Re: CNNIC Root Inclusion
tophits
root certificate as built-in object, CNNIC still can issue a false
gmail.com certificate signed by its CNNIC SSL secondary CA certificate
signed by Entrust.net root CA. The browser will still accept the
forged gmail.com certificate without any warning.
So the inclusion of CNNIC Root CA certificate in Firefox is almost
equivalent to the endorsement by Entrust.net to sign the CNNIC SSL
secondary CA certificate, which CNNIC already acquired years ago.
Thus, it is in fact a serious security design flaw in the way that the
browser handles SSL certificates in the userage scenario. I suggest
the following measures to be taken:
1. Display clear warning message of certificate change, which is
possibly a result of MITM attack with a forged certificate. Firefox
should include the addon Certificate Patrol [1] as a built-in module.
2. Eye-catching display of certificate signing path for HTTPS
connections, e.g. in the address bar or a floating warning bar like
that of an addon installation. Because general non-expert users even
don't know how to check the certificate signing path.
It's a big problem, as you can see the PR China government is actively
involved in cyber attacks against its citizens. Their secret agents
used trojan-horse attacks to intrude gmail and Google services
successfully[2]. They have clear intention to intercept, snoop or
spoof SSL connections. There are successful MITM attack experiments
done on Internet and Tor network, by forging a certificate which the
general public users won't notice at all because the browser silently
accepted it.
It's a real threat to the trust model of PKI. We should have prompt
countermeasures and actions.
References:
[1] Certificate Patrol http://patrol.psyced.org/
https://addons.mozilla.org/en-US/firefox/addon/6415
[2] Kim Zetter: Google Hack Attack Was Ultra Sophisticated, New
Details Show; January 14, 2010, 8:01 pm; http://www.wired.com/threatlevel/2010/01/operation-aurora/
tophits
hope they will be included as core modules in Firefox soon.
Certificate Patrol [1] warns users with pop-up window whenever the
certificate of a website changes. But it's not updated to be
compatible with the newest 3.6 version of Firefox yet.
Perspectives [2] tries to verify the certificate of a website from
various notary sources. It's a good idea, but I tested and found it
not functional or the notary services are not stable enough yet.
At least I think the user interface of Firefox should be improved to
address such security threats of false certificate MITM attack against
SSL. Many Chinese programmers believe (or suspect) that the PRC
government already started to do such MITM attacks. This is why the
inclusion of CNNIC root certificate caused an Internet protest to
remove it from the browser and OS certificate storage. A simple
google search [3] will tell you what most Chinese programmers think
about this. Most of them are discussing how to remove or disable this
newly added root CA! :)
Technically speaking, even if CNNIC root CA is not included as a
builtin object of Firefox, it CAN still issue false certificates with
their legitimate secondary CA certificate signed by Entrust.net, to
intercept SSL connections with websites like gmail.com while the
browse won't show any warning about this. The surprise and opposition
in the Chinese technical community reflects the security concerns of
the Chinese Internet users and showed what a reputation CNNIC has
accumulated with their actual behaviors over the past years. This
even eroded the user trust on Entrust.net and Firefox, because
Entrust.net issued a secondary CA certificate to CNNIC. Many
programmers suggested to remove the root CA certificates of
Entrust.net together.
I agree with some comments here, that the key issue is: A secure
browser should tell the users clearly what they're trusting, and let
them choose whether to trust or not.
Whether a root CA is trustworthy or not, that's the social judgement,
a part of the trust model that a browser should not and can't
determine. The browser should provide an easy and clear UI for the
users to make the decision.
References:
[1] Certificate Patrol https://addons.mozilla.org/en-US/firefox/addon/6415
[2] Perspectives : Firefox Extension http://www.cs.cmu.edu/~perspectives/firefox.html
[3] Google search: CNNIC 证书 http://www.google.com/search?q=CNNIC+%E8%AF%81%E4%B9%A6
>> 苹果下的FIREFOX如何删除CNNIC的根证书 - Jan 27 - [ Translate this page ]
更正:http://www.cnnic.cn/download/crl/CRL1.crl 这里是CNNIC的根证书的证书吊销列表,我不知道如何
创建自己的不信任列表,谁知道创建证书吊销列表? ...
https://www.zuola.com/weblog/?p=1454
如何阻止不信任的CNNIC 证书<< scavin weblog - [ Translate this page ]
2010年1月27日 ... 是的,CNNIC 这个完全不可信任的有关部门,竟然诱惑微软将其列为根证书发布者,这个消息太可怕了。并且
Firefox 也信任了CNNIC 证书,这是疯狂的事情, ...
blog.lzzxt.com/394
玩聚SR | 如何阻止不信任的CNNIC 证书| 52个推荐者- 热文快照 - [ Translate this page ]
《如何阻止不信任的CNNIC 证书》的热文快照: 是的,CNNIC 这个完全不可信任的有关部门,竟然诱惑微软将其列为根证书发布者,这个消息太可
怕了。
sr.ju690.com/meme/item/59498
阻止不信任的CNNIC 证书.docx - 下载- 共享资料 - [ Translate this page ]
阻止不信任的CNNIC 证书.docx,下载,IT资料,解决方案. ... 说明: CNNIC被微软、FireFox加入根证书,这是非常可怕的
事情,所以我们要删除! ...
ishare.iask.sina.com.cn/f/6665520.html
Nabble - GFans - 如何阻止不信任的CNNIC 证书 - [ Translate this page ]
4 posts - 2 authors - Last post: yesterday
如何阻止不信任的CNNIC 证书. 这是非常非常重要的,一定要做好。这比放病毒和流氓软件更加重要! Sent to you by 夜の猫
via Google Reader: 如何阻止 ...
old.nabble.com/如何阻止不信任的-CNNIC-证书-td27342964.html
Firefox和微软已将CNNIC添加到根证书列表中,如何阻止CNNIC 证书 ... - [ Translate this page ]
2010年1月28日 ... SummerWa 写道Microsoft和Firefox已经将CNNIC作为根证书颁发机构添加到证书列表中:
Microsoft | 有关最新互联网资讯的IT博客.
http://www.pcstar.org.ru/main/2010-01/632-firefox-microsoft-cnnic-root-certificates.html
On Jan 29, 10:39 am, Justin Dolske <dol...@mozilla.com> wrote:
> As a related aside...
>
> It would be an interesting experiment to create an addon to crowd-source
> checking for such certs. Not as a CNNIC-specific issue, but any case of
> valid certs for a site coming from an unexpected CA. It could also be
> easily to just store a local record of certs you've encountered, and
> warn you when a site's cert has changed.
>
> Justin
wanghx
1. Is it considered by CNNIC as "service on technology and research" to spread malware with administrative power to spy on Internet users?
