
Google pulling China CNNIC CA from its products - tptacek
http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html?m=1
======
eyeareque
This is what should happen when a CA does something insecure. Kick them out
and make an example out of them. If you don't the whole system is worthless.

Ex:
[http://en.wikipedia.org/wiki/Comodo_Group#2011_breach_incide...](http://en.wikipedia.org/wiki/Comodo_Group#2011_breach_incident)
Nothing happened after this breach, which was a shame.

~~~
scotty79
> If you don't the whole system is worthless.

The whole system is worthless and it should be replaced with something more
like bitcoin. I don't really trust any certificate issuer more than I trust
self issued certificate.

~~~
coderdude
>it should be replaced with something more like bitcoin.

What does that even mean?

~~~
scotty79
Basically it means that I think that hierarchical trust doesn't work for me.
Instead of bank buying certificate from some authority I'm supposed to trust
I'd rather infer that this certificate is associated with this domain because
it's written in some form of blockchain, unalterable and verified by multiple
parties.

Honestly I have no idea how the current system is purported to work. And I
just don't know what certificate is supposed to prove? That someone at some
point in time had 100$ to spend on a cert? How's that more secure than self
signed cert?

Why browser warns about self-signed and not about others? All thing seems to
me to be more of a security theatre and money making scheme than actual trust
system that reflects reality in any way.

~~~
Xylakant
because web-of-trust-models worked so great for PGP/GPG. In theory that's
great, but how can I confirm that the cert in the chain is indeed for
google.com. Because it's trusted by chrome which I downloaded from google.com
(or at least a machine pretending to be google.com) or because my computer-
illiterate friends trust it? Or because my OS trusts that cert?

I agree that the current system is broken, but I fail to see how a distributed
system magically fixes this, most notably the issue of bootstrapping trust. I
foresee that the distributed model moves to a more centralized model where we
trust apple, microsoft, ubuntu.

~~~
flatline
There's lots of newer research on trust-based systems that could be applicable
here, e.g. a game-theoretic approach where entities are gauged based on
ratings over repeated transactions. Think iterated prisoner's dilemma crossed
with PageRank, which effectively wards against many types of collusion
including simple sybil attacks. Most of it hasn't been validated in the real
world on any scale, but I believe it is possible to do quite a bit better than
we have seen - the only web-of-trust stuff I've seen in practice is ancient
compared to the state of research.

One outstanding problem that comes to mind is certificate revocation when you
have lost control of the private keys. I think a multi-sig solution could
probably mitigate this to a fair extent, so you still have some level of
pseudo-trust between entities and a way to effectively call someone up and
say, "hey, I screwed up and need to kill this thing".

------
tptacek
It's a short update, but I can make it shorter:

After a short, limited grace period, Google won't honor the recently
compromised Chinese CNNIC CA cert anymore, and won't reconsider until they
implement Certificate Transparency.

------
kijin
Good riddance.

We really need a "zero tolerance" system for CAs: As soon as you fuck up,
you're out. There has been too much forgiveness and too little enforcement so
far. Browser vendors, especially those with deep pockets such as Google,
Apple, and Microsoft, should not be afraid to leverage their influence to make
rogue CAs go out of business. Seriously, there are too many CAs already. 90%
of them need to go bankrupt asap.

We also need some way to restrict what certificates "less trustworthy" CAs can
sign. Even if CNNIC is one day reinstated, I wouldn't want them to sign any
certificate for any domain that doesn't end with .cn. Ditto for various other
government-sponsored CAs, which my browser also seems to trust for whatever
reason. Even if TLS as we know it has no mechanism to enforce such
restrictions, nothing stops browsers from doing it on their own.

~~~
korzun
> As soon as you fuck up, you're out.

You would have no CA's then. I love when people criticize others without
offering a anything in return.

~~~
pooper
No, GP actually has a point. Once you do things like this, you're out. Once
you're out, you become a nobody.

Of course, you can reapply to get in (haha, good luck getting a response from
Mozilla before a couple of years) but you have to start from scratch all over
again. This puts a tangible cost to shenanigans. I highly doubt Verisign would
be caught making the mistake these guys did.

