Even though this is mostly a technical forum, Mozilla might have an opinion in this respect. Kathleen, could you please follow up at the appropriate channels regarding the claims made, as it might affect the Mozilla CA policy sections 4 and 6, maybe also others.
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect the
> Mozilla CA policy sections 4 and 6, maybe also others.
Unfortunately this is some disturbing evidence regarding some of the claims:
> > Even though this is mostly a technical forum, Mozilla might have an
> > opinion in this respect. Kathleen, could you please follow up at the
> > appropriate channels regarding the claims made as it might affect the
> > Mozilla CA policy sections 4 and 6, maybe also others.
> Unfortunately this is some disturbing evidence regarding some of the claims:
Chinese users have started removing CNNIC from their root certificates now. Please see here: https://twitter.com/search?q=CNNIC . This is really a SECURITY issue. It's for Mozilla's policy #4, #6, #7, #10.
I know what Liu Yan cares about. You can expect instructions to remove CNNIC to be blocked or removed in China very soon.
> On 01/27/2010 04:14 PM, Eddy Nigg:
>> I was made aware of some controversial issues regarding the inclusion
>> of the CNNIC Root. Please see comments
>> https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item
>> thereafter.
>> Even though this is mostly a technical forum,
It is?
I've seen MANY rants in past years from people who got infected by signed malware. They were under the mistaken impression that signed software is software that has been certified by the CA to be virus-free. Of course, as we know, that's not what a code signing cert means at all. It merely provides trustworthy identification of the source of the software, and does not attest to the quality of the software.
I've also seen a lot of confusion in the past over who is the source of signed software. A lot of people assume that the certificate issuer, rather than the certificate subject, is the source of the signed software.
Now, we come to the immediate cases to which Eddy provided links:
I cannot determine, from the information presented on those pages, if CNNIC was itself the source (the signer) of the signed software, or was merely the issuer of certificates that were used by other subjects to sign malware. The middle of those 3 links says that CNNIC had links to another site, tech.sina.com.cn, which on its face seems to be another organization. This doesn't seem inconsistent with CNNIC's role as a CA.
I think we need to be very careful to avoid getting caught in the trap of thinking of certificates as attestations of morality or competence, and thinking of CAs as judges of morality or competence. If we allow the role of CAs to become defined as being those judges, they will CERTAINLY FAIL. So, let's define their role as doing something at which they can succeed, namely attesting to binding of keys to vetted identities.
Technical in the sense of policies and CA practices. It's not a political forum...
> I've seen MANY rants in past years from people who got infected by signed
> malware. They were under the mistaken impression that signed software is
> software that has been certified by the CA to be virus-free. Of course,
> as we know, that's not what a code signing cert means at all. It merely
> provides trustworthy identification of the source of the software, and
> does not attest to the quality of the software.
Sure, I think that the issues mentioned are a bit broader and haven't much to do with code signing certificates per se. Distribution of malware usually starts at a web site, and this is what the links below say.
> I cannot determine, from the information presented on those pages, if CNNIC
> was itself the source (the signer) of the signed software,
I have not seen anything anywhere about signed software; this is your (wrong) assumption.
> I think we need to be very careful to avoid getting caught in the trap of
> thinking of certificates as attestations of morality or competence, and
> thinking of CAs as judges of morality or competence. If we allow the role
> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> So, let's define their role as doing something at which they can succeed,
> namely attesting to binding of keys to vetted identities.
That's why I requested to have this handled at the proper channels. Though I think a discussion, especially by the affected parties, might be interesting to have in order to understand more about it. And obviously there might be members willing to voice their opinion on what should be done...
> >>> Even though this is mostly a technical forum,

> > It is?

> Technical in the sense of policies and CA practices. It's not a
> political forum...

> > I've seen MANY rants in past years from people who got infected by signed
> > malware. They were under the mistaken impression that signed software is
> > software that has been certified by the CA to be virus-free. Of course,
> > as we know, that's not what a code signing cert means at all. It merely
> > provides trustworthy identification of the source of the software, and
> > does not attest to the quality of the software.

> Sure, I think that the issues mentioned are a bit broader and haven't
> much to do with code signing certificates per se. Distribution of
> malware usually starts at a web site, and this is what the links below say.

> > I cannot determine, from the information presented on those pages, if CNNIC
> > was itself the source (the signer) of the signed software,

> I have not seen anything anywhere about signed software; this is your (wrong)
> assumption.

> > I think we need to be very careful to avoid getting caught in the trap of
> > thinking of certificates as attestations of morality or competence, and
> > thinking of CAs as judges of morality or competence. If we allow the role
> > of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> > So, let's define their role as doing something at which they can succeed,
> > namely attesting to binding of keys to vetted identities.

> That's why I requested to have this handled at the proper channels.
> Though I think a discussion, especially by the affected parties, might be
> interesting to have in order to understand more about it. And obviously
> there might be members willing to voice their opinion on what should be done...
If we include this cert, the PRC government can hijack any SSL session WITHOUT any warning to the user. The PRC government always monitors the online activities of Chinese pro-democracy people. You know what's happening with Google.
We need to protect the user whether this is political or not.
> I've also seen a lot of confusion in the past over who is the source of
> signed software. A lot of people assume that the certificate issuer,
> rather than the certificate subject, is the source of the signed software.

> Now, we come to the immediate cases to which Eddy provided links:

> I cannot determine, from the information presented on those pages, if CNNIC
> was itself the source (the signer) of the signed software, or was merely the
> issuer of certificates that were used by other subjects to sign malware.
> The middle of those 3 links says that CNNIC had links to another site,
> tech.sina.com.cn, which on its face seems to be another organization.
> This doesn't seem inconsistent with CNNIC's role as a CA.

> I think we need to be very careful to avoid getting caught in the trap of
> thinking of certificates as attestations of morality or competence, and
> thinking of CAs as judges of morality or competence. If we allow the role
> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> So, let's define their role as doing something at which they can succeed,
> namely attesting to binding of keys to vetted identities.
I agree with Eddy. We are not talking about who signed this software.
I am a Chinese internet user. CNNIC has produced a piece of software called CNNIC_Zhong_Wen_Shang_Wang which is well-known malware in China. Besides, I remember that this software was signed by VeriSign (this needs confirming), because CNNIC was not a trusted root CA at that time.
This software is usually installed by user mistake. Once installed, pop-up windows, ads, a forced IE homepage, etc. all appear. And it's very difficult to uninstall.
I don't know whether the current version of this software is still malware. But you can also find some information from Google by searching "cnnic malware" (without quotes), or you can ask some Chinese people around you to search "CNNIC 中文上网" ( http://www.google.com/search?hl=en&source=hp&q=CNNIC+%E4%B8%AD%E6%96%... ). Almost all results are related to "How can I uninstall the d*mn CNNIC_Zhong_Wen_Shang_Wang".
I don't know whether this certificate will be used for phishing SSL sessions in future. But I think the worries are reasonable, because of the internet censorship in China and the GFW project. Given this organization's past behavior, I personally distrust this certificate.
> On Jan 28, 1:11 am, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
> wrote:

> > On 2010-01-27 06:18 PST, Eddy Nigg wrote:

> > I've also seen a lot of confusion in the past over who is the source of
> > signed software. A lot of people assume that the certificate issuer,
> > rather than the certificate subject, is the source of the signed software.

> > Now, we come to the immediate cases to which Eddy provided links:

> > I cannot determine, from the information presented on those pages, if CNNIC
> > was itself the source (the signer) of the signed software, or was merely the
> > issuer of certificates that were used by other subjects to sign malware.
> > The middle of those 3 links says that CNNIC had links to another site,
> > tech.sina.com.cn, which on its face seems to be another organization.
> > This doesn't seem inconsistent with CNNIC's role as a CA.

> > I think we need to be very careful to avoid getting caught in the trap of
> > thinking of certificates as attestations of morality or competence, and
> > thinking of CAs as judges of morality or competence. If we allow the role
> > of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> > So, let's define their role as doing something at which they can succeed,
> > namely attesting to binding of keys to vetted identities.

> I agree with Eddy. We are not talking about who signed this software.

> I am a Chinese internet user. CNNIC has produced a piece of software called
> CNNIC_Zhong_Wen_Shang_Wang which is well-known malware in
> China. Besides, I remember that this software was signed by VeriSign
> (this needs confirming), because CNNIC was not a trusted root CA at that time.

> This software is usually installed by user mistake. Once
> installed, pop-up windows, ads, a forced IE homepage, etc. all
> appear. And it's very difficult to uninstall.

> I don't know whether the current version of this software is still
> malware. But you can also find some information from Google by
> searching "cnnic malware" (without quotes), or you can ask some
> Chinese people around you to search "CNNIC 中文上网" (http://www.google.com/search?hl=en&source=hp&q=CNNIC+%E4%B8%AD%E6%96%...
> ). Almost all results are related to "How can I uninstall the d*mn
> CNNIC_Zhong_Wen_Shang_Wang".

> I don't know whether this certificate will be used for phishing SSL
> sessions in future. But I think the worries are reasonable, because of
> the internet censorship in China and the GFW project.
> Given this organization's past behavior, I personally distrust this
> certificate.
CAs issue certificates to bring people trust; how can people trust websites whose certificates are signed by a non-trusted CA issuer? Some say it's about politics, and yes, it can and eventually will be used by the government for censorship. CNNIC is directly controlled by the PRC government; it makes no sense that CNNIC can issue with justice.
What can be a nightmare is one day I figure out that Gmail's certificate is issued by CNNIC and my browser trusts it. THAT SHOULD NEVER EVER HAPPEN.
So please check out what people are saying about CNNIC on Twitter. An untrusted organization should never be trusted by browsers.
> On 01/27/2010 07:11 PM, Nelson Bolyard:
>> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
> I think that the issues mentioned are a bit broader and haven't
> much to do with code signing certificates per se. Distribution of
> malware usually starts at a web site, and this is what the links below say.
>>> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client...

>> I cannot determine, from the information presented on those pages, if CNNIC
>> was itself the source (the signer) of the signed software,

> I have not seen anything anywhere about signed software; this is your (wrong)
> assumption.
Well, if that's the case, then the protests being lodged against CNNIC as an issuer of SSL server certs are all the more absurd. The issuance of an SSL server cert doesn't attest to the morality or competence of the business dealings of the operator of the SSL server. It only attests to the pairing or "binding" of the certified name to the certified public key.
>> I think we need to be very careful to avoid getting caught in the trap of
>> thinking of certificates as attestations of morality or competence, and
>> thinking of CAs as judges of morality or competence. If we allow the role
>> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
>> So, let's define their role as doing something at which they can succeed,
>> namely attesting to binding of keys to vetted identities.

> That's why I requested to have this handled at the proper channels.
> Though I think a discussion, especially by the affected parties, might be
> interesting to have in order to understand more about it. And obviously
> there might be members willing to voice their opinion on what should be done...
But my point is that any arguments that are based on the presence of malware are irrelevant and should not be considered in whether or not the CA acted properly as a CA. If the CA's cert properly indicated the name of the party who should be held responsible for the malware, then IMO the CA did its job admirably and should not be punished for the job it did as a CA.
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect the
> Mozilla CA policy sections 4 and 6, maybe also others.

> Well, if that's the case, then the protests being lodged against CNNIC as
> an issuer of SSL server certs are all the more absurd.
Nelson, before commenting I suggest reading the concerns which were raised in the comments posted at the bugs in order to understand what they are. Those are starting from:
> But my point is that any arguments that are based on the presence of malware
> are irrelevant and should not be considered in whether or not
> the CA acted properly as a CA.
This is not the issue, but it was provided by the concerned parties as part of their "evidence" to confirm those concerns. The claims are raised in the bug entries and at other places such as twitter and I believe Mozilla and the community should at least listen to them and consider if and how they are relevant regarding the root inclusion here. Apparently there might be issues with the inclusion of this CA root which we haven't considered here (because nobody raised any concern at that time).
If the claims are correct, then this might be a serious cause for concern which might affect Mozilla policy requirements directly. However, I asked Kathleen to find the appropriate channels regarding these claims because it's not something we've ever dealt with here.
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect the
> Mozilla CA policy sections 4 and 6, maybe also others.

NOnelsonS...@nobolyardspam.me> wrote:
> On 2010-01-27 09:28 PST, Eddy Nigg wrote:
> > On 01/27/2010 07:11 PM, Nelson Bolyard:
> >> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
> > I think that the issues mentioned are a bit broader and haven't
> > much to do with code signing certificates per se. Distribution of
> > malware usually starts at a web site, and this is what the links below say.

> >> I cannot determine, from the information presented on those pages, if CNNIC
> >> was itself the source (the signer) of the signed software,

> > I have not seen anything anywhere about signed software; this is your (wrong)
> > assumption.

> Well, if that's the case, then the protests being lodged against CNNIC as
> an issuer of SSL server certs are all the more absurd. The issuance of
> an SSL server cert doesn't attest to the morality or competence of the
> business dealings of the operator of the SSL server. It only attests
> to the pairing or "binding" of the certified name to the certified public
> key.
It is also very absurd to directly build such a notoriously hated certificate into widely accepted open-source software in the PRC; almost everyone is looking for a method to remove it after becoming aware of the bulletin, either because of the potential SSL hijack or out of consistent disgust with CNNIC, and it's so simple to prove that with a protest poll or something similar.
> >> I think we need to be very careful to avoid getting caught in the trap of
> >> thinking of certificates as attestations of morality or competence, and
> >> thinking of CAs as judges of morality or competence. If we allow the role
> >> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> >> So, let's define their role as doing something at which they can succeed,
> >> namely attesting to binding of keys to vetted identities.

> > That's why I requested to have this handled at the proper channels.
> > Though I think a discussion, especially by the affected parties, might be
> > interesting to have in order to understand more about it. And obviously
> > there might be members willing to voice their opinion on what should be done...

> But my point is that any arguments that are based on the presence of malware
> are irrelevant and should not be considered in whether or not
> the CA acted properly as a CA. If the CA's cert properly indicated the
> name of the party who should be held responsible for the malware, then
> IMO the CA did its job admirably and should not be punished for the job
> it did as a CA.

> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect
> the Mozilla CA policy sections 4 and 6, maybe also others.
So, I have a couple reactions here:
1) We have never claimed as a matter of policy that our PKI decisions can protect people from malicious governments. It's just not a plausible promise for us to make.
2) I think, regardless of government ties, we'd carefully review and might well yank trust for any CA that was complicit in MitM attacks.
3) CNNIC complied with our root addition policy, they are in the product presently, so this isn't a question of approval, this is a question of whether we should review.
It feels to me like that makes our next step clear, here. It won't help to tally up the complainants (there will be many), and it won't help to demand assurances from CNNIC (since the alleged governmental pressure would trump those anyhow). It certainly won't help to cite wikipedia.
If there's truth to the allegation, here, then it should be possible to produce a cert. It should be possible to produce a certificate, signed by CNNIC, which impersonates a site known to have some other issuer. A live MitM attack, a paypal cert issued by CNNIC for example. If anyone in a position to produce such a thing needs help understanding the mechanics of doing so, I'm sure this forum will help them.
SSL makes tampering visible to its victims. The certificate has to actually make it to my client before I can decide to trust it. By all means, let's arm people with the knowledge to detect and record such instances. But I don't see any clear step we can take until then.
Does that seem dismissive? I really hope not. I really don't want us to trust CAs that we can't actually trust, but I don't want our root program choosing favourites in political debates either.
J
---
Johnathan Nightingale
Human Shield
john...@mozilla.com
As a Chinese citizen, let me elaborate two reasons why I do not trust CNNIC Root.
1. CNNIC does evil. Because CNNIC did much evil before, including spreading the malware mentioned above.
It is apparently pointless to trust CNNIC.
2. CNNIC cannot do their job well. A few weeks ago, CNNIC announced that the .cn suffix (which is under the administration of CNNIC) is no longer available to individuals. Soon after, CNNIC saw a sharp decrease in .cn domain names, and had to revoke the preposterous decision.
CNNIC so easily screwed up its primary duty; it might fail in other duties.
So it's a Root CA with an incompetent and (potentially) wicked organization named CNNIC behind. Why would we Chinese bother to believe in it?
There are no political points above, right? It's all about common sense/feelings. I did not read the Mozilla CA policies; however, if they conflict with what I addressed, I would suggest that those policies be reviewed.
> As a Chinese citizen, let me elaborate two reasons why I do not trust
> CNNIC Root.

> 1. CNNIC does evil.
> Because CNNIC did much evil before, including spreading the malware
> mentioned above.

> It is apparently pointless to trust CNNIC.

> 2. CNNIC cannot do their job well.
> A few weeks ago, CNNIC announced that the .cn suffix (which is under
> the administration of CNNIC) is no longer available to individuals.
> Soon after, CNNIC saw a sharp decrease in .cn domain names, and
> had to revoke the preposterous decision.

> CNNIC so easily screwed up its primary duty; it might fail in other
> duties.

> So it's a Root CA with an incompetent and (potentially) wicked
> organization named CNNIC behind.
> Why would we Chinese bother to believe in it?

> There are no political points above, right? It's all about common sense/
> feelings.
> I did not read the Mozilla CA policies; however, if they conflict with what
> I addressed, I would suggest that those policies be reviewed.
As you may all know, I, like anyone in mainland China, use a proxy network, probably "travelling around the world" to get around the GFW, to finally get here to the mailing list. So I think the Firefox people should understand how painful it is for us to live in the shadow of the GFW, and why people are so upset about CNNIC's root cert getting trusted.
I'm not sure whether it is a smart move to get involved in political debates, as Johnathan said. But I'm sure getting rid of CNNIC's cert from the trust list is the right thing to do. Millions of Chinese Firefox users will thank Firefox for its justice. Google stood out, I thank them! We thank them! We think they are great! If Firefox can remove CNNIC from the trust list, we will thank you too!
Is there anyone who agree with me? Come on, give me some love.
On second thought, I found that even if Firefox didn't add the CNNIC root certificate as a built-in object, CNNIC could still issue a false gmail.com certificate signed by its CNNIC SSL secondary CA certificate, which is signed by the Entrust.net root CA. The browser will still accept the forged gmail.com certificate without any warning.
So the inclusion of CNNIC Root CA certificate in Firefox is almost equivalent to the endorsement by Entrust.net to sign the CNNIC SSL secondary CA certificate, which CNNIC already acquired years ago.
Thus, it is in fact a serious security design flaw in the way that the browser handles SSL certificates in the usage scenario. I suggest the following measures be taken:
1. Display a clear warning message on certificate change, which is possibly the result of a MITM attack with a forged certificate. Firefox should include the addon Certificate Patrol [1] as a built-in module.
2. Eye-catching display of the certificate signing path for HTTPS connections, e.g. in the address bar or a floating warning bar like that of an addon installation. Because general non-expert users don't even know how to check the certificate signing path.
It's a big problem; as you can see, the PR China government is actively involved in cyber attacks against its citizens. Their secret agents used trojan-horse attacks to intrude into Gmail and Google services successfully [2]. They have a clear intention to intercept, snoop on or spoof SSL connections. There have been successful MITM attack experiments done on the Internet and the Tor network, by forging a certificate which general public users won't notice at all because the browser silently accepts it.
It's a real threat to the trust model of PKI. We should have prompt countermeasures and actions.
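The cross-signing point made above is easy to check mechanically, so here is an added example written for this edit; it is not code from the thread, from Mozilla or from any CA. It uses Go's crypto/x509 path validation on a throwaway hierarchy with the shape the post describes: two self-signed roots named "Entrust Root (constructed)" and "CNNIC Root (constructed)", one intermediate key that both roots certify (the cross-signed "CNNIC SSL (constructed)"), and a server certificate for the made-up name mail.example.com. Every key and name is generated on the spot and is an assumption for illustration, not a real certificate. The run validates the leaf three times: with both roots trusted, with the CNNIC root removed from the store (the leaf still validates through the Entrust-signed copy of the intermediate, which is the problem the post identifies), and with the intermediate's public key placed on a distrust list keyed by SPKI hash, which is the step that actually closes the path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

const Host = "mail.example.com" // constructed server name for the example, not a real site
// PKI: two roots, one intermediate key certified by both of them (cross-signed), one server cert under it.
type PKI struct{ EntrustRoot, CNNICRoot, IntViaCNNIC, IntViaEntrust, Leaf *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failure in a constructed example; nothing to recover
	}
	return v
}

// issue certifies subj's public key under parentKey (parent == nil: self-signed). Go derives
// SubjectKeyId from the key for CA templates, so both intermediate copies share it and match the leaf's AuthorityKeyId.
func issue(serial int64, cn string, isCA bool, subj *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &subj.PublicKey, parentKey))))
}

// BuildPKI generates fresh keys and the five certificates (names made up for this example);
// the two intermediate certificates share subject and key and differ only in issuer.
func BuildPKI() *PKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	entrustKey, cnnicKey, intKey, leafKey := newKey(), newKey(), newKey(), newKey()
	p := &PKI{}
	p.EntrustRoot = issue(1, "Entrust Root (constructed)", true, entrustKey, nil, entrustKey)
	p.CNNICRoot = issue(2, "CNNIC Root (constructed)", true, cnnicKey, nil, cnnicKey)
	p.IntViaCNNIC = issue(3, "CNNIC SSL (constructed)", true, intKey, p.CNNICRoot, cnnicKey)
	p.IntViaEntrust = issue(4, "CNNIC SSL (constructed)", true, intKey, p.EntrustRoot, entrustKey)
	p.Leaf = issue(5, Host, false, leafKey, p.IntViaCNNIC, intKey)
	return p
}

// SPKIHash names a key rather than a certificate, so one entry covers every cross-signed copy of a CA key.
func SPKIHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Validate builds every chain from the leaf to one of roots through the intermediates the client has
// seen, then (the added step) drops chains through a distrusted key; it returns each surviving chain's root.
func Validate(p *PKI, roots []*x509.Certificate, distrusted map[string]bool) ([]string, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	interPool.AddCert(p.IntViaCNNIC)
	interPool.AddCert(p.IntViaEntrust)
	chains, err := p.Leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: Host})
	if err != nil {
		return nil, err
	}
	var anchors []string
next:
	for _, ch := range chains {
		for _, c := range ch {
			if distrusted[SPKIHash(c)] {
				continue next
			}
		}
		anchors = append(anchors, ch[len(ch)-1].Subject.CommonName)
	}
	if len(anchors) == 0 {
		return nil, fmt.Errorf("all %d chains pass through a distrusted key", len(chains))
	}
	return anchors, nil
}

func main() {
	p := BuildPKI()
	fmt.Println(Validate(p, []*x509.Certificate{p.EntrustRoot, p.CNNICRoot}, nil))
	fmt.Println(Validate(p, []*x509.Certificate{p.EntrustRoot}, nil)) // still accepted via the Entrust-signed copy
	fmt.Println(Validate(p, []*x509.Certificate{p.EntrustRoot}, map[string]bool{SPKIHash(p.IntViaCNNIC): true}))
}
```

Run it with go run: the first two calls report the root(s) that anchored an accepted chain, the third reports an error. The practical lesson for anyone removing CNNIC from their own store is that path building finds any route to any trusted anchor, so the distrust has to attach to the CA key (or to each intermediate certificate carrying it), not only to the root certificate; deleting the root alone leaves the Entrust-signed route open.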
> On second thought, I found that even if Firefox didn't add the CNNIC
> root certificate as a built-in object, CNNIC could still issue a false
> gmail.com certificate signed by its CNNIC SSL secondary CA certificate,
> which is signed by the Entrust.net root CA. The browser will still accept the
> forged gmail.com certificate without any warning.

> So the inclusion of CNNIC Root CA certificate in Firefox is almost
> equivalent to the endorsement by Entrust.net to sign the CNNIC SSL
> secondary CA certificate, which CNNIC already acquired years ago.

> Thus, it is in fact a serious security design flaw in the way that the
> browser handles SSL certificates in the usage scenario. I suggest
> the following measures be taken:

> 1. Display a clear warning message on certificate change, which is
> possibly the result of a MITM attack with a forged certificate. Firefox
> should include the addon Certificate Patrol [1] as a built-in module.

> 2. Eye-catching display of the certificate signing path for HTTPS
> connections, e.g. in the address bar or a floating warning bar like
> that of an addon installation. Because general non-expert users don't
> even know how to check the certificate signing path.

> It's a big problem; as you can see, the PR China government is actively
> involved in cyber attacks against its citizens. Their secret agents
> used trojan-horse attacks to intrude into Gmail and Google services
> successfully [2]. They have a clear intention to intercept, snoop on or
> spoof SSL connections. There have been successful MITM attack experiments
> done on the Internet and the Tor network, by forging a certificate which
> general public users won't notice at all because the browser silently
> accepts it.

> It's a real threat to the trust model of PKI. We should have prompt
> countermeasures and actions.
Thank you Tophits, for supporting us who are under monitoring and severely limited regarding internet freedom. I may be risking my personal freedom to discuss with you here. Freedom is the spirit of open source anyway, isn't it? If even SSL fails to protect us, then we can lose the only privacy or freedom we have left. I guess I can still remove CNNIC and Entrust.net from the trust list manually anyway. But disasters could happen to general users who "accidentally" said something the government doesn't like to hear. It's horrible even thinking about it. People's privacy and freedom of speech are all I am concerned about. Displaying a warning and the signing path sounds like a good idea, better than silently nothing. Thank you again.
> 1) We have never claimed as a matter of policy that our PKI decisions
> can protect people from malicious governments. It's just not a
> plausible promise for us to make.
> 2) I think, regardless of government ties, we'd carefully review and
> might well yank trust for any CA that was complicit in MitM attacks.
> 3) CNNIC complied with our root addition policy, they are in the
> product presently, so this isn't a question of approval, this is a
> question of whether we should review.

> It feels to me like that makes our next step clear, here. It won't
> help to tally up the complainants (there will be many), and it won't
> help to demand assurances from CNNIC (since the alleged governmental
> pressure would trump those anyhow). It certainly won't help to cite
> wikipedia.

> If there's truth to the allegation, here, then it should be possible
> to produce a cert. It should be possible to produce a certificate,
> signed by CNNIC, which impersonates a site known to have some other
> issuer. A live MitM attack, a paypal cert issued by CNNIC for example.
> If anyone in a position to produce such a thing needs help
> understanding the mechanics of doing so, I'm sure this forum will help
> them.

> SSL makes tampering visible to its victims. The certificate has to
> actually make it to my client before I can decide to trust it. By all
> means, let's arm people with the knowledge to detect and record such
> instances. But I don't see any clear step we can take until then.

> Does that seem dismissive? I really hope not. I really don't want us
> to trust CAs that we can't actually trust, but I don't want our root
> program choosing favourites in political debates either.
Thanks Johnathan for your response and guidance. I believe there isn't an easy solution unfortunately for those affected and neither for Mozilla. I think it's correct that we should stick to the technical requirements and facts, but act upon them swiftly if any evidence is presented that might infringe on the Mozilla CA policy.
Currently section #4 of the policy comes to mind, in particular "knowingly issue certificates that appear to be intended for fraudulent use." If CNNIC is directly branded by anti-virus and other safeguarding groups as a source for distributing malware, there might be a problem.
Additionally section #6 calls for "provide some service relevant to typical users of our software products"; apparently for some this root presents a disservice. I don't know how to evaluate that or what to recommend, but I believe it's worth looking at and listening carefully to the complaints.
More disturbing however is, that apparently this news group can't be accessed according to https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c28 This makes participation here difficult and I wonder if this happened on purpose. Such a fact would have made our process and public comments period void of any value and if the allegations are correct we could call for annulling the previous decision taken here. The purpose of the public comments period is to voice amongst others the concerns we are hearing today. If those rights were withheld for a large group affected by this root inclusion and/or the proceedings here were not known to them, it could present a valid reason to reconsider the previously made decision.
> On Jan 28, 1:28 am, Eddy Nigg <eddy_n...@startcom.org> wrote:
> > On 01/27/2010 07:11 PM, Nelson Bolyard:
> > > On 2010-01-27 06:18 PST, Eddy Nigg wrote:
> > >>> Even though this is mostly a technical forum,
> > > It is?
> > Technical in the sense of policies and CA practices. It's not a > > political forum...
> > > I've seen MANY rants in past years from people who got infected by signed > > > malware. They were under the mistaken impression that signed software is > > > software that has been certified by the CA to be virus-free. Of course, > > > as we know, that's not what a code signing cert means at all. It merely > > > provides trustworthy identification of the source of the software, and > > > does not attest to the quality of the software.
> > Sure, I think that the issues mentioned are a bit broader and haven't > > much to do with code signing certificates per se. Distribution of > > malware usually starts at a web site, and this is what the links below say.
> > > I cannot determine, from the information presented on those pages, if CNNIC > > > was itself the source (the signer) of the signed software,
> > I have nowhere seen anything about signed software, this is your (wrong) > > assumption.
> > > I think we need to be very careful to avoid getting caught in the trap of > > > thinking of certificates as attestations of morality or competence, and > > > thinking of CAs as judges of morality or competence. If we allow the role > > > of CAs to become defined as being those judges, they will CERTAINLY FAIL. > > > So, let's define their role as doing something at which they can succeed, > > > namely attesting to binding of keys to vetted identities.
> > That's why I requested to have this handled at the proper channels. > > Though I think a discussion especially by the affected parties might be > > interesting to have in order to understand more about it. And obviously > > there might be members willing to voice their opinion what should be done...
> If we include this cert, PRC government can hijack any SSL session > WITHOUT any warning to the user. > PRC government always monitors online activities of Chinese pro- > democracy people. > You know what's happening with Google.
> We need to protect the user whether this is political or not.
>> 1) We have never claimed as a matter of policy that our PKI decisions >> can protect people from malicious governments. It's just not a >> plausible promise for us to make. >> 2) I think, regardless of government ties, we'd carefully review and >> might well yank trust for any CA that was complicit in MitM attacks. >> 3) CNNIC complied with our root addition policy, they are in the >> product presently, so this isn't a question of approval, this is a >> question of whether we should review.
>> It feels to me like that makes our next step clear, here. It won't >> help to tally up the complainants (there will be many), and it won't >> help to demand assurances from CNNIC (since the alleged governmental >> pressure would trump those anyhow). It certainly won't help to cite >> wikipedia.
>> If there's truth to the allegation, here, then it should be possible >> to produce a cert. It should be possible to produce a certificate, >> signed by CNNIC, which impersonates a site known to have some other >> issuer. A live MitM attack, a paypal cert issued by CNNIC for example. >> If anyone in a position to produce such a thing needs help >> understanding the mechanics of doing so, I'm sure this forum will help >> them.
>> SSL makes tampering visible to its victims. The certificate has to >> actually make it to my client before I can decide to trust it. By all >> means, let's arm people with the knowledge to detect and record such >> instances. But I don't see any clear step we can take until then.
>> Does that seem dismissive? I really hope not. I really don't want us >> to trust CAs that we can't actually trust, but I don't want our root >> program choosing favourites in political debates either.
> Thanks Johnathan for your response and guidance. I believe there isn't > an easy solution unfortunately for those affected and neither for > Mozilla. I think it's correct that we should stick to the technical > requirements and facts, but act upon them swiftly if any evidence is > presented that might infringe on the Mozilla CA policy.
> Currently section #4 of the policy comes to mind, in particular > "knowingly issue certificates that appear to be intended for fraudulent > use." If CNNIC is directly branded by anti-virus and other safe-guarding > groups as a source for distributing malware, there might be a problem.
> Additionally section #6 calls for "provide some service relevant to > typical users of our software products", apparently for some this root > presents for them a disservice. I don't know how to evaluate that or > what to recommend, but I believe it's worth looking at it and listening > carefully to complaints.
> More disturbing however is, that apparently this newsgroup can't be > accessed according to > https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c28 > This makes participation here difficult and I wonder if this happened on > purpose. Such a fact would have made our process and public comments > period void of any value and if the allegations are correct we could > call for annulling the previous decision taken here. The purpose of the > public comments period is to voice amongst others the concerns we are > hearing today. If those rights were withheld for a large group affected > by this root inclusion and/or the proceedings here were not known to > them, it could present a valid reason to reconsider the previously made > decision.
On reviewing bug #476766, I see in comment #5 Liu Yan's (the applicant) assertion: "CNNIC is not a Chinese Government organization."
However, later comments by users in China seem to indicate the contrary. Comment #18 states: "CNNIC is an infamous organ of the Chinese Communist government to monitor and control the Internet in China." Comment #23 states: "...CNNIC is infamous in China and it has a lot of connections with the government..." Comment #24 states: "It has very closed tie with Chinese government and CPC (or CCP [Chinese Communist Party?])."
If any of these comments are true, then the application violates the second bullet under section 6 of the Mozilla CA Certificate Policy: > We require that all CAs whose certificates are distributed with our software products:
> * publicly disclose information about their policies and business practices
That is, the relationship between CNNIC and the government or political structure of China -- a business practice -- has not been publicly disclosed.
I am further concerned about the fact that individuals inside China are blocked from participating in this discussion, perhaps by the "great firewall". If CNNIC indeed operates independently of the government and political structure of China and is indeed worthy of the trust implied by having its root certificate in the NSS database, then why would anyone object to a discussion of this issue?
> After a second thought, I found that even if Firefox didn't add CNNIC > root certificate as built-in object, CNNIC still can issue a false > gmail.com certificate signed by its CNNIC SSL secondary CA certificate > signed by Entrust.net root CA. The browser will still accept the > forged gmail.com certificate without any warning.
> So the inclusion of CNNIC Root CA certificate in Firefox is almost > equivalent to the endorsement by Entrust.net to sign the CNNIC SSL > secondary CA certificate, which CNNIC already acquired years ago.
> Thus, it is in fact a serious security design flaw in the way that the > browser handles SSL certificates in the usage scenario. I suggest > the following measures to be taken:
> 1. Display clear warning message of certificate change, which is > possibly a result of MITM attack with a forged certificate. Firefox > should include the addon Certificate Patrol [1] as a built-in module.
> 2. Eye-catching display of the certificate signing path for HTTPS > connections, e.g. in the address bar or a floating warning bar like > that of an addon installation, because general non-expert users > don't even know how to check the certificate signing path.
> It's a big problem, as you can see the PR China government is actively > involved in cyber attacks against its citizens. Their secret agents > used trojan-horse attacks to intrude into gmail and Google services > successfully[2]. They have a clear intention to intercept, snoop on or > spoof SSL connections. There are successful MITM attack experiments > done on the Internet and the Tor network, by forging a certificate which the > general public users won't notice at all because the browser silently > accepted it.
> It's a real threat to the trust model of PKI. We should have prompt > countermeasures and actions.
+1. A more compelling way should be used to prompt the user about any change to the relevant certificates. CNNIC is a puppet of the PRC Government, providing it all facilities; we do not believe CNNIC. I have canceled the trust option for CNNIC ROOT and the related certificates, but not everyone knows how to do it. Since the issuance of the certificate for CNNIC, I have canceled the trust of Entrust; I would rather give up their certificates and the use of Entrust on any website, as I do not want this list to continue to grow. I'm just an ordinary Chinese netizen; my main purpose is to obtain information and knowledge, but the PRC Government does everything possible to intercept it. That SSL certificates are used to attack will surprise no one; there are some Chinese netizens who think that this is a matter of course and will happen.
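The chain the post above describes, as an added example that is not part of the original thread and not code from Mozilla, NSS or any CA: a minimal certificate path builder over constructed (subject, issuer) records. It shows that dropping the CNNIC root from the trust store still leaves a path from the forged leaf to the Entrust.net root through the cross-signed secondary CA, and that only an explicit distrust entry for the secondary CA itself (keyed by name here; a real implementation would key on its public key) closes both paths. No real keys, signatures or certificates are involved; the names mirror the scenario in the post.

```python
"""Path discovery over a constructed PKI graph.

Shows why removing a root from the browser's trust store does not stop an
issuer that also holds a cross-signed intermediate: path building follows
every issuer certificate it can find, and the cross-signed copy leads to a
different, still-trusted root. Records are (subject, issuer) name pairs with
no keys or signatures; they are constructed for this example."""
from collections import deque

# Constructed pool of CA certificates a client could obtain (from its own
# store, the server's chain, or AIA fetching). A self-signed pair is a root.
# "CNNIC SSL" appears twice: once under CNNIC's own root and once cross-signed
# by Entrust.net, which is the situation the post describes.
CERT_POOL = [
    ("CNNIC ROOT", "CNNIC ROOT"),
    ("Entrust.net Root", "Entrust.net Root"),
    ("CNNIC SSL", "CNNIC ROOT"),
    ("CNNIC SSL", "Entrust.net Root"),
]


def find_paths(leaf_subject, leaf_issuer, pool, trust_anchors, blocked=frozenset()):
    """Return every chain [leaf, intermediate..., root] that ends in a trust anchor.

    trust_anchors: subject names the client trusts as roots.
    blocked: subject names the client refuses to accept as an issuer at all
    (an explicit distrust entry, which is what actually stops a cross-signed CA).
    """
    paths = []
    queue = deque([([leaf_subject], leaf_issuer)])
    while queue:
        chain, issuer = queue.popleft()
        if issuer in blocked:
            continue  # distrusted issuer: this branch is dead
        if issuer in trust_anchors:
            paths.append(chain + [issuer])
            continue  # a trust anchor terminates the branch
        for subject, next_issuer in pool:
            if subject == issuer and subject not in chain:  # no loops
                queue.append((chain + [subject], next_issuer))
    return paths


def validating_roots(leaf_subject, leaf_issuer, pool, trust_anchors, blocked=frozenset()):
    """Sorted list of the roots the leaf chains to under the given trust settings."""
    return sorted({p[-1] for p in find_paths(leaf_subject, leaf_issuer, pool, trust_anchors, blocked)})


if __name__ == "__main__":
    leaf = ("gmail.com", "CNNIC SSL")  # a forged leaf, as in the post's scenario
    both = {"CNNIC ROOT", "Entrust.net Root"}
    print("CNNIC root trusted:   ", validating_roots(*leaf, CERT_POOL, both))
    print("CNNIC root removed:   ", validating_roots(*leaf, CERT_POOL, {"Entrust.net Root"}))
    print("CNNIC SSL distrusted: ", validating_roots(*leaf, CERT_POOL, both, blocked={"CNNIC SSL"}))
```

The second call is the point of the post: with only the Entrust.net root trusted, the forged leaf still validates. Removing a root therefore only helps when no other trusted root has cross-signed the same CA; a user who wants to stop a CA must distrust the CA's certificate (or key) directly.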
Johnathan Nightingale wrote: > 1) We have never claimed as a matter of policy that our PKI decisions > can protect people from malicious governments. It's just not a plausible > promise for us to make.
With due respect, "never have made the promise" just doesn't cut it in my eyes. To turn it around: never was there any warning to the user base that there is some "special class" of miscreants that Mozilla would not protect the users from. This can be explained (but not excused) by the mindset of those that instituted the process: in their minds, "governments", by definition, can't be miscreants. I and (as that discussion on bugzilla demonstrates) many, many, others do not share this mindset.
Perhaps it is time to review the process. It would be smart to take Mozilla out of the trust business. At the very least, all root certificates that are included should not be trusted until the user explicitly turns those he or she knows and trusts (and needs for his or her transactions) on.
> If there's truth to the allegation, here, then it should be possible to > produce a cert. It should be possible to produce a certificate, signed > by CNNIC, which impersonates a site known to have some other issuer. A > live MitM attack, a paypal cert issued by CNNIC for example. If anyone > in a position to produce such a thing needs help understanding the > mechanics of doing so, I'm sure this forum will help them.
As a related aside...
It would be an interesting experiment to create an addon to crowd-source checking for such certs. Not as a CNNIC-specific issue, but any case of valid certs for a site coming from an unexpected CA. It could also easily just store a local record of certs you've encountered, and warn you when a site's cert has changed.
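The local record of encountered certificates suggested in this aside, and the certificate-change warning proposed as measure 1 in the earlier post, as one added example that is not part of the original thread and not code from the Certificate Patrol addon: a trust-on-first-use store keyed by host that returns a verdict when the presented certificate differs from the recorded one, distinguishing an ordinary renewal from a change of issuer. Certificate bytes, issuer names and dates are constructed stand-ins (fingerprints are SHA-256 over the stand-in bytes, as a browser would hash the real DER); the CNNIC SSL / Entrust.net pair mirrors the scenario in the thread.

```python
"""Trust-on-first-use record of the certificate each host presented.

A browser-side check in the spirit of the Certificate Patrol idea: remember
what each host served, and grade any change. A new certificate from the same
issuer close to the old one's expiry is a routine renewal; one from a different
issuer is exactly what a MITM with a certificate from another CA looks like."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SeenCert:
    host: str
    der: bytes            # the leaf certificate as presented (constructed bytes here)
    issuer: str           # issuer name of the leaf
    root: str             # root the validated chain ended in
    not_after: datetime   # leaf expiry

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


class CertStore:
    # Verdicts, from benign to alarming.
    FIRST_SEEN = "first-seen"          # nothing to compare against: record it
    UNCHANGED = "unchanged"
    ROTATED = "rotated"                # same issuer, old cert near expiry: renewal
    EARLY_CHANGE = "early-change"      # same issuer, old cert far from expiry: ask
    ISSUER_CHANGED = "issuer-changed"  # different CA: warn, do not update silently

    def __init__(self, rotation_window: timedelta = timedelta(days=30)):
        self._seen: dict[str, SeenCert] = {}
        self.rotation_window = rotation_window

    def check(self, cert: SeenCert, now: datetime) -> str:
        """Grade cert against the record for its host, updating only on benign outcomes."""
        old = self._seen.get(cert.host)
        if old is None:
            self._seen[cert.host] = cert
            return self.FIRST_SEEN
        if old.fingerprint == cert.fingerprint:
            return self.UNCHANGED
        if (old.issuer, old.root) != (cert.issuer, cert.root):
            return self.ISSUER_CHANGED  # record kept; accept() only after a user decision
        if old.not_after - now <= self.rotation_window:
            self._seen[cert.host] = cert
            return self.ROTATED
        return self.EARLY_CHANGE

    def accept(self, cert: SeenCert) -> None:
        """Explicitly replace the record after the user has reviewed a warning."""
        self._seen[cert.host] = cert

    def recorded(self, host: str):
        return self._seen.get(host)


if __name__ == "__main__":
    now = datetime(2010, 1, 28)
    store = CertStore()
    genuine = SeenCert("gmail.com", b"constructed-cert-A", "Example CA 1", "Example Root 1",
                       now + timedelta(days=365))
    forged = SeenCert("gmail.com", b"constructed-cert-B", "CNNIC SSL", "Entrust.net Root",
                      now + timedelta(days=365))
    print(store.check(genuine, now))   # first-seen
    print(store.check(genuine, now))   # unchanged
    print(store.check(forged, now))    # issuer-changed
```

The forged certificate in the demo is fully valid for a client that trusts the Entrust.net root, so ordinary chain validation says nothing; only the comparison against what the host served last time raises the alarm. The known weakness of this technique is that large sites serving several valid certificates at once (many front ends, staggered renewals) trigger early-change verdicts repeatedly; a deployable version has to keep a set of certificates per host rather than one, and the crowd-sourced comparison the aside proposes is one way to tell a global change from a view seen by one client only.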
> Johnathan Nightingale wrote: >> 1) We have never claimed as a matter of policy that our PKI decisions >> can protect people from malicious governments. It's just not a >> plausible promise for us to make.
> With due respect, "never have made the promise" just doesn't cut it in > my eyes.
Even though I agree with you that there is an understanding that the security decisions taken at Mozilla, be it by fixing flaws or here at this group with admitting CAs, are made to protect and provide reasonable security to the users, I'm ignoring the rest of your message as a distraction from the problem at hand. If you feel you would like to discuss your idea, let's do so under a different thread.
Having said that, most CAs disclose in their policies compliance to local legislation and law. If those laws allow for MITMs, we obviously should consider this accordingly. In the meantime some more comments have been posted at the various bugs, I'd like to highlight one of them since there is some relevance to the above:
On CNNIC website, it's clearly stated that CNNIC is directly administrated by both "Ministry of Industry and Information Technology of the PRC" and Chinese Academy of Sciences (budget controlled by the government).
You are right, CNNIC is not a government, but it's directly managed by the government and did everything that Chinese government asked it to do.