2. Is it considered by CNNIC as "service on technology and research" to ban personal website registration in the .cn domain space [1][2][17]?
3. CNNIC banned the DNS resolving of a lot of independent websites, such as bulllog.cn [1][2]. Is this considered by CNNIC as your way of "service" of "registry for Chinese Domain Name"[4]? Is this considered by CNNIC as "the similar role as VeriSign"[4]?
4. Is CNNIC "qualified with the international criteria"[4] as a trustworthy certificate authority?
5. Why did Liu Yan try to mask the real face of the PRC governmental nature of CNNIC [5]? Why did he even tried to hide the application by setting the bug report to "Restricted Visibility"[6] at first?
6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet security"[5]. Is it considered by CNNIC as "operation to protect Internet security" by spreading unremovable malware to spy on users' Internet activities exploiting security flaws of the browsers, as CNNIC did [9][18]?
Liu Yan further claimed that "the WebTrust audit for government is much simpler compared to company"[4].
So do you think CNNIC is a government or not? If CNNIC is controlled by the PRC government, why don't you dare to clearly admit it, but misled the readers by posing as a "just offers service on technology and research" [4]? What's the motivation to hide the real identity of CNNIC? :)
Liu Yan said: "There is no possible for us to monitor the user's actions or do some attacks. I think every technical personnel knows that."[4]
Unfortunately, this is an arrant lie. CNNIC not only DID "monitor the users' actions" with intentionally spreaded malware [9], but also cooperated actively with the PRC government to crack down independent blogs and websites [1][2][17]. It's also highly possible that they may actively cooperate in MITM attacks with such a government which attacked [15][16] its citizens, as well as dozens of companies and many computers of foreign civil organizations and government offices [10][11].
Further, Is PRC government a decent government?
Should a government put all their citizens in an information jail by building a GFW (Great Firewall) [7][8][14] to block their access to Internet?
Should a government enforce news and speech censorship [14] on all the websites including search engines to block criticism on the crimes they committed?
Should a government jail journalists and writers for their free speech [14]?
Should a government kill the college students and citizens with guns, and roll over the bodies of college students with tanks? [19]
Should a government cheat the world by hiding information about SARS and melamine contaminated milk[3] which caused repetitive man-made disasters, and further punish those who told the truth?
Is this PRC government a real government, or is it a maffia group? :)
Liu Yan claimed that the CNNIC is a subordinate of "Chinese Academy of Sciences". Let's take a look at what kind of "research" the "Chinese Academy of Sciences" has done before. :)
The Institute of Acoustics, Chinese Academy of Sciences closely cooperated with the PRC government in Internet censorship. Same as CNNIC which "takes orders from the Ministry of Information Industry (MII)" [26], they developed some natural language machine understanding algorithms for Internet text censorship [25]. The target of their research is to distinguish speeches of the opponents of the government from those of the proponents, which general keyword based filtering can't achieve. Their "research" was already deployed in the censorware "Green Dam"[22][23], which was orderd by the MII to be installed on each new PC in manufacturing process. Although this plan failed, they must have started some other plots to achieve the same goal.
根据“绿坝-花季护航“软件官方网站(http://www.lssw365.net)的介绍:
2008年7月,在工业和信息化部的直接领导下,两家成交供应商项目负责人和主要项目人员共同组成绿色上网过滤软件项目工作组,全面负责“绿坝·花季 护航”绿色软件的研发、推广及相关服务工作。[...]更好的配合第三方监测机构的监测工作,确保绿色上网过滤软件项目的顺利实施。 [20]
According to the official website of "Green Dam - Youth Escort" (http://www.lssw365.net):
In July of 2008, under the direct administration of the Ministory of Industry and Information, the project managers and major staffs of the two chosen suppliers formed a green Internet filtering software project workgroup which was in full charge of development, deployment and relative services of the "Green Dam - Youth Escort" green software. [...] for better cooperation in monitoring the web with third party monitoring organs (of the government) to ensuresuccessful implementation of the green Internet filtering software project. [20]
链接:http://www.ccgp.gov.cn/gzdt/366770.shtml
2008年5月,工信部发布了一份《“绿色上网过滤软件产品一年使用权及相关服务采购”竞争性谈判结果的公告》:
一、采购人:中华人民共和国工业和信息化部
[...]
四、成交供应商:郑州金惠计算机系统工程有限公司、北京大正语言知识处理科技有限公司 [...]
北京大正语言知识处理科技有限公司成交19,900,000元整(大写:壹仟玖佰玖拾万元)。[21]
Link: http://www.ccgp.gov.cn/gzdt/366770.shtml
In May 2008, The Ministry of Industry and Information issued an "Announcement of Competitive Negotiation Results for '[Governmental] Purchase of One Year Usage Licence and Related Services of Green Internet Filtering Software Product'"
A. Purchaser: Ministry of Industry and Information, PRC
[...]
D. Chosen Supplier: Jinhui Computer System Engineering Inc., Zhengzhou City. Beijing Dazheng Language and Knowledge Processing Technology Inc. [...]
Beijing Dazheng Language and Knowledge Processing Tech. Inc. got a project valued 19,900,000 CNY (About 2.9 million USD). [21]
[...] 与中科院声学所合作注册成立了北京大正语言知识处理研究院 [20][21]
[...] established the Beijing Dazheng Language and Knowledge Processing Tech. Inc. together with the Institute of Acoustics, Chinese Academy of Sciences. [20[21]
@gonewater: 绿坝软件两开发商之一北京大正的董事长陈小盟,[...]其在中科院声学所主持开发的HNC网络信息过滤器,2003年实现了语义分析与过滤,并被率先运用在反轮子战线上 #greendam [21][24]
@gonewater [a twitter user]: As the chairman of the board of Beijing Dazheng company which is one of the two developers of the "Green Dam" software, he was in charge of the development of HNC Internet Information Filter at the Institute of Acoustics, Chinese Academy of Sciences. The filter achieved semantic analysis and filtering in 2003 and was used primarily in the battle against the Falungong [27]. [21][24]
郑州金惠计算机系统工程有限公司和北京大正语言知识处理有限公司,他们是该软件的联合开发者,前者主要负责图像过滤,后者主要负责文字过滤。[21] - 南方周末记者 胡贲 实习生 郭仕鹏 2009-06-10 23:45:12
Zhengzhou Jinhui Computer System Engineering Inc. and Beijing Dazheng Language and Knowledge Processing Tech. Inc. teamed up in the development of the filtering software. The former one was responsible for the image filtering part, while the later one was responsible for the text filtering part. [21] - Report on the newspaper "Southern Weekend" by Ben Hu, 10 June 2009.
