
China Internet Network Information Center accepted as a Mozilla root CA - jeffreyg
http://lwn.net/Articles/372264/
======
AndrewHampton
To remove it

Firefox: Tools > Options > Advanced > Encryption > View Certificates >
Authorities > find and delete the CNNIC entry

IE: Tools > Internet Options > Content > Publishers > Trusted Root
Certification Authorities > find and delete the CNNIC entry

Chrome: Wrench > Options > Under the Hood > Manage Certificates > Trusted Root
Certification Authorities > find and delete the CNNIC entry

Note, removing it from either Chrome or IE will remove it from both.

[Edit: added instructions for Chrome and IE]

~~~
defen
I followed your deletion instructions on Firefox on OS X, but it keeps coming
back like some sort of zombie totalitarian (Hitler?). Even after restarting
Firefox, if I go back to the dialog, CNNIC is back.

~~~
AndrewHampton
Ha, this caught me off guard too, but even though it's still listed after
restarting Firefox, the permissions have been removed. If you select the cert
and click edit, you can see the permission boxes are no longer checked where
they were before. See <https://bugzilla.mozilla.org/show_bug.cgi?id=173729>
for details.

[Edit: At least this is the case on Windows. File a bug report as sandGorgon
suggested if that's not the case.]

------
sern
<https://bugzilla.mozilla.org/show_bug.cgi?id=542689>: "CNNIC is an evil
organization. Reproducible: Always"

------
cperciva
This is hardly the first SSL certificate authority to be under the thumb of a
nation-state actor, but maybe people will listen this time: Don't trust SSL
unless you can't avoid it.

~~~
mbreese
Although, how many of those are root CAs in Firefox?

I'm more than a little leery about this, but at least if there is a security
breach due to this, it should be traceable, right? I mean, if a CA signs a
faulty certificate, their signature is part of the certificate, so it should
be traceable. So, without any evidence of wrongdoing, how are they any worse
than Verisign? Or any of the cheap SSL certificate providers? It's not like
the CNNIC is going out of business anytime soon.

~~~
cperciva
There will be documentary evidence if a nation-state actor uses a bogus SSL
certificate, yes. Whether anyone will _keep_ said evidence -- do you keep
long-term copies of every SSL certificate you see for www.google.com? -- is a
different matter, especially since a smart attacker (which we presume nation-
state actors are) is likely to be selective in their targets.

~~~
__david__
It would be nice if Firefox kept track of certs and notified you of changes
(like ssh) regardless of them being signed by a CA or not. Especially if
servers made their certs continuous (i.e., signing the new one with the old
one), in which case it would only warn on discontinuous cert changes.

~~~
insulanus
Yes, this tool should be on by default:

<https://addons.mozilla.org/en-US/firefox/addon/6415>

------
mbreese
Does anyone know how many other browsers have the CNNIC as a root CA?

Given the demographic of Firefox users, I think that this could end up being a
huge PR problem for Mozilla.

Edit: After some checking, CNNIC is a root CA in both Windows and Mac, so I
don't think that there was much avoiding this for Firefox.

~~~
sern
Snow Leopard

------
fierarul
So now Google needs to become an SSL CA and at least self-sign certificates for
its own domains.

~~~
pasbesoin
Actually, in paying attention to the certificate chain active in my Gmail
sessions, I've noticed that, since last fall or early winter, they may be moving
in this direction.

------
tarkin2
Could someone please explain how CNNIC could enact a man-in-the-middle attack
with this inclusion?

I am vaguely aware of MITM attacks: that someone sends you their public key
while pretending to be someone else. And this means the data you send is
encrypted in a way that the MITM can see.

However, I'm unsure how CNNIC's inclusion in Firefox's root certificates
facilitates this. Perhaps I'm not the only one?

~~~
tarkin2
On thinking about it a little more, I guess when you visit a site with SSL,
and that site subsequently sends you its public key, which in turn allows you
to send it encrypted data, Firefox will only accept public keys signed
(authorised) by those companies in your root certificate list.

This means if, unknown to you, CNNIC impersonates a domain which uses SSL, and
you visit that domain and assume your SSL connection will be safe from prying
Chinese officials, you're incorrect. Incorrect because Chinese officials could
have created that bogus SSL certificate, and it would be accepted by Firefox
because Firefox now accepts CNNIC as a root authority.

Any confirmation, in case I'm spreading inaccuracies, would be appreciated.

~~~
AndrewHampton
Does anyone know if the Chinese gov't could use information gathered by CNNIC
for issuing the certificate to decrypt traffic it intercepts encrypted by the
public key?

~~~
tarkin2
CNNIC would only ever see the public key, and you can't decrypt encrypted data
using the public key--you must use the private key to decrypt the data,
something CNNIC would not see--so no.

As mentioned, CNNIC's inclusion only allows a man-in-the-middle attack. That
is, CNNIC, i.e. the Chinese government, pretending to be a site they're not,
and using their status as a Firefox-authorised (and other browser-authorised)
root certificate provider to further trick the user into accepting the bogus
SSL certificate as originating from the hijacked domain.

~~~
AndrewHampton
OK, thanks for the explanation.

------
louislouis
Quite a lot of drama involving China in recent weeks. I wonder what's next?
Chinese-made laptops contain trojans? Chinese-made iPhones contain spy chips?
Chinese-made clothes stitched with wiretapping chips?

~~~
megaduck
I hate sounding paranoid, but all of these things are possible. Given the
tight relationship between Chinese companies and the Chinese government, such
shenanigans would be trivially easy.

For anyone looking to do manufacturing in China, this is something to
consider.

------
wmf
Has anyone proposed limits on what certs could be issued by root CAs? e.g.
What if Firefox only accepted CNNIC certs for .cn names?

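What wmf proposes here (and what tarkin2's explanation above shows is missing: any trusted root can vouch for any hostname) is essentially X.509 name constraints, RFC 5280 section 4.2.1.10, applied by the trust store to each root. The following is an added illustration, not code from Firefox or from any poster; the root names, the ".cn"-only rule for CNNIC and the other constrained roots are constructed for the example, and the dNSName matching follows the RFC's label-boundary rule.

```python
"""Per-root name constraints on a trust store (constructed example).

Models the policy "only accept certificates chaining to root X for names
inside X's permitted DNS subtrees", using the dNSName matching rule of
RFC 5280 section 4.2.1.10: a subtree 'example.com' covers 'example.com'
and any name with extra labels on the left, but not 'myexample.com'.
"""
from dataclasses import dataclass


@dataclass
class Root:
    name: str
    permitted: tuple = ()  # dNSName subtrees the root may vouch for; () = any
    excluded: tuple = ()   # dNSName subtrees the root may never vouch for


def dns_in_subtree(hostname: str, subtree: str) -> bool:
    """True if hostname equals subtree or is a sub-label of it."""
    host = hostname.lower().rstrip(".")
    sub = subtree.lower().strip(".")  # tolerate a leading '.' in constraints
    return host == sub or host.endswith("." + sub)


def root_may_vouch_for(root: Root, hostname: str) -> bool:
    """Excluded subtrees win; then the name must fall in a permitted subtree."""
    if any(dns_in_subtree(hostname, s) for s in root.excluded):
        return False
    if not root.permitted:
        return True
    return any(dns_in_subtree(hostname, s) for s in root.permitted)


# Constructed trust store (assumption: roots keyed by a label, whereas a real
# store keys on the root's subject and public key).
TRUST_STORE = {
    "ExampleUnconstrainedRoot": Root("ExampleUnconstrainedRoot"),
    "CNNIC": Root("CNNIC", permitted=("cn",)),
    "ExampleConstrainedRoot": Root("ExampleConstrainedRoot",
                                   permitted=("example.net",),
                                   excluded=("internal.example.net",)),
}


def accept_chain(root_name: str, hostname: str) -> str:
    """Decision a constrained trust store makes for a chain ending in root_name."""
    root = TRUST_STORE.get(root_name)
    if root is None:
        return "reject: root not trusted"
    if not root_may_vouch_for(root, hostname):
        return f"reject: {root.name} is not permitted to vouch for {hostname}"
    return "accept"
```

With the .cn-only rule, a CNNIC-rooted chain for www.google.com is rejected while one for a .cn hostname is accepted, which is the narrowing wmf asks about; the unconstrained root shows the default behaviour tarkin2 describes.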
------
barrkel
One of the problems with CAs and chains of trust is that the decision is
binary; if you want a more nuanced view of the trust one should have in a
connection, the best you can do is examine the signing chain manually, through
the nested dialogs.

~~~
pasbesoin
This is part of my set of gripes, that the chain is buried. Put it up front.
Even "clueless" users will be somewhat likely to notice when it changes,
especially if the popular media nudge them in this direction.

Mathematics aside, the basic concepts are not that difficult (e.g. chain of
trust). Let the users know what's behind the padlock icon; they'll pick it up.

(Oh, and stop making https calls from http pages that ask for security
information. The paradigm of "look for https in the address bar" and "the
closed padlock icon" was a good start. Then everyone went and started breaking
it.)

------
briansmith
Mozilla is so idealistic about the H.264 video codec but couldn't care less
about something like this that actually has serious consequences for end-
users.