~~~
frankydp
Not a good comparison technically, but everyone makes mistakes. And the 2010
event was promulgated by "untrustworthy" employees. The system is risky, and
change will have to come sooner or later.

[http://www.reuters.com/article/2012/02/02/us-hacking-
verisig...](http://www.reuters.com/article/2012/02/02/us-hacking-verisign-
idUSTRE8110Z820120202)

~~~
bdamm
CAs are supposed to be in the business of trust. We are supposed to hold them
to the highest standard of machine trust. If they screw up and fix the error
in a matter of hours or days... alright. But CAs who charge money for making
certificates need to earn our dollars.

Sure, everyone makes mistakes. And if you're in the business of trust, you
find ways to uncover and correct those mistakes. Also, you insure against
those mistakes, and some of that insurance buys another set of eyes.

------
teraflop
CNNIC has responded:
[http://www1.cnnic.cn/AU/MediaC/Announcement/201504/t20150402...](http://www1.cnnic.cn/AU/MediaC/Announcement/201504/t20150402_52049.htm)

> 1\. The decision that Google has made is unacceptable and unintelligible to
> CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’
> rights and interests into full consideration.

> 2\. For the users that CNNIC has already issued the certificates to, we
> guarantee that your lawful rights and interests will not be affected.

~~~
nailer
> The decision that Google has made is unacceptable and unintelligible to
> CNNIC

Deciding to not let a company, with the ability to MITM users worldwide, that
did not have systems in place to avoid misuse, continue to have that ability?

They also seem to be under the conception that they're in a position to accept
or not accept the outcome. That's now this works.

If only CNNIC took being a CA as seriously as they do writing angry press
releases.

~~~
nailer
> That's now this works.

Correcting self: that's /not how/ this works.

------
mrmondo
Glad to see this happening - I removed CNNIC from my machines back in Feb -
[https://github.com/sammcj/delete-unknown-root-
ca](https://github.com/sammcj/delete-unknown-root-ca)

~~~
dredmorbius
Is there a readily accessible list of the CAs you're deleting? Ah, it's in the
shell script itself, and there are just four of them. And this looks to be
specific to Mac OS X only -- /System/Library/Keychains is _not_ a frequently
encountered path on, say, Windows, Linux, or BSD (non-Mac) boxen.

How does this work, e.g., on systems which install root CAs from standard
packages? I think you'll find you'll need to 1) re-run the script and 2) that
you're not getting the benefit of _retaining_ the root but flagging it as
_untrusted_.

I just posted on _flagging_ the CNNIC root as untrusted in Debian. That's
better than _deleting_ the CA, as it should now show as _negative_ trust if
I'm grokkign things properly.

~~~
mrmondo
As the readme says: 'Also removes any user trust settings for each
certificate'.

It's not intended as patch or fix for the CA system which is broken by design
- merely something that I was interested in trying.

------
pilif
This is what I hoped would happen when we learned about the malicious
intermediate:
[https://news.ycombinator.com/item?id=9254899](https://news.ycombinator.com/item?id=9254899)

We need to send CAs a strong signal that the trust (and license to print money
that comes along with it) we put into then hinges on them behaving properly.
Making sure that their intermediaries do the same is obviously part of the
deal.

We must make it very clear to CAs that hiding behind intermediaries is not an
acceptable strategy to escape their responsibilities.

------
Panino
Can't think of a better response than this.

I'm only mildly supportive of Certificate Transparency, but would definitely
like it to "have its day in court." Hopefully CNNIC deploys CT and reapplies
to Google for inclusion, but either way it will be interesting. I love it when
things get put to the test.

~~~
dmix
> Hopefully CNNIC deploys CT

What are the odds they'll do this? I'd bet extremely high.

~~~
haosdent
CNNIC is a joke, don't put any hope to them please.