中国科学院声学研究所HNC研究团队集多年从事自然语言理解处理的核心技术,成功研发出具有语义理解特点的“网络不良信息检测系统”,将为净化网络世界的 内容做出贡献。目前这一系统主要针对网络上出现的色情、反动、低俗等不良信息,根据指定的网站自动进行内容下载、检测并给检测报告。不同于以往的基于关键 字词的检测系统,能够区分出不良信息和批判不良信息的网页内容,对不能做出判断的内容还能提出警告,供人工判别。[25]
The HNC research team of the Institute of Acoustics, Chinese Academy of Sciences combined the core techniques they acquired through many years of research they did on natural language understanding and processing and successfully developed a "Internet Bad Information Detection System" featuring semantic understanding capabilities. It will contribute to the clean-up of the content in the Internet world. Currently this system is primarily targeted at erotic, counter-revolutionary and vulgar information appeared on the Internet. It can download content automatically from specified websites, detect and present reports. Deferent from previous keyword based detection systems, it can distinguish web pages of bad information from criticisms against bad information. For those pages that it fails to judge, it can raise a warning message for human judgement. [25]
References:
[1] Bullog.cn http://en.wikipedia.org/wiki/Bullog.cn
[2] 牛博网 http://zh.wikipedia.org/wiki/%E7%89%9B%E5%8D%9A%E7%BD%91
[3] 2008 Chinese milk scandal / Censorship http://en.wikipedia.org/wiki/2008_Chinese_milk_scandal#Censorship
[4] Liu Yan: Every technical personnel knows that; 2010-01-28 17:40:47 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c29
[5] Liu Yan: CNNIC is not a Chinese Government organization; 2009-02-15 23:01:59 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c5
[6] Kathleen Wilson: This bug is set for Restricted Visibility; 2009-02-11 11:43:10 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c4
[7] Golden Shield Project http://en.wikipedia.org/wiki/Golden_Shield_Project
[8] 金盾工程 http://zh.wikipedia.org/wiki/%E9%87%91%E7%9B%BE%E5%B7%A5%E7%A8%8B
[9] China Internet Network Information Center; / Malware Production And Distribution; http://en.wikipedia.org/wiki/CNNIC#Malware_Production_And_Distribution
[10] GhostNet; http://en.wikipedia.org/wiki/Ghostnet
[11] 幽灵网; http://zh.wikipedia.org/wiki/%E5%B9%BD%E7%81%B5%E7%BD%91
[12] David Drummond, SVP, Corporate Development and Chief Legal Officer: A new approach to China; http://www.webcitation.org/5n92WuwKT = http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
[13] 中华人民共和国网络审查; http://zh.wikipedia.org/zh-cn/%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E7%BD%91%E7%BB%9C%E5%AE%A1%E6%9F%A5
[14] Internet censorship in the People's Republic of China; http://en.wikipedia.org/wiki/Internet_censorship_in_the_People's_Republic_of_China
[15] 极光行动; http://zh.wikipedia.org/wiki/%E6%9E%81%E5%85%89%E8%A1%8C%E5%8A%A8
[16] Operation Aurora; http://en.wikipedia.org/wiki/Operation_Aurora
[17] CNNIC Halts Website Domain Name Registration For Individuals In China;
December 15, 2009; http://www.chinatechnews.com/2009/12/15/11208-cnnic-halts-website-domain-name-registration-for-individuals-in-china
[18] 中国互联网络信息中心; http://zh.wikipedia.org/wiki/%E4%B8%AD%E5%9C%8B%E4%BA%92%E8%81%AF%E7%B6%B2%E7%B5%A1%E4%BF%A1%E6%81%AF%E4%B8%AD%E5%BF%83#.E7.88.AD.E8.AD.B0
[19] Tiananmen Square protests of 1989; http://en.wikipedia.org/wiki/Tiananmen_Square_protests_of_1989
[20] Reports about Green Dam; https://groups.google.com/group/lihlii/msg/cff76953d4508ad7
[21] Analysis of the Green Dam Censorware System; https://groups.google.com/group/lihlii/msg/64b28befc01f8394
[22] Green Dam Youth Escort; http://en.wikipedia.org/wiki/Green_Dam
[23] 绿坝·花季护航; http://zh.wikipedia.org/zh-cn/%E7%B6%A0%E5%A3%A9%C2%B7%E8%8A%B1%E5%AD%A3%E8%AD%B7%E8%88%AA
[24] 中科院声学所主持开发的HNC网络信息过滤器,2003年实现了语义分析与过滤,并被率先运用在反轮子战线上; http://twitter.com/rmack/statuses/2090288450
[25] jiangzuyu: 中科院声学所成功研发网络不良信息检测系统; 网脉e代社区论坛; 2009-2-12 10:43; http://www.webcitation.org/5n9L4Z4mq = http://community.wm360.cn/space/index.php/viewthread-67157.html
[26] CNNIC takes orders from the Ministry of Information Industry (MII) to conduct daily business; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c14
[27] Falun Gong / Continued protests and statewide suppression; http://en.wikipedia.org/wiki/Falun_Gong#Continued_protests_and_statewide_suppression
wanghx
6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet security"[5]. Is it considered by CNNIC as "operation to protect Internet security" by spreading unremovable malware to spy on users' Internet activities exploiting security flaws of the browsers, as CNNIC did [9][18]?
So do you think CNNIC is a government or not? If CNNIC is controlled by the PRC government, why don't you dare to clearly admit it, but misled the readers by posing as a "just offers service on technology and research" [4]? What's the motivation to hide the real identity of CNNIC? :)
@gonewater [a twitter user]: As the chairman of the board of Beijing Dazheng company which is one of the two developers of the "Green Dam" software,
developed a "Internet Bad Information Detection System" featuring semantic understanding capabilities. It will contribute to the clean-up of the content in the Internet world.
Currently this system is primarily targeted at erotic, counter-revolutionary and vulgar information appeared on the Internet.
tophits
Do you think certificates from liars should be included in Firefox? :)
> Jonathan: might well yank trust for any CA that was complicit in MitM attacks.
Does the word "was" mean that until the MitM attack happened, any
organizations
can put their root CA certificates in Firefox provided that they can
buy
endorsement "services" from accountant companies like Ernst&Young [1]
to
acquire "trust" from webtrust.org?
The real concern of many Chinese programmers is not about "was", but
"may", as
CNNIC already "DID" quite some dirty things before! Now it's a new
capability
that the inclusion of root certificate of CNNIC will grant to the PRC
government.
Anyway, since they already got secondary CA certificate issued by
Entrust.net,
adding CNNIC as root CA is not introducing more problems. But this
discussion
is an alert on the trust model of PKI when we face a rogue government
and their
minion organizations.
We should improve the browser to ask for permissions from the end
users to
grant trust to each root CA when it's used in each session (not only
at the
first time), clearly display the certificate signing path, and warn
them of any
change in certificates (to be alert of a MitM attack). This seems
paranoiac
but it's because we're facing real threats of attacks from a powerful
rogue
government, from which even big companies like Google and well
equipped
government offices suffered.
