
Fwd: Re: CNNIC Root Inclusion


Eddy Nigg

Mar 29, 2010, 5:16:20 AM
Forwarding on behalf of the author. This was sent to me directly instead of to the newsgroup.

-------- Original Message --------
Subject: Re: CNNIC Root Inclusion
Date: Sun, 28 Mar 2010 20:12:13 -0700 (PDT)
From: Spencer Velicue <chenmi...@gmail.com>
To: Eddy Nigg <eddy...@startcom.org>


CNNIC is the official branch of IANA in China, offering DNS services
and the others. The remarkable action of this organization includes
providing domain names in Chinese characters.

However, from the information I have fetched, partially from my
friends in China, there are adequate evidences which can prove that
the CNNIC has launched a series of actions, including but not limited
to installing adware/spyware on user's computers that cannot be
removed; hijacking DNS services, constructing phishing sites, tapping
on Internet transmissions.

Part of these actions are to grab more profit while the others are
probably manipulated by Chinese government.

The key is that, whatever the motivation is, while becoming an
officially recognized CA, the CNNIC will have ability to launch attack
to websites which applies SSL encryption, and construct phishing sites
that can't be recognized easily. Of course, every organization could
do that but if it's a legal and responsible, respected organization,
we can assume that they would use CA in a legal way. Nevertheless, the
history of this so-called organization has made a great distinction
between CNNIC and other trustworthy organizations. The inclusion of
an untrustworthy and suspicious organization/company has obviously
increased the risk of Internet users, especially users in mainland
China.

I hope Mozilla can have a more detailed inspection onto CNNIC, to
verify if it is really a qualified Certificate Authority. Not all the
organizations who request to get CA should be qualified and add to the
preference of Mozilla Firefox. Before any conclusion could be made, we
shall have more facts and statistics.

So I move for suspending CA of CNNIC. I hope my opinion could be
understood and endorsed.

--
Regards

Spencer Velicue

Gervase Markham

Mar 29, 2010, 6:14:19 AM
On 29/03/10 10:16, Eddy Nigg wrote:
> However, from the information I have fetched, partially from my
> friends in China, there are adequate evidences which can prove that
> the CNNIC has launched a series of actions, including but not limited
> to installing adware/spyware on user's computers that cannot be
> removed; hijacking DNS services, constructing phishing sites, tapping
> on Internet transmissions.

We are, as always, happy to evaluate such evidences when they are provided.

Gerv

Jean-Marc Desperrier

Mar 29, 2010, 8:53:32 AM
Eddy Nigg wrote:
> from the information I have fetched, partially from my
> friends in China, there are adequate evidences which can prove that
> the CNNIC has launched a series of actions, including but not limited
> to installing adware/spyware on user's computers that cannot be
> removed; hijacking DNS services, constructing phishing sites, tapping
> on Internet transmissions.

I hope those who want rejection of CNNIC can understand the only thing
Mozilla wants to see is actual evidence, not any indirect report.
Don't say "there are adequate evidences", just show them.

Those indirect reports, and statement of distrust not backed by evidence
actually *hurt* that cause, instead of helping it.
That's because they reinforce the impression that Mozilla quite
obviously currently has, which is that all those claims are not backed
by anything concrete.

About the adware/spyware installation, I have seen some reports based on
the automatic inspection done by google tools that seemed to have
something in them. So please, develop and build a strong case on that,
just stop the indirect reports.
Actual DNS hijacking proof could be useful also. Maybe I need a better
explanation, but I don't believe that the kind of thing the already
reported incident really shows.

Eddy Nigg

Mar 29, 2010, 10:48:57 AM
to Jean-Marc Desperrier
On 03/29/2010 03:53 PM, Jean-Marc Desperrier:

> About the adware/spyware installation, I have seen some reports based
> on the automatic inspection done by google tools that seemed to have
> something in them. So please, develop and build a strong case on that,
> just stop the indirect reports.

I think at least this point was proved to the extent that several
different anti-virus vendors including Microsoft marked software
originating from CNNIC (toolbars and other stuff?) as malware and
harmful. I'm not the one who can judge about its correctness, but this
evidence has been provided.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Stephen Schultze

Mar 29, 2010, 1:39:53 PM
On Mar 29, 8:53 am, Jean-Marc Desperrier <jmd...@gmail.com> wrote:
> Actual DNS hijacking proof could be useful also. Maybe I need a better
> explanation, but I don't believe that the kind of thing the already
> reported incident really shows.

I don't know how to parse your last sentence, but it is clear that
China/CNNIC has been hijacking DNS for years:
https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005270.html
https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005273.html

The issue is not lack of evidence of what you describe, but the fact
that Mozilla folks will evidently accept only one category of evidence
-- an SSL cert signed by CNNIC for a domain that did not authorize
it. This is a challenging piece of evidence to obtain, not least of
which because Mozilla doesn't provide an easy interface for detecting
and reporting suspicious certs. The question of whether or not CNNIC
is trustworthy in the eyes of the Cert Policy appears to have been
reduced to this single criteria.

Florian Weimer

Mar 30, 2010, 1:28:16 AM
to Eddy Nigg, dev-secur...@lists.mozilla.org
* Eddy Nigg:

> I think at least this point was proved to the extent that several
> different anti-virus vendors including Microsoft marked software
> originating from CNNIC (toolbars and other stuff?) as malware and
> harmful. I'm not the one who can judge about its correctness, but this
> evidence has been provided.

Link?

Keep in mind that many organizations who operate Mozilla-accredited
CAs provide services which are related to communications access for
law enforcement. For obvious reasons, this increasingly involves use
of remote forensics software.

(I'm not saying CNNIC is doing any of that. I'm just asking to keep
things in perspective.)

Florian Weimer

Mar 30, 2010, 1:33:36 AM
to Stephen Schultze, dev-secur...@lists.mozilla.org
* Stephen Schultze:

> On Mar 29, 8:53 am, Jean-Marc Desperrier <jmd...@gmail.com> wrote:
>> Actual DNS hijacking proof could be useful also. Maybe I need a better
>> explanation, but I don't believe that the kind of thing the already
>> reported incident really shows.
>
> I don't know how to parse your last sentence, but it is clear that
> China/CNNIC has been hijacking DNS for years:
> https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005270.html
> https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005273.html

And so what?

Many network providers, including those running Mozilla-accredited
CAs, perform DNS hijacking these days. In fact, the whole
DNS-redirection-for-ad-serving thing was made (un)popular by Verisign,
of all companies.

Eddy Nigg

Mar 30, 2010, 6:22:24 AM

tophits

Mar 30, 2010, 7:50:57 AM
to lihlii-g, 网络安全
What bullshit! People already provided enough evidences but you guys
refuse to read or accept!
What kind of rubbish you are?! Gervase and Jean-Marc?

tophits

Mar 30, 2010, 7:53:08 AM
to lihlii-g, 网络安全
Fuck you, Florian! What holy shit you are!

On Mar 30, 7:33 am, Florian Weimer <f...@deneb.enyo.de> wrote:
> * Stephen Schultze:
>
> > On Mar 29, 8:53 am, Jean-Marc Desperrier <jmd...@gmail.com> wrote:
> >> Actual DNS hijacking proof could be useful also. Maybe I need a better
> >> explanation, but I don't believe that the kind of thing the already
> >> reported incident really shows.
>
> > I don't know how to parse your last sentence, but it is clear that
> > China/CNNIC has been hijacking DNS for years:

> >https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005270...
> >https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005273...

Eddy Nigg

Mar 30, 2010, 8:22:50 AM
On 03/30/2010 02:53 PM, tophits:

> Fuck you, Florian! What holy shit you are!
>

Please refrain from posting to this list, such statements are not
acceptable and will not be tolerated. Additionally you are hurting your
cause.

Erwann Abalea

Mar 30, 2010, 10:19:10 AM
tophits wrote:

> What bullshit! People already provided enough evidences but you guys
> refuse to read or accept!
> What kind of rubbish you are?! Gervase and Jean-Marc?

Please, try to moderate yourself. "Evidence" here has to be taken as an opposite
to "belief".

I'm personally in favor of removing CNNIC Root CA from Mozilla's database, but I
have to admit that rules have to be strictly followed by everybody, including
people who want to ban CNNIC.

CNNIC Root inclusion process has followed the rules; maybe those were imperfect,
surely those will improve.

I also personally know Jean-Marc (since more than 20 years now), and can tell
he's not any kind of "rubbish". If the right arguments can be advanced, he'll be
convinced. I believe that's also true with a lot of regular contributors.

Clearly, shouting louder than one other doesn't fall into the "right arguments"
category.

--
Erwann

Stephen Schultze

Mar 30, 2010, 11:17:29 AM
On Mar 30, 1:33 am, Florian Weimer <f...@deneb.enyo.de> wrote:
> * Stephen Schultze:
>
> > On Mar 29, 8:53 am, Jean-Marc Desperrier <jmd...@gmail.com> wrote:
> >> Actual DNS hijacking proof could be useful also. Maybe I need a better
> >> explanation, but I don't believe that the kind of thing the already
> >> reported incident really shows.
>
> > I don't know how to parse your last sentence, but it is clear that
> > China/CNNIC has been hijacking DNS for years:
> >https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005270...
> >https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005273...

>
> And so what?
>
> Many network providers, including those running Mozilla-accredited
> CAs, perform DNS hijacking these days.  In fact, the whole
> DNS-redirection-for-ad-serving thing was made (un)popular by Verisign,
> of all companies.

I linked to those because Jean-Marc evidently wasn't aware of the
widespread hijacking already happening, and seemed to believe that
such evidence would contribute to the case for revocation.

Your response highlights my point: no evidence other than a cert
issued in bad faith is sufficient to revoke a root CA.

The type of hijacking is radically different in the two cases in
question. Verisign was redirecting to an advertising page for un-
registered domains. Although I find this annoying and bad behavior,
it doesn't really seem likely to "cause undue risks to users'
security." On the other hand, CNNIC has been shown to be actively
redirecting to their own IP space well-known sites that gather
personally identifiable information.

tophits

Mar 31, 2010, 7:51:44 AM
to lihlii-g, 网络安全
Eddy and Erwann,

I thank you all for notice for etiquette which surely I know. But
etiquette is only meant for reasonable people, not blindly arrogant
people. This discussion already showed to be meaningless by low-level
repeating of evidences and reasons which are ignored repeatedly. What
the fuck!

Please see what kind of responses the Mozilla security managers
provided to the users. They're not qualified, as I can see.

Don't ask me to follow fucking rules. The guys from Mozilla never
follow their rules.

On Mar 30, 4:19 pm, Erwann Abalea <erwann.aba...@keynectis.com> wrote:
> tophits wrote:

Jean-Marc Desperrier

Apr 2, 2010, 11:14:46 AM
Erwann Abalea wrote:
> I also personally know Jean-Marc (since more than 20 years now), and can tell
> he's not any kind of "rubbish".

Don't worry Erwann, I didn't in the slightest take tophits words personally.

It happened to me also, when you feel both involved and irritated about
something, and express yourself in a foreign language, you tend to use
words that you certainly don't perceive the same as a native speaker
would. And I can imagine the effect is even stronger for Chinese who
speak a language very different from English.

> If the right arguments can be advanced, he'll be
> convinced.

In some ways, I am already convinced CNNIC is "different".

But I think it's very, very important for Mozilla to treat CNNIC case by
following the rules to the letter, and acting on undeniable facts.

Which does not mean letting go and accepting bad behavior.
But finding a way to have a very precise and indisputable definition of
why it's unacceptable.

Eddy Nigg

Apr 2, 2010, 12:24:08 PM
On 04/02/2010 06:14 PM, Jean-Marc Desperrier:

> But I think it's very, very important for Mozilla to treat CNNIC case
> by following the rules to the letter, and acting on undeniable facts.
>
> Which does not mean letting go and accepting bad behavior.
> But finding a way to have a very precise and indisputable definition
> of why it's unacceptable.

This is correct. I've been requesting a review on the grounds that those
users most affected by this decision were not able to participate, in
addition to not being aware of the process here.

I would insist on creating a platform where those users also can
participate, if that would mean setting up a proxy or something, so be
it. This is the only argument I can provide at the moment which should
be taken into consideration.

Stephen Schultze

Apr 2, 2010, 12:31:48 PM
On Apr 2, 12:24 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I would insist on creating a platform where those users also can
> participate, if that would mean setting up a proxy or something, so be
> it. This is the only argument I can provide at the moment which should
> be taken into consideration.

What about the argument that CNNIC demonstrates ongoing practices (eg:
hijacking of DNS for active sites) which many would consider an
untrustworthy practice?

What about the documented cases in which CNNIC distributed malware,
thus showing them to be untrustworthy?

Eddy Nigg

Apr 2, 2010, 12:43:28 PM
On 04/02/2010 07:31 PM, Stephen Schultze:

> What about the argument that CNNIC demonstrates ongoing practices (eg:
> hijacking of DNS for active sites) which many would consider an
> untrustworthy practice?
>
> What about the documented cases in which CNNIC distributed malware,
> thus showing them to be untrustworthy?
>

Exactly this should be discussed during such a review.

Nelson Bolyard

Apr 3, 2010, 6:58:22 AM

ISP issues are out of scope. Mozilla doesn't have an ISP policy.
Mozilla is concerned with what the part of CNNIC that acts as a CA does,
not with the part that acts as an ISP. The issue here is: are they a
trustworthy CERTIFICATE AUTHORITY? That is the only issue to be
considered here. And the only evidence that is in scope is evidence
that directly reflects on activities performed as a CERTIFICATE AUTHORITY.

Eddy Nigg

Apr 3, 2010, 7:13:21 AM
On 04/03/2010 01:58 PM, Nelson Bolyard:

Well, I wouldn't argue that exclusively - it's a matter of trust and I
would expect a certain behavior by an organization claiming to be a
certification authority. Even though different departments may indeed
follow the different policies to the letter, I'm personally troubled by
that.

I'm not sure if we would have recommended an inclusion based on the
complaints and evidences that do exist today. There may be a breach of
trust under certain circumstances, even if it's not directly related to
the CA operations. Certain patterns of behavior and breach of trust in
other areas certainly don't contribute to trust a certification
authority run by the same organization.

It was argued previously that ISPs shouldn't be certification
authorities and we have decided that it doesn't matter. I think you yourself
voiced such concerns about your own ISP at that time. CNNIC might not
affect you in the same way, but just remember that you were in a similar
situation, whereas the evidences with that ISP were way less serious IIRC.

Stephen Schultze

Apr 3, 2010, 10:33:53 AM
On Apr 3, 6:58 am, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

To be sure, what we care about in this context is their
trustworthiness as a certificate authority. But actions performed by
the same organization in a different capacity can have bearing on
their trustworthiness in the certificate authority role... in two
ways:

1. Overall trustworthiness of the organization
2. Trustworthiness in analogous situations

CNNIC's willingness to act on behalf of the Chinese government in
order to expose personal information of individuals speaks to #1.

Distributing malware speaks to #1, and to the extent that the CA
threat model includes snooping it speaks to #2 as well.

DNS hijacking is a highly analogous situation. An organization with
the authority to assert proper mapping of identifier to an entity
decides to abuse end-users' trust. The risk is also parallel... third
party surveillance.

"...including a CA certificate (or setting its "trust bits" in a
particular way) would cause undue risks to users' security..." does
not exclude evidence of non-CA actions that have bearing on
trustworthiness in the CA capacity.

David E. Ross

Apr 3, 2010, 11:19:57 AM

I strongly disagree. When an organization behaves very badly in a major
way in one area, the entire organization is not trustworthy in all areas.

--

David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997

FCK gfw

Apr 4, 2010, 6:18:01 AM

Gerv, Eddy and all,

I have been watching this discussion only a little while. And I just
noticed that you are quite a man with principles. Of such concept as
"cornerstone to justice" and "the most vote", these are indeed the
principles in an open society. But we must face the truth that the
most number of people who use those CAs everyday doesn't even notice
their functionality and potential risks. And "to remove the CA" is
quite a tec for many people. So I think many people just can't come
here and vote, don't mention that google groups are blocked by GFW in
China. I just cross the Great Fire Wall to comment here.

Also, let's don't forget that even if you are in an open society,
proper education is still needed to let the people know they have
rights. So they could make their own decisions to vote for their
rights. But in China, don't need me to explain you may know how the
everyday brainwash goes through school education and media, or should
we say "traditional media". So, to expect most of the "normal" firefox
user to have a fully scale vote is not realistic.

CNNIC is not an independent organization, it is only a tool of the
party and gov, like the traditional medias.
You may say I am talking about international politics. But in my
opinion, despite the realistic truth and evil history of the
organization to wait for the evidence of its "evil" behavior on the
Root CA is a criminal omission itself. For me, it is not involved
into politics, it is to keep a faith and spirit of the universal
value, also may be part of the value of Mozilla.

You may have tolerance on this organization. You don't want to punish
them by their unfinished evil (may be only on the CA part, for other
part, it is already proved). But they never have any tolerance on
people who have principles and integrity like you. A very famous human
rights activist was sentenced 11 years in prison with the crime of
writing and speaking in the end of 2009. By law, he can't be
sentenced. But the rulers don't have this kind of principle and
integrity. They can fake accusation, they are not reasonable people.

Personally I believe the theories of Sir Karl Raimund Popper, in "The
Open Society and Its Enemies", he claimed that,
"Unlimited tolerance must lead to the disappearance of tolerance. If
we extend unlimited tolerance even to those who are intolerant, if we
are not prepared to defend a tolerant society against the onslaught of
the intolerant, then the tolerant will be destroyed, and tolerance
with them. In this formulation, I do not imply, for instance, that we
should always suppress the utterance of intolerant philosophies; as
long as we can counter them by rational argument and keep them in
check by public opinion, suppression would certainly be most unwise.
But we should claim the right to suppress them if necessary even by
force; for it may easily turn out that they are not prepared to meet
us on the level of rational argument, but begin by denouncing all
argument; they may forbid their followers to listen to rational
argument, because it is deceptive, and teach them to answer arguments
by the use of their fists or pistols. We should therefore claim, in
the name of tolerance, the right not to tolerate the intolerant. We
should claim that any movement preaching intolerance places itself
outside the law, and we should consider incitement to intolerance and
persecution as criminal, in the same way as we should consider
incitement to murder, or to kidnapping, or to the revival of the slave
trade, as criminal."

By removing the CNNIC CAs, we are not breaking the rules of justice,
or Mozilla's. We are trying to protect our reputation as a creditable
open organization. And to spread the spirit of open of trust.

Until now, you may think I talk like Jesus ;-)
I am only an IT technician who would like to watch the technology
making our world and life better, away from suffering.

Yours sincerely,

Moudrick M. Dadashov

Apr 4, 2010, 4:41:56 PM
to FCK gfw, dev-secur...@lists.mozilla.org
ok, I just wonder if anybody from CNNIC is reading this? Hey, it is your
turn now. If you are accepting all that is said here (no comments?),
then it's not "hearsay" anymore.

Thank you.
M.D.
cell: +370-699-26662


Matt McCutchen

Apr 4, 2010, 8:01:50 PM
On Sun, 2010-04-04 at 23:41 +0300, Moudrick M. Dadashov wrote:
> ok, I just wonder if anybody from CNNIC is reading this? Hey, it is your
> turn now. If you are accepting all that is said here (no comments?),
> then it's not "hearsay" anymore.

Come now, that's absurd. Failure to deny an allegation does not equate to
confirming it.

--
Matt

Kyle Hamilton

Apr 4, 2010, 9:32:23 PM
to Nelson Bolyard, dev-security-policy

I disagree. Completely. This violates the most basic, simple
accounting principle of "separation of powers". Don't let the person
accepting the payment and entering it into the customer's account be
the one to enter it into the bank account ledger -- it's too easy for
theft to occur. The same principle applies to "name-to-address
lookups" and "name-to-organization lookups". The DNS tells you what
the IP address is. The certificate tells you that someone else has
reviewed the entity that owns the name associated with the IP address
and determined that it is accurate.

Verisign ran both the only root accepted by Netscape Navigator
pre-1.0, but also at that time held the root zones (though the root
zones were run under a US government contract and thus had at least a
plausibly-different oversight). They had an interest in not spying on
people, so (AFAICT) they never operated the Verisign CA under
government oversight (the closest they came to it was an audit).

As a Certificate Authority, no entity can be trusted to run any part
of the public DNS recursion infrastructure (root-servers.net,
gtld-servers.net, .cn, anything). It's too easy for Trent to become
Mallory -- and that's the argument that doomed the Clipper Chip (and
Fortezza) in 1995. And that was for the *US government*, not even a
government which has been shown to have repeatedly committed heinous
human rights violations.

I move that CNNIC be limited to authenticating sites ending with .cn
and email addresses ending in .cn only. Either that or a huge warning
"THIS CERTIFICATE HAS BEEN SIGNED BY A CA WHICH HAS HAD SERIOUS DOUBTS
CAST ON ITS INTEGRITY". Since we all know that the latter's not going
to happen, the former is something that the Mozilla CA group *can* act
on.

Otherwise, CAs have no relevance, because nobody can trust any of them
because they can't be distinguished in the chrome.

-Kyle H

Moudrick M. Dadashov

Apr 5, 2010, 7:15:24 AM
to Matt McCutchen, dev-secur...@lists.mozilla.org

----- Original message -----

Sorry, wrong. This is not a chat room.

We have an applicant here and the forum is questioning his credibility. It is the obligation of applicant to respond. Obviously they even have a choice to comment directly here or send their answers to Mozilla. If they fail to do so that means there is no dialog between them and Mozilla. And as a result Mozilla probably could keep this application on hold.

Kathleen, do you have any feedback/comments from the applicant concerning the issues raised during the review process?

Thanks,
M.D.
Cell: +370-699-26662

Eddy Nigg

Apr 5, 2010, 7:19:09 AM
On 04/05/2010 02:15 PM, Moudrick M. Dadashov:

> Kathleen, do you have any feedback/comments from the applicant concerning the issues raised during the review process?
>

It would perhaps also be useful to receive an assessment and feedback
from Entrust which cross-signed the CNNIC root. I believe that the
concerns raised should be addressed in an appropriate manner.

David E. Ross

Apr 5, 2010, 5:13:13 PM
On 4/5/10 4:15 AM, Moudrick M. Dadashov wrote:
>
> Sorry, wrong. This is not a chat room.
>
> We have an applicant here and the forum is questioning his credibility. It is the obligation of applicant to respond. Obviously they even have a choice to comment directly here or send their answers to Mozilla. If they fail to do so that means there is no dialog between them and Mozilla. And as a result Mozilla probably could keep this application on hold.
>
> Kathleen, do you have any feedback/comments from the applicant concerning the issues raised during the review process?
>

Unfortunately, the root certificate in question has already been
installed and delivered to users. I see it in both SeaMonkey 2.0.4 and
Thunderbird 3.0.4. I have turned off all trust bits in both applications.

Nelson B

Apr 8, 2010, 12:14:01 AM
On 2010/04/05 04:15 PDT, Moudrick M. Dadashov wrote:

> We have an applicant here and the forum is questioning his credibility.
> It is the obligation of applicant to respond. Obviously they even have a
> choice to comment directly here or send their answers to Mozilla. If
> they fail to do so that means there is no dialog between them and
> Mozilla. And as a result Mozilla probably could keep this application on
> hold.

I don't think the applicant is obliged to answer lots of accusation for
which no evidence is presented. But I do agree that he/she would be
obliged to respond if real evidence was presented.

That is why I keep asking the accusers for real evidence. The fact that
they never produce any, and instead keep making more unfounded accusations,
and making statements that suggest that they do not understand the
difference between evidence and accusation, only weakens their case.

This process has a finite lifetime. Mozilla won't hold the application
indefinitely while people continue to bring nothing but accusations without
evidence.

So to all the accusers out there, stop ignoring the advice to come up with
evidence.

> This is not a chat room.

That's right, so let's keep unbounded amounts of unfounded and/or
irrelevant accusation out of this forum.

Moudrick M. Dadashov

Apr 8, 2010, 3:37:18 AM
to Nelson B, dev-secur...@lists.mozilla.org
Thanks Nelson, fully agree.

M.D.
Cell: +370-699-26662

Stephen Schultze

Apr 8, 2010, 8:17:37 AM
On Apr 8, 12:14 am, Nelson B <nel...@bolyard.me> wrote:
> This process has a finite lifetime.  Mozilla won't hold the application
> indefinitely while people continue to bring nothing but accusations without
> evidence.

The application hasn't been held at all. That's part of the problem.

> So to all the accusers out there, stop ignoring the advice to come up with
> evidence.

Please go back in this thread and reply to the messages from me and
Eddy explaining why your notion of what constitutes evidence is overly
narrow, and please review the evidence provided in those posts. Until
you've done that, your claims that people are ignoring your advice
will ring hollow.

tophits

Apr 8, 2010, 8:34:41 AM
to lihlii-g, 网络安全
Fuck you, Nelson and Moudrick! This is my "evidence". :)


Kurt Seifried

Apr 8, 2010, 3:26:17 PM
to dev-secur...@lists.mozilla.org
> Fuck you, Nelson and Moudrick!  This is my "evidence". :)

I have to wonder, is this an actual Chinese protester, or someone
trying to cement the idea that the protesters are all rabid lunatics
who should be ignored because.. well they're rabid lunatics. Sadly I
suspect stupidity explains this one and not malice. tophits: you
realize you have made it that much harder for a future person to
complain/provide evidence about CNNIC behaving badly (in other words
you've really screwed yourself, or alternatively, mission accomplished
and bravo if you're one of the bad guys). Wouldn't be the first time
Chinese people have astro turfed/hacked/censored/etc. for the Chinese
government.

Food for thought anyways.

-Kurt

Eddy Nigg

Apr 8, 2010, 3:36:26 PM
On 04/08/2010 10:26 PM, Kurt Seifried:
> Food for thought anyways.
>

Luckily we have brains in our heads and know to filter out anything
irrelevant. It doesn't make any concern more or
less....errr...concerning :-)

Michael Ströder

Apr 8, 2010, 2:29:12 PM

I agree with Stephen here. It's a matter of establishing ultimate trust to
CNNIC for all Mozilla users world-wide. We're not taking CNNIC to court. IMHO
the requirements for evidence are lower to decide on this root CA cert.

Why not put the application on hold and let's see what they have to say?

Ciao, Michael.

Stephen Schultze

Apr 8, 2010, 8:39:36 PM
On Apr 8, 2:29 pm, Michael Ströder <mich...@stroeder.com> wrote:
> Why not put the application on hold and let's see what they have to say?

Unfortunately, the application was approved before the majority of
scrutiny happened. We are now in the uncharted domain of post-grant
review... which doesn't have a great track record of being effective
(check out the Comodo threads from awhile back).

That's not to say that meaningful review couldn't happen... it just
hasn't been facilitated by our facilitators to date.

David E. Ross

Apr 8, 2010, 8:40:54 PM
On 4/8/10 11:29 AM, Michael Ströder wrote [in part]:

>
> Why not put the application on hold and let's see what they have to say?

It's too late! The CNNIC root certificate was installed with
Thunderbird 3.0.4 and SeaMonkey 2.0.4, if not in earlier versions.

tophits

Apr 8, 2010, 10:21:38 PM
to lihlii-g, 网络安全
A person who says "rabid lunatics" is not a "rabid lunatics" by
definition of a "rabid lunatics". :)
Fuck you! Kurt! :)

If I've made it harder for you "to complain/provide evidence about
CNNIC behaving badly", I'll make it even harder to fuck you all! :)

Eddy Nigg

Apr 8, 2010, 10:28:13 PM
On 04/09/2010 05:21 AM, tophits:

> A person who says "rabid lunatics" is not a "rabid lunatics" by
> definition of a "rabid lunatics". :)
> Fuck you! Kurt! :)
>
> If I've made it harder for you "to complain/provide evidence about
> CNNIC behaving badly", I'll make it even harder to fuck you all! :)
>

I don't know about Chinese customs, but in the Western hemisphere and
English language "fuck you" is considered an insult, even if accompanied
with a smiley - for your consideration, just in case you want to keep
using it. :-)

Stephen Schultze

Apr 8, 2010, 10:53:31 PM
On Apr 8, 10:28 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I don't know about Chinese customs, but in the Western hemisphere and
> English language "fuck you" is considered an insult, even if accompanied
> with a smiley - for your consideration, just in case you want to keep
> using it. :-)

In the spirit of this sub-thread, I post a link to this classic Jay-Z
track!
http://www.youtube.com/watch?v=MUN9giYJhew

Are we officially off-topic?

FCK gfw

Apr 10, 2010, 12:35:44 PM
On Apr 9, 10:53 am, Stephen Schultze <sjschultze.use...@gmail.com>
wrote:

> On Apr 8, 10:28 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
>
> > I don't know about Chinese customs, but in the Western hemisphere and
> > English language "fuck you" is considered an insult, even if accompanied
> > with a smiley - for your consideration, just in case you want to keep
> > using it. :-)
>
> In the spirit of this sub-thread, I post a link to this classic Jay-Z
> track!
> http://www.youtube.com/watch?v=MUN9giYJhew
>
> Are we officially off-topic?

Hello tophits,
talking like this will not help.

Hello all,

First I must apologize for tophits's rough words. But as a Chinese, I
understand him. All the people who still have a heart here don't have a
good temper. Even if in the beginning the temper is good after years
of unfair and suffering any true man will grow a bad temper. Mine
either.
Please I suggest you to watch two documentaries to understand that if
you have interests.

Both of them are produced by westerners

1.
The_Gate_of_Heavenly_Peace_(documentary)
http://video.google.com/videoplay?docid=1778400318380119130&ei=P7QsSr2XMpCewgP62u3WAw&q=%E5%A4%A9%E5%AE%89%E9%96%80&dur=3#

Maybe you will say this one is about international politics. Then ok,
forget this one.


2.
china's unnatural disaster the tears of sichuan province
http://www.hbo.com/documentaries/chinas-unnatural-disaster-tears-of-sichuan-province/index.html

Maybe it is a little off-topic, then I ask you, If we provide many to
suggest that one organization has done evils on the internet, isn't it
enough for you to doubt their integrity?
For CNNIC's malicious plugins, please if anybody say you don't believe
it, we will try to find one copy to send it to your mailbox to let you
check yourself.
This is like a man who opens a store to sell fake goods to customer, he
hasn't been punished because he has background. Powerless people can't.
And one day he went to join an international chain store to sell other
goods, he said, "I haven't cheated in your region yet. Even more, when
your region's people come to ours, we treat them as honorable guests.
What? a few of my country's people are protesting here? those lowly
people? don't believe what they said, because they are all lunatics.
insane, and can't be reasonable."
Will you give your license to him to start the chain store?

Mr. Hamilton also indicated that one organization who owns both the DNS
and root CA can cheat people too easily without being noticed. Don't
anyone believe CNNIC take part in the DNS cache poisoning. Oh yes, do
you know that in China, articles about China involved into DNS cache
poisoning are all deleted, all comments are not able to see. Check
this one,
http://webcache.googleusercontent.com/search?q=cache:Yron-HLSg9AJ:bbs.chinaunix.net/thread-1682290-1-1.html+DNS+%E6%B1%A1%E6%9F%93+%E7%BB%B4%E5%9F%BA&cd=3&hl=en&ct=clnk

try to read the original article, what happened?

How deep evidences do you need to start to doubt? When they start to
MITM to cause another one suffering in prison? And until then maybe
you still can find something to challenge, because we bleed, we die,
we suffer, not you!


We are just powerless shitizen (shit + citizen, a new English word in
China). We don't have the resource to get the direct evidence from
inside of CNNIC. We can at most provide are what they have already
done here, even this will be incomplete because they control almost
all the resources. You know, when the ruthless system is at their
side, how powerless we are.
To commit your concept of evidence, we need to pay more than you.
Sometimes, it is people's life.

By doing this, we are only trying to make firefox as trustable as
google. We don't want to lose a good browser.

Refers to google, they don't admit they attacked google. They describe
it as some random personal behavior.
On this case, your gov also can't provide enough "evidence" to prove
they are behind. But your gov knows that what it means to utilize a
countries' resource could do. So she supports google, even if the
"evidence" is not firmly enough. All they can tell are also just
"complicated", "highly preciously" attack which "suppose" cannot be
done by individuals.

Maybe you will not take our suggestions, but that's ok, for some of
us, it is just a little more care when using browsers. If you let them
do what they want, after they get even more power, which can influence
your life, you will know. If that happens, don't say us Chinese are
all "rabid lunatics" like 60 years ago.

At least I try to persuade you, don't I? From now on, I will not come
here to comment any more. Doing this will not bring me any benefit, it
will only put me in danger, while doing evil by CNNIC will definitely
bring them benefit. All I lose is only a browser.

This time, you gave them power.

Moudrick M. Dadashov

Apr 10, 2010, 5:43:25 PM
to FCK gfw, dev-secur...@lists.mozilla.org
Hello FCK gfw,

thanks for your feedback. I personally know your situation not from
books or media, half of my life went under similar totalitarian regime.

As you understand this is not international tribunal, discussions in
this forum result either with 'green light' or action items.

I'd suggest you focus on formulating concrete action items and try to
collect as many supporters as you can. As some colleagues already noted
Mozilla can't refuse CNNIC root inclusion just because many people think
they are "bad guys". I understand your frustration because providing
evidences is a serious professional work. But producing some action
items that would *require* some response/feedback from CNNIC is a much
more realistic task.

All the best,
M.D.
cell: +370-699-26662

tophits

Apr 11, 2010, 7:16:10 AM
What evidence will bring Mozilla to action?!

Moudrick M. Dadashov

Apr 11, 2010, 8:12:05 AM
to tophits, dev-secur...@lists.mozilla.org
Just look at the bugs that request root inclusion here you can find many examples.

You will notice that quite often 'action item' is produced from the concrete inconsistencies between the CA's CP/CPS and its real actions. However sometimes an 'action item' doesn't need any evidences, if it states some public concerns that the CA has to address.

There are very experienced folks on this list, hopefully they can help you to properly present your specific cases.

M.D.
Cell: +370-699-26662

cindy

Apr 12, 2010, 3:44:41 AM
On Apr 5, 4:41 am, "Moudrick M. Dadashov" <m...@ssc.lt> wrote:
> ok, I just wonder if anybody from CNNIC is reading this? Hey, it is your
> turn now. If you are accepting all that is said here (no comments?),
> then it's not "hearsay" anymore.
>
> Thank you.
> M.D.
> cell: +370-699-26662
>

The comments are not the truth.

1. In China, the classification of government, company, organization
is different with US or other countries. CNNIC doesn't belong to
government, but definitely will be ordered by Chinese government.
However, which company will not affected by the local government?
2. Someone said CNNIC spread malware or unloaded IE toolbar. This is
not the truth. CNNIC had offered a tool called "zhongwenshangwang" to
help Chinese people to get to the website they want with Chinese
easily for them to remember. This tool is not a malware and this had
been confirmed by the Court. CNNIC has the official judgment.
3. CNNIC never hijacking the internet user's information or password
or account. CNNIC is responsible for the registration and management
of .cn. They didn't use any tool or software to hijacking someone's
computer. The web server certificates issued by CNNIC are followed CPS
and CP, and the whole procedures are audited by the third party. It is
the website manager decides whether to use CNNIC certificate or not.
CNNIC don't force people to use our certificate. So how can they bring
the users risks?
4. In China, DNS service is not only offered by CNNIC, but also many
ISPs, including China Telecom and many big companies. It is not
possible for CNNIC to hijacking all users' DNS. And as an organization
of the Chinese domain name's provider, CNNIC has responsibilities to
maintain and control the internet order. CNNIC is the Secretariat of
APAC (Anti-Phishing Alliance of China). When CNNIC receive the user's
allegation on phishing website, they will immediately investigate. And
will soon close it if it is a phishing website. So far, CNNIC has
closed many phishing websites. Why they forge a certificate or make a
MITM attack?


tophits

Apr 12, 2010, 5:58:55 AM
to lihlii-g, 网络安全
Then just look at the websites that reported such evidences and you
can find many concrete evidences that you need.

tophits

Apr 12, 2010, 6:00:18 AM
to lihlii-g, 网络安全
Wumaodang is in action now. :) Fuck you! Cindy

makrober

Apr 12, 2010, 6:36:27 AM
to dev-security-policy
Kyle Hamilton wrote:
...

> As a Certificate Authority, no entity can be trusted to run any part
> of the public DNS recursion infrastructure (root-servers.net,
> gtld-servers.net, .cn, anything). It's too easy for Trent to become
> Mallory -- and that's the argument that doomed the Clipper Chip (and
> Fortezza) in 1995. And that was for the *US government*, not even a
> government which has been shown to have repeatedly committed heinous
> human rights violations.

This discussion has been going in circles, I propose, because it tends
to revolve too much around the moral profile of specific governments
and our likes or dislikes for those that pose a danger to them.

Instead, we should accept a simple fact: current SSL implementation
model, in which a software vendor decides on behalf of *all* of its
users who is and who is not a *universally trusted third party* is not
fitting the circumstances of real world adequately. There is nothing
special happening here: since the beginning of the computer system
building, the reality that the system must model changes over time,
and the system must be periodically revised if it is to remain useful.

It is time to change SSL implementation model so that an individual
user, instead of the software vendor, can manage the trust with an
adequate understanding, ease and granularity.

> I move that CNNIC be limited to authenticating sites ending with .cn
> and email addresses ending in .cn only...

A very reasonable motion, but let's stop and think for a moment: is the
process by which CNNIC has been singled out in the above, something that
a software vendor should be involved in?

MacRober

sjschultze

Apr 12, 2010, 1:06:25 PM
On Apr 12, 6:36 am, makrober <makro...@gmail.com> wrote:
> This discussion has been going in circles, I propose, because it tends
> to revolve too much around the moral profile of specific governments
> and our likes or dislikes for those that pose a danger to them.

There are a few accusations which are very specific to CNNIC
practices, and these should be considered.

There are also more broadly applicable points about whether
authentication should be placed in the hands of entities in
jurisdictions that do not have strong rule of law or judicial
oversight with respect to wiretapping and the like.

> It is time to change SSL implementation model so that an individual
> user, instead of the software vendor, can manage the trust with an
> adequate understanding, ease and granularity.

That would be great, but it doesn't change our current circumstances.
We have to deal with the issues in front of us right now in addition
to working on better systems.

> > I move that CNNIC be limited to authenticating sites ending with .cn
> > and email addresses ending in .cn only...
>
> A very reasonable motion, but let's stop and think for a moment: is the
> process by which CNNIC has been singled out in the above, something that
> a software vendor should be involved in?

For the time being, "should" is a moot point. Mozilla *is* involved.
The only way to stop being involved would be to grant everything or
deny everything.

However, given that there is no good technical solution for
implementing domain name constraints at the moment:
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/eea04805fbd98045/b8a4c53f34f55ce9#bd49c9faf7447501

I suggest instead that we consider this revocation request seriously,
and that we also consider the Sub-CA disclosure requirements I've been
pushing for over here:
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/9782ec0b32460edc#
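
The restriction moved earlier in the thread (one root limited to names under .cn) can be written as a client-side check modelled on the dNSName rule of RFC 5280 section 4.2.1.10. This is an added example, not part of the thread and not Mozilla or NSS code; the root label `Example Regional Root CA`, the policy table and the sample names are constructed for illustration, and e-mail addresses are not covered.

```python
"""Per-root DNS name restriction, modelled on RFC 5280 section 4.2.1.10
(dNSName name constraints): a name satisfies a constraint if it equals the
constraint or is formed by adding labels to its left-hand side."""

# Constructed policy table: root label -> permitted DNS subtrees.
# "Example Regional Root CA" is a placeholder, not a real trust-store entry.
ROOT_POLICY = {
    "Example Regional Root CA": ["cn"],
}


def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def within_subtree(dns_name, subtree):
    """Return True if dns_name lies inside the permitted subtree.

    Comparison is label by label, so "evil-cn.com" and "examplecn" do not
    match "cn", which a plain string endswith() test would get wrong.
    An empty name, an empty label or an empty subtree fails closed.
    """
    name = _labels(dns_name)
    base = _labels(subtree.lstrip("."))
    if not name or "" in name or not base:
        return False
    if len(name) < len(base):
        return False
    return name[len(name) - len(base):] == base


def check_certificate(root_label, dns_names, policy=ROOT_POLICY):
    """Decide whether a certificate chaining to root_label is acceptable.

    dns_names is the list of dNSName entries from the leaf certificate.
    Returns (allowed, violations). Roots absent from the policy table are
    unrestricted. A restricted root with no dNSName at all is rejected,
    a stricter choice than RFC 5280 makes, so that a certificate cannot
    escape the restriction by omitting the name form.
    """
    permitted = policy.get(root_label)
    if permitted is None:
        return True, []
    if not dns_names:
        return False, ["<no dNSName present>"]
    violations = [
        name for name in dns_names
        if not any(within_subtree(name, base) for base in permitted)
    ]
    return not violations, violations


if __name__ == "__main__":
    # Constructed sample certificates: (root label, dNSName list).
    samples = [
        ("Example Regional Root CA", ["www.example.cn", "*.example.cn"]),
        ("Example Regional Root CA", ["www.example.cn", "mail.example.com"]),
        ("Example Regional Root CA", ["evil-cn.com"]),
        ("Example Regional Root CA", ["www.example.cn.attacker.example"]),
        ("Some Other Root", ["mail.example.com"]),
    ]
    for root, names in samples:
        allowed, bad = check_certificate(root, names)
        print(root, names, "ACCEPT" if allowed else "REJECT %s" % bad)
```

A single out-of-subtree name rejects the whole certificate, so a certificate that mixes one .cn name with a name elsewhere does not pass.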

Stephen Schultze

Apr 12, 2010, 1:15:57 PM
On Apr 12, 3:44 am, cindy <cindy....@gmail.com> wrote:
> 1.  In China, the classification of government, company, organization
> is different with US or other countries. CNNIC doesn't belong to
> government, but definitely will be ordered by Chinese government.
> However, which company will not affected by the local government?

Great argument for why no CAs should be located in China (or similar
jurisdictions with poor judicial oversight and rule of law on these
issues).

I am assuming everyone else reading can see the ways in which the
remaining points in that post are either inaccurate or misleading. If
not, I am happy to debunk line by line.

Eddy Nigg

Apr 12, 2010, 2:38:52 PM
On 04/12/2010 01:36 PM, makrober:

> It is time to change SSL implementation model so that an individual
> user, instead of the software vendor, can manage the trust with an
> adequate understanding, ease and granularity.

This is something which will work for you and even then most likely to a
very limited extend. How may CA policies did you read so far? What audit
criterion did you study to know what it entails? Or on what should one
of the many millions of users, base their decision on? Perhaps that
"VeriSign" is a nice name and that "StartCom" is cute logo? Or that
"Comodo" has an interesting Firewall and that SwissSign is in
Switzerland? And even this little information will be probably not known
to anybody knowing anything about this industry.

> A very reasonable motion, but let's stop and think for a moment: is the
> process by which CNNIC has been singled out in the above, something that
> a software vendor should be involved in?

No, limitations for regional CAs have been discussed in the past and
pending implementation issues at the software level probably something
that ought to be eventually implemented for some CAs where it makes sense.

Eddy Nigg

Apr 12, 2010, 2:51:59 PM
On 04/12/2010 10:44 AM, cindy:

> 1. In China, the classification of government, company, organization
> is different with US or other countries. CNNIC doesn't belong to
> government, but definitely will be ordered by Chinese government.
> However, which company will not affected by the local government?
>

I can tell you some CAs which are not.

> 2. Someone said CNNIC spread malware or unloaded IE toolbar. This is
> not the truth. CNNIC had offered a tool called "zhongwenshangwang" to
> help Chinese people to get to the website they want with Chinese
> easily for them to remember. This tool is not a malware and this had
> been confirmed by the Court.

What court is that? Who was the judge?

> CNNIC has the official judgment.
>

But Microsoft and some anti-virus vendors think differently.

> 3. CNNIC never hijacking the internet user's information or password
> or account. CNNIC is responsible for the registration and management
> of .cn. They didn't use any tool or software to hijacking someone's
> computer. The web server certificates issued by CNNIC are followed CPS
> and CP, and the whole procedures are audited by the third party.

This is what we all hope and want to believe, correct.

> It is
> the website manager decides whether to use CNNIC certificate or not.
>

Yes, except in case a certificate would be used in fraudulent way. Then
it's the intercepting party deciding where or if to use such a
certificate :-)

> CNNIC don't force people to use our certificate. So how can they bring
> the users risks?
>

The browser trusts the certificates issued by the CA and the relying
party can not decide. The users are at risk, not the web site operator
(maybe too, but that's another story). I believe you haven't understood
the problem and basic PKI at all.

> 4. In China, DNS service is not only offered by CNNIC, but also many
> ISPs, including China Telecom and many big companies. It is not
> possible for CNNIC to hijacking all users' DNS.

But recent events have shown that Chinese routers can create havoc to
the entire Internet. Certainly at a local level it's entirely possible,
where I believe the China Telecom is as independent as CNNIC, right?

> And as an organization
> of the Chinese domain name's provider, CNNIC has responsibilities to
> maintain and control the internet order. CNNIC is the Secretariat of
> APAC (Anti-Phishing Alliance of China). When CNNIC receive the user's
> allegation on phishing website, they will immediately investigate. And
> will soon close it if it is a phishing website. So far, CNNIC has
> closed many phishing websites.

Yes, I've seen the recent efforts and new requirements by CNNIC (the
domain registrar). I think this is a good sign despite what some others
think. We certainly don't want to promote fraudulent use of the
Internet, whatever it is.

> Why they forge a certificate or make a
> MITM attack?
>

The concern is that the Chinese government and political apparatus might
want it.

Eddy Nigg

Apr 12, 2010, 3:07:53 PM
On 04/12/2010 09:38 PM, Eddy Nigg:
> On 04/12/2010 01:36 PM, makrober:
> > It is time to change SSL implementation model so that an individual
> > user, instead of the software vendor, can manage the trust with an
> > adequate understanding, ease and granularity.
>
> This is something which will work for you and even then most likely to a
> very limited extend. How may CA policies did you read so far? What audit
> criterion did you study to know what it entails? Or on what should one
> of the many millions of users, base their decision on? Perhaps that
> "VeriSign" is a nice name and that "StartCom" is cute logo? Or that
> "Comodo" has an interesting Firewall and that SwissSign is in
> Switzerland? And even this little information will be probably not known
> to anybody knowing anything about this industry.

Oh well....that's what happens when trying to write a quick reply.... :-)

Obviously it's "How many CA policies" and "StartCom has a cute logo"....Hope I didn't missed any others...

tophits

Apr 16, 2010, 5:01:45 PM
to lihlii-g, 网络安全
On Apr 12, 9:44 am, cindy <cindy....@gmail.com> wrote:
> The comments are not the truth.
>
> 1.  In China, the classification of government, company, organization
> is different with US or other countries. CNNIC doesn't belong to
> government, but definitely will be ordered by Chinese government.
> However, which company will not affected by the local government?
> 2. Someone said CNNIC spread malware or unloaded IE toolbar. This is
> not the truth. CNNIC had offered a tool called "zhongwenshangwang" to
> help Chinese people to get to the website they want with Chinese
> easily for them to remember. This tool is not a malware and this had
> been confirmed by the Court. CNNIC has the official judgment.

This cindy spout quite some lies. I don't have time to clear each of
the repetitive lies.

I just came across a webpage related to this point. If you think
CNNIC didn't produce malware, rogue software, please check http://is.gd/bw3ug
This is a translation of Chinese webpage introducing a powerful
anti-rootkit tool that is capable of revealing the sneaking trace of
CNNIC toolbar. Should a normal software install kernel level drivers
to prevent it being removed?!

Matt McCutchen

Apr 21, 2010, 5:52:34 PM
On Mon, 2010-04-12 at 21:51 +0300, Eddy Nigg wrote:
> On 04/12/2010 10:44 AM, cindy:
> > 1. In China, the classification of government, company, organization
> > is different with US or other countries. CNNIC doesn't belong to
> > government, but definitely will be ordered by Chinese government.
> > However, which company will not affected by the local government?
>
> I can tell you some CAs which are not.

You could put your money where your mouth is and add something like
the following to the StartCom CPS:

"StartCom intends to use all reasonable legal defenses to avoid being
compelled by a government body or other party to issue certificates in
violation of this CPS."

That would make StartCom rock even more.

--
Matt

Eddy Nigg

Apr 21, 2010, 6:21:16 PM
On 04/22/2010 12:52 AM, Matt McCutchen:

> You could put your money where your mouth is and add something like
> the following to the StartCom CPS:
>
> "StartCom intends to use all reasonable legal defenses to avoid being
> compelled by a government body or other party to issue certificates in
> violation of this CPS."
>
> That would make StartCom rock even more.
>

Why? Did you see any disclosure which suggests issuance of certificates
in any other manner than the disclosed ones? What those are, are clearly
defined and disclosed. The above is basically unnecessary in this respect.

Matt McCutchen

Apr 22, 2010, 12:07:09 AM
On Apr 21, 6:21 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 04/22/2010 12:52 AM, Matt McCutchen:
> > You could put your money where your mouth is and add something like
> > the following to the StartCom CPS:
>
> > "StartCom intends to use all reasonable legal defenses to avoid being
> > compelled by a government body or other party to issue certificates in
> > violation of this CPS."
>
> > That would make StartCom rock even more.
>
> Why? Did you see any disclosure which suggests issuance of certificates
> in any other manner than the disclosed ones? What those are, are clearly
> defined and disclosed. The above is basically unnecessary in this respect.

I don't buy that. It would be too easy for a less scrupulous CA
operating under your CPS to cooperate with a government wiretapping
program, as AT&T did in the US, and argue that such cooperation is
outside the scope of the CPS. (I'm not saying AT&T made that
argument; I haven't looked into whether their terms might have allowed
the cooperation.) I want to see an affirmative statement that you put
relying parties' interests first.

[Readers, please pardon the use of a specific brand as an example. My
sentiment applies to all CAs.]

--
Matt

Eddy Nigg

Apr 22, 2010, 12:11:20 AM
On 04/22/2010 07:07 AM, Matt McCutchen:

> I don't buy that. It would be too easy for a less scrupulous CA
> operating under your CPS
>

Errr, no, that will not happen. As a matter of policy btw. :-)

Matt McCutchen

Apr 22, 2010, 12:14:35 AM
On Thu, 2010-04-22 at 07:11 +0300, Eddy Nigg wrote:
> On 04/22/2010 07:07 AM, Matt McCutchen:
> > I don't buy that. It would be too easy for a less scrupulous CA
> > operating under your CPS
> >
>
> Errr, no, that will not happen. As a matter of policy btw. :-)

Sorry, I don't follow. Are you objecting to the example or saying that
StartCom would not act as AT&T did (which I believe but would like to
see in the CPS)?

--
Matt

Eddy Nigg

Apr 22, 2010, 12:20:45 AM
On 04/22/2010 07:14 AM, Matt McCutchen:

> Sorry, I don't follow. Are you objecting to the example or saying that
> StartCom would not act as AT&T did (which I believe but would like to
> see in the CPS)?
>

I guess the cases are not comparable, besides that AT&T doesn't have a
CA policy :-)

Matt McCutchen

Apr 22, 2010, 12:43:16 AM
On Thu, 2010-04-22 at 07:20 +0300, Eddy Nigg wrote:
> On 04/22/2010 07:14 AM, Matt McCutchen:
> > Sorry, I don't follow. Are you objecting to the example or saying that
> > StartCom would not act as AT&T did (which I believe but would like to
> > see in the CPS)?
> >
>
> I guess the cases are not comparable,

Why not? Both AT&T and StartCom are service providers with the
technical ability to effect government wiretapping (though for StartCom,
there would be extra steps to gain control of the network in addition to
issuing a certificate).

> besides that AT&T doesn't have a
> CA policy :-)

It has a policy for the protection of its customers' privacy, which
states that it may provide personal information in response to a court
order:

http://www.att.com/gen/privacy-policy?pid=13692

--
Matt

Jean-Marc Desperrier

Apr 22, 2010, 7:34:54 AM
Matt McCutchen wrote:
> It would be too easy for a less scrupulous CA
> operating under your CPS to cooperate with a government wiretapping
> program, [...] I want to see an affirmative statement that you put
> relying parties' interests first. [...]

In most cases, the wiretapping program is an application of the
country's legislation.

Are you waiting for a statement that the CA will break the law by
refusing cooperation with a lawfully ordered interception of data ?

Or are you just waiting for a statement that the CA will duly verify
that any such order is really lawful before executing it ?

(that one is far from being just rhetoric, I remember one case here in
France, where a number of ISPs were required to give the identity of
persons suspected to have pirated a game, one of the ISP complied
immediately, the others didn't, and at the end, the legality of the way
those IP addresses has been collected was so weak they never actually
had to release the data)

Or maybe what you are waiting for is a statement of the jurisdiction (or
list of) the CA operates under and which it has to follow ?

Matt McCutchen

Apr 22, 2010, 7:50:54 AM
On Thu, 2010-04-22 at 13:34 +0200, Jean-Marc Desperrier wrote:
> Matt McCutchen wrote:
> > It would be too easy for a less scrupulous CA
> > operating under your CPS to cooperate with a government wiretapping
> > program, [...] I want to see an affirmative statement that you put
> > relying parties' interests first. [...]
>
> In most cases, the wiretapping program is an application of the
> country's legislation.

Yes, I should have stuck "of dubious legality" in there.

> Are you waiting for a statement that the CA will break the law by
> refusing cooperation with a lawfully ordered interception of data ?

No, I don't think I can ask for that.

> Or are you just waiting for a statement that the CA will duly verify
> that any such order is really lawful before executing it ?

Yes.

> Or maybe what you are waiting for is a statement of the jurisdiction (or
> list of) the CA operates under and which it has to follow ?

That is helpful information, but it is orthogonal to the CA stating
that it will not go beyond what is absolutely required in the
jurisdiction.

--
Matt

Stephen Schultze

Apr 22, 2010, 9:35:53 AM
On Apr 22, 7:50 am, Matt McCutchen <m...@mattmccutchen.net> wrote:
> On Thu, 2010-04-22 at 13:34 +0200, Jean-Marc Desperrier wrote:
> > Matt McCutchen wrote:
> > > It would be too easy for a less scrupulous CA
> > > operating under your CPS to cooperate with a government wiretapping
> > > program, [...]  I want to see an affirmative statement that you put
> > > relying parties' interests first. [...]
>
> > In most cases, the wiretapping program is an application of the
> > country's legislation.
>
> Yes, I should have stuck "of dubious legality" in there.

Not so. There are many wiretapping activities (or demands for user
information or the like) which are seen as entirely legal in many
jurisdictions. See for example Google's latest summary of demands for
user data worldwide:
http://googleblog.blogspot.com/2010/04/greater-transparency-around-government.html

> > Or maybe what you are waiting for is a statement of the jurisdiction (or
> > list of) the CA operates under and which it has to follow ?
>
> That is helpful information, but it is orthogonal to the CA stating
> that it will not go beyond what is absolutely required in the
> jurisdiction.

I don't think it is entirely orthogonal. The language you provided
doesn't change anything if the jurisdiction requires the CA to
unconditionally obey the government's demands, and if the government
has full latitude in the jurisdiction to demand whatever it wants.
So, it's important to know both.

Matt McCutchen

Apr 22, 2010, 12:24:41 PM

You're right.

--
Matt

Kurt Seifried

Apr 22, 2010, 3:02:53 PM
to Matt McCutchen, dev-secur...@lists.mozilla.org
I think what would be of help is to let the community know where the
business is operated from and where the certificate signing
infrastructure is located. At least this way we can make some
assessment of risk, i.e. a company headquartered and holding its
infrastructure in Belgium with a satellite office in China is quite
different than the same company with signing infrastructure located in
China.

Letting us know which regulatory and legal framework/jurisdiction that
the company is primarily beholden to would be helpful in giving us a
context to assess risk.

As far as statements about fighting these things/informing us/etc.
those are largely meaningless as this type of legislation often has
secrecy clauses (i.e. the PATRIOT act in America, etc.).

-Kurt