~~~
ttflee
No, it is not a joke. Seriously, it was one of the major manufacturers of
malware (CNNIC中文上网, with rootkit included) in China.

~~~
haosdent
Yes. But don't put hope to CNNIC as don't put hope to China government. They
don't need google accept them because there are a lot companies provide
browsers in China.

------
MichaelGG
From the original part: "MCS Holdings on the basis that MCS would only issue
certificates for domains that they had registered"

I don't understand why this would be allowed. Like, doesn't this break the
entire concept of a CA if the CA will allow third parties to issue certs? I
understand the need for corp MITM but that's best done by pushing out your own
CA. And I understand the desire for a company to have its own self-managed CA
system that's publicly trusted. But that simply cannot require the CA to put
any trust into the other company; there's gotta be technical measures. That's
why I'm confused as to why it matters if an HSM was used or not. Can someone
enlighten me on what's going on?

~~~
anfedorov
It's just an organizational decision. CNNIC is super trustworthy to a lot of
people. It's so many people, in fact, that they can't possibly verify all of
the sites these people want to visit. So instead of burdening CNNIC with
verifying the identity of every single site that wants a cert that their users
will trust, CNNIC will just verify some other CAs as being trustworthy enough
to do the job.

Personally, I think I should trust the hardware or OS manufacturer to pick
exactly who is trustworthy enough to certify websites, since I'm trusting them
that my computer is doing what it looks like it's doing anyway.

~~~
est
> CNNIC is super trustworthy to a lot of people

No, CNNIC is not even trustworthy among Chinese Internet users.

CNNIC invented tons of rootkit adware and spyware. It has a very bad
reputation. Google for 3721 中文网址 if you are interested

Although it claims to be a neutral non-profit organization, it does have
multiple for-profit business lines.

In the past CNNIC belongs to China Academy of Science, but now it's just a
puppet under ruling Party's control[1][2].

[1]:
[http://en.wikipedia.org/wiki/Central_Leading_Group_for_Inter...](http://en.wikipedia.org/wiki/Central_Leading_Group_for_Internet_Security_and_Informatization)

[2]: News in Chinese
[http://tech.gmw.cn/2014-12/27/content_14311910.htm](http://tech.gmw.cn/2014-12/27/content_14311910.htm)

~~~
andreyf
> CNNIC is not even trustworthy among Chinese Internet users.

Oh? Then why did Firefox, Google, Microsoft, Apple, etc. trust their root
certificate? I know hating on China is all the rage, but something isn't
making sense here...

> Google for 3721 中文网址 if you are interested

Just did. Got nothing. Are you referring to [1]? I'm not seeing what that has
to do with CNNIC.

1\.
[https://en.wikipedia.org/wiki/Yahoo!_Assistant](https://en.wikipedia.org/wiki/Yahoo!_Assistant)

~~~
est
> Oh? Then why did Firefox, Google, Microsoft, Apple, etc. trust their root
> certificate?

Mozilla no longer trust CNNIC.

[https://blog.mozilla.org/security/2015/04/02/distrusting-
new...](https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-
certificates/)

~~~
andreyf
Yes, hence my using the past tense. I do not see how "CNNIC is [not
trustworthy]" is compatible with "Firefox, Google, Apple, and Microsoft
trusted their certificates until MCS Holding screwed up some corporate
network's https-interception implementation".

In particular, was there any evidence of any mis-deeds by the CNNIC before
what MCS Holding did? Anything at all aside from "they are a Chinese and that
is bad" FUD? Have they ever issued a certificate used to MITM the
communications of political dissidents, for example?

------
morgante
MCS has a very sloppy response:
[http://www.mcsholding.com/MCSResponse.aspx](http://www.mcsholding.com/MCSResponse.aspx)

~~~
georgemcbay
Sloppy on multiple levels.

The poor English doesn't inspire a lot of confidence in the company. I realize
the company is from an area of the world that is not generally English-
speaking, but geez, to respond to something as serious as this surely you can
run your blog response by at least one native speaker to sanity check it
before posting it.

But worse than that is the story they are seemingly trying to sell is that
this is one random dude's fuckup -- which may very well be true, but that this
could happen as the result of one random dude's fuckup speaks volumes about
lack of much-needed process to deal with this sort of certificate
responsibility.

~~~
rifung
I think the main problem with giving it to someone else to sanity check is
that if your own English isn't good, you'll have a hard time gauging someone
else's English speaking skills.