The security model of SSL was practically in danger because of the
design flaws
of the browser to place blind trust on root CAs without consent from
the
users. Since the CA certificates of rogue government agencies were
added, we
should consider Firefox as a rogue government controlled browser in
the default
configuration.
[1] https://cert.webtrust.org/SealFile?seal=935&file=pdf
On Jan 28, 5:07 pm, Johnathan Nightingale <john...@mozilla.com> wrote:
> 2) I think, regardless of government ties, we'd carefully review and
> might well yank trust for any CA that was complicit in MitM attacks.
> 3) CNNIC complied with our root addition policy, they are in the
> product presently, so this isn't a question of approval, this is a
> question of whether we should review.
tophits
Please notice the fact that there is no such thing as "law" in PRC.
All that exist are "rules".
Those companies who do evil things in China always say that they need
to comply with local "laws". That's not true.
There is no LAW in PR China, but only RULES determined completely by
the 9-person "Standing Committee of Central Political Bureau" of the
Chinese Communist Party (CCP). There is no legal legislation, but all
rules are determined by the CCP. The "People's Delegation Congress"
is only a "rubber seal" to pretend to pass the "rules" made by the
CCP.
--- Comment #37 from Eddy Nigg (StartCom) <eddy...@startcom.org>
2010-01-29 15:12:13 PST ---
(In reply to comment #36)
> > Jonathan: might well yank trust for any CA that was complicit in MitM attacks.
> >
> > lihlii:
> > Does the word "was" mean that until the MitM attack happened, any organizations
> > can put their root CA certificates in Firefox provided that they can buy
> > endorsement "services" from accountant companies like Ernst&Young [1] to
> > acquire "trust" from webtrust.org?
Again, Bugzilla should not be used for advocacy! Nevertheless a short
reply. I
know Ernst & Young and have performed audits with them myself. Hence
I'm
trusting their attestation.
However it's common for CAs to comply to local laws and there might be
a
problem if the law would allow MITM attacks on its citizens. This
would be
counter to the Mozilla CA policy, even if a notable auditor audited
the CA and
the CA has disclosed its adherence to the local laws correctly.
tophits
we'd carefully review and might well yank trust for any CA that was
complicit in MitM attacks.
L:
The problem is that, CNNIC might have already aided some MitM attacks
with their secondary CA certificate signed by Entrust.net root CA
before CNNIC was added as root CA. Because the MitM attack is
difficult to be carried out on a large scale, the PRC government
mainly targeted at specific users (such as highly sensitive political
dissidents) who often lack of knowledge to check the server
certificate to determine whether it's real.
All we're worried about is "trust". Can we put a CA certificate that
many Chinese programmers don't trust at all into the release package?
What will be the consequences?
The repetitive hijacking of gmail accounts of dissidents by the PRC
government secret agents (Political Defend Police like Starsi of
former East Germany) might be achieved with SSL hijacking, besides
trojan-horse phishing email.
I think it's a detriment to the user trust on Firefox to add CNNIC
(notorious in Chinese programmers community, while powerful enough to
buy whatever certificates they need) root CA. Yet it's not safe by
simply removing it. There should be a way to return the ability and
authority of judging whether to trust a CA to the users, not
unconditionally decided by the browser as it's implemented now.
Currently an experienced user can inspect the certificate signing
chain to check whether the root CA is trustworthy; while layman users
need more help from an improved UI to alert them of possible
vulnerabilities and guide them through steps to check the certificate
chain of the HTTPS session.
Furthermore, some Chinese programmers observed [3] that the
certificates of google.com was modified several times after 18 Nov.
2009.
Three abnormal changes of certificates were observed [2]:
CN: mail.google.com
18 Nov. 2009 from: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
to: Google Internet Authority, valid from 2009/11/12
to 2010/11/12
18 Nov. 2009 from: Google Internet Authority, valid from 2009/11/12
to 2010/11/12
to: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
28 Dec. 2009 from: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
to: Thawte SGC CA, valid from 2009/12/18 to
2011/12/18
CN: *.google.com
19 Jan. 2010 from: Google Internet Authority, valid from 2009/11/12
to 2010/11/12
to: Google Internet Authority, valid from 2009/12/22
to 2010/12/22
Google's announcement[1] declared that "in mid-December [2009], we
detected a highly sophisticated and targeted attack on our corporate
infrastructure originating from China that resulted in the theft of
intellectual property from Google". Taking these strange certificate
changes into consideration together with the Google announcement, we
suspect that the "intellectual property" might include private keys to
sign the google certificates. This might be the answer to why google
changed certificates in an abnormal frequency.
This also alert us of possible cyber attacks making use of CA
certificates and exploiting the inadequate certificate validation in
current browser user interaction. Although the inclusion of an
untrustworthy CNNIC root CA won't make the situation worse, it really
alert us to review the pyramid trust model of PKI and design flaws of
unconditional trust of root CAs in browsers.
The trust model is unreasonable, in that the trust propagates in a
forced, involuntary way: Ernst & Young trusts CNNIC because it trusts
those special paper sheets marked with "In God We Trust" ;P,
webtrust.org trusts CNNIC because it trusts Ernst & Young; Mozilla
Firefox project or Microsoft trust CNNIC because they trust
webtrust.org; the browser users trust CNNIC because the they trust the
browser. But the users in fact don't trust CNNIC at all! The result
is: the users were forced to trust CNNIC silently. Experienced users
take the trouble to remove or disable the CNNIC certificates, while
the majority of non-technical users just don't know they're trusting
CNNIC because of their browser!
References:
[1] David Drummond, SVP, Corporate Development and Chief Legal
Officer: A new approach to China; http://www.webcitation.org/5n92WuwKT
= http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
[2] zuola: 关于GMAIL安全证书的疑问 https://groups.google.com/group/lihlii/browse_frm/thread/92be93b6648af29/
[3] Google 的证书更新了 可能是因为数字证书密钥被窃 警惕假冒数字证书
https://groups.google.com/group/lihlii/browse_frm/thread/5f9dbff575fa9579/
tophits
wrote:
> First, those statements are accusatory in nature. They lack proof.
Lack proof? Or you simply close your eyes and refuse to see the
proves? :)
> CNNIC. Other CAs that Mozilla has admitted to the root list also have
> government ties with their respective governments, IINM, and we have not
> disqualified them.
Other CAs are tied with governments, but CNNIC is tied with a mafia
group, NOT a government. :)
> So, I conclude that the writers of the above comments are people who dislike
> the Chinese government. But like or dislike of the Chinese government is
> not a basis of acceptance nor rejection of CAs under Mozilla policy, is it?
Google also doesn't like the "Chinese government", do they? So they
don't have "basis" of this announcement [1].
