If CNNIC is complicit in a MITM attack there will be a paper trail (namely a certificate signed by them) proving their involvement. To this day nobody has produced a cert signed by CNNIC that was used for a MITM attack. There's no reason to believe that CNNIC is bad/evil/whatever other than their affiliation with the PRC.
Disclosure: I work for Mozilla, but not on security.
Thanks for the reply. Glad to see some guy from Mozilla here!
You are right there's no reason to believe that CNNIC has to be bad/evil/whatever, but we cannot assume CNNIC would never be bad/evil either. We have to look at its history, and what's behind it.
When something turns bad, it won't throw out an announcement beforehand. And we need something that can handle this in time.
I'm thinking about something like this: in addition to the trusted root server list, keep another list, e.g., less trusted root servers; besides the normal update program, put a special piece of code in the browser that allows the Firefox team to delete certain root servers from the less trusted root servers on the air. By "on the air", I mean not needing a full version update, or restarting the browser. It can warn the user, but it should not be possible to cancel the deletion.
That's something that we've considered doing. I'm not sure what the current state is. I suspect there's a bug somewhere on bugzilla.mozilla.org for implementing a cert blocklist that does not require a full update.
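The two-tier trust store plus out-of-band blocklist proposed above, and the "paper trail" point from the first comment, can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from Mozilla: it keeps a trusted root list, a separate less-trusted root list, and a blocklist that can be applied at runtime without restarting the client, and it logs which root anchored every verdict so that a misissued certificate leaves evidence. The certificates are simplified constructed records (subject, issuer, stand-in key bytes), not real X.509, and no signatures are checked; only the list logic is shown.

```python
# Added example (not from the thread): a toy trust store with a trusted root
# list, a "less trusted" root list, and a runtime-updatable blocklist.
# Cert records and fingerprints are constructed stand-ins for real X.509 data.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # equals subject for a self-signed root
    spki: bytes   # stand-in for public-key material (constructed bytes)

    @property
    def fingerprint(self) -> str:
        # A real blocklist keys on the SHA-256 of the DER certificate; here we
        # hash the stable fields of the toy record instead.
        data = self.subject.encode() + b"|" + self.issuer.encode() + b"|" + self.spki
        return hashlib.sha256(data).hexdigest()


TRUSTED, LESS_TRUSTED, BLOCKED, UNTRUSTED = "trusted", "less-trusted", "blocked", "untrusted"


class TrustStore:
    def __init__(self, trusted, less_trusted):
        self.trusted = {c.fingerprint: c for c in trusted}
        self.less_trusted = {c.fingerprint: c for c in less_trusted}
        self.blocklist = set()
        self.audit_log = []  # the paper trail: which root anchored each verdict

    def apply_blocklist_update(self, fingerprints):
        """Runtime update (no restart, no full release): block roots by
        fingerprint. The user is told about the removal but cannot undo it."""
        for fp in fingerprints:
            self.blocklist.add(fp)
            removed = self.less_trusted.pop(fp, None)
            if removed is not None:
                self.audit_log.append(f"WARN root removed: {removed.subject} ({fp[:16]})")

    def evaluate_chain(self, chain):
        """chain[0] is the leaf, chain[-1] the self-signed root.
        Returns (verdict, fingerprint of the anchoring root or None)."""
        # Each certificate must name the next one in the chain as its issuer.
        # (A real validator also verifies each signature; omitted in this toy.)
        for child, parent in zip(chain, chain[1:]):
            if child.issuer != parent.subject:
                return UNTRUSTED, None
        root = chain[-1]
        if root.issuer != root.subject:
            return UNTRUSTED, None
        fp = root.fingerprint
        if fp in self.blocklist:          # blocklist wins over every list
            verdict = BLOCKED
        elif fp in self.trusted:
            verdict = TRUSTED
        elif fp in self.less_trusted:     # accepted, but flagged for the UI
            verdict = LESS_TRUSTED
        else:
            verdict = UNTRUSTED
        self.audit_log.append(
            f"{verdict}: {chain[0].subject} anchored by {root.subject} ({fp[:16]})")
        return verdict, fp


def demo():
    """Constructed scenario: a site chains to a less-trusted root; the root is
    then blocked on the air and the same chain is re-evaluated."""
    root_a = Cert("Root A", "Root A", b"\x01")
    root_b = Cert("Root B", "Root B", b"\x02")
    store = TrustStore(trusted=[root_a], less_trusted=[root_b])
    site_via_b = [Cert("example.test", "Root B", b"\x03"), root_b]
    before = store.evaluate_chain(site_via_b)[0]
    store.apply_blocklist_update([root_b.fingerprint])
    after = store.evaluate_chain(site_via_b)[0]
    return before, after, store.audit_log


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The audit log is the point of the first comment: whatever verdict the client reaches, it records which root anchored the chain, so a certificate used for interception can be traced back to the CA that signed it.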
Having been in the internet industry in China for more than 10 years before I decided to move to the US, I would say CNNIC is just as evil as any government organization in China, if not worse. There are some well-known rules regarding CNNIC: don't buy a .cn domain, don't install any software from them, and don't trust what they say.
BTW non government organizations are technically banned in China. You need to apply for a permit and you seldom get one.