CNNIC Root Inclusion
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Fri, 29 Jan 2010 09:28:40 -0800 (PST)
Local: Fri, Jan 29 2010 12:28 pm
Subject: Re: CNNIC Root Inclusion
There are several related addons for Firefox for similar purposes.  I
hope they will be included as core modules in Firefox soon.

Certificate Patrol [1] warns users with a pop-up window whenever the
certificate of a website changes.  But it's not updated to be
compatible with the newest 3.6 version of Firefox yet.

Perspectives [2] tries to verify the certificate of a website from
various notary sources.  It's a good idea, but I tested and found it
not functional or the notary services are not stable enough yet.

At least I think the user interface of Firefox should be improved to
address such security threats of false certificate MITM attack against
SSL.  Many Chinese programmers believe (or suspect) that the PRC
government already started to do such MITM attacks.  This is why the
inclusion of CNNIC root certificate caused an Internet protest to
remove it from the browser and OS certificate storage.  A simple
google search [3] will tell you what most Chinese programmers think
about this.  Most of them are discussing how to remove or disable this
newly added root CA! :)

Technically speaking, even if CNNIC root CA is not included as a
builtin object of Firefox, it CAN still issue false certificates with
their legitimate secondary CA certificate signed by Entrust.net, to
intercept SSL connections with websites like gmail.com while the
browser won't show any warning about this.  The surprise and opposition
in the Chinese technical community reflects the security concerns of
the Chinese Internet users and showed what a reputation CNNIC has
accumulated with their actual behaviors over the past years.  This
even eroded the user trust in Entrust.net and Firefox, because
Entrust.net issued a secondary CA certificate to CNNIC.  Many
programmers suggested removing the root CA certificates of
Entrust.net together.

I agree with some comments here, that the key issue is:  A secure
browser should tell the users clearly what they're trusting, and let
them choose whether to trust or not.

Whether a root CA is trustworthy or not, that's the social judgement,
a part of the trust model that a browser should not and can't
determine.  The browser should provide an easy and clear UI for the
users to make the decision.

References:

[1] Certificate Patrol https://addons.mozilla.org/en-US/firefox/addon/6415
[2] Perspectives : Firefox Extension http://www.cs.cmu.edu/~perspectives/firefox.html
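[3] Google search: CNNIC 证书 (CNNIC certificate) http://www.google.com/search?q=CNNIC+%E8%AF%81%E4%B9%A6

>> How to delete the CNNIC root certificate in Firefox on Apple - Jan 27

Correction: http://www.cnnic.cn/download/crl/CRL1.crl is the certificate
revocation list of the CNNIC root certificate. I don't know how to create
my own distrust list; does anyone know how to create a certificate
revocation list? ...
https://www.zuola.com/weblog/?p=1454

How to block the untrusted CNNIC certificate << scavin weblog
Jan 27, 2010 ... Yes, CNNIC, this completely untrustworthy "relevant
department", has actually enticed Microsoft into listing it as a root
certificate issuer; this news is terrifying. And Firefox also trusts the
CNNIC certificate, which is crazy, ...
blog.lzzxt.com/394

玩聚SR | How to block the untrusted CNNIC certificate | 52 recommenders - Hot article snapshot
Hot article snapshot of "How to block the untrusted CNNIC certificate":
Yes, CNNIC, this completely untrustworthy "relevant department", has
actually enticed Microsoft into listing it as a root certificate issuer;
this news is terrifying.
sr.ju690.com/meme/item/59498

阻止不信任的CNNIC 证书.docx (Block the untrusted CNNIC certificate) - Download - Shared documents
阻止不信任的CNNIC 证书.docx, download, IT documents, solutions. ...
Description: CNNIC has been added to the root certificates by Microsoft
and Firefox; this is a very frightening thing, so we must delete it! ...
ishare.iask.sina.com.cn/f/6665520.html

Nabble - GFans - How to block the untrusted CNNIC certificate
4 posts - 2 authors - Last post: yesterday
How to block the untrusted CNNIC certificate. This is very, very
important and must be done properly. This matters even more than viruses
and rogue software! Sent to you by 夜の猫 via Google Reader: How to block ...
old.nabble.com/如何阻止不信任的-CNNIC-证书-td27342964.html

Firefox and Microsoft have added CNNIC to the root certificate list; how to block the CNNIC certificate ...
Jan 28, 2010 ... SummerWa wrote: Microsoft and Firefox have added CNNIC to
the certificate list as a root certificate authority:
Microsoft | IT blog about the latest Internet news.
http://www.pcstar.org.ru/main/2010-01/632-firefox-microsoft-cnnic-roo...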

On Jan 29, 10:39 am, Justin Dolske <dol...@mozilla.com> wrote:


 
Newsgroups: mozilla.dev.security.policy
From: "David E. Ross" <nob...@nowhere.invalid>
Date: Fri, 29 Jan 2010 07:31:15 -0800
Local: Fri, Jan 29 2010 10:31 am
Subject: Re: CNNIC Root Inclusion
On 1/29/2010 4:28 AM, Eddy Nigg wrote:

But the applicant (Liu Yan) asserted in comment #5 of bug #476766:
"CNNIC is not a Chinese Government organization."

This is the point of my earlier response in this thread.

--

David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997


 
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Fri, 29 Jan 2010 12:40:24 -0800 (PST)
Local: Fri, Jan 29 2010 3:40 pm
Subject: Re: CNNIC Root Inclusion
Liu Yan said [4][5], "obviously CNNIC is not a government", but "just
offers service on technology and research"[4].

1. Is it considered by CNNIC as "service on technology and research"
to spread malware with administrative power to spy on Internet users?

2. Is it considered by CNNIC as "service on technology and research"
to ban personal website registration in the .cn domain space [1][2]
[17]?

3. CNNIC banned the DNS resolving of a lot of independent websites,
such as bulllog.cn [1][2].  Is this considered by CNNIC as your way of
"service" of "registry for Chinese Domain Name"[4]?  Is this
considered by CNNIC as "the similar role as VeriSign"[4]?

4. Is CNNIC "qualified with the international criteria"[4] as a
trustworthy certificate authority?

5. Why did Liu Yan try to mask the real face of the PRC governmental
nature of CNNIC [5]?  Why did he even try to hide the application by
setting the bug report to "Restricted Visibility"[6] at first?

6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet
security"[5].  Is it considered by CNNIC as "operation to protect
Internet security" by spreading unremovable malware to spy on users'
Internet activities exploiting security flaws of the browsers, as
CNNIC did [9][18]?

Liu Yan further claimed that "the WebTrust audit for government is
much simpler compared to company"[4].

So do you think CNNIC is a government or not?  If CNNIC is controlled
by the PRC government, why don't you dare to clearly admit it, but
misled the readers by posing as a "just offers service on technology
and research" [4]?  What's the motivation to hide the real identity of
CNNIC? :)

Liu Yan said: "There is no possible for us to monitor the user's
actions or do some attacks. I think every technical personnel knows
that."[4]

Unfortunately, this is an arrant lie.  CNNIC not only DID "monitor the
users' actions" with intentionally spread malware [9], but also
cooperated actively with the PRC government to crack down on independent
blogs and websites [1][2][17].  It's also highly possible that they
may actively cooperate in MITM attacks with such a government which
attacked [15][16] its citizens, as well as dozens of companies and
many computers of foreign civil organizations and government offices
[10][11].

Further, is the PRC government a decent government?

Should a government put all their citizens in an information jail by
building a GFW (Great Firewall) [7][8][14] to block their access to
Internet?
Should a government enforce news and speech censorship [14] on all the
websites including search engines to block criticism on the crimes
they committed?
Should a government jail journalists and writers for their free speech
[14]?
Should a government kill the college students and citizens with guns,
and roll over the bodies of college students with tanks? [19]
Should a government cheat the world by hiding information about SARS
and melamine contaminated milk[3] which caused repetitive man-made
disasters, and further punish those who told the truth?

Is this PRC government a real government, or is it a mafia group? :)

Liu Yan claimed that the CNNIC is a subordinate of "Chinese Academy of
Sciences".  Let's take a look at what kind of "research" the "Chinese
Academy of Sciences" has done before. :)

The Institute of Acoustics, Chinese Academy of Sciences closely
cooperated with the PRC government in Internet censorship.  Same as
CNNIC which "takes orders from the Ministry of Information Industry
(MII)" [26], they developed some natural language machine
understanding algorithms for Internet text censorship [25].  The
target of their research is to distinguish speeches of the opponents
of the government from those of the proponents, which general keyword
based filtering can't achieve.  Their "research" was already deployed
in the censorware "Green Dam"[22][23], which was ordered by the MII to
be installed on each new PC in manufacturing process.  Although this
plan failed, they must have started some other plots to achieve the
same goal.

References:

[1] Bullog.cn http://en.wikipedia.org/wiki/Bullog.cn
[2] 牛博网 http://zh.wikipedia.org/wiki/%E7%89%9B%E5%8D%9A%E7%BD%91
[3] 2008 Chinese milk scandal / Censorship
http://en.wikipedia.org/wiki/2008_Chinese_milk_scandal#Censorship
[4] Liu Yan: Every technical personnel knows that; 2010-01-28 17:40:47
PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c29
[5] Liu Yan: CNNIC is not a Chinese Government organization;
2009-02-15 23:01:59 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c5
[6] Kathleen Wilson: This bug is set for Restricted Visibility;
2009-02-11 ...

Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Fri, 29 Jan 2010 13:06:05 -0800 (PST)
Local: Fri, Jan 29 2010 4:06 pm
Subject: Re: CNNIC Root Inclusion
Some corrections:

> 6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet security"[5].  Is it considered by CNNIC as "operation to protect Internet security" by spreading unremovable malware to spy on users' Internet activities exploiting security flaws of the browsers, as CNNIC did [9][18]?

by spreading unremovable malware exploiting security flaws of the
browsers to spy on users' Internet activities

> So do you think CNNIC is a government or not?  If CNNIC is controlled by the PRC government, why don't you dare to clearly admit it, but misled the readers by posing as a "just offers service on technology and research" [4]?  What's the motivation to hide the real identity of CNNIC? :)

by posing as an organization which "just offers service on technology
and research"

> @gonewater [a twitter user]: As the chairman of the board of Beijing Dazheng company which is one of the two developers of the "Green Dam" software,

Xiaomeng Chen, as the chairman of the board of Beijing Dazheng company
which is one of the two developers of the "Green Dam" software,

> developed a "Internet Bad Information Detection System" featuring semantic understanding capabilities.  It will contribute to the clean-up of the content in the Internet world.

developed an "Internet Bad Information Detection System" featuring
semantic understanding capabilities.  It will contribute to the
purification of contents in the Internet world.

> Currently this system is primarily targeted at erotic, counter-revolutionary and vulgar information appeared on the Internet.

Currently this system is primarily targeted at erotic, reactionist
[means anti Communist Party of China] and vulgar information appeared
on the Internet.

 
Newsgroups: mozilla.dev.security.policy
Followup-To: mozilla.dev.security.policy
From: Wenbo Wang <1bal...@gmail.com>
Date: Fri, 29 Jan 2010 14:29:33 -0800 (PST)
Local: Fri, Jan 29 2010 5:29 pm
Subject: Re: CNNIC Root Inclusion
On Jan 30, 1:28 am, tophits <wan...@gmail.com> wrote:

> I agree with some comments here, that the key issue is:  A secure
> browser should tell the users clearly what they're trusting, and let
> them choose whether to trust or not.

> Whether a root CA is trustworthy or not, that's the social judgement,
> a part of the trust model that a browser should not and can't
> determine.  The browser should provide an easy and clear UI for the
> users to make the decision.

Good point! You've made it so clear to me. *Applaud*

BRs
Wenbo Wang


 
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Fri, 29 Jan 2010 14:47:14 -0800 (PST)
Local: Fri, Jan 29 2010 5:47 pm
Subject: Re: CNNIC Root Inclusion
Dear Johnathan,

Do you think certificates from liars should be included in Firefox? :)

> Jonathan: might well yank trust for any CA that was complicit in MitM attacks.

Does the word "was" mean that until the MitM attack happened, any
organizations can put their root CA certificates in Firefox provided
that they can buy endorsement "services" from accountant companies
like Ernst&Young [1] to acquire "trust" from webtrust.org?

The real concern of many Chinese programmers is not about "was", but
"may", as CNNIC already "DID" quite some dirty things before!  Now
it's a new capability that the inclusion of root certificate of CNNIC
will grant to the PRC government.

Anyway, since they already got secondary CA certificate issued by
Entrust.net, adding CNNIC as root CA is not introducing more problems.
But this discussion is an alert on the trust model of PKI when we face
a rogue government and their minion organizations.

We should improve the browser to ask for permissions from the end
users to grant trust to each root CA when it's used in each session
(not only at the first time), clearly display the certificate signing
path, and warn them of any change in certificates (to be alert of a
MitM attack).  This seems paranoiac but it's because we're facing real
threats of attacks from a powerful rogue government, from which even
big companies like Google and well equipped government offices
suffered.

The security model of SSL was practically in danger because of the
design flaws of the browser to place blind trust on root CAs without
consent from the users.  Since the CA certificates of rogue government
agencies were added, we should consider Firefox as a rogue government
controlled browser in the default configuration.

[1] https://cert.webtrust.org/SealFile?seal=935&file=pdf

On Jan 28, 5:07 pm, Johnathan Nightingale <john...@mozilla.com> wrote:


 
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Fri, 29 Jan 2010 15:21:30 -0800 (PST)
Local: Fri, Jan 29 2010 6:21 pm
Subject: Re: CNNIC Root Inclusion
Dear Eddy,

Please notice the fact that there is no such thing as "law" in PRC.
All that exist are "rules".
Those companies who do evil things in China always say that they need
to comply with local "laws".  That's not true.

There is no LAW in PR China, but only RULES determined completely by
the 9-person "Standing Committee of Central Political Bureau" of the
Chinese Communist Party (CCP).  There is no legal legislation, but all
rules are determined by the CCP.  The "People's Delegation Congress"
is only a "rubber seal" to pretend to pass the "rules" made by the
CCP.

--- Comment #37 from Eddy Nigg (StartCom) <eddy_n...@startcom.org>
2010-01-29 15:12:13 PST ---
(In reply to comment #36)

> > Jonathan: might well yank trust for any CA that was complicit in MitM attacks.

> > lihlii:
> > Does the word "was" mean that until the MitM attack happened, any organizations
> > can put their root CA certificates in Firefox provided that they can buy
> > endorsement "services" from accountant companies like Ernst&Young [1] to
> > acquire "trust" from webtrust.org?

Again, Bugzilla should not be used for advocacy! Nevertheless a short
reply. I know Ernst & Young and have performed audits with them
myself. Hence I'm trusting their attestation.

However it's common for CAs to comply to local laws and there might be
a problem if the law would allow MITM attacks on its citizens. This
would be counter to the Mozilla CA policy, even if a notable auditor
audited the CA and the CA has disclosed its adherence to the local
laws correctly.


 
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Fri, 29 Jan 2010 17:17:06 -0800 (PST)
Local: Fri, Jan 29 2010 8:17 pm
Subject: Re: CNNIC Root Inclusion
J:
we'd carefully review and might well yank trust for any CA that was
complicit in MitM attacks.

L:
The problem is that CNNIC might have already aided some MitM attacks
with their secondary CA certificate signed by Entrust.net root CA
before CNNIC was added as root CA.  Because the MitM attack is
difficult to carry out on a large scale, the PRC government
mainly targeted specific users (such as highly sensitive political
dissidents) who often lack the knowledge to check the server
certificate to determine whether it's real.

All we're worried about is "trust".  Can we put a CA certificate that
many Chinese programmers don't trust at all into the release package?
What will be the consequences?

The repetitive hijacking of gmail accounts of dissidents by the PRC
government secret agents (Political Defend Police like Stasi of
former East Germany) might be achieved with SSL hijacking, besides
trojan-horse phishing email.

I think it's a detriment to the user trust on Firefox to add CNNIC
(notorious in Chinese programmers community, while powerful enough to
buy whatever certificates they need) root CA.  Yet it's not safe by
simply removing it.  There should be a way to return the ability and
authority of judging whether to trust a CA to the users, not
unconditionally decided by the browser as it's implemented now.
Currently an experienced user can inspect the certificate signing
chain to check whether the root CA is trustworthy; while layman users
need more help from an improved UI to alert them of possible
vulnerabilities and guide them through steps to check the certificate
chain of the HTTPS session.

Furthermore, some Chinese programmers observed [3] that the
certificates of google.com were modified several times after 18 Nov.
2009.
Three abnormal changes of certificates were observed [2]:

CN: mail.google.com
18 Nov. 2009   from: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
               to:   Google Internet Authority, valid from 2009/11/12 to 2010/11/12

18 Nov. 2009   from: Google Internet Authority, valid from 2009/11/12 to 2010/11/12
               to:   Thawte SGC CA, valid from 2009/3/25 to 2010/3/25

28 Dec. 2009   from: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
               to:   Thawte SGC CA, valid from 2009/12/18 to 2011/12/18

CN: *.google.com
19 Jan. 2010   from: Google Internet Authority, valid from 2009/11/12 to 2010/11/12
               to:   Google Internet Authority, valid from 2009/12/22 to 2010/12/22

Google's announcement[1] declared that "in mid-December [2009], we
detected a highly sophisticated and targeted attack on our corporate
infrastructure originating from China that resulted in the theft of
intellectual property from Google".  Taking these strange certificate
changes into consideration together with the Google announcement, we
suspect that the "intellectual property" might include private keys to
sign the google certificates.  This might be the answer to why google
changed certificates in an abnormal frequency.

This also alerts us to possible cyber attacks making use of CA
certificates and exploiting the inadequate certificate validation in
current browser user interaction.  Although the inclusion of an
untrustworthy CNNIC root CA won't make the situation worse, it really
alerts us to review the pyramid trust model of PKI and design flaws of
unconditional trust of root CAs in browsers.

The trust model is unreasonable, in that the trust propagates in a
forced, involuntary way:  Ernst & Young trusts CNNIC because it trusts
those special paper sheets marked with "In God We Trust" ;P,
webtrust.org trusts CNNIC because it trusts Ernst & Young; Mozilla
Firefox project or Microsoft trust CNNIC because they trust
webtrust.org; the browser users trust CNNIC because they trust the
browser.  But the users in fact don't trust CNNIC at all!  The result
is: the users were forced to trust CNNIC silently.  Experienced users
take the trouble to remove or disable the CNNIC certificates, while
the majority of non-technical users just don't know they're trusting
CNNIC because of their browser!

References:

[1] David Drummond, SVP, Corporate Development and Chief Legal
Officer: A new approach to China; http://www.webcitation.org/5n92WuwKT
=     http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
[2] zuola: 关于GMAIL安全证书的疑问 https://groups.google.com/group/lihlii/browse_frm/thread/92be93b6648a...
[3] Google 的证书更新了 可能是因为数字证书密钥被窃 警惕假冒数字证书
https://groups.google.com/group/lihlii/browse_frm/thread/5f9dbff575fa...
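
The change warning this post asks for (the behaviour Certificate Patrol provides) can be sketched as a triage over remembered issuer and validity data. This is an added example, not part of the original post and not Certificate Patrol's code: the rules, the 30-day window and the last sample row are assumptions, while the first four rows are the observations listed in the post. A level is a review priority for inspecting the chain, not a finding that interception took place.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    issuer: str
    not_before: date
    not_after: date


@dataclass(frozen=True)
class Change:
    host: str
    seen: date   # day the replacement certificate was first observed
    old: Cert
    new: Cert


# Assumption (not from the thread): a replacement arriving more than
# 30 days before the old certificate expires counts as "early".
RENEWAL_WINDOW_DAYS = 30


def classify(change, window=RENEWAL_WINDOW_DAYS):
    """Return (level, reasons) for one observed certificate change.

    Only issuer and validity dates are compared, because that is all the
    post records; a real tool would also compare keys and fingerprints.
    """
    reasons = []
    remaining = (change.old.not_after - change.seen).days
    issuer_changed = change.new.issuer != change.old.issuer
    early = remaining > window
    rollback = change.new.not_before < change.old.not_before

    if issuer_changed:
        reasons.append(
            f"issuer changed: {change.old.issuer} -> {change.new.issuer}")
    if early:
        reasons.append(f"old certificate had {remaining} days of validity left")
    if rollback:
        reasons.append("replacement was issued before the certificate it replaces")
    if not (change.new.not_before <= change.seen <= change.new.not_after):
        reasons.append("replacement is outside its own validity period")

    if rollback or (issuer_changed and early):
        level = "high"      # show the full chain and ask before continuing
    elif reasons:
        level = "medium"    # notify, let the user inspect
    else:
        level = "low"       # looks like a routine renewal
    return level, reasons


THAWTE = "Thawte SGC CA"
GIA = "Google Internet Authority"

thawte_2009 = Cert(THAWTE, date(2009, 3, 25), date(2010, 3, 25))
thawte_2010 = Cert(THAWTE, date(2009, 12, 18), date(2011, 12, 18))
gia_nov = Cert(GIA, date(2009, 11, 12), date(2010, 11, 12))
gia_dec = Cert(GIA, date(2009, 12, 22), date(2010, 12, 22))

OBSERVED = [
    # The four changes listed in the post.
    Change("mail.google.com", date(2009, 11, 18), thawte_2009, gia_nov),
    Change("mail.google.com", date(2009, 11, 18), gia_nov, thawte_2009),
    Change("mail.google.com", date(2009, 12, 28), thawte_2009, thawte_2010),
    Change("*.google.com", date(2010, 1, 19), gia_nov, gia_dec),
    # Constructed row (not from the post): same issuer, 5 days before expiry.
    Change("www.example.test", date(2010, 3, 20), thawte_2009,
           Cert(THAWTE, date(2010, 3, 15), date(2011, 3, 15))),
]


def triage(changes):
    """Classify every change; returns (host, seen, level, reasons) tuples."""
    return [(c.host, c.seen.isoformat(), *classify(c)) for c in changes]


if __name__ == "__main__":
    for host, seen, level, reasons in triage(OBSERVED):
        print(f"{seen} {host:18} {level:6} {'; '.join(reasons) or 'routine'}")
```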


 
Newsgroups: mozilla.dev.security.policy
From: Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
Date: Sat, 30 Jan 2010 11:05:06 -0800
Local: Sat, Jan 30 2010 2:05 pm
Subject: Re: CNNIC Root Inclusion
On 2010-01-28 19:11 PST, David E. Ross wrote:

> On reviewing bug #476766, I see in comment #5 Liu Yan's (the applicant)
> assertion: "CNNIC is not a Chinese Government organization."

> However, later comments by users in China seem to indicate the contrary.
>  Comment #18 states: "CNNIC is an infamous organ of the Chinese
> Communist government to monitor and control the Internet in China."
> Comment #23 states: "...CNNIC is infamous in China and it has a lot of
> connections with the government..."  Comment #24 states: "It has very
> closed tie with Chinese government and CPC (or CCP [Chinese Communist
> Party?])."

First, those statements are accusatory in nature.  They lack proof.
Second, even if true, it's not clear that those statements disqualify
CNNIC.  Other CAs that Mozilla has admitted to the root list also have
government ties with their respective governments, IINM, and we have not
disqualified them.

So, I conclude that the writers of the above comments are people who dislike
the Chinese government.  But like or dislike of the Chinese government is
not a basis of acceptance nor rejection of CAs under Mozilla policy, is it?

Let's be very careful not to allow this discussion group to become a forum
for discussion of Chinese government policies.   Whether you or I like it or
hate it, the Chinese government's great firewall is no basis for acceptance
or rejection of any Chinese CA, IMO.  If Mozilla decides that it IS, then
IMO, Mozilla should reject all Chinese CAs, and not consider them one by
one, because the issue is the action of the government.

> If any of these comments are true, then the application violates the
> second bullet under section 6 of the Mozilla CA Certificate Policy:

I'm not so sure.

> We require that all CAs whose certificates are distributed with our
> software products publicly disclose information about their policies and
> business practices

Let's imagine, just for the sake of discussion, that CNNIC is wholly owned
by the Chinese government.  Is that a policy?  Is that a business practice?

> That is, the relationship between CCNIC and the government or political
> structure of China -- a business practices -- has not been publicly
> disclosed.

I disagree that it is necessarily a policy or practice.

Further, in the PRC, ALL business is done at the pleasure of the government.
The larger the business, the more far reaching it is in scope, the more
that government will watch over it to ensure that it doesn't step over the
unwritten unspoken line.  This is known to every citizen in China.  It is
not written as a business policy anywhere, anymore than it is written that
all employees must breathe.

> I am further concerned about the fact that individuals inside China are
> blocked from participating in this discussion, perhaps by the "great
> firewall".  If CCNIC indeed operates independently of the government and
> political structure of China and is indeed worthy of the trust implied
> by having its root certificate in the NSS database, then why would
> anyone object to a discussion of this issue?

Why are those things related?

Why is ANYTHING other than a CA's honesty regarding certification of bindings
of names to public keys, and its scope being wide enough to be of value to a
significant part of Mozilla's user base, at issue in determining its
acceptability?

This newsgroup is NOT the place for discussion of international politics.
Discussion of a government's positions on human rights, great firewalls,
etc. have no place here, IMO. because they are not relevant, IMO, to the
operation and acceptability of a CA.


 
Newsgroups: mozilla.dev.security.policy
From: Eddy Nigg <eddy_n...@startcom.org>
Date: Sat, 30 Jan 2010 22:42:17 +0200
Local: Sat, Jan 30 2010 3:42 pm
Subject: Re: CNNIC Root Inclusion
On 01/30/2010 09:05 PM, Nelson Bolyard:

> This newsgroup is NOT the place for discussion of international politics.

Correct.

> Discussion of a government's positions on human rights, great firewalls,
> etc. have no place here, IMO. because they are not relevant, IMO, to the
> operation and acceptability of a CA.

The relevance starts, when as a matter of local legislation and law, CAs
could and would assist to or perform themselves MITM attacks or would
assist to what we could consider fraudulent and harmful intent and
knowingly wrongful issuance of certificates. This would be in fact
clearly against the Mozilla CA policy.

What some reporters try to say is that the known politics and alleged
behavior of the Chinese government and associated organizations and
tools are used for various purposes which could fall under the above
mentioned. I can understand that facts are hard to come by, especially
because of the nature of government.

The Chinese Firewall is a matter of local legislation, it's not against
their laws. However it's still a problematic practice in the view of the
Western hemisphere. The recent incidents with Google and many other
American companies might be testimonial and supportive evidence of other
very disturbing practices. Now, if this same establishment and its
legislation runs a CA (by proxy and/or third party), the same local laws
which allow for the former, might allow for MITM attacks and other
fraudulent issuance (in our eyes). This might be a problem directly
affecting the users of Mozilla products and against what the Mozilla
policy calls for (and is intended).

The close relationship between the CA and the political structure in
China could be viewed in itself as problematic! If this is a fact, then
this fact was perhaps not sufficiently disclosed here at the public
discussion and any such relationship was even denied.

(It must be clear that some CAs are more independent from governments
and might have different locations of operations, whereas some are
tightly associated or even operated by governments. For my taste I have
a huge dislike of any association with governments at all. I made that
clear previously at other occasions. But the Mozilla CA policy doesn't
care about this, hence it remains my personal point of view.)

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg


 
Newsgroups: mozilla.dev.security.policy
From: Wenbo Wang <1bal...@gmail.com>
Date: Sat, 30 Jan 2010 13:40:28 -0800 (PST)
Local: Sat, Jan 30 2010 4:40 pm
Subject: Re: CNNIC Root Inclusion
On Jan 31, 3:05 am, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

> Let's be very careful not to allow this discussion group to become a forum
> for discussion of Chinese government policies.   Whether you or I like it or
> hate it, the Chinese government's great firewall is no basis for acceptance
> or rejection of any Chinese CA, IMO.  If Mozilla decides that it IS, then
> IMO, Mozilla should reject all Chinese CAs, and not consider them one by
> one, because the issue is the action of the government.

Who cares if all Chinese CAs get rejected. We just hope firefox to be
safer for Chinese users.

> Further, in the PRC, ALL business is done at the pleasure of the government.
> The larger the business, the more far reaching it is in scope, the more
> that government will watch over it to ensure that it doesn't step over the
> unwritten unspoken line.  This is known to every citizen in China.  It is
> not written as a business policy anywhere, anymore than it is written that
> all employees must breathe.

If the above is true, then how could anyone but the government itself
know where the line is? Can you smell it? Is it a round shape or a
square shape? No offence, but I mean it could be anything the
government wants, whenever they want, however they want. How could
anybody trust anything like that?

Maybe I'm not so familiar with Mozilla's CA acceptance policy, but I
know this kind of CA cannot be trusted, and I know it in a tragic
"unwritten unspoken way".
And you know a lot about China, BTW. :)

BRs
Wenbo Wang


 
anonymous chineseguy
Newsgroups: mozilla.dev.security.policy
From: anonymous chineseguy <anonymouschinese...@gmail.com>
Date: Sat, 30 Jan 2010 21:40:24 -0800 (PST)
Local: Sun, Jan 31 2010 12:40 am
Subject: Re: CNNIC Root Inclusion
While we are talking about this, please keep in mind: even Google Groups
has been walled (a Chinese Internet term meaning that a website
is blocked by the GFW), and that's why the topic began in
Bugzilla. We're all talking behind proxies. Though that protects us
from being jailed in the name of defaming the government - and there
have been many cases.
CNNIC said it isn't a government organization; that is a complete
lie. In China, NGOs are never clearly allowed to exist. All of
them either have to pretend to be a for-profit corporation, or
have to find a government-allowed organization and beg to affiliate
under it, so the government can control it, either by imposing a tax which
it cannot afford (you can google "Xu zhi yong"), or by directly ordering its
superior to close it.
Let's look at an example. In Dec 2009, when the Chinese government decided to
"clear sex information on internet" (and of course, at the same time
tens of thousands of normal BBSes & websites were closed. YOU KNOW WHY),
CNNIC quickly made a statement, ".cn domain NEVER allowed personal
registration", while Chinese people had registered hundreds of
thousands of personal dot-cn domains? And after a main while they made
another decision of white-list name resolving?
If that's not a government-dominated organization, that definition can
be eliminated, I think.

Anonymously,
A Chinese guy

On Jan 29, 11:11 am, "David E. Ross" <nob...@nowhere.invalid> wrote:


 
tophits
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Sun, 31 Jan 2010 00:49:31 -0800 (PST)
Local: Sun, Jan 31 2010 3:49 am
Subject: Re: CNNIC Root Inclusion
On Jan 30, 8:05 pm, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

> First, those statements are accusatory in nature.  They lack proof.

Lack proof?  Or do you simply close your eyes and refuse to see the
proofs? :)

> CNNIC.  Other CAs that Mozilla has admitted to the root list also have
> government ties with their respective governments, IINM, and we have not
> disqualified them.

Other CAs are tied with governments, but CNNIC is tied with a mafia
group, NOT a government. :)

> So, I conclude that the writers of the above comments are people who dislike
> the Chinese government.  But like or dislike of the Chinese government is
> not a basis of acceptance nor rejection of CAs under Mozilla policy, is it?

Google also doesn't like the "Chinese government", do they? So they
don't have "basis" of this announcement [1].

> Let's be very careful not to allow this discussion group to become a forum
> for discussion of Chinese government policies.   Whether you or I like it or

It IS about policy, trust and security of the whole framework of PKI!
It will not only breach the web security of Chinese users, but also
users worldwide!  Be alert of the consequences.

> hate it, the Chinese government's great firewall is no basis for acceptance
> or rejection of any Chinese CA, IMO.  If Mozilla decides that it IS, then

The fact is that the acceptance is not based on adequate publicity and
discussion.  The information behind is not fully revealed.  The end
users especially the Chinese programmers are in effect excluded from
the discussion because only lately they discovered the new certificate
from Microsoft and Firefox updates.  This is why we raised this
question against the trust in CNNIC.

> IMO, Mozilla should reject all Chinese CAs, and not consider them one by
> one, because the issue is the action of the government.

In fact we should reject any CA that has bad credit records.  Just as
a credit card company won't issue a credit to a person who often
cheats.

> Let's imagine, just for the sake of discussion, that CNNIC is wholly owned
> by the Chinese government.  Is that a policy?  Is that a business practice?

The Chinese Communist Party government is not qualified as a root CA
administration, because it is building the biggest information jail to
intercept and cheat in DNS resolving, attack citizens all over the
world by trojan-horse phishing email and intrude companies and
governmental computers illegally.  It's a criminal group.

> Further, in the PRC, ALL business is done at the pleasure of the government.
> The larger the business, the more far reaching it is in scope, the more
> that government will watch over it to ensure that it doesn't step over the
> unwritten unspoken line.  This is known to every citizen in China.  It is

CA doesn't need to be a "large business", but a trustworthy business.
That's it.  We Chinese know better the Chinese government and CNNIC,
and how the business should be in China. :)

> Why is ANYTHING other than a CAs honesty regarding certification of bindings
> of names to public keys, and its scope being wide enough to be of value to a

CNNIC can't be linked with the word "honest" in the loosest sense.

> This newsgroup is NOT the place for discussion of international politics.
> Discussion of a government's positions on human rights, great firewalls,
> etc. have no place here, IMO. because they are not relevant, IMO, to the
> operation and acceptability of a CA.

They're closely related.  It's not only about GFW, but about hijacking
Internet communication, cheating, phishing, trojan-horse attack and
intrusion.  These were all done by the CCP government and CNNIC DID
intentionally spread malware that spied on users!

[1] David Drummond, SVP, Corporate Development and Chief Legal
Officer: A new approach to China; http://www.webcitation.org/5n92WuwKT
=     http://googleblog.blogspot.com/2010/01/new-approach-to-china.html


 
tophits
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Sun, 31 Jan 2010 00:58:45 -0800 (PST)
Local: Sun, Jan 31 2010 3:58 am
Subject: Re: CNNIC Root Inclusion
On Jan 30, 9:42 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:

> The relevance starts, when as a matter of local legislation and law, CAs
> could and would assist to or perform themselves MITM attacks or would
> assist to what we could consider fraudulent and harmful intent and
> knowingly wrongful issuance of certificates. This would be in fact
> clearly against the Mozilla CA policy.

I agree mostly with Eddy.  But I must point out that there is no "law"
in PR China.  Everything that is called a "law" is in fact "rules"
determined by the CCP officials at their own will and can be broken or
changed at any time they like.

Any statement that talks about "law" in China is in fact based on a
false premise.

> The Chinese Firewall are a matter of local legislation, it's not against
> their laws. However it's still a problematic practice in the view of the

The GFW itself in fact is even NEVER compliant with any Chinese "laws"
made by the CCP government itself!  This is why the CCP government
never admitted its existence!  :)  Please, please don't say that
GFW is based on "local legislation", it's even against the "rules"
made by the CCP government itself!

The official declaration of the PRC government is: The Internet in
China is completely free.  There is no censorship. full stop.

If you can trust such a "government", good luck to you! :)


 
Jack
Newsgroups: mozilla.dev.security.policy
From: Jack <jsmith...@live.com>
Date: Sun, 31 Jan 2010 23:40:12 -0800 (PST)
Local: Mon, Feb 1 2010 2:40 am
Subject: Re: CNNIC Root Inclusion
As many have pointed out above, the trust of a root certificate is
immediately jeopardized when a MITM attack is waged.  - Unfortunately
MITM attacks are already widely deployed in China.  The Harvard study
"Empirical Analysis of Internet Filtering in China" repeatedly
documented this:

"the authors prepared screenshots documenting the September 2002
redirection of requests for google.com to other search engines."
"some newer forms of Chinese filtering -- namely, redirection of a
request for a sensitive web site to another web site"
"DNS Filtering/Redirection and Its Implications"
"For some 1,043 of sites tested, we confirmed that DNS servers in
China report a web server other than the official web server actually
designated via each site's authoritative name servers."
http://cyber.law.harvard.edu/filtering/china/
http://cyber.law.harvard.edu/filtering/china/appendix-tech.html#dns

Some "50 cent party" (to save your google trip: it's the thousands of
people the Chinese Communist Party pays to defend itself on the internet)
may claim CNNIC is not the same institute that launched these MITM
attacks.  But I trust the Mozilla developers are not so naive as to
believe CNNIC can violate the Party's order, or that the billion-dollar
Great Firewall involving numerous technical institutes was
accomplished by those institutes voluntarily - and most of those
institutes look just like CNNIC.
In fact, the very DNS servers doing MITM attack as documented by the
Harvard study above are either closely related to CNNIC or another
innocent-looking "non-government" institute, because in China all
shiny hats are worn by the same Party.

So, if this root certificate crisis is not properly addressed, it's
very likely that in a couple years, the relatives of some Tibetan or
Falun Gong, or home church followers would sue Microsoft and Mozilla
in U.S. for assisting the Chinese Communist regime to steal their
email passwords using faked websites and certificates so could login
to their real accounts later leading to their imprisonment, just like
someone did against yahoo
(http://www.rsf.org/Yahoo-settles-lawsuit-by-families.html).


 
Gervase Markham
Newsgroups: mozilla.dev.security.policy
From: Gervase Markham <g...@mozilla.org>
Date: Mon, 01 Feb 2010 10:48:02 +0000
Local: Mon, Feb 1 2010 5:48 am
Subject: Re: CNNIC Root Inclusion
On 29/01/10 09:39, Justin Dolske wrote:

> It would be an interesting experiment to create an addon to crowd-source
> checking for such certs. Not as a CNNIC-specific issue, but any case of
> valid certs for a site coming from an unexpected CA.

It would certainly be interesting to know if a particular site had a
cert from a different issuer depending on where in the world you were.

However, I strongly suspect that any government which was putting
pressure on a CA to issue certs for surveillance purposes would use
those certs only in very limited circumstances - for precisely the
reason Johnath outlines. You have to send the cert to the browser, and
someone is eventually going to notice.

> It could also be
> easy to just store a local record of certs you've encountered, and
> warn you when a site's cert has changed.

It would be easy. See the "Connection Repeatability" section of this
article:
http://www.gerv.net/security/self-signed-certs/
for my explanation of why it's not a good idea for Firefox to do this by
default.

Gerv


 
Gervase Markham
Newsgroups: mozilla.dev.security.policy
From: Gervase Markham <g...@mozilla.org>
Date: Mon, 01 Feb 2010 10:50:59 +0000
Local: Mon, Feb 1 2010 5:50 am
Subject: Re: CNNIC Root Inclusion
On 29/01/10 07:42, makrober wrote:

> Johnathan Nightingale wrote:
>> 1) We have never claimed as a matter of policy that our PKI decisions
>> can protect people from malicious governments. It's just not a
>> plausible promise for us to make.

> With due respect, "never have made the promise" just doesn't cut it in
> my eyes. To turn it around: never was there any warning to the user base
> that there is some "special class" of miscreants that Mozilla would not
> protect the users from. This can be explained (but not excused) by the
> mindset of those that instituted the process: in their minds,
> "governments", by definition, can't be miscreants. I and (as that
> discussion on bugzilla demonstrates) many, many, others do not share
> this mindset.

Anyone who is concerned about government surveillance of their
activities needs to take rather more care about the security of their
software than the average person. The default configuration of any
mass-market security software is unlikely to be suitable for their
needs. Given that, I don't think it's unreasonable to expect them to
deactivate certs from entities they don't trust. (And this will be a
different set of certs for different people.)

> Perhaps it is time to review the process. It would be smart to take Mozilla
> out of the trust business. At the very least, all root certificates that
> are included should not be trusted until the user explicitly turns those he
> or she knows and trusts (and needs for his or her transactions) on.

That is an utterly impractical suggestion, and would be
counter-productive - faced with a barrage of "please approve me"
requests, users would either a) click "Yes", "Yes", "Yes" or b) abandon
Firefox for a browser which didn't irritate them nearly so much.

Gerv


 
Gervase Markham
Newsgroups: mozilla.dev.security.policy
From: Gervase Markham <g...@mozilla.org>
Date: Mon, 01 Feb 2010 10:56:34 +0000
Local: Mon, Feb 1 2010 5:56 am
Subject: Re: CNNIC Root Inclusion
On 28/01/10 12:50, crewlay wrote:

> Is also very absurd to directly built such a notorious hated certificate
> into the widely accepted open-source software in prc, almost everyone
> are looking for method how to remove it after being aware of the
> bulletin for either potential ssl hijack or consistent disgusted with
> cnnic, and it's so simple to prove that either protest poll or something
> similar.

If you wish to create and publicise a web page which details how to
disable roots in Firefox in general, and CNNIC's root in particular,
then you have every freedom to do that.

Without evidence of wrongdoing, there is nothing to provoke us to
action. I'm sure you'd want a similar standard of proof to be applied if
you were accused of something.

Also, I think "notorious hated certificate" is hyperbole. The latest
NetCraft statistics show CNNIC has signed the certs of 30 websites - a
tiny fraction. Of course, NetCraft's coverage may be incomplete.

Gerv


 
makrober
Newsgroups: mozilla.dev.security.policy
From: makrober <makro...@gmail.com>
Date: Mon, 01 Feb 2010 13:29:34 +0000
Local: Mon, Feb 1 2010 8:29 am
Subject: Re: CNNIC Root Inclusion

Gervase Markham wrote:
> Anyone who is concerned about government surveillance of their
> activities needs to take rather more care about the security of
> their software than the average person.

For those defining and implementing technical infrastructure of
protection and security, it is worth giving a bit of thought to
the following issues:

1) what defines a "government"?

2) why should such participants be, by definition, exempt from
the list of potential miscreants?

3) If we allow a certain class of miscreants to be exempt from
the security our software offers, how do we make sure that the
user base understands that there are such exemptions?

MacRober


 
tophits
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Mon, 1 Feb 2010 05:49:22 -0800 (PST)
Local: Mon, Feb 1 2010 8:49 am
Subject: Re: CNNIC Root Inclusion
Dear Gervase,

There is much evidence that CNNIC is not trustable.  It's not
"hyperbole".
Please do some investigation before you conclude.

There can be a lot of websites signed by the CNNIC CA.  This says nothing
about whether it's trustable or not.
There are more websites than you can count that carry certain
malware.  Is the number a proof that the malware is trustable?

On Feb 1, 11:56 am, Gervase Markham <g...@mozilla.org> wrote:


 
tophits
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Mon, 1 Feb 2010 05:51:44 -0800 (PST)
Local: Mon, Feb 1 2010 8:51 am
Subject: Re: CNNIC Root Inclusion
On Feb 1, 11:48 am, Gervase Markham <g...@mozilla.org> wrote:

> However, I strongly suspect that any government which was putting
> pressure on a CA to issue certs for surveillance purposes would use
> those certs only in very limited circumstances - for precisely the

Gerv, you're missing the case when a rogue government is trying to
intercept public websites like gmail.
Then the users in China might get a different fake certificate of
mail.google.com!

 
tophits
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Mon, 1 Feb 2010 05:54:36 -0800 (PST)
Local: Mon, Feb 1 2010 8:54 am
Subject: Re: CNNIC Root Inclusion
Do you mean this by the Mozilla policy? It's really irresponsible to
talk about user's security like this.

On Feb 1, 11:50 am, Gervase Markham <g...@mozilla.org> wrote:


 
tophits
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Mon, 1 Feb 2010 06:03:39 -0800 (PST)
Local: Mon, Feb 1 2010 9:03 am
Subject: Re: CNNIC Root Inclusion
Now I conclude that it's a waste of time to convince the Mozilla guys
of the level of danger that the inclusion of a rogue CA will cause to
the users.  Let them ruin the reputation of Firefox.  Let them pretend
that it's not a problem. :)

It's more efficient to start trying to make Certificate Patrol or
something alike into a better addon for the defective certificate
manager of Firefox.  At least we can help those prudent people who
treasure their privacy and security.

The new addon should help the users to remove rogue CAs and immunize the
browser against accepting them in the future.
Surely the immunity list should be editable by the user.  Let's bring
full control of trust back to the users.
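
An added example, not part of any post in this thread and not Certificate Patrol's code: a minimal local record of the kind raised in Gervase Markham's reply to Justin Dolske and in the post above. It separates routine re-issuance from an issuer change, compares vantage points, and honours a user-editable distrust list. The class, verdict names, hosts, issuer names and certificate bytes are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    host: str
    issuer: str              # issuer name from the presented certificate
    der: bytes               # certificate bytes as received
    vantage: str = "local"   # hypothetical label for where it was observed

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


class CertRecord:
    """Remembers which certificates and issuers each host has presented."""

    def __init__(self, distrusted_issuers=()):
        self.distrusted = set(distrusted_issuers)  # user-editable list
        self._fingerprints = defaultdict(set)      # host -> fingerprints
        self._issuers = defaultdict(dict)          # host -> vantage -> issuers

    def check(self, obs: Observation) -> str:
        """Classify an observation against history, then record it."""
        if obs.issuer in self.distrusted:
            return "distrusted-issuer"             # reported, never recorded
        seen = self._fingerprints[obs.host]
        by_vantage = self._issuers[obs.host]
        known_issuers = set().union(*by_vantage.values())
        if not seen:
            verdict = "first-seen"
        elif obs.fingerprint in seen:
            verdict = "known"
        elif obs.issuer in known_issuers:
            verdict = "new-cert-same-issuer"       # routine re-issuance
        else:
            verdict = "issuer-changed"             # cert from an unexpected CA
        seen.add(obs.fingerprint)
        by_vantage.setdefault(obs.vantage, set()).add(obs.issuer)
        return verdict

    def split_view(self, host: str) -> dict:
        """Return {vantage: issuers} if vantage points disagree, else {}."""
        views = {v: frozenset(i) for v, i in self._issuers[host].items()}
        return views if len(set(views.values())) > 1 else {}


def demo():
    # All hosts, issuer names and certificate bytes below are constructed.
    host = "mail.example.test"
    rec = CertRecord(distrusted_issuers={"CN=Constructed Distrusted CA"})
    observations = [
        Observation(host, "CN=Constructed CA A", b"leaf-1"),
        Observation(host, "CN=Constructed CA A", b"leaf-1"),
        Observation(host, "CN=Constructed CA A", b"leaf-2"),
        Observation(host, "CN=Constructed CA B", b"leaf-3", "remote-peer"),
        Observation(host, "CN=Constructed Distrusted CA", b"leaf-4"),
    ]
    verdicts = [rec.check(o) for o in observations]
    return verdicts, rec.split_view(host)


if __name__ == "__main__":
    verdicts, views = demo()
    print(verdicts)
    print({v: sorted(i) for v, i in views.items()})
```

Only the "issuer-changed" and "distrusted-issuer" verdicts would merit interrupting the user; a split view across vantage points is the signal a crowd-sourced check would look for.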


 
tophits
Newsgroups: mozilla.dev.security.policy
From: tophits <wan...@gmail.com>
Date: Mon, 1 Feb 2010 06:06:17 -0800 (PST)
Local: Mon, Feb 1 2010 9:06 am
Subject: Re: CNNIC Root Inclusion
Dear Gervase,

Do you think an "average person" can live with malware that is
unremovable from their system once installed, and spies on their web
activities?

If your answer is "yes", then you go with CNNIC. :)

On Feb 1, 11:50 am, Gervase Markham <g...@mozilla.org> wrote:


 
Test Test
Newsgroups: mozilla.dev.security.policy
From: Test Test <btwconnec...@gmail.com>
Date: Mon, 1 Feb 2010 06:54:24 -0800 (PST)
Local: Mon, Feb 1 2010 9:54 am
Subject: Re: CNNIC Root Inclusion
CNNIC is absolutely an evil.
If Firefox trusts CNNIC, then I think the words "We believe that the
internet should be public, open and accessible." should be removed
from the Mozilla home page.

On Feb 1, 9:54 pm, tophits <wan...@gmail.com> wrote:


 