> Let's be very careful not to allow this discussion group to become a forum
> for discussion of Chinese government policies. Whether you or I like it or
It IS about policy, trust and security of the whole framework of PKI!
It will not only breach the web security of Chinese users, but also
users worldwide! Be alert of the consequences.
> hate it, the Chinese government's great firewall is no basis for acceptance
> or rejection of any Chinese CA, IMO. If Mozilla decides that it IS, then
The fact is that the acceptance is not based on adequate publicity and
discussion. The information behind is not fully revealed. The end
users especially the Chinese programmers are in effect excluded from
the discussion because only lately they discovered the new certificate
from Microsoft and Firefox updates. This is why we raised this
question against the trust in CNNIC.
> IMO, Mozilla should reject all Chinese CAs, and not consider them one by
> one, because the issue is the action of the government.
In fact we should reject any CA that has bad credit records. Just as
a credit card company won't issue a credit to a person who often
cheats.
> Let's imagine, just for the sake of discussion, that CNNIC is wholly owned
> by the Chinese government. Is that a policy? Is that a business practice?
The Chinese Communist Party government is not qualified as a root CA
administration, because it is building the biggest information jail to
intercept and cheat in DNS resolving, attack citizens all over the
world by trojan-horse phishing email and intrude companies and
governmental computers illegally. It's a criminal group.
> Further, in the PRC, ALL business is done at the pleasure of the government.
> The larger the business, the more far reaching it is in scope, the more
> that government will watch over it to ensure that it doesn't step over the
> unwritten unspoken line. This is known to every citizen in China. It is
CA doesn't need to be a "large business", but a trustworthy business.
That's it. We Chinese know better the Chinese government and CNNIC,
and how the business should be in China. :)
> Why is ANYTHING other than a CAs honesty regarding certification of bindings
> of names to public keys, and its scope being wide enough to be of value to a
CNNIC can't be linked with the word "honest" in the loosest sense.
> This newsgroup is NOT the place for discussion of international politics.
> Discussion of a government's positions on human rights, great firewalls,
> etc. have no place here, IMO. because they are not relevant, IMO, to the
> operation and acceptability of a CA.
They're closely related. It's not only about GFW, but about hijacking
Internet communication, cheating, phishing, trojan-horse attack and
intrusion. These were all done by the CCP government and CNNIC DID
intentionally spread malware that spied on users!
tophits
> The relevance starts, when as a matter of local legislation and law, CAs
> could and would assist to or perform themselves MITM attacks or would
> assist to what we could consider fraudulent and harmful intent and
> knowingly wrongful issuance of certificates. This would be in fact
> clearly against the Mozilla CA policy.
I agree mostly with Eddy. But I must point out that there is no "law"
in PR China. Everything that is called a "law" is in fact "rules"
determined by the CCP officials at their own will and can be broken or
changed at any time they like.
Any statement that talks about "law" in China is in fact based on a
false premise.
> The Chinese Firewall are a matter of local legislation, it's not against
> their laws. However it's still a problematic practice in the view of the
The GFW itself in fact is even NEVER compliant to any Chinese "laws"
made by the CCP government itself! This is why the CCP government
never admitted that its existence! :) Please, please don't say that
GFW is based on "local legislation", it's even against the "rules"
made by the CCP government itself!
The official declaration of the PRC government is: The Internet in
China is completely free. There is no censorship. full stop.
If you can trust such a "government", good luck to you! :)
tophits
There are many evidences that CNNIC is not trustable. It's not a
"hyperbole".
Please do some investigation before you conclude.
There can be a lot of websites signed by CNNIC CA. This says nothing
about whether it's trustable or not.
There are more websites that you can count that carries certain
malware. Is the number a proof that the malware is trustable?
On Feb 1, 11:56 am, Gervase Markham <g...@mozilla.org> wrote:
> On 28/01/10 12:50, crewlay wrote:
>
> > Is also very absurd to directly built such a notorious hated certificate
> > into the widely accepted open-source software in prc, almost everyone
> > are looking for method how to remove it after being aware of the
> > bulletin for either potential ssl hijack or consistent disgusted with
> > cnnic, and it's so simple to prove that either protest poll or something
> > similar.
>
> If you wish to create and publicise a web page which details how to
> disable roots in Firefox in general, and CNNIC's root in particular,
> then you have every freedom to do that.
>
> Without evidence of wrongdoing, there is nothing to provoke us to
> action. I'm sure you'd want a similar standard of proof to be applied if
> you were accused of something.
>
> Also, I think "notorious hated certificate" is hyperbole. The latest
> NetCraft statistics show CNNIC has signed the certs of 30 websites - a
> tiny fraction. Of course, NetCraft's coverage may be incomplete.
>
> Gerv
tophits
of the level of danger that the inclusion of a rogue CA will cause to
the users. Let them ruin the reputation of Firefox. Let them pretend
that it's not a problem. :)
It's more efficient to start trying to make Certificate Patrol or
something alike into a better addon for the defective certificate
manager of Firefox. At least we can help those prudent people who
treasure their privacy and security.
The new addon should help the users to remove rogue CAs and immune the
browser from accepting them in the future.
Surely the immunity list should be editable by the user. Let's bring
full control of trust back to the users.
tophits
installations:
https://spreadsheets.google.com/viewform?formkey=dGctTVY0Y3VxX3lrXzZoeG90WDFBVXc6MA
And here is the vote result:
https://spreadsheets.google.com/pub?key=tg-MV4cuq_yk_6hxotX1AUw&output=html
Currently,
376 users don't trust CNNIC.
4 users don't know whether to trust CNNIC.
3 users trust CNNIC.
If you can read Chinese and do a simple google search of "CNNIC 根证书
(root certificate in Chinese)" and you will see how the Chinese users
react to this new addition. If you can't read Chinese, Google
translate can help to understand more or less the content.
Please read this machine translation of some Chinese blogs to evaluate
the possible consequences of adding CNNIC as root CA:
When network security mechanisms encountered in the core of rogue
government
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://oogami.name/799/&sl=zh-CN&tl=en
CNNIC CA: far the most the most serious safety warning!
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://autoproxy.org/zh-CN/node/66&sl=zh-CN&tl=en
CNNIC, I do not trust you! - Drive CNNIC out of "trusted root
certificate"
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://felixcat.net/2010/01/throw-out-cnnic/&sl=zh-CN&tl=en
fire alarm, theft prevention, anti-CNNIC, remove the root certificate
CNNIC way!
