
Mozilla Accepts Chinese CNNIC Root CA Certificate

kdawson posted more than 4 years ago | from the who-do-you-trust dept.

Mozilla 256

Josh Triplett writes "Last October, Mozilla accepted the China Internet Network Information Center as a trusted CA root (Bugzilla entry). This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Commenters in the bug report and the associated discussion have presented evidence that the Chinese government controls CNNIC, and surfaced claims of malware production and distribution and previous man-in-the-middle attacks in China via their secondary CA root from Entrust. As usual, please refrain from blindly chiming into the discussion without supporting evidence. Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."


As usual, please refrain from blindly chiming in? (5, Funny)

gad_zuki! (70830) | more than 4 years ago | (#31002258)

Wow, you're so new here, you're still dripping wet and covered in placenta.

Re: As usual, please refrain from blindly chiming (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31002444)

Well, I'm glad I switched to Chromium.

Re: As usual, please refrain from blindly chiming (0, Offtopic)

clang_jangle (975789) | more than 4 years ago | (#31002464)

Glad I use lynx (and opera)!

Re: As usual, please refrain from blindly chiming (4, Informative)

TSHTF (953742) | more than 4 years ago | (#31002536)

Opera [opera.com] trusts CNNIC also.

Re: As usual, please refrain from blindly chiming (1)

clang_jangle (975789) | more than 4 years ago | (#31002612)

Don't think so. I just checked and I do not have CNNIC listed at all in my copy of Opera v10.10.

Re: As usual, please refrain from blindly chiming (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#31002626)

Then you're apparently illiterate. To quote the link

We have now added the following Roots to the repository:

Buypass, a Norwegian CA. This CA has been provisionally EV enabled, please see below. Testsites 1, 2, EV.
CNNIC, China Internet Network Information Centre. Testsite. Note: Currently we are missing a HTTP CRL for the intermediate certificate for this site, so the site will unfortunately not show a padlock. We are working with CNNIC to resolve the problem, which may include adding a CRL override.
Secom (a Japanese CA) has issued a new SHA-256 Root, as part of many CAs' transition to more secure certificate signatures: Testsite

Re: As usual, please refrain from blindly chiming (0)

Anonymous Coward | more than 4 years ago | (#31002692)

Erm, speaking of illiterate -- What part of "I do not have CNNIC listed at all in my copy of Opera v10.10" was unclear to you?

Re: As usual, please refrain from blindly chiming (1)

shird (566377) | more than 4 years ago | (#31002984)

I saw the same thing in my copy of Opera 10.5.x

However, after visiting the test site : https://www.enum.cn/en/ [www.enum.cn]

I can now see the cert. My guess is Opera does not come preloaded with all root certs, but perhaps fetches them on demand from an online repository.

Re: As usual, please refrain from blindly chiming (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#31003006)

Except you tried to claim that the GP was wrong about Opera trusting CNNIC which is patently false based on Opera's own posting from last September.

Re: As usual, please refrain from blindly chiming (1)

clang_jangle (975789) | more than 4 years ago | (#31003224)

Actually, you're apparently referring to me (I didn't post the AC comment to which you're replying). But what I said was, "don't think so" which is to say I doubted it. I certainly did not "try to claim that the GP was wrong", but rather merely expressed doubt that he was correct (the provided link is, after all, older than my version of Opera). So anyway, I went to the CNNIC site, got the authority listed, then set opera to warn me. Wasn't hard, no big deal. Maybe you should consider cutting down on the caffeine? These discussions aren't exactly a matter of life and death, and people are certainly free to doubt.

Re: As usual, please refrain from blindly chiming (2, Informative)

GrievousMistake (880829) | more than 4 years ago | (#31003012)

Visit the test site [www.enum.cn] and look again.

Re: As usual, please refrain from blindly chiming (5, Insightful)

Actually, I do RTFA (1058596) | more than 4 years ago | (#31002534)

I take issue to the next phrase: "Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

Are you saying "should Mozilla remove it?" Then the answer is probably no, because Mozilla is not an omni-beneficent entity. It probably helps them in some way to include it.

The question is, should individual users remove it? And yes, by the link that you provided indicating its role in the distribution of malware. Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?

Re: As usual, please refrain from blindly chiming (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#31002574)

Exactly. The spoon and the knife are already laid out.

Re: As usual, please refrain from blindly chiming (5, Insightful)

gd2shoe (747932) | more than 4 years ago | (#31002652)

At issue here is the ability of the Chinese government to run MiTH attacks on their citizens (and others) (who may have no computer security experience) and to arrest political dissidents. Nobody's saying you should wait to remove it. The question is, should it be removed for the safety of others?

The whole point of root certs is trust. We trust them to sign certificates which will be used, in turn, to keep our conversations private. Should CNNIC be trusted to keep conversations private? That is the question. Organizations like Mozilla put their own reputations on the line when choosing which root certs to include. Any abuse by CNNIC will be seen as a security flaw in Mozilla software. That is the issue. That is why Mozilla should care. (even if they disagree)

Re: As usual, please refrain from blindly chiming (2, Funny)

Cederic (9623) | more than 4 years ago | (#31003020)

What's a MiTH attack? Man in ..?

Re: As usual, please refrain from blindly chiming (3, Funny)

Anonymous Coward | more than 4 years ago | (#31003210)

What's a MiTH attack? Man in ..?

Man in The Hat [xkcd.com]

Re: As usual, please refrain from blindly chiming (1)

gd2shoe (747932) | more than 4 years ago | (#31003540)

As always, one small typo gets blown way out of proportion. Oh well. Have fun with it.

Re: As usual, please refrain from blindly chiming (0)

Anonymous Coward | more than 4 years ago | (#31003270)

men in tiny hats

Re: As usual, please refrain from blindly chiming (1)

garfi5h (1130099) | more than 4 years ago | (#31003288)

Man in the
1. Half?
2. Halfway?
3. Halftime?
4. Half-court?
5. Hmiddle (silent H)?

Cheers! :-)

Re: As usual, please refrain from blindly chiming (0)

Anonymous Coward | more than 4 years ago | (#31003342)

Man In The Hat.

The issue is that most people wear hats to try and hide some type of malicious secret. Thus, we don't trust men who wear hats.

Re: As usual, please refrain from blindly chiming (1)

ScrewMaster (602015) | more than 4 years ago | (#31003472)

What's a MiTH attack? Man in ..?

It's an attack that doesn't actually exist, e.g., one that is "mithical". Of course, a mith is as good as a mile anyways.

No Criminals Should Be Granting Certificates (-1, Flamebait)

mrcaseyj (902945) | more than 4 years ago | (#31003516)

The Chinese government is blatantly and extensively violating the almost universally recognized standards for human rights. Even the Chinese government itself recognizes the rights it violates. The Chinese government are murdering thieving criminals, so it is absurd to grant certificate issuing privileges to them or any other entity in a country without freedom of speech or a reasonable approximation of democracy. Some would try to argue that political philosophy is all relative, and that governments like the US are criminal as well. But while no country is perfect, there is a HUGE difference between flawed democratic countries like the US and countries who blatantly massively violate freedom of speech and whose democracy isn't even roughly legitimate. There is a large gulf between approximately-just and blatantly-criminal governments, which can be identified by a single feature: freedom of speech. If the people can openly debate their government, then the people will bring the government approximately into the control of the people. Sometimes it is said that we should let other countries run their country the way they want to. But if there is no democracy and freedom of speech, then how does anyone know how "they" (the people) want to run their country? If there is no democracy then all we know is how "they" (the criminal government) wants to run their country.

DON'T GIVE MURDERING THIEVES THE KEYS TO YOUR SECURITY!

Re: As usual, please refrain from blindly chiming (4, Insightful)

Anonymous Coward | more than 4 years ago | (#31002874)

If only we had the luxury of knowing which certificates to remove if you didn't trust the NSA. Guess MITM is a game for big players.
Our instructions for setting up VPN include a recommended step where you disable all root certificates but one for the connection. From a security standpoint, the whole web should work the same.

It's very annoying how Firefox insists on making self-signed certificates the biggest pain in the ass possible to accept, knowing you can't really trust the 'trusted' signers in the first place. For forums and the likes, just permanently storing the certificate so you can be sure you're getting an encrypted connection to the same entity each time would be sufficient.

Re: As usual, please refrain from blindly chiming (2, Interesting)

jcoy42 (412359) | more than 4 years ago | (#31003058)

Why should I let Mozilla, a large group with contradictory desires and many masters, control whether I delist it as a trusted root?

Because Mozilla is capable of doing it and most computer users are (effectively) not.

Because we care about what happens to the internet.

Because it's going to be our mom's machine, and we'll have to fix it.

restricting it to *.cn would make sense (0)

Anonymous Coward | more than 4 years ago | (#31003368)

Seeing as China makes lots of the core internet routers these days (with quickly growing market share) there is every reason to assume we're getting man-in-the-middle pwned.

I'm not in *.cn, and I'm not visiting *.cn, so why in Hell should this certificate apply to me? If suddenly www.adobe.com is signed by China, there sure is a problem!

Re:restricting it to *.cn would make sense (4, Interesting)

ScrewMaster (602015) | more than 4 years ago | (#31003726)

Seeing as China makes lots of the core internet routers these days (with quickly growing market share) there is every reason to assume we're getting man-in-the-middle pwned.

I'm not in *.cn, and I'm not visiting *.cn, so why in Hell should this certificate apply to me? If suddenly www.adobe.com is signed by China, there sure is a problem!

It's funny, you know ... if we were all buying high-end routers from Russia everyone would flipping out about security. But China makes inroads on that market (with the obvious intention of dominating it) and nobody really seems too upset. You have to assume that a hostile totalitarian state might try to exploit that advantage in some way.

Weird. And I always thought denial was a river.

Re: As usual, please refrain from blindly chiming (3, Informative)

bill_mcgonigle (4333) | more than 4 years ago | (#31003188)

He means, "please don't spam the Bugzilla comments unless you have something constructive to add." BMO used to block all slashdot referers at one point...

Given they've bowed to Chinese pressure (4, Interesting)

sethstorm (512897) | more than 4 years ago | (#31002260)

...is there a straightforward way to mark CNNIC as untrusted?

Marking as untrusted (5, Informative)

Saishuuheiki (1657565) | more than 4 years ago | (#31002298)

Taken from comments section of article:

Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there's a lot of entries there.

One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.

Was pointing towards something like a CRL. (3, Insightful)

sethstorm (512897) | more than 4 years ago | (#31002342)

Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.

Re:Was pointing towards something like a CRL. (3, Insightful)

micheas (231635) | more than 4 years ago | (#31002390)

Removing it is fine until an update/reinstall brings it back. Telling the browser to not trust that entity at all is what I'm talking about.

As long as the update does not delete your local preferences it should work.

Re:Was pointing towards something like a CRL. (2, Insightful)

couchslug (175151) | more than 4 years ago | (#31002752)

"Telling the browser to not trust that entity at all is what I'm talking about."

Looks like time for a convenient extension.

Re:Was pointing towards something like a CRL. (3, Insightful)

Sir_Lewk (967686) | more than 4 years ago | (#31002936)

Ah, but how do we know we are actually getting the right extension? Normally that process is secured by ssl but now.... The Chinese government could man in the middle anyone who tries to install any particular extension, and feed them a crippled one instead. Implausible sure, but possible.

Re:Was pointing towards something like a CRL. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31003194)

No, they can't...at least not if you do the extra leg work necessary to check the certificate yourself. Adding their CA cert to the browser only gives them the ability to generate certificates that are accepted based on that CA cert. You can still view the certificate information to see which CA cert originated the certificate being used to secure your session.

Try it yourself. Go to https://addons.mozilla.com/ [mozilla.com] and examine the cert. You'll see that it was issued by Verisign. Any certificate issued by CNNIC would show up as being issued by CNNIC. If you verify that the certificate that secures the session used to pull the extension originated from a historically-trusted CA rather than this new, suspect, CA, you can be sure that the Chinese government has not used the inclusion of the CNNIC CA certificate to perform a MitM attack on that session.

Re:Was pointing towards something like a CRL. (1)

Sir_Lewk (967686) | more than 4 years ago | (#31003374)

I'm well aware of how certificates work, and I'm sure you are well aware that the vast majority of the population would never think, or even know, to confirm that the certificate is from the correct CA.

Re:Was pointing towards something like a CRL. (1)

AmberBlackCat (829689) | more than 4 years ago | (#31003236)

If it were IE, people would be saying it's time for a new browser. If security is that big of a deal, why fight a working browser with a built-in security flaw when you can switch browsers?

Re:Was pointing towards something like a CRL. (2, Interesting)

mlts (1038732) | more than 4 years ago | (#31003090)

What is ironic is that I can do this in IE with no problems. I drag a certificate to the untrusted store, either systemwide or as a user, and even if root certs are updated, that cert remains untrusted.

Re:Was pointing towards something like a CRL. (2, Informative)

maxume (22995) | more than 4 years ago | (#31003328)

If I have it right, it is actually a simple thing to do, the UI is just awkward. Edits to the trust settings of the certificate will disable it and persist (another post indicates that deleting the certificate also marks it as untrusted, so even if the certificate gets added back to the system, it won't be trusted).

Re:Given they've bowed to Chinese pressure (4, Informative)

Zocalo (252965) | more than 4 years ago | (#31002332)

You could just delete the certificate yourself. "Edit, Preferences, Advanced, Encryption, View Certificates"[1]. Select the one from CNNIC and hit "Delete".

[1] "Tools, Options, Advanced, Advanced, View Certificates" if you are on Windows, but if you are on Windows the CNNIC certificate is probably not the most significant of your security worries... :)

It's not there... (2, Informative)

Anonymous Coward | more than 4 years ago | (#31002968)

Weird thing is, I can't find it in there at all, unless I'm just blind. There's nothing that says CNNIC (or even anything obviously Chinese).

One addendum to your directions, you have to be in the "Encryption" subtab of the Advanced tab or you won't see the "View Certificates" button.

Re:It's not there... (1)

Cederic (9623) | more than 4 years ago | (#31003168)

Not just you, I don't appear to have it in Firefox 3.5.7 or Windows/IE.

Unless I have a particularly well-written rootkit hiding from me that prevents display of that certificate but allows its continued use. I'm kind of guessing not.

Re:Given they've bowed to Chinese pressure (1)

klui (457783) | more than 4 years ago | (#31002366)

If you delete the CA when it returns (not sure why it does that) its properties, when you click Edit..., will be all unchecked.

Tools>Options...; Advanced, Encryption tab, [View Certificates]; Authorities tab, click CNNIC ROOT, [Edit...]/[Delete...].

Re:Given they've bowed to Chinese pressure (3, Funny)

data2 (1382587) | more than 4 years ago | (#31002384)

Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Authorities -> ... -> Profit

Re:Given they've bowed to Chinese pressure (0)

Anonymous Coward | more than 4 years ago | (#31002584)

lol at least this one is original.

Re:Given they've bowed to Chinese pressure (1)

chris_uvic (1708538) | more than 4 years ago | (#31002958)

One way: Go to Firefox's Certificate Manager. (Tools -> Options -> Advanced -> Encryption -> View Certificates), click the "Authorities" tab, scroll down to "CNNIC ROOT", select it, click edit, uncheck the "trust settings".

Re:Given they've bowed to Chinese pressure (0)

Anonymous Coward | more than 4 years ago | (#31003178)

I'm running FF3.5.7 and I don't appear to have the CNNIC ROOT certificate in the authorities tab of Firefox. Is that the only place I need to look?

Anonymous Coward (0)

Anonymous Coward | more than 4 years ago | (#31002278)

Now at last we can have signed Firefox Add-ons!

As usual? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31002306)

As usual, please refrain from blindly chiming into the discussion without supporting evidence

HAHAHAHAHAHAHAHAHAHAHAHAHAHA

You're stupid.

Evidence as cited.

Obligatory (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31002468)

Me chinese me play joke me put peepee in your coke.

Thanks For The Heads Up... (0)

Anonymous Coward | more than 4 years ago | (#31002470)

Deleting it as we speak....

You're kidding, right? (5, Funny)

taoye (1456551) | more than 4 years ago | (#31002484)

Just wait while I go infiltrate the Chinese government to determine if they are doing bad things through CNNIC, so I can come back with evidence. While I'm at it, I'll be travelling through West Africa and I have the sum of $1,000,000,000 USD of money stashed there and I need your help to get it out of the country. I will give you 10% guaranteed.....

NOW you DICKHEADS are p0wned by them for real (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31002490)

Stupid stupid eurotrash idiots! Don't trust COMMIES, PERIOD!

Disagree with the premise. (5, Interesting)

Jane Q. Public (1010737) | more than 4 years ago | (#31002502)

"Since Mozilla has already accepted CNNIC as a trusted root CA, the burden rests with those who argue for its removal."

I am not sure I agree with this. When accepting something that is very controversial, like for example accepting CNNIC as a neutral authority, or backing a perpetual-motion technology, the burden may very well be on the actor to defend its actions.

Sorry, what? (1)

xant (99438) | more than 4 years ago | (#31003700)

If the thing is done, the actor doesn't have to do anything additional. It doesn't have to be done again, or done more. The only possible change is to undo it. Those who wish to undo it must justify undoing it, because they are the only ones who have need of an affirmative action to be taken.

delete cert? finger in dike (4, Informative)

Onymous Coward (97719) | more than 4 years ago | (#31002524)

Did you notice how many CAs are in the list? How do you feel about each?

I might recommend encouraging technologies like Perspectives [cmu.edu] to provide defense in depth.

Re:delete cert? finger in dike (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31002596)

keep your lesbian fantasies to yourself kkthx. (I have my own to worry about)

Re:delete cert? finger in dike (1, Troll)

Onymous Coward (97719) | more than 4 years ago | (#31002954)

The world is not a better place after your comment, neither more enlightened nor amused.

Please note, everyone, it does not help the world or you to post simply because you have feelings you need to vent. Please make your communication constructive. And vent your feelings to your teddy bear.

Re:delete cert? finger in dike (0)

Anonymous Coward | more than 4 years ago | (#31003160)

Who says we're all trying to help the world? Keep your bigoted alignment bias to yourself Mr. Goody-two-shoes, thank you very much.

Re:delete cert? finger in dike (0)

Anonymous Coward | more than 4 years ago | (#31003746)

In other words:

Mr. AC, what you have just said is one of the most insanely idiotic things I have ever read. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this thread is now dumber for having read it. I award you no points, and may God have mercy on your soul.

Re:delete cert? finger in dike (4, Informative)

zonky (1153039) | more than 4 years ago | (#31002892)

Sound advice. For those new to perspectives, it uses notary servers, and compares the thumbprint of the SSL cert with what 4-5 other points on the internet see. This should at least prevent localised MITM, even with a trusted CA issuing the MITM cert.
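The notary cross-check zonky describes, written out as an added example for this thread (it is not Perspectives' own code, and the quorum rule, notary names and fingerprints are constructed assumptions for the illustration). A fingerprint the local client sees is compared against what several independent vantage points report for the same host; a localised interception shows up as "the notaries agree with each other but not with me", which no CA trust decision can hide.

```python
"""Perspectives-style notary cross-check.

Added example for this thread; not code from Perspectives or Mozilla.
Notary names and fingerprints are constructed sample data, and the quorum
rule below is an assumption, not the real Perspectives policy.
"""
from collections import Counter
from typing import Dict, Tuple


def normalize_fp(fp: str) -> str:
    """Canonical form for comparison: lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def notary_consensus(local_fp: str, reports: Dict[str, str],
                     quorum: float = 0.75, min_notaries: int = 3) -> Tuple[str, str]:
    """Compare the certificate fingerprint seen locally with what notaries saw.

    reports maps notary name -> fingerprint that notary observed for the host.
    Returns (verdict, reason) where verdict is one of:
      consistent   - the local view matches the notary majority
      mismatch     - notaries agree with each other but not with us
                     (the pattern a localised MITM produces)
      inconclusive - too few notaries, or they disagree among themselves
    """
    local = normalize_fp(local_fp)
    seen = Counter(normalize_fp(fp) for fp in reports.values())
    total = sum(seen.values())
    if total < min_notaries:
        return "inconclusive", f"only {total} notary reports (need {min_notaries})"
    majority_fp, majority_n = seen.most_common(1)[0]
    share = majority_n / total
    if share < quorum:
        return "inconclusive", f"notaries split: best agreement {share:.0%} < {quorum:.0%}"
    if majority_fp == local:
        return "consistent", f"{majority_n}/{total} notaries see the same key"
    return "mismatch", (f"{majority_n}/{total} notaries see {majority_fp[:12]}..., "
                        f"we see {local[:12]}...")


# Constructed sample fingerprints (hypothetical values, not real certificates).
GENUINE_KEY = "3a:9f:1c:0e:77:b2:d4:55:60:1e:8c:aa:07:f3:91:2b"
INJECTED_KEY = "de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb"

SAMPLE_REPORTS = {
    "notary-1.example": GENUINE_KEY,
    "notary-2.example": GENUINE_KEY.upper(),   # same key, different formatting
    "notary-3.example": GENUINE_KEY,
    "notary-4.example": GENUINE_KEY,
}

if __name__ == "__main__":
    for seen_locally in (GENUINE_KEY, INJECTED_KEY):
        verdict, why = notary_consensus(seen_locally, SAMPLE_REPORTS)
        print(f"local={seen_locally[:11]}... -> {verdict}: {why}")
```

The split case matters in practice: during a legitimate key rotation the notaries themselves disagree for a while, so the policy reports "inconclusive" rather than accusing anyone, and a real deployment would also weigh how long each notary has seen a given key.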

Relative security of self-signed certificates (4, Insightful)

Anonymous Coward | more than 4 years ago | (#31002550)

I have nothing against additional certificate authorities; it makes sense in most situations not to give all the power to a single party.

Nonetheless, the large number of accepted authorities raises serious questions about another aspect of browser security:

Why are self-signed certificates viewed with such relative suspicion?

It only takes a single compromised or misled CA to bypass the entire trust system. The more CAs we have, the easier it is to compromise the system.

Why, then, do we make it so difficult for sites to implement security against passive plaintext snooping (which is arguably much more of a threat in most situations, discounting targeted attacks)? Why do browsers make this basic security effectively unavailable unless you pay a toll to a CA? (And it is effectively unavailable, since the inconvenience and fear-of-the-unknown related to accepting self-signed certificates makes the use of them a self-defeating act.)

As CAs proliferate, it becomes more and more meaningless to view self-signed certificates with such suspicion -- since they become relatively less and less of a risk, as we add more CAs and thus more individual points where the system may be compromised.

Re:Relative security of self-signed certificates (1)

Adrian Lopez (2615) | more than 4 years ago | (#31002648)

Why are self-signed certificates viewed with such relative suspicion?

Because the communications channel that carries the self-signed certificate is exactly the same as the one that has potentially been compromised.

Re:Relative security of self-signed certificates (0)

Anonymous Coward | more than 4 years ago | (#31002726)

But why throw out the baby with the bathwater?

Self-signed certificates with SSL will prevent passive snooping. Actively intercepting the channel is much rarer and requires more effort.

I agree that self-signed certificates shouldn't be given the same degree of trust as attested certificates, but this can be handled easily in the user interface (by displaying the SSL status differently, or by presenting at most a single warning to the user).

There's no good reason to make them so inconvenient that one must pay a toll, or have no security whatsoever against passive snooping.

Re:Relative security of self-signed certificates (2, Insightful)

0123456 (636235) | more than 4 years ago | (#31003482)

There's no good reason to make them so inconvenient that one must pay a toll, or have no security whatsoever against passive snooping.

So when Joe Haxor manages to use a cheap DNS exploit to point www.mybank.com to his web server and then hands out a self-signed certificate 'proving' it's www.mybank.com, you really think that not having a padlock icon on the window will stop Joe Average from handing over their passwords and thereby all their money?

That's a bloody great huge reason why any self-signed certificate should require Joe Average to click through six different 'I'm sure that I'm sure that this site is really the one that I want to give my password to' rather than just pretend that it's OK.

Of course it's also true that there are now so many CAs that it's only a matter of time before 'Haxor Security Inc' starts issuing 'trusted' fake certificates for www.mybank.com.

Re:Relative security of self-signed certificates (3, Insightful)

marcansoft (727665) | more than 4 years ago | (#31003568)

So when Joe Haxor manages to use a cheap DNS exploit to point www.mybank.com to his web server and then hands out a self-signed certificate 'proving' it's www.mybank.com, you really think that not having a padlock icon on the window will stop Joe Average from handing over their passwords and thereby all their money?

Joe Haxor will use a cheap DNS exploit to point www.mybank.com to his web server, which will not support, enable, or redirect to HTTPS. Or do you really believe that Joe Average actually types https://www.mybank.com? You're lucky if they even get the www. part in.

Sorry, self-signed certs are better than unencrypted HTTP, and unconditional roadblocks to their use are ridiculous when anyone can impersonate anyone over simple unencrypted HTTP. Anyone can argue that they should not be given equivalent security status to CA certificates (and I agree), but actively hindering their use is stupid and actively hurts security by discouraging Joe Web Developer from trivially enabling SSL to at least stop passive snooping.

Re:Relative security of self-signed certificates (1)

marcansoft (727665) | more than 4 years ago | (#31002794)

So don't give users the lock icon, and just pretend it's an unencrypted website.

Self-signed certificates provide no protection against MITM attacks, but they do provide protection against passive snooping which is what the parent is talking about. There is zero disadvantage to using them. You can argue the lack of some advantages all you want, but throwing tons of warnings at users for using them is ridiculous, when regular unencrypted HTTP traffic is let through fine. I am particularly annoyed at the obnoxious warnings in recent browsers, Firefox included.

I will never understand current SSL warning policy - it's completely retarded. It would be a lot saner to shove the ridiculous warnings into user's faces only when a website previously using CA security downgrades to self-signed or plain HTTP. If you're going to warn for self-signed certs, then you ought to be warning for every single plain HTTP website.
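The two policies proposed in this thread, the Anonymous Coward's "permanently store the certificate so you know you're talking to the same entity each time" and marcansoft's "warn only when a site previously using CA security downgrades to self-signed or plain HTTP", can be expressed as one key-continuity rule. The following is an added example for this discussion, not browser code; the level names, their ranking, the verdict names and the sample hosts and fingerprints are assumptions made for the illustration.

```python
"""Key-continuity ("trust on first use") policy for TLS endpoints.

Added example for this thread, not browser code. The level names, the
ranking and the verdicts are assumptions made for the illustration;
hosts and fingerprints below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Higher rank = stronger assurance. A move to a lower rank is a downgrade.
SECURITY_RANK = {"plain": 0, "self-signed": 1, "ca-signed": 2}


def normalize_fp(fp: str) -> str:
    """Canonical fingerprint form: lowercase hex without colons."""
    return fp.replace(":", "").lower()


@dataclass
class PinRecord:
    level: str
    fingerprint: Optional[str]  # None for plain HTTP (no certificate)


@dataclass
class ContinuityPolicy:
    """Remembers what each host presented last time and judges the next visit."""
    store: Dict[str, PinRecord] = field(default_factory=dict)

    def observe(self, host: str, level: str, fingerprint: Optional[str] = None) -> str:
        """Record/compare one observation and return a verdict:
          first-use   - nothing pinned yet; pin what we saw
          unchanged   - same level and same key as last time
          upgrade     - stronger level than before; pin the new key
          rotated     - CA-signed key changed (routine rotation); pin the new key
          key-changed - self-signed key changed; keep the old pin and warn
          downgrade   - weaker level than before; keep the old pin and warn
        """
        if level not in SECURITY_RANK:
            raise ValueError(f"unknown level {level!r}")
        if (level == "plain") != (fingerprint is None):
            raise ValueError("plain HTTP has no fingerprint; TLS levels need one")
        fp = normalize_fp(fingerprint) if fingerprint else None
        prev = self.store.get(host)
        if prev is None:
            self.store[host] = PinRecord(level, fp)
            return "first-use"
        if SECURITY_RANK[level] < SECURITY_RANK[prev.level]:
            return "downgrade"           # pin is deliberately left untouched
        if SECURITY_RANK[level] > SECURITY_RANK[prev.level]:
            self.store[host] = PinRecord(level, fp)
            return "upgrade"
        if fp == prev.fingerprint:
            return "unchanged"
        if level == "ca-signed":
            self.store[host] = PinRecord(level, fp)
            return "rotated"
        return "key-changed"             # self-signed key changed: keep old pin


WARN = {"downgrade", "key-changed"}   # verdicts that deserve an interstitial


if __name__ == "__main__":
    policy = ContinuityPolicy()
    # Constructed visit sequence: a bank on a CA cert, a forum on a self-signed one.
    visits = [
        ("bank.example", "ca-signed", "aa:bb:cc:dd"),
        ("bank.example", "ca-signed", "aa:bb:cc:dd"),
        ("bank.example", "self-signed", "11:22:33:44"),   # should warn
        ("forum.example", "self-signed", "55:66:77:88"),
        ("forum.example", "self-signed", "55:66:77:88"),
        ("forum.example", "self-signed", "99:00:aa:bb"),  # should warn
    ]
    for host, level, fp in visits:
        verdict = policy.observe(host, level, fp)
        flag = "WARN " if verdict in WARN else "ok   "
        print(f"{flag}{host:14} {level:12} -> {verdict}")
```

Note the asymmetry: a CA-signed key that changes is accepted as a routine rotation, while a self-signed key that changes keeps the old pin and warns, because with no third party to vouch for the new key, continuity is the only evidence the client has. Neither verdict overwrites the pin on a downgrade, so an interception that strips TLS or swaps in a self-signed certificate cannot silently become the new baseline.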

Re:Relative security of self-signed certificates (1)

zonky (1153039) | more than 4 years ago | (#31002928)

To be honest, set your favicon to look like an SSL padlock, and most people can't tell the difference anyway. Much easier to MITM http...

Re:Relative security of self-signed certificates (1)

mlts (1038732) | more than 4 years ago | (#31003152)

Perhaps merging a PGP-like web of trust interlink with SSL security. So, if a close friend trusts foo.com as a CA, then the Web browser would assume that. If a friend dislikes blarf.com, the Web browser will pop up something saying that the CA isn't that liked among friends.

Problem is that for /. readers, a system like this would make perfect sense. However, most people seem to just want to connect to a site, see a little padlock icon and assume that they can log into their bank safely. They don't care about CAs, web of trusts, CRLs, SLCs... just that they can access whatever with some reasonable security.

And I thought the burden fell upon... (-1, Flamebait)

carlhaagen (1021273) | more than 4 years ago | (#31002588)

...every damned user of FailFox. You're such a jackass, Josh Triplett.

Re:And I thought the burden fell upon... (1)

macintard (1270416) | more than 4 years ago | (#31002636)

Agreed. I find this submission to be quite arrogant. Thanks for posting this gem, Kdawson. Mod parent up.

How do I mark all CAs in Firefox untrusted? (1)

rimugu (701444) | more than 4 years ago | (#31002600)

How do I mark all CAs in Firefox untrusted?
There has to be a better way than change each one manually.

Re:How do I mark all CAs in Firefox untrusted? (0)

Anonymous Coward | more than 4 years ago | (#31002646)

Is there an add-on that does this automatically?

Re:How do I mark all CAs in Firefox untrusted? (2, Funny)

a whoabot (706122) | more than 4 years ago | (#31002812)

"Is there an add-on that does this automatically?"

There supposedly is, except its certification is provided by CNNIC...

Does anyone notable *not* support CNNIC? (4, Informative)

RalphBNumbers (655475) | more than 4 years ago | (#31002628)

I just checked, and both MacOS X and Windows 7 seem to trust the CNNIC root...

If this is really a problem, and I haven't the slightest idea if it is, then it extends way beyond firefox.

Re:Does anyone notable *not* support CNNIC? (3, Informative)

iammani (1392285) | more than 4 years ago | (#31002790)

Chrome does not.

Re:Does anyone notable *not* support CNNIC? (1)

brennz (715237) | more than 4 years ago | (#31002840)

More evidence of the Google - China fight!

Re:Does anyone notable *not* support CNNIC? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31003636)

Chrome does not.

This looks wrong. On my install of Chrome 4.0.249.78 on Windows XP, under:

    Customize and control Google Chrome -> Options -> Under the Hood -> Manage certificates -> Trusted Root Certification Authorities

I see in the alphabetized list:

    CNNIC ROOT / CNNIC ROOT / 4/15/2027 / CNNIC Root

Is this a Windows or Chrome thing?

Something strange about the entry: Under the "Advanced..." button all thirty or so purposes except "Client Authentication" and "Secure Email" are enabled. However, clicking on the "View" button shows a shorter list of purposes, but that shorter list includes "Protects e-mail messages" and "Secure Email". Which list is right?

Re:Does anyone notable *not* support CNNIC? (2, Informative)

a_ghostwheel (699776) | more than 4 years ago | (#31003698)

Not true. Chrome on Mac OS X does (it uses certificates from OS X store which does contain CNNIC Root).

Re:Does anyone notable *not* support CNNIC? (3, Insightful)

dunng808 (448849) | more than 4 years ago | (#31003298)

> ... it extends way beyond firefox.

And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.

Horsecock (0)

Anonymous Coward | more than 4 years ago | (#31003454)

Sodomy

Re:Does anyone notable *not* support CNNIC? (1)

maugle (1369813) | more than 4 years ago | (#31003534)

What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA?

You forgot Australia.

Also, our government doesn't obsessively monitor everyone (Brits), attempt to cram a "3-strikes" law down our throats (French), or attempt to track down dissidents and make them "disappear" (Iranians, Chinese). So, yes, we are the good guys here, relatively speaking.

Re:Does anyone notable *not* support CNNIC? (1)

dunng808 (448849) | more than 4 years ago | (#31003622)

Ah yes, and the beer! Mmmm. And the platypus. It's all good.

Re:Does anyone notable *not* support CNNIC? (3, Insightful)

ScrewMaster (602015) | more than 4 years ago | (#31003674)

> ... it extends way beyond firefox.

And it extends way beyond China. I see this as simply another example of "yellow peril" thinking. What about the Brits, who want to monitor everything? What about the French, who want to kick people off the net for misbehaving? What about Iran, who wants to kick out everyone? Do you really think the USA looks like the good guys to the rest of the 'net? Who gave the world Microsoft, and the RIAA, and the MPAA? All this "evil Chinese" stuff is getting tiresome.

Gagh. Such histrionics. Look, this isn't about all Chinese people being evil. It is about a particular country that happens to be the source of an astounding number of remote attacks, cracks, hacks and exploits on the network infrastructure of other nations. The question is whether or not those nations who are subject to China's self-serving Internet activities should aid in those efforts. Rather a foot-in-self-shoot situation really. Me, I've all but switched to Chrome anyway for most things, and this is just another reason to finish the job.

I know what you're saying when you use the phrase "yellow peril", but there is some truth to it. China is a threat on the world scene, more than at any other point in their history.

Re:Does anyone notable *not* support CNNIC? (0)

Anonymous Coward | more than 4 years ago | (#31003710)

I'm tired of hearing et tu quoque (http://en.wikipedia.org/wiki/Tu_quoque) arguments every time China is mentioned. Brits want to monitor everything, French want to ban users. That's bad and /. readers get angry about it too. How does that make Chinese information warfare any better?

http://en.wikipedia.org/wiki/And_you_are_lynching_Negroes

Evidence (5, Insightful)

Spy Hunter (317220) | more than 4 years ago | (#31002690)

It would be easy enough to prove that CNNIC is performing man-in-the-middle attacks. To perform a man-in-the-middle attack on (for example) gmail, CNNIC would have to send a fraudulent certificate to users. That certificate would be ironclad evidence that CNNIC can't be trusted, so all someone has to do is present one.

Re:Evidence (1)

Sir_Lewk (967686) | more than 4 years ago | (#31002976)

Easier said than done. If they were going to use this for evil, they would only do so in very isolated cases for exactly this reason.

Something more substantial than Wikipedia ? (5, Interesting)

Antiocheian (859870) | more than 4 years ago | (#31002770)

"surfaced claims of malware production and distribution"

This claim cites Wikipedia and in particular this unverifiable, POV-ridden paragraph:

"CNNIC produces one of the best-known malwares in China: the Chinese-Language-Surfing Official Edition. The software is frequently bundled with other adware/sharewares. It was declared malware by Beijing Network Industry Association and San Ji Wu Xian Co Ltd., the company behind 360 Safeguard (360), an anti-virus software. San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC."

Which libels CNNIC for connections with malware while the only case against CNNIC was actually ruled towards their favor.

Why is CNNIC untrustworthy ? In plain English please.

Re:Something more substantial than Wikipedia ? (3, Interesting)

brennz (715237) | more than 4 years ago | (#31002910)

Are you saying the court system in China is (A) open, fair, and impartial, particularly when it judges a case involving (B) the Chinese Govt vs a defendant anti-spyware company?

Re:Something more substantial than Wikipedia ? (4, Insightful)

Jeremy Erwin (2054) | more than 4 years ago | (#31003294)

San Ji Wu Xian was sued by CNNIC for 150,000 RMB and the court ruled out favorably towards CNNIC.

Tell me why I should trust a Chinese court. Because the Chinese Communist Party tells me they're trustworthy? Sorry, I'm not sure I should trust the CCP. Can you provide a trustworthy source that will attest to the CCP's ethics?

I'm sorry sir, the certificate is in Chinese (4, Funny)

syousef (465911) | more than 4 years ago | (#31003770)

Why is CNNIC untrustworthy ? In plain English please.

I'm sorry sir, the certificate is in Chinese.

Bug 542689 - Please remove CNNIC CA root certifi (0)

Anonymous Coward | more than 4 years ago | (#31002850)

https://bugzilla.mozilla.org/show_bug.cgi?id=542689

So how is this different than the US based certs? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31002900)

I fully expect that the US government can get access to appropriate certs needed for MitM attacks when they want. It isn't hard for them to pressure US based companies to do that.
For the unwashed masses worried about commerce, I doubt the Chinese government has any more interest in messing with that than the US government. For people that are worried about being spied on, they shouldn't be trusting any of those certs on machines used for doing whatever it is that they think might get them in trouble.

Re:So how is this different than the US based cert (0)

Anonymous Coward | more than 4 years ago | (#31003044)

Because the US will not throw me into a hard labor camp and sell my organs on the black market for talking about Wounded Knee, the war in the Philippines, the fire bombing of Dresden, the nuking of Hiroshima and Nagasaki, or any other genocidal acts by the government.

Re:So how is this different than the US based cert (0)

Anonymous Coward | more than 4 years ago | (#31003222)

I wouldn't say that. Being able to intercept data like passwords doesn't give blackhats info, it gives them access to things. Picture a company that has their finances quietly eavesdropped on, then when it comes time for revenge, it would be trivial to log on, pull money out of accounts and have it look like the corporate officers embezzled funds.

Result: Shareholders sue, corporate officers get tossed into prison, and nobody is the wiser that it was done offshore.

Centralized key distribution hierarchy failure... (1)

argent (18001) | more than 4 years ago | (#31003120)

I suspect that in practice simply following the SSH model would be pretty much as secure and a lot safer from this kind of attack.

That's the model where all keys are effectively "self signed", and you don't check whether the key is signed by a trusted authority... instead you check whether the key has changed, and raise an alert if so.

Using BOTH techniques... alerting people if the key changes whether it's self-signed or centrally signed... seems to be the best solution. That way if CNNIC wants to MITM you they have to be damn sure you haven't already got the real key in hand.

Re:Centralized key distribution hierarchy failure. (1)

Lord Ender (156273) | more than 4 years ago | (#31003790)

Um.... no! The CA model exists precisely because the SSH model is vulnerable to MITM!

Which CA (0)

Anonymous Coward | more than 4 years ago | (#31003268)

"a trusted CA root"

Which CA are we talking about here?

Canada ?
California
Computer Associates
Cancer

Or is this a new abbreviation for Chinese Authorities ?

How could CNNIC be any worse than all the others? (0)

Anonymous Coward | more than 4 years ago | (#31003658)

You can already get fake certs you want from other "trusted" CAs. How is this any different? I wish browsers implemented a better way to handle certs. For initial cert check the CA could be ok (better than nothing), but after that browser should remember the cert and alert you if it changes, regardless of how valid the change looks like.

It's time to fight back. (1)

zill (1690130) | more than 4 years ago | (#31003728)

It's great that everyone is removing the CNNIC root CA, but that's just a defensive measure. And a temporary one at that too.

We need to take more progressive steps to solve the problem. We should be going on the offensive here.

Just link to CNNIC in the summary and they will disappear from the Internet forever; or at least get hit with a million dollar bandwidth bill.

easy solution (1)

Lord Ender (156273) | more than 4 years ago | (#31003782)

Write a script that goes to lots of SSL sites and checks the signing certificate. Run one copy from behind the Great Firewall. Run another from the free world. Compare the output to see if CNNIC ever shows up where it shouldn't. Found a hit? Submit it to all the browser publishers and watch the security updates fly, as CNNIC loses all authority over SSL.

Bonus points if you can get Hillary Clinton to send a strongly-worded letter to China.
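An added example, not code from the thread or from any browser vendor, sketching the two detection ideas raised above: argent's "alert if the key changes even when it is centrally signed" pin store, and Lord Ender's "compare what a checker sees from two vantage points" diff. Hostnames, certificate bytes and issuer names are constructed stand-ins, and the fingerprint is simply SHA-256 over whatever DER bytes you feed it.

```python
"""Trust-on-first-use pin store plus cross-vantage comparison (added example;
all hosts, DER bytes and issuer names below are constructed, not real certs)."""
import hashlib
from typing import Dict, Tuple

Observation = Tuple[bytes, str]  # (DER-encoded leaf cert, root issuer CN)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the value browsers show as the cert fingerprint."""
    return hashlib.sha256(der).hexdigest()


def check_pin(store: Dict[str, dict], host: str, der: bytes, root_cn: str) -> str:
    """SSH-style check: the first cert seen for a host is recorded, later ones
    must match. Returns 'new', 'match' or 'CHANGED'. A changed cert is flagged
    even if its chain validates, which is the point of combining both models."""
    fp = fingerprint(der)
    seen = store.get(host)
    if seen is None:
        store[host] = {"fp": fp, "root": root_cn}
        return "new"
    if seen["fp"] == fp:
        return "match"
    # Different leaf under a different root is the classic interception signature.
    store[host]["suspect"] = {"fp": fp, "root": root_cn}
    return "CHANGED"


def diff_vantages(inside: Dict[str, Observation],
                  outside: Dict[str, Observation]) -> Dict[str, Tuple[str, str]]:
    """Hosts whose leaf cert differs between two vantage points, mapped to the
    (root seen inside, root seen outside) pair so a reviewer can see who signed what."""
    out = {}
    for host in inside.keys() & outside.keys():
        if fingerprint(inside[host][0]) != fingerprint(outside[host][0]):
            out[host] = (inside[host][1], outside[host][1])
    return out


# Constructed sample observations: one host unchanged, one swapped inside the network.
REAL_MAIL_CERT = b"constructed-der-bytes-for-mail.example-real"
SWAPPED_MAIL_CERT = b"constructed-der-bytes-for-mail.example-swapped"
OUTSIDE = {"mail.example": (REAL_MAIL_CERT, "Example Root CA"),
           "shop.example": (b"constructed-der-shop", "Example Root CA")}
INSIDE = {"mail.example": (SWAPPED_MAIL_CERT, "Unexpected Root (constructed)"),
          "shop.example": (b"constructed-der-shop", "Example Root CA")}

if __name__ == "__main__":
    store: Dict[str, dict] = {}
    print(check_pin(store, "mail.example", REAL_MAIL_CERT, "Example Root CA"))
    print(check_pin(store, "mail.example", SWAPPED_MAIL_CERT, "Unexpected Root (constructed)"))
    print(diff_vantages(INSIDE, OUTSIDE))
```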
