
Mozilla Debates Whether to Trust Chinese CA - mbrubeck
http://www.freedom-to-tinker.com/blog/felten/mozilla-debates-whether-trust-chinese-ca
======
raganwald
I certainly don't trust any CA that has even the _appearance_ of being tied to
the Chinese government.

~~~
mbreese
That CA is already included with Windows and Mac OSX. When you look at the
list, it's quite impressive exactly how many root CA's are actually trusted.
For example, the DOD is also trusted...

For what it's worth, it's not in the default ubuntu list, but you are using
Firefox, it's in there...

~~~
illumin8
Seriously, wtf? DoD managed to get a root CA in our browsers? Surely this
should not be allowed by any sane corporation, and especially the Mozilla
Foundation.

~~~
kijuhygfh
You would prefer that .mil sites were secured by Versign?

~~~
illumin8
.mil can and should create their own Certificate Authority and install their
own root cert on .mil computers. Just don't install their root cert on mine.
I'm going to be checking mine now and removing DoD from there.

If any other government's military got a root cert installed, you better
believe we'd be hearing about it.

------
andrewcooke
is there any kind of technical solution that would help flag abuse?

for example, something like the way ssh records and flags keys, so that you
are warned if the certificate you have received, while validated, has changed
from what you had received previously?

there would be false positives on expiry, but perhaps they could be flagged as
such anyway.

would this help, or am i missing something? obviously it's only going to work
if interception is the exception rather than the rule. and it only addresses
eavesdropping - it doesn't do anything to stop china implementing some kind of
firewall that refuses ssh connections for non-local certs, for example.

~~~
wmf
<http://www.cs.cmu.edu/~perspectives/> should detect and warn about SSL MITMs.

~~~
andrewcooke
cute - same idea but replaces knowledge over time with knowledge over network
paths. requires a lot more infrastructure, but removes the "first visit"
vulnerability.

------
baguasquirrel
That begs the question... if there is a CA on there I _do not_ trust, how do I
remove it? In Chrome I'm having trouble _finding_ the list of root CAs.

~~~
agl
Chrome uses the system certificate store. On Windows, that means it's the same
one as IE, so you can probably Google for instructions. I'm not familiar with
Mac. On Linux, it uses the system NSS library. NSS is built with a set of root
CAs so you would have to see what your distribution chose to include.

~~~
tlrobinson
OS X has "keychain" which can be viewed and modified from the Keychain Access
app.

------
coderdude
>>To see why this is worrisome, [...] giving the Chinese government free run
of the citizen's email archive.

It sounds a bit silly when you put it into words and read it.

~~~
fragmede
My sarcasm meter might be broken, but in case you aren't: Yahoo 'helped jail
China writer' (<http://news.bbc.co.uk/2/hi/4221538.stm>)