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://www.google.com/search%3Frlz%3D1C1GPCK_en___NL364%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%25E9%2598%25B2%25E7%2581%25AB%25E9%2598%25B2%25E7%259B%2597%25E9%2598%25B2%25E7%259B%2591%25E6%258E%25A7%25E9%2598%25B2CNNIC,%25E5%2588%25A0%25E9%2599%25A4CNNIC%25E6%25A0%25B9%25E8%25AF%2581%25E4%25B9%25A6%25E7%259A%2584%25E6%2596%25B9%25E6%25B3%2595%25EF%25BC%2581
Chinese netizens launched action against the root certificate CNNIC
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://www.rfa.org/mandarin/yataibaodao/CNNIC-01292010114844.html
Why Internet users do not trust the root certificate of CNNIC
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://allinfa.com/cnnic-root-certification.html
how to remove the root certificate of CNNIC under FIREFOX Apple
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://www.zuola.com/weblog/%3Fp%3D1454
Treated the same as the Green Dam [1], the CNNIC root certificate from
your computer to expel
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://hi.baidu.com/litiejun/blog/item/8c6d38d8409a3f3e32fa1c73.html
[1] Green Dam Youth Escort http://en.wikipedia.org/wiki/Green_Dam_Youth_Escort
How to prevent a CNNIC not trusted certificate
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://blog.lzzxt.com/394
On Feb 1, 11:50 am, Gervase Markham <g...@mozilla.org> wrote:
> Anyone who is concerned about government surveillance of their
> activities needs to take rather more care about the security of their
> software than the average person. The default configuration of any
wanghx
You can also try to access the mozilla.dev.security.policy group through the usenet news server news.mozilla.org. You can configure your news client (Thunderbird, Outlook Express, Windows Live Mail, MS Office Outlook, etc.) to access usenet newsgroups. But seems messages posted through the googlegroups is not synchronized to news.mozilla.org yet.
[1] https://groups.google.com/group/mozilla.dev.security.policy/
[2] https://lists.mozilla.org/listinfo/dev-security-policy
[3] http://www.mozilla.org/community/developer-forums.html
https://bugzilla.mozilla.org/show_bug.cgi?id=476766
Please remove this root CA! We Chinese users don't trust CNNIC. Liu Yan said: 2)CNNIC is not a Chinese Government organization. He is cheating! CNNIC is an infamous organ of the Chinese Communist government to monitor and control the Internet in China. For secrete reasons they even distributed spyware by making advantage of their administration privilege: http://en.wikipedia.org/wiki/China_Internet_Network_Information_Center#Malware_Production_And_Distribution They're one of the tools used by the CCP government to censor the Internet users. If CNNIC root certificate is added by default as Builtin Object, they can forge verified gmail certificates to cheat the Chinese users by using MITM attack against the SSL protocol. Please be alert of CCP government agents. We object the adding of such untrusty CA to the Firefox Project! Please see the reaction of the users: https://twitter.com/#search?q=CNNIC
From McAfee siteadvisor about cnnic.net.cn: ... When we tested this site we found links to tech.sina.com.cn, which we found to be a distributor of downloads some people consider adware, spyware or other potentially unwanted programs. ... http://www.siteadvisor.com/sites/cnnic.net.cn
I've posted a message to the mozilla.dev.security.policy mailing list under the title CNNIC Root Inclusion. Please join and add your comments there. Unfortunately you are bit late - a public discussion was held at that mailing list according to the processes of CA root inclusions of Mozilla. Your concerns could have been heard at that time and addressed accordingly.
If we include this cert, PRC government can hijack any SSL session WITHOUT any warming to user. PRC government always monitor online activities of chinese pro-democracy people. You know what's Google happening. We need to protect the user whether it is political or not.
I DO NOT trust CNNIC. Most of the Chinese INTRANET(behind GFW) users know that CNNIC is full of UNREMOVABLE IE toolbars and lies.
As a Shanghai resident, I totally agree with lihlii in Comment 18 and Yuki Sea in Comment 21, CNNIC is infamous in China and it has a lot of connections with the government and GFW, I think there's no need to provide more evidence as we all know what GFW is, and the recent incident happened to Google China says its all. Seriously, please take CNNIC out of the trusted Root CA list. This bug should be reopen as rejected and the changes should be rollback. Thanks
Mozilla should really reconsider the decision or most Chinese users will no longer use Mozilla products. Being a former Chinese resident, I still remembered years ago CNNIC automatically installed their UNREMOVABLE system drivers to our systems by using IE 6 bugs. CNNIC is really a gangster. It has very closed tie with Chinese government and CPC (or CCP). I'm seriously worried that CNNIC will use this to help Chinese government to hijack SSL seesions to monitor user activities.
It is incredible that CNNIC is taken as "authority". I just cannot trust in an organization who spreads unwanted adwares. Who can guarantee CNNIC . Almost everyone I know who concerns computer network and security is against this update.
Excuse me, I meant, who can guarantee CNNIC would not certificate gmaiI.com as gmail.com and phish my gmail password? Also, please be reminded that discussion is going on here, though I cannot access in the GFW: http://www.mozilla.org/community/developer-forums.html#dev-security-policy
You can use Google Groups at http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/17be3bd7e0b33e8c# (doesn't this work for you?)
It doesn't work, while other groups work.
First, I want to thank everyone paying so much attention on CNNIC and CNNIC CA. As one of the employers of CNNIC, I want to make some explanations. CNNIC is an organization, which is administrated by Computer Network Information Center of Chinese Academy of Sciences. It means that CNNIC just offers service on technology and research. CNNIC is the registry for Chinese Domain Name, the similar role as VeriSign which is responsible for .com’s registration. So obviously CNNIC is not a government. And as I know the WebTrust audit for government is much simpler compared to company. In addition, CNNIC only offers server certificate now. The technology and authentication of issuing certificates is qualified with the international criteria. There is no possible for us to monitor the user's actions or do some attacks. I think every technical personnel knows that.
Liu Yan, are you kidding? On CNNIC website, it's clearly stated that CNNIC is directly administrated by both "Ministry of Industry and Information Technology of the PRC" and Chinese Academy of Sciences (budget controlled by the government). You are right, CNNIC is not a government, but it's directly managed by the government and did everything that Chinese government asked it to do. We don't care whether CNNIC is going to hijack SSL sessions directly for the agents or not. The problem is when government order CNNIC to issue dodgy certificates to play the MITM games, CNNIC simply can't say no.
