
CNNIC's response to Google - paradite
http://www1.cnnic.cn/AU/MediaC/Announcement/201504/t20150402_52049.htm
======
bigiain
This is going to be interesting.

My gut feel is that "rogue root CAs" need to have the fear of having their
entire business shut down if they're caught out acting badly, and that CNNIC
is the ideal opportunity for US-centric technology companies to take a stand
without treading on too many profitable toes. If Microsoft and Apple joined in
solidarity and announced they're taking CNNIC out of trusted roots (and, to a
lesser extent, Mozilla), then it will be clear that the threats to CAs'
business/profit have some teeth.

If they let this slide - it'll pretty much be open season for root trusted
MITM certs to anyone with a few kilo or mega bucks to spare. It won't stop
state-level actors from doing state-level bad-stuff(tm), but it might at least
stop them from selling that ability to random big-corps as well.

(And surely the opportunity to stand up to the Chinese Government with broad
internet-community backing, especially in the face of the recent Github DDOS -
the timing is about as perfect as it's ever likely to get, right?)

~~~
nickysielicki
How far away are we from being able to kill this ridiculous system? I'm sick
of trusting a bunch of certs that are deemed acceptable. Forget security
concerns, I'm just appalled that to acceptably do encryption today I need to
pay some company! That's wrong.

Okay, so the question isn't actually "how we're going to kill it". It's going
to die when there's a better alternative. So the question is really, "What can
we do to build a strong web-of-trust system while continuing to use the broken
one?"

I see no reason we can't make some browser plugins, get some activism going in
the tech community, and start building it. Just report back what cert was
served to you.

With that being said, there needs to be a selling point other than building a
better internet, otherwise no one will use this plugin. I think there is one,
though, and that's security. When your browser comes across a cert that
differs, alert the user. You might not get grandma to use it, but it's
something.

There are issues with this. I want to anonymously report what cert a website
serves me, rather than giving anyone curious my entire browsing history. And
also poisoning. But the latter is fixed by using both the existing CA model
and the WoT.

So yes, there are some problems. But c'mon, it's 2015, let's fix this already.

~~~
geofft
> Forget security concerns, I'm just appalled that to acceptably do encryption
> today I need to pay some company! That's wrong.

Well, you don't need to pay anyone to do encryption. You do need to pay
people to do _identity verification_. That's a more-than-pedantic difference,
even though encryption without identity verification is generally meaningless.

First off, you're _already_ paying someone to have a domain name. I sorta
understand the distaste on principle, but I've never really understood, as a
practical matter, why paying $10+/year for a domain name is totally fine, but
paying $5/year on top of that for SSL isn't. (And yes, the race-to-the-bottom
has hit $5, see ssls.com. This isn't even counting StartCom and the future
Let's Encrypt.)

Second, and related to that, what you're paying them for is the human element
in key continuity. If you ever lose your key, you're going to want to be able
to regain a key for the same website that you've already published everywhere,
that everyone already has localStorage for, etc. And be careful about saying
that you don't care: Crypto.cat (which, at this point, definitely knows what
they're doing) managed to lock themselves out from SSL by requesting a
hardcoded public-key pin and then losing all the public keys they'd pinned.
This isn't really a risk that you think is realistic until disaster strikes,
and the last thing you want in the middle of a disaster is to have to rename
your website and convince everyone that they should use the new site.

And the process of maintaining infrastructure to re-provision certificates to
people costs money. It's possible that it could be funded in different ways
(just like, e.g., all of the work that goes into the browsers themselves is
funded in ways that don't involve charging website owners or users). But there
is a thing there that involves humans, there are advantages to it involving
humans, and humans need to be paid.

~~~
shawabawa3
> And yes, the race-to-the-bottom has hit $5, see ssls.com

What's the race to the bottom for wildcard certs though? Looks like $80+/year,
which is frankly completely ridiculous seeing as it's exactly the same amount
of work for the CA.

The whole thing's a racket, we would honestly be better off using self-signed
certs and certificate pinning (perhaps with a global list of cert pins stored
in the browser/a server the browser implicitly trusts)

I mean, we have to trust the browser anyway, might as well make it handle all
the security

~~~
methou
StartSSL has wildcard certs if you buy their service at $50/yr, plus much
other stuff.

~~~
jnky
The $59.90 account only buys you identity verification so that you can get a
cert for your own personal domains. When you want to get certs for a company's
domains, you also have to pay for organisation verification for another
$59.50. In neither case are you allowed to request certificates for domains
owned by other entities, even if you are authorized to do so by the owner
(e.g. as a service provider). See here:
[https://www.startssl.com/policy.pdf](https://www.startssl.com/policy.pdf)

------
mspecter
> "...meanwhile CNNIC sincerely urge that Google would take users' rights and
> interests into full consideration"

And that, ladies and gentlemen, is exactly what they're doing.

~~~
dsl
CNNIC's users' rights and interests are not being taken into consideration.
Make no mistake, they are looking to protect their customers, not you and me.

~~~
jsprogrammer
Right, their users are the ones who purchase certs, not browsers.

~~~
bigiain
I think the argument here goes "CNNIC is a government department in China.
Government departments' 'customers' are rarely the people from whom they take
money or provide services - their actual 'customers' are other more-powerful
government departments, or the current political powerholders."

------
neumino
With great power comes great responsibility. It's not because there was no
misuse of the certificates this time that it didn't happen or would not have
happened.

I personally have removed their certificates from my system. This is the
responsible move to do if you care about your security or don't want your
computers to be used as part of the DDoS like we've seen against GitHub.

~~~
bigiain
Does anyone know if there's a way yet to do this on unjailbroken iOS devices?

This suggests no: [http://apple.stackexchange.com/questions/23720/how-do-i-un-trust-or-remove-blacklisted-root-cas-from-mobile-safari-on-my-iphone](http://apple.stackexchange.com/questions/23720/how-do-i-un-trust-or-remove-blacklisted-root-cas-from-mobile-safari-on-my-iphone)

~~~
ikeboy
It looks like not, but here's a list if it helps:
[http://karl.kornel.us/2014/09/an-analysis-of-the-cas-trusted-by-ios-8-0/](http://karl.kornel.us/2014/09/an-analysis-of-the-cas-trusted-by-ios-8-0/)

------
cskau
Quite the contrast to Google's response:

> We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.

------
DigitalSea
Not really much of a response from CNNIC here. Notice how they spin this
situation as Google taking away the rights of others? Google isn't the bad guy
here, they're doing the reasonable thing and CNNIC have a lot of explaining to
do...

~~~
nnrocks
Very truly said. Gaining security is always in favor of the public and
organizations. Google is an authority, and many people take its statements
seriously rather than others'. And this approach may really take the internet
to the safe side at some point. Nowadays SSL can be found at no price.
Letsencrypt is going to provide it free of cost, and vendors (like ssl.com and
cheapsslshop.com) are selling such certs for a nominal fee of $4 - $5 per
year. In fact, government organizations should shake hands with Google and
motivate people to adopt such security asap.

------
higherpurpose
China's response is kind of funny. But if they have no bad intentions, they
can just implement CT and not have to worry about it. Of course, if you read
between the lines in the last paragraph, you realize that they do have bad
intentions. That last line is quite 1984-ish.

~~~
zenincognito
This will head towards a tit-for-tat thing. Much like the cold war, except this
time it's cyber in nature.

------
nickodell
> 2. For the users that CNNIC has already issued the certificates to, we
> guarantee that your lawful rights and interests will not be affected.

...

Does that mean anything?

~~~
notatoad
It probably means that the CNNIC certs will still be valid in China, as Google
doesn't directly distribute any software there and the Chinese government can
tell the Chinese software vendors to trust its cert regardless of what Google
thinks.

------
ttflee
Interestingly, I cannot get around CNNIC, as I am likely to operate some
services for my employer on Windows Azure in China.

[http://www.cnnic.cn/jczyfw/fwqzs/fwqzsdtgg/201403/t20140312_...](http://www.cnnic.cn/jczyfw/fwqzs/fwqzsdtgg/201403/t20140312_46330.htm)

Microsoft is using CNNIC certs for their Windows Azure services in China
(which, of course, are independent from Azure services in other regions, and
are jointly operated with Chinese partners).

If I marked CNNIC CA as untrustworthy, I would be expecting some alert in my
Dashboard page, I guess.

------
kijin
Who are the people and companies that use CNNIC-issued certificates?

CNNIC is a relatively recent addition to most browsers' lists of trusted CAs.
Moreover, given the popularity of pirated & never-updated Windows XP in China,
it would have been foolish for any serious Chinese business to use an SSL
certificate from any vendor other than globally recognized ones like Comodo
and Verisign.

~~~
tifan
Did you know most Chinese browser vendors will explicitly disable SSL
certificate validity check?

~~~
ncza
Proof please

~~~
pki
360 browser accepts all certs, incl. self-signed. No warnings.

also lol: 'high usage numbers are in large part due to the software being very
difficult to uninstall. Furthermore, whenever a user attempts to install
another browser, a warning pop-up claims that the new browser is unsafe and
should not be run'

------
jtokoph
I find it interesting that visiting the https version of cnnic.cn in Chrome
neither displays a lock icon nor a warning, but the certificate is displayed
as valid: [http://i.imgur.com/fTzxpBh.png](http://i.imgur.com/fTzxpBh.png)

~~~
duskwuff
Related to their use of SHA1 on the certificate:
[http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html](http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html)

~~~
geofft
Yup, this is it. The cnnic.cn end-entity certificate is SHA-1, which would do
it. (I believe there's some sadness involved like Windows XP being excessively
prevalent in China, or something... I vaguely recall a discussion of this on
the cabforum public list, but I can't find it now.)

If you click on the white page icon and go to the "Connection" tab, it'll say
"This site is using outdated security settings," which generally (always, in
current Chrome versions?) means SHA-1.

------
101914
I know a user who runs her own root CA.

She only has one "customer": herself.

Using the OpenSSL binary the cost is free.

She decides which hosts she wants to trust, obtains their certs and signs
them.

She believes she can trust her own CA more than any commercial, third party
CA.
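The setup described in this comment, and the signature-digest check behind the SHA-1 discussion above, as an added example that is not part of the thread: a one-person root CA built with the openssl CLI, which then trusts a leaf signed by that root and rejects a leaf signed by a root it has dropped. It assumes openssl 1.1.1 or newer is on PATH; the CA and host names are constructed for the demo.

```shell
# Added example, not from the thread: a one-person root CA built with the
# openssl CLI. Assumes openssl 1.1.1+ on PATH; all names are constructed.
set -eu
WORK="$(mktemp -d)"
# Minimal req config so results do not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = default
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF

# Self-signed root: the trust anchor the user controls. $1 = CA name.
make_root() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=$1" \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Sign a leaf for a host verified out of band. $1 = CA name, $2 = hostname.
issue_leaf() {
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$2" -newkey rsa:2048 \
    -nodes -sha256 -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" >"$WORK/$2.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.crt" 2>/dev/null
}
# Chain and hostname check against one chosen root; exit 0 means trusted.
verify_against() { # $1 = CA name, $2 = hostname
  openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" \
    "$WORK/$2.crt" >/dev/null 2>&1
}
# Digest used in the leaf's signature (a SHA-1 cert would show sha1... here).
sig_alg() { # $1 = hostname
  openssl x509 -in "$WORK/$1.crt" -noout -text |
    awk '/Signature Algorithm/ { print $3; exit }'
}

make_root personal
make_root removed              # stands in for a root you have stopped trusting
issue_leaf personal bank.example
issue_leaf removed bank-mitm.example
verify_against personal bank.example && echo "bank.example: trusted"
verify_against personal bank-mitm.example || echo "bank-mitm.example: rejected"
echo "bank.example signature: $(sig_alg bank.example)"
```

Dropping a root from the store (here, never adding `removed` to the `-CAfile`) is what makes the second leaf fail, which is the effect the commenters above get by deleting the CNNIC root locally.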

~~~
peteretep
How does she verify the certs she's getting?

~~~
101914
How do the commercial CAs verify customers before issuing certs?

Perhaps she does what they do.

I imagine for example she knows her banker, her lawyer, etc. and can contact
them by phone or meet with them in person.

Maybe she also uses her friends to help her decide who to trust.

She only has to verify a relatively small number of hosts compared to a
commercial CA.

~~~
sharth
Who could you possibly call at say Capital One to verify that a change in
their certificate was intended instead of malicious?

~~~
101914
Your point is understood.

For something like that, I have always thought they should be disseminating
their cert via some other means besides an untrusted computer network (i.e.,
the internet). Or at least give customers another option.

Perhaps making their cert available at branches (e.g., printed on business
cards), mailing it to customers with an expository cover letter, or even
publishing it in a newspaper or some publicly available printed source.

Maybe these printed copies would be OCR-friendly, maybe not. I think two blobs
of text can be compared to each other for differences without using a
computer, and I can think of a few ways to make that easier. In any event,
this does not seem an insurmountable problem by any stretch of the imagination,
at least for me, and in my mind the benefit outweighs the cost.

Not sure about others, but I still get plenty of "official" notifications via
postal mail. And with increasing frequency they relate to computer issues.

This makes me wonder why certs "must" be obtained and verified using (a) an
untrusted computer network (the internet) and (b) why we need the aid of
untrusted third parties, often with obvious conflicts of interest, to decide for
us who else we can trust.

Are these not the two things that "SSL" authentication and encryption is
designed to protect against?

------
codert
CNNIC, you deserve it!

