSLed checksums for the binaries... oh, wait, Mozilla doesn't bother publishing those, for some reason.
Re:It's OSS (Score:5, Funny)
Oh they do, they just don't appear on your browser because China MITM'ed your http session and changed the website.
No. HELL No. (Score:5, Insightful)
Why should Mozilla take a chance at this? If someone wants this CA, it is trivial to manually add it to Mozilla's certificates. However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla foundation is guilty of espionage by proxy.
Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.
Re: (Score:2)
However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla foundation is guilty of espionage by proxy.
I'm sorry, but Mozilla trusting any given CA does not make them guilty of a single thing, let alone espionage.
Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.
Yeah, you wouldn't be able to say that the dealership is guilty of theft if the people they gave the key to steal the cars. The people stealing the cars are the ones who are guilty.
Re: (Score:2)
You could say the same about any certificate authority. What reason do we have to believe that any CA is not compromised by the NSA?
If you want to protect yourself against the government, you cannot trust any third party. Exchange your keys manually, in person.
Re: (Score:2)
this is true of any and all CAs.
Re: (Score:2)
Agreed, besides governments are not all created equal. If you want to buy a government bond for instance, you check its credit rating first. Countries/States/Counties/Cities all have them. As a professional, it's your duty to do your due diligence if other people are relying on your decision to make their decision.
In the case of China, it's not really a big deal anyway. If they really want to use their own certificates, they'll just mirror the source from mozilla/firefox, and distribute their slightly dif
Configuration Option (Score:4, Insightful)
Just make it a configuration option, default NO.
Yeah, it's not the most elegant solution, but welcome to the real world guys.
Re:Configuration Option (Score:5, Insightful)
While we're at it, can we get a paranoid install option that disables ALL CAs by default, and requires you to enable each in turn? Maybe I don't trust Verisign, and would like to pass/fail all certs on an individual basis.
Re:Configuration Option (Score:4, Funny)
All you have to do is click your heels together three times, and repeat after me.
There's no place like Options / Advanced / Encryption / View Certificates / Authorities / (use mouse to select all) / DELETE. ...
There's no place like Options / Advanced / Encryption / View Certificates / Authorities / (use mouse to select all) / DELETE.
There's no place like Options / Advanced / Encryption / View Certificates / Authorities / (use mouse to select all) / DELETE.
Re: (Score:2)
Re: (Score:3, Informative)
This already IS a configuration option with a default "no". If a CA does not appear on the list (Options / Advanced / Encryption / View Certificates / Authorities) you will be asked when you first encounter a certificate registered with that CA. You can then choose to "Trust this once", "Trust always", or "Do not trust" (the actual text of the options may vary).
Firefox is debating whether to add it as an entry in a user-configurable list. Obviously, your answer is "no, don't". :)
Re: (Score:2)
That's not a practical option.
What would be reasonable would be to dedicate more screen space to certificate information. Make sure the users see exactly who signed a cert, and exactly which site the certificate is assigned to.
Re: (Score:2)
On the other hand... (Score:4, Insightful)
If the Chinese CA were stupid enough to actually perform this attack, it would be easy to gain incontrovertible evidence of their spying, as the hijacked responses would all be digitally signed with their signature.
Re: (Score:2)
Re: (Score:3, Insightful)
Even worse for the CA (and that is imho the main reason we can trust a CA, Chinese or American or where-ever it is from) is that if this trust is breached it is breached forever. There is a lot to lose by losing that trust, and little to gain (in the long term).
Re: (Score:2)
It's just that Microsoft will be more than happy to trust the Chinese CA.
If I am reading correctly, internet explorer has included CNNIC's cert since 2007.
Yeah that is a problem (Score:2)
Now if only there was a way for anybody to start a certificate authority and to issue certificates, and for the users to decide for themselves which certificate authorities they trust.
Re: (Score:2)
China (Score:3, Insightful)
If they have done some stuff that is damning enough for companies like Google and Firefox to risk alienating such a huge market, then how can you trust anything that comes from them?
Re: (Score:3, Insightful)
As I see i
The whole CA concept is horribly broken (Score:3, Insightful)
There is no good definition of exactly what you're trusting them with, no good independent verification that their trustworthiness is deserved, and as far as I know, no legal recourse if it isn't.
I consider the whole CA system to be fundamentally broken. But a new system would be so significantly different in both character and detail that I don't know how it could ever happen. UIs would have to be redesigned. Crypto geeks would have to start thinking about usability. I think the world would have to end first.
But I consider this to be one of the reasons the concept is broken.
In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just download the certificate from the website, and then warn you if the certificate ever changed when you went back to a website that claimed the same identity. Then you'd have to trust a CA at most once.
Re: (Score:2)
> In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just
> download the certificate from the website, and then warn you if the certificate ever changed when you went back to a
> website that claimed the same identity. Then you'd have to trust a CA at most once.
This is indeed the correct approach. Though I'd also appreciate an option for "I don't care" in the current Mozilla, when I just want to read a page that won't let me access it throug
Re: (Score:2)
Aren't certificates normally not-permanent? So wouldn't this usually occur? I suppose you could just do it within the life of the original cert...
OTOH, if you are willing to assume that your initial connection is secure and that you trust t
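The "remember the first certificate and warn when it changes" idea raised in this thread and in the earlier "similar to SSH" reply, worked through as an added Go example (not code from the thread or from Mozilla). It hashes the leaf's public key rather than the whole certificate, and it addresses the expiry objection by tolerating a new key only when the pinned certificate is within an assumed 30-day renewal window and the issuer has not changed; the CA and leaf certificates are constructed in memory for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Verdict is what the trust-on-first-use (TOFU) pin store says about a presented certificate.
type Verdict int

const (
	FirstSeen  Verdict = iota // nothing pinned for this host yet: record it silently
	Unchanged                 // same public key as the pin
	Renewed                   // new key, but the pinned cert was about to expire and the issuer is unchanged
	Suspicious                // new key mid-validity, or a different issuer: warn the user
)

const renewalGrace = 30 * 24 * time.Hour // assumed: key rotation tolerated only this close to expiry

// pin is what the store remembers per host. Hashing the SubjectPublicKeyInfo rather than
// the whole certificate means a cert re-issued for the same key still counts as Unchanged.
type pin struct {
	spki, issuer string
	notAfter     time.Time
}

// PinStore is an in-memory stand-in for a browser's persistent pin database.
type PinStore struct{ pins map[string]pin }

func NewPinStore() *PinStore { return &PinStore{pins: map[string]pin{}} }

// Check compares the presented certificate with the pin for host and advances the pin
// only when the change looks like an ordinary renewal.
func (s *PinStore) Check(host string, c *x509.Certificate, now time.Time) Verdict {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	cur := pin{spki: hex.EncodeToString(sum[:]), issuer: c.Issuer.String(), notAfter: c.NotAfter}
	old, ok := s.pins[host]
	switch {
	case !ok:
		s.pins[host] = cur
		return FirstSeen
	case old.spki == cur.spki:
		return Unchanged
	case now.After(old.notAfter.Add(-renewalGrace)) && old.issuer == cur.issuer:
		s.pins[host] = cur
		return Renewed
	}
	return Suspicious
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert builds constructed test data for this example (not real certificates): a
// self-signed CA when parent is nil, otherwise a leaf for cn signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
	}
	signer := parentKey
	if parent == nil { // self-signed CA: the template is its own parent
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Scenario replays the thread's cases for one host: first visit, repeat visit with the same
// cert, an impostor cert from another CA mid-validity, a genuine renewal with a new key just
// before expiry, and the impostor again after the renewal.
func Scenario() []Verdict {
	t0 := time.Date(2010, 2, 1, 0, 0, 0, 0, time.UTC)
	day, year := 24*time.Hour, 365*24*time.Hour
	goodCA, goodKey := newCert("Example Good CA", nil, nil, t0, t0.Add(10*year))
	otherCA, otherKey := newCert("Example Other CA", nil, nil, t0, t0.Add(10*year))
	host := "mail.example.com"
	leaf1, _ := newCert(host, goodCA, goodKey, t0, t0.Add(year))
	leaf2, _ := newCert(host, goodCA, goodKey, t0.Add(350*day), t0.Add(2*year))
	impostor, _ := newCert(host, otherCA, otherKey, t0, t0.Add(year))
	s := NewPinStore()
	return []Verdict{
		s.Check(host, leaf1, t0),                 // FirstSeen
		s.Check(host, leaf1, t0.Add(day)),        // Unchanged: same key
		s.Check(host, impostor, t0.Add(30*day)),  // Suspicious: pin still valid for months
		s.Check(host, leaf2, t0.Add(350*day)),    // Renewed: 15 days before expiry, same issuer
		s.Check(host, impostor, t0.Add(360*day)), // Suspicious: issuer differs from the pin
	}
}

func main() { fmt.Println(Scenario()) } // [0 1 3 2 3]
```

The renewal window is what keeps the "my favourite site just broke" complaint from firing on ordinary yearly re-issuance, while a certificate from a different CA is flagged even inside that window.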
Forgive me for belaboring the obvious... (Score:5, Insightful)
...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt. Sooner or later, you will find yourself faced with situations in which you directly or indirectly become party to unethical acts.
This is hardly limited to Google. We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods.
No CA should be trusted by default (Score:2, Insightful)
To me, it's simple. Trust is something that should be granted by the user. A browser distribution may well include certificates for various CAs as a convenience, but generally shouldn't include any of them as trusted by default. There should be an option for the user to designate bundled CA certs (or ones obtained elsewhere) as trusted, and installers could even include an option to enable them in the install procedure.
Re: (Score:2)
A browser distribution may well include certificates for various CA's as a convenience
Mozilla gets finicky if you toy with Firefox too much and still call it Firefox. If Linux distros did that, they'd risk being forced to move to Iceweasel. Not a HUGE deal, but nonetheless - they can't technically do as you propose. Security-focused distros may want to do so, however.
More relevant, however, is the fact that most Firefox users don't use "distros" but get the raw executable installer from the website (or a friend's usb holding the same file, etc). The vast, vast majority of these users
Wow, just wow. (Score:2, Informative)
It's a man-in-the-middle thing, and I run them at work. They're very easy to configure, and if you really know what you're doing, you can "legitimately" fake the identity of any cert you want, and every single byte of your traffic is sniffable to whoever runs the tap.
I lost faith when they kept the RapidSSL cert. (Score:2)
One Should Always Trust (Score:4, Insightful)
Go back to Peking (Score:2, Insightful)
Trust is a mistake (Score:3, Interesting)
While I can go down the rat hole of an endless paranoia, the fact is that every time you connect to a site, there needs to be a separate path by which you can authenticate the certificate for a site with peer review. Perhaps even an old fashioned phone call. Here's my organization's MD5 hash; if you don't get the same number, call for support.
The reality is that we only need a handful of trusted sites, credit card, bank accounts, etc. The browser should be able to link a specific cert and authority to a specific site.
I never thought the idea of "corporations" being trusted was a good one
SSL needs to be tied to domain hierarchy. (Score:3, Interesting)
SSL CA authority needs to be tied to domain hierarchy.
This sort of domain-based CA should be installable via DNS, and DNSSEC [roysdon.net] should continue to be rolled out, all the way to the client (browsers should have methods to verify root DNSSEC, and follow the chain).
With SSL based on domain hierarchy, you need to know only the root DNS server's DNSSEC key. Everything else flows down from that.
Then CNNIC would only control .CN. The US Gov would theoretically only control .US, .GOV, .EDU. .COM, .NET, .ORG should be run by (as much as I hate to say it) the UN.
I already put SSH key fingerprints [roysdon.net] in my DNS and verify with DNSSEC-enabled openssh/bind-resolvers. SSL and/or SSL fingerprints could easily be done, if not just the entire CA public key.
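The check the post describes, with certificate fingerprints published in DNS and only honoured when the resolver has validated them with DNSSEC, is what the TLSA record of DANE (RFC 6698) standardises. Below is an added example of that client-side match, written for this page and not taken from the thread or from the linked roysdon.net pages. The certificate bytes, the host name `example.cn` and the TLSA record are constructed stand-ins; no DNS lookup or TLS handshake is performed, and only selector 0 (full certificate) is implemented, since selector 1 (SubjectPublicKeyInfo) would need DER parsing.

```python
"""DANE-style certificate check against a DNS TLSA record (added example).

The resolver's DNSSEC validation result is an input: a TLSA record that was
not authenticated could have been spoofed, so the check fails closed.
"""
import hashlib

# Constructed stand-in for a DER-encoded server certificate. A real client
# would take these bytes from the TLS handshake.
SERVER_CERT_DER = b"\x30\x82\x01\x0a-- constructed DER stand-in for example.cn --"


def tlsa_owner_name(host, port=443, proto="tcp"):
    """Owner name under which the TLSA record lives, e.g. _443._tcp.example.cn."""
    return f"_{port}._{proto}.{host}"


def parse_tlsa(presentation):
    """Parse 'usage selector mtype hexdata' (RFC 6698 presentation format)."""
    usage, selector, mtype, data = presentation.split(None, 3)
    return {
        "usage": int(usage),
        "selector": int(selector),
        "mtype": int(mtype),
        "data": bytes.fromhex("".join(data.split())),
    }


def association_data(cert_der, selector, mtype):
    """Compute the bytes a TLSA record's data field must equal for this cert.

    Selector 0 = full certificate. Matching type 0 = raw bytes,
    1 = SHA-256, 2 = SHA-512.
    """
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is supported here")
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def check_dane(cert_der, tlsa_records, dnssec_validated):
    """Return True if some validated TLSA record pins this certificate."""
    if not dnssec_validated:
        # Unauthenticated DNS data carries no trust at all.
        return False
    for rr in tlsa_records:
        # Usage 3 (DANE-EE) pins the end-entity certificate directly. Usages
        # 0-2 also involve a CA chain, which this example does not build.
        if rr["usage"] != 3:
            continue
        try:
            expected = association_data(cert_der, rr["selector"], rr["mtype"])
        except ValueError:
            continue
        if expected == rr["data"]:
            return True
    return False


# Constructed TLSA record for the stand-in certificate: usage 3, selector 0,
# matching type 1 (SHA-256 of the whole certificate).
EXAMPLE_TLSA = parse_tlsa("3 0 1 " + hashlib.sha256(SERVER_CERT_DER).hexdigest())

if __name__ == "__main__":
    print(tlsa_owner_name("example.cn"))
    print("validated match:", check_dane(SERVER_CERT_DER, [EXAMPLE_TLSA], True))
    print("unvalidated DNS:", check_dane(SERVER_CERT_DER, [EXAMPLE_TLSA], False))
    print("tampered cert:  ", check_dane(SERVER_CERT_DER + b"x", [EXAMPLE_TLSA], True))
```

The `dnssec_validated` flag is the part that matters for the post's argument: whoever controls the zone (here, whoever signs `.cn`) can publish whatever fingerprint they like, but nobody outside that chain can, and a resolver that does not validate gives the client nothing to stand on.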
Re:Ask the user (Score:4, Insightful)
Actually, this debate is about the default option. You can add and delete trusted certificate authorities all you want once you install Firefox.
Options / Encryption / Advanced / View Certificates / Authorities.
Personally, I think the Chinese CAs should be unlisted in Firefox by default, and those users that want to trust them can simply say "always trust this CA" when Firefox asks. Then again, I think every CA should be treated that way. Why does Firefox automatically trust TurkTrust, Dell, the Japanese government, and the Netherlands (to randomly pick four out of the hundreds of trusted CAs in the default list)?
Actually, that has a simple answer. A nontechnical segment of the population is simply going to do exactly what they do every time you ask a security question - answer YES, ALLOW, or whatever button is stopping them from seeing the cute video of the cat puking up noodles or the boobage behind the prompt box. Bombarding them with more security questions isn't really going to increase security, it's just going to increase frustration. So you add the (hopefully!) truly trustworthy CAs to the default list, then if a user ever encounters a CA warning box it'll be unusual enough that they might pause a few seconds before pressing ALLOW, and maybe even call a neighborhood 12-year-old to check to see if it's a really good idea.
The "hopefully!" part is important. If you're making decisions for your users in the form of shipped defaults, they'd better be well-thought-out.
Re: (Score:2)
Good point. Both Morocco and Turkey have been spying on the Dutch government and especially the Dutch police. Also, Turkish online jihadists attack websites worldwide. Why would I trust TurkTrust and TÜBİTAK by default?
Re: (Score:2)
cat puking up noodles or the boobage
I missed a very important "the" in this phrase the first time I read it. o_O
Re: (Score:2)
The double-clicking sound you're hearing is SA's forum regulars firing up Photoshop.
Re: (Score:2)
Bombarding them with more security questions isn't really going to increase security, it's just going to increase frustration.
Marginally related, but this is exactly why Windows Vista security doesn't work. It asks a question for almost everything you do: if an application connects to the internet, if you want to delete a file, if you want to move a shortcut, or if you want to run that suspicious-looking program. They all have similar or identical prompts that come up! Everybody gets so used to clicking the big "Allow" button every time they start up their game that if one popped up right now out of nowhere I'd probably instinctiv
Re: (Score:2)
Re:Why not change of certifcation notification? (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
His proposed solution is essentially how SSH does it. What's wrong with that? Why would I ever need to "rotate" a key? They don't go bad, unless they've been compromised. If they were compromised, I'd like to know about it.
Re: (Score:2)
One "simple" solution would be for the browser to remember which certificate or CA a page uses, and put up a warning if it ever changed (within the validation period). A warning if the site all of a sudden went to HTTP would perhaps also be a good idea.
Yes, people ignore warnings, but it would at least help us in the know.
Well, Firefox is open source...
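What the post sketches is a trust-on-first-use memory of the kind SSH keeps in `known_hosts`, applied to TLS certificates. The following added example, written for this page and not code from the thread or from Firefox, records per host the fingerprint, issuer and expiry of the certificate first seen, warns when a different certificate shows up before the remembered one would have expired or when the issuing CA changes, and warns separately when a host previously seen over HTTPS is reached over plain HTTP. Host names, dates, issuer names and certificate bytes are constructed for the example.

```python
"""Remember each site's certificate and warn on unexpected change (added example)."""
import hashlib
from datetime import datetime, timezone


def fingerprint(cert_der):
    """SHA-256 of the DER certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


class CertMemory:
    def __init__(self):
        # host -> {"fp": hex fingerprint, "issuer": CA name, "not_after": datetime}
        self.seen = {}

    def observe(self, host, scheme, cert_der=None, issuer=None, not_after=None, now=None):
        """Record one connection and return a list of warnings (empty if nothing odd)."""
        now = now or datetime.now(timezone.utc)
        warnings = []
        prev = self.seen.get(host)
        if scheme == "http":
            # Downgrade: a host we have only ever seen over TLS is now plain HTTP.
            if prev is not None:
                warnings.append(f"{host}: previously HTTPS, now reached over plain HTTP")
            return warnings
        if scheme != "https":
            raise ValueError(f"unsupported scheme {scheme!r}")
        fp = fingerprint(cert_der)
        if prev is None:
            # Trust on first use: remember what we saw, say nothing.
            self.seen[host] = {"fp": fp, "issuer": issuer, "not_after": not_after}
            return warnings
        if prev["fp"] == fp:
            return warnings
        # Certificate changed. A change after the old one expired is routine
        # renewal; a change before that is what the post wants surfaced.
        if now < prev["not_after"]:
            warnings.append(f"{host}: certificate changed before the previous one expired "
                            f"({prev['not_after']:%Y-%m-%d})")
        if prev["issuer"] != issuer:
            warnings.append(f"{host}: issuing CA changed from {prev['issuer']!r} to {issuer!r}")
        # A real browser would ask the user before accepting the new cert;
        # here the new one simply becomes the remembered one.
        self.seen[host] = {"fp": fp, "issuer": issuer, "not_after": not_after}
        return warnings


def demo():
    """Walk through the scenario from the post with constructed data."""
    mem = CertMemory()
    host = "mail.example.com"
    t0 = datetime(2010, 2, 1, tzinfo=timezone.utc)
    cert_a = b"-- constructed DER: mail.example.com, issued by CA Alpha --"
    cert_b = b"-- constructed DER: mail.example.com, issued by CA Beta --"
    cert_c = b"-- constructed DER: mail.example.com, CA Beta renewal --"
    exp_a = datetime(2011, 1, 1, tzinfo=timezone.utc)
    exp_b = datetime(2011, 6, 1, tzinfo=timezone.utc)
    exp_c = datetime(2012, 6, 1, tzinfo=timezone.utc)
    first = mem.observe(host, "https", cert_a, "CA Alpha", exp_a, now=t0)   # []
    same = mem.observe(host, "https", cert_a, "CA Alpha", exp_a, now=t0)    # []
    swapped = mem.observe(host, "https", cert_b, "CA Beta", exp_b, now=t0)  # 2 warnings
    downgrade = mem.observe(host, "http", now=t0)                           # 1 warning
    later = datetime(2011, 7, 1, tzinfo=timezone.utc)
    renewed = mem.observe(host, "https", cert_c, "CA Beta", exp_c, now=later)  # []
    return first, same, swapped, downgrade, renewed


if __name__ == "__main__":
    for step in demo():
        print(step or "no warning")
```

The "within the validation period" qualifier from the post is what keeps this from crying wolf on every routine renewal: a new certificate after the old one's `not_after` is expected, while a new certificate (or a new issuer) while the old one is still valid is the case worth a prompt.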
Re: (Score:2)
Don't you mean "loss of privacy should be opt-in"? Opt-out loss of privacy means that unless you opt out of losing privacy, you lose your privacy.