Folks. Bugzilla isn't a place for advocacy, this discussion belongs in the mozilla.dev.security.policy newsgroup, as Eddy mentions. Having said that - I am very sensitive to the concern here. In my latest posting to that newsgroup, I said, in part: 1) We have never claimed as a matter of policy that our PKI decisions can protect people from malicious governments. It's just not a plausible promise for us to make. 2) I think, regardless of government ties, we'd carefully review and might well yank trust for any CA that was complicit in MitM attacks. 3) CNNIC complied with our root addition policy, they are in the product presently, so this isn't a question of approval, this is a question of whether we should review. It feels to me like that makes our next step clear, here. It won't help to tally up the complainants (there will be many), and it won't help to demand assurances from CNNIC (since the alleged governmental pressure would trump those anyhow). It certainly won't help to cite wikipedia. If there's truth to the allegation, here, then it should be possible to produce a cert. It should be possible to produce a certificate, signed by CNNIC, which impersonates a site known to have some other issuer. A live MitM attack, a paypal cert issued by CNNIC for example. If anyone in a position to produce such a thing needs help understanding the mechanics of doing so, I'm sure this forum will help them. SSL makes tampering visible to its victims. The certificate has to actually make it to my client before I can decide to trust it. By all means, let's arm people with the knowledge to detect and record such instances. But I don't see any clear step we can take until then. More comments in this bug will not help. Information of the type I described would be helpful in bug 542689, but more advocacy will not help there, either.
Johnath, there appears to be a problem accessing the mailing list. Can somebody look into this?
About the extend of MITM attacks already widely deployed in China, one can refer to the Harvard study "Empirical Analysis of Internet Filtering in China" that repeated documented this: "the authors prepared screenshots documenting the September 2002 redirection of requests for google.com to other search engines." "some newer forms of Chinese filtering -- namely, redirection of a request for a sensitive web site to another web site" "DNS Filtering/Redirection and Its Implications" "For some 1,043 of sites tested, we confirmed that DNS servers in China report a web server other than the official web sever actually designated via each site's authoritative name servers." http://cyber.law.harvard.edu/filtering/china/ http://cyber.law.harvard.edu/filtering/china/appendix-tech.html#dns As mentioned in Comment #30, CNNIC is directly administrated by "Ministry of Industry and Information Technology of the PRC" (budget controlled by the government). So when the government orders CNNIC to issue fake certificates to perfect its MITM attacks, CNNIC simply can't say no. So, if this root certificate crisis is not properly addressed, it's very likely that in a couple years, the relatives of some Tibetan or Falun Gong, or home church followers would sue Microsoft and Mozilla in U.S. for assisting the Chinese Communist regime to steal their email passwords using faked websites and certificates so could login to their real accounts later leading to their imprisonment, just like someone did against yahoo (http://www.rsf.org/Yahoo-settles-lawsuit-by-families.html).
(In reply to comment #31) > If there's truth to the allegation, here, then it should be possible to produce > a cert. It should be possible to produce a certificate, signed by CNNIC, which > impersonates a site known to have some other issuer. A live MitM attack, a > paypal cert issued by CNNIC for example. If anyone in a position to produce > such a thing needs help understanding the mechanics of doing so, I'm sure this > forum will help them. This quotation from Johnath sums things up. I note that there are various extensions such as Certificate Patrol: https://addons.mozilla.org/en-US/firefox/addon/6415 which can tell you when a certificate changes. If the concerned community also want to make an extension which alerts you when a particular CA has signed the cert for the site you are visiting, that is also possible. Firefox is designed exactly to be extended in this way. If and when evidence, rather than allegations, is produced of bad certificate issuance, we will swiftly consider it. Gerv
Gerv: > If and when evidence, rather than allegations, is produced of bad certificate > issuance, we will swiftly consider it. Please consider it seriously. General non-programmer users don't even know there is such a root CA security problem. They don't know their browser trusted a notorious CA. If they knew, they would have reacted by removing it. Most people even don't know there is a Certificate Patrol addon. Please consider make it a built-in function. The web is in danger of a mafia group attacking the people who're not equipped with enough knowledge of protecting themselves. If Firefox will be a safe browser, it should take security considerations serious. Hijacking is done in a national wide scale by the rogue government in PR China. Please never wait until the foreseeable crime happens and some innocent people already harmed by careless decisions of software developers. Then it's too late to react.Gervase Markham [:gerv] 2010-02-01 03:43:21 PSTIf the hijacking is done "on a nationwide scale", then someone should be able to produce some actual evidence of it. Download the bad cert, email us a copy, and we will act. How would you like it if I locked you up or fined you because I thought you were a criminal and didn't want to "wait until the foreseeable crime happens"? CNNIC is innocent until proven guilty - an important cornerstone of justice. If their abuses are as widespread as you say, then producing evidence to prove them guilty should not be difficult. GervJack 2010-02-01 06:56:18 PSTGerv, is MITMing 1,043 sites already "on a nationwide scale"? The widely quoted Harvard study already proved that, see http://cyber.law.harvard.edu/filtering/china/appendix-tech.html#dns . If this happened in UK/US the criminal is already rounded up. But no, this is in China, so the criminal is still "innocent" looking just like you and me, or worse, that criminal now also controls root certificate, ready to complete deadly attack any second. We can wait until word spread that certain cert is faked by CNNIC, but very likely at that time some victims are already tortured and jailed and their relatives filed lawsuit against Mozilla just like in the yahoo case (http://www.rsf.org/Yahoo-settles-lawsuit-by-families.html). Many people do not know how much the never-elected Chinese Communist "government" can do to average citizens. See New York Times report http://www.nytimes.com/2010/01/16/world/asia/16china.html on how they treated Zhisheng Gao, a Christian lawyer, by "more than a month of torture that included jabs with an electric baton and the piercing of his genitals with toothpicks. At the time, he said, his torturers told him he would be killed if he spoke publicly about his treatment in detention." And his "crime"? He "represented members of underground Christian churches and farmers whose land had been appropriated by powerful officials. At one point, he orchestrated a hunger strike by practitioners of Falun Gong." Now armed with full control of MITM and root certificate, the Party just got a more powerful weapon to persecute more people like Gao.Jack: the Harvard study you reference says nothing about CNNIC or certificates. We can't make the Great Firewall go away by removing CNNIC's root from Firefox. As a Christian myself, I am well aware of the persecutions that Christians and others undergo in China, including the case of Zhisheng Gao. However, you are arguing ad misericordiam. Even if other organizations or governments convict people for no crime, we do not. Provide evidence of abuse of the CNNIC root. GervIt'll be too late when we present the "evidence" of bad certificate hijacking to you. At that time, there is no need for you to "swiftly consider" any more, because it's too "swift". :) You're denying the facts that countless evidences have been accumulated. Some are already presented as above, but you keep ignoring them. So there is no good talking with you like this. We can do better things with our precious one-time lives. CNNIC is proven guilty countless times. But for those people who refuse to see, it's always innocent.lihlii 2010-02-01 08:05:55 PSTGerv: Even if other organizations or governments convict people for no crime, we do not. Provide evidence of abuse of the CNNIC root. lihlii: Gerv mixed the concept of a criminal law principle of "innocent before convicted" with security guarding and trust. Do you lock your doors until you lost your property? Please think it over. If Firefox excluded CNNIC Root cert, does it mean that Mozilla Foundation convicted CNNIC as guilty? It's all about trust! But further than that, CNNIC was convicted by the Chinese users as guilty with plenty of evidences, but you refused to see. CNNIC did too many dirty things that it doesn't have the least credit to be a qualified CA.lihlii 2010-02-01 08:09:38 PSTWith security guarding and trust, it's the reverse principle of the criminal law: It's about proof of goodness. If you can't prove you're good, we can't trust you. If we can't prove we're secured enough, we can't be safe. Those who defend a notorious CA using criminal law principles are neither qualified as a criminal law expert, nor as a security expert.Jack 2010-02-01 08:37:53 PSTGerv: > the Harvard study you reference says nothing about CNNIC or certificates. > As a Christian myself, I am well aware of the persecutions that Christians and > others undergo in China, including the case of Zhisheng Gao. Jack: In China in terms of persecutin people there is no distinction between CNNIC, the great firewall, the Communist Party, or the "government", or the "law". Since the Constitution of China said all should follow the leadership of the Chinese Communist Party. Take the Gao's case for example, was it the court who sentenced Gao? No, they couldn't because Gao didn't violate any law. Was it the police who tortured Gao? Yes, although they have no status power on that without sentencing. Did the court sued or sentenced the police who illegally tortured Gao? No, the police are proudly taking interviews. How could all these illegal acts happen, and without consequence? There must be one supreme power at China that supersedes all law or individual institutions, which obviously including the small cake CNNIC.