I wouldn't be surprised if they did give it to someone who they thought spoke
English well.

------
akandiah
Wonder if Mozilla will follow suit:
[https://bugzilla.mozilla.org/show_bug.cgi?id=542689](https://bugzilla.mozilla.org/show_bug.cgi?id=542689)

~~~
bifurcation
The Mozilla root program currently has a similar plan proposed, with a final
decision pending in the next day or so.

[https://groups.google.com/forum/#!topic/mozilla.dev.security...](https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/czwlDNbwHXM)

------
halayli
Why should we trust browser authors with their CA list (google, firefox,
etc...)? PKI should be rethought because in its current form we are relying
heavily on their trust. Sadly to the average user have no clue what's going
on.

~~~
brohee
Read the root certificate inclusion policy of your vendors. In the end it
comes down to how much you trust the vendor to implement the policy faithfully
and whether you agree with the policy itself.

Google [https://www.chromium.org/Home/chromium-security/root-ca-
poli...](https://www.chromium.org/Home/chromium-security/root-ca-policy)

Microsoft
[http://social.technet.microsoft.com/wiki/contents/articles/3...](http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-
to-the-microsoft-root-certificate-program.aspx)

Apple
[http://www.apple.com/certificateauthority/ca_program.html](http://www.apple.com/certificateauthority/ca_program.html)

Mozilla [https://www.mozilla.org/en-
US/about/governance/policies/secu...](https://www.mozilla.org/en-
US/about/governance/policies/security-group/certs/policy/inclusion/)

From a cursory look Ubuntu seems to mirror Mozilla cert store.

~~~
halayli
I understand. But the fact that I need to trust the vendor and the CAs is a
broken concept.

~~~
brohee
Yet it works with way over five nines confidence. Despite all its faults, the
system works decently.

I would myself prefer DANE being used, because it's IMHO sounder technically,
but we'll possibly have the same issue with registrars doing a sloppy job than
we have with CA, so not sure that it would actually be a win...

~~~
talideon
DANE has its own issues though: by itself, even if you're using DNSSEC with it
(as you ought to be), you're essentially shifting trust from CAs to registry
operators, your DNS service provider, and whoever operates the root zone.

------
bsaul
I just had an epiphany , when thinking about what role are those big companies
playing now in our democracy, in the most general sense.

I think what google is doing there is a kind of "fact checking" ( this text on
this page is really coming from this site), which means they're playing the
role of a media counter power (in the sense of judiciary power, political
power, and media). What's funny is that they don't need google news to play
that role. Only a browser and a security policy is enough.

~~~
justaman
Google is the single most important factor in modern democracy as information
is power. Hence "Don't be evil."

------
dredmorbius
Debian, Ubuntu, and derived systems can flag CNNIC )if they've installed the
'ca-certificates' package) as untrusted themselves using /etc/ca-
certificate.conf:

[https://www.reddit.com/r/debian/comments/3167je/blacklisting...](https://www.reddit.com/r/debian/comments/3167je/blacklisting_ca_certs_cnnic_root_revoked_by_google/)

------
tomjen3
We really need to clean up the CAs. Hopefully once the lets encrypt guys gets
to be operational we can nuke the rest, in a similar way to how Chrome is
sunsetting the old encryption standards.

------
istvan__
This is just an alarming sign that the entire SSL business is broken. It was
exploited so many times by western agencies and also by criminals that it
should be clear to everybody that this workflow is broken. This action from
Google is an example of double standards. There are CAs from three letter
friends in some of the tools we are using today so they can silently mitm
attack your SSL traffic. I don't see Google rushing to fix the underlying
problem and just trying to mess with China.

~~~
ilaksh
Re: 3 letter friends CAs, I believe it. Sort of have to do that, given their
operating goal of being able to read everything at will. Its low-hanging
fruit, and the only real reason to continue with such a centralized authority-
based scheme is to support that type of thing.

~~~
istvan__
Well, I would agree with you if this opportunity could not be exploited by
malicious organizations.

------
sanxiyn
This is the right move. It had to escalate compared to ANSSI case, because
back then the claim was "this is the last time".

~~~
yuhong
Yea, they claimed that they were going to take years to comply with the BRs.
They ended up limiting it to French TLDs. It seems that they are finally
phasing out this CA now.

------
chippy
I've no idea about the business of Certificate Authorities. Are they non-
profits (like other Internet infrastructure organisations, data centers etc)
or corporations?

How much, financially, would this action by Google affect the CNNIC CA?

~~~
joopxiv
They are corporations. Their most important asset is trust, which they need to
keep by not signing certificates that can be used for malicious purposes.

The action by Google will definately impact this CA. As soon as this root
certificate is no longer trusted, all Chrome users will see big warnings as
soon as they visit a website that has a SSL certificate that is signed by
them. I don't know the exact market share of Chrome, but I have no doubt it is
large enough to make current customers of CCNIC switch to a different CA.

------
ArchD
What does this mean: "...nor do we believe the misissued certificates were
used outside the limited scope of MCS Holdings’ test network,..."

If the certificates were used only in a test (private?) network, how did
Google find out?

~~~
MichaelGG
I believe Chrome will report back when it finds an improperly issued
certificate.

~~~
ryan-c
[https://scotthelme.co.uk/hpkp-http-public-key-
pinning/](https://scotthelme.co.uk/hpkp-http-public-key-pinning/)

Chrome also preloads HPKP information for many sites.

It's interesting to note that certificates signed by a locally installed CA
(e.g. an org's MitM proxy CA) will be considered acceptable. If MCS had just
made their own private root CA and deployed it to their machines there
wouldn't have been an issue.

~~~
geofft
They weren't even trying to do that, is the saddest part. They were trying to
be a real CA, but they weren't trying to MITM. (It's common practice for new /
young CAs to chain their CA cert off a more established CA.)

They just, for some reason, decided that they wanted to store their cert on a
Palo Alto Networks device that supported MITMing as a feature, and
accidentally turned on MITM mode and plugged someone's laptop into it.

The intended use case of that feature on that device is in fact to hand it a
private intermediate, not a publicly-trusted intermediate.

~~~
0x0
"accidentally".

Playing loose and fast with a CA key and installing it on random devices like
this speaks volumes about their understanding and respect of the world wide CA
system.

------
codezero
Does this mean Chrome on iOS will reject these certs? It's a bit unclear. I
know they have to use the Safari rendering engine but I'm curious if there are
any other internals at play here.

~~~
geofft
I believe iOS lets you specify your own validation callback. (For instance, I
think best practice is for a random app on iOS, that only connects to its own
servers for an API, to manually pin the public key and a backup public key for
the server or at best a handful of CAs, instead of trusting the entire set of
root CAs.) I don't know how extensively Chrome is using that feature.

------
crazychrome
Well done! I hope Google would do the same when related to NSA and other 3
letters agencies.

when was the last time Google made headline of hn for its technology?

------
akhatri_aus
Does anyone have a list of all typical root CAs and where they are issued
from? Are there any other CAs that can be used in rogue ways?

I see a "Hongkong Post Root CA" which I assume can also be used this way?

------
MarkG509
Thanks for the reminder to recheck my certs. I manually wiped CNNIC (among
others) when the news first broke, and with today's Firefox update, I'll check
again.

~~~
Laforet
You can't just "wipe" a Root CA on Windows - you have to explicitly untrust
it.

~~~
yuhong
Open certmgr.msc and put the certificate into the "Untrusted Certificates"
store.

~~~
zaroth
I don't remember deleting it, but also can't find one that seems to be from
CNNIC.

Does anyone keep a list of ones they personally like to mark as Untrusted,
which doesn't break [too many] sites?

~~~
mike_hearn
Windows downloads root certs just in time.

~~~
zaroth
Yes, of course! So now I need to figure out how I can add a thumbprint to a
Untrusted Cert store...

------
gpvos
China versus Google. Let me get the popcorn.

------
est
what about wosign?

~~~
cynix
I've distrusted the CNNIC roots in my browsers but left WoSign alone for now.
Is there any indication that they should also be distrusted?

~~~
blacktulip
When there is a indication, it would be too late.

~~~
yuhong
WoSign is actually a separate commercial CA though as far as I know.

