> So the inclusion of CNNIC Root CA certificate in Firefox is almost
> equivalent to the endorsement by Entrust.net to sign the CNNIC SSL
> secondary CA certificate, which CNNIC already acquired years ago.

> Thus, it is in fact a serious security design flaw in the way that the
> browser handles SSL certificates in the userage scenario.  I suggest
> the following measures to be taken:

> 1. Display clear warning message of certificate change, which is
> possibly a result of MITM attack with a forged certificate.  Firefox
> should include the addon Certificate Patrol [1] as a built-in module.

> 2. Eye-catching display of certificate signing path for HTTPS
> connections, e.g. in the address bar or a floating warning bar like
> that of an addon installation.  Because general non-expert users even
> don't know how to check the certificate signing path.

> It's a big problem, as you can see the PR China government is actively
> involved in cyber attacks against its citizens.  Their secret agents
> used trojan-horse attacks to intrude gmail and Google services
> successfully[2].  They have clear intention to intercept, snoop or
> spoof SSL connections.  There are successful MITM attack experiments
> done on Internet and Tor network, by forging a certificate which the
> general public users won't notice at all because the browser silently
> accepted it.

> It's a real threat to the trust model of PKI. We should have prompt
> countermeasures and actions.

> References:

> [1] Certificate Patrolhttp://patrol.psyced.org/https://addons.mozilla.org/en-US/firefox/add...
> [2]Kim Zetter: Google Hack Attack Was Ultra Sophisticated, New
> Details Show; January 14, 2010, 8:01 pm;http://www.wired.com/threatlevel/2010/01/operation-aurora/