wanghx
lihlii: We have a set of criteria all CAs must meet before being included: http://www.mozilla.org/projects/security/certs/policy/ Those are the discussed and approved criteria the Mozilla community has come with with for inclusion in our root store. This is our "proof of goodness", if such a thing can ever be measured. If you think CNNIC's inclusion does not meet those criteria (perhaps because of some of the issues you have outlined), please let us know how, and which criterion they do not meet. If they do meet the criteria, they should be included. We are not going to not include them just because some people shout at us. Various Turkish people shouted a lot when we released a Kurdish localization, but we did it anyway. The evidence you cite in comment 39 of "strange certificate changes" doesn't mean anything unless we can see the full certificate chain. If it chains up to CNNIC, that's might make your case. But "Google Internet Authority" is, as far as Googling can tell me, the name of an intermediate CA Google does actually use. And who knows why they switch their certificates around? Their infrastructure is highly complex. I am not arguing that CNNIC is independent of the Chinese government. No CA can be entirely independent of the government of the country in which it operates anyway. This is why johnath rightly said (roughly) that if you want protection from a government, our default settings are probably not for you. If you don't trust CNNIC, that's your choice. Switch the root off. (Edit | Preferences | Advanced | View Certificates... | Authorities tab | Select CNNIC root | click Delete | click OK). Gerv
Does an organization who intentionally spread malware qualify? :) lihlii: We have a set of criteria all CAs must meet before being included: http://www.mozilla.org/projects/security/certs/policy/
Does an organization who intentionally spread malware qualify? :) gerv: > lihlii: We have a set of criteria all CAs must meet before being included: > http://www.mozilla.org/projects/security/certs/policy/ > The evidence you cite in comment 39 of "strange certificate changes" It's not direct evidence that CNNIC did that. It's a suspicion that the PR China government stole the private keys of Google so they were forced to change certificates in an abnormal frequency. Please, please read my messages carefully before you reply. There are already plenty of evidences that you refuse to read!! How can I say more about these rubbish? It's not about "protection from a government", but avoid harm from rogues! Why should you add a rogue in a browser and force the users to accept?!
wanghx
(In reply to comment #53)
> Please, please read my messages carefully before you reply.Please read ours. We don't need 8 paragraph missives, and we don't need copious linkage to tangentially related news stories. No one here is unsympathetic to your concerns, but you are not giving us something we can act on. More of the same won't help, either. When there is specific evidence that CNNIC has abused its position as a CA, or otherwise contravened our certificate policy, please comment here with that specific detail. In the meantime, you are *losing* supporters, not winning them, by continuing to spam this bug.
Johnathan> you are *losing* supporters I don't need supporters from you. :) I'm already clear enough. Even those who can't distinguish criminal law from qualification for a CA is repeating here, while others who take great effort to post plenty of evidences are regarded as "spam". :P If you won't read but still ask for "evidences", you're talking rubbish. "When there is specific evidence that CNNIC has abused its position as a CA" is the true spamming message repeating rubbish! I don't think it's valuable to ask to remove CNNIC root CA from Firefox now. I think the only conclusion is that some Mozilla developers are standing on ungrounded points while asking others to present "evidences" of possible violation of security. :P All that we keep saying is about high risk! Not a fact. But there are enough facts that CNNIC is not trustable! Risk is not things that you can wait to happen, then "swiftly consider" actions! What kind of security are you doing in Firefox project? I "spam" here because rubbish keeps spam before me. :) Sorry, this is the last post I'll put here. Others go to the newsgroup [1]. People who were blocked from access to usenet newsgroups or mozilla security discussion group [1] can try to subscribe to the mailing list [2], so you can receive and post messages to the same group. You can also try to access the mozilla.dev.security.policy group through the usenet news server news.mozilla.org. You can configure your news client (Thunderbird, Outlook Express, Windows Live Mail, MS Office Outlook, etc.) to access usenet newsgroups. But seems messages posted through the googlegroups is not synchronized to news.mozilla.org yet. [1] https://groups.google.com/group/mozilla.dev.security.policy/
tophits
> is governed by a set of policies which don't particularly care about a
> CA's affiliations, they care about a CAs behaviour.
Dear Johnathan,
1. Do the "policies" include consideration of the previous behaviours
of an application of a CA?
2. Do the "policies" exclude organizations who intentionally spread
unremovable malware, who actively aided to crack down freedom of
speech making use of their control over DNS registration as qualified
root CA?
3. Considering the behaviours that CNNIC did, why do you think they're
qualified but many Chinese users don't think CNNIC is a qualified CA?
What's wrong with the Chinese people [1]?
[1] Chinese users started a vote page here to remove CNNIC CA from
default
installations https://groups.google.com/group/mozilla.dev.security.policy/msg/6fd806b92d1e5eb1
tophits
Now removal of the CNNIC Root CA won't solve the problem, but,
practically, it's about security in the future.
The imaginary crime scene is like this:
Now CNNIC has a secondary CA (CNNIC SSL) issued by Entrust.net, which
is included as root CA in every browser.
If one day CNNIC used its secondary CA to help in a MITM attack, by
luck the victim found out, and by luck he kept an evidence
successfully, which for most of the victims attacked by the PR China
government it's impossible, because they're mostly political
dissidents and human right activists who are not computer experts.
They just see the lock icon on the browser and trust it as "secure
http".
If the victims submit a report to Entrust.net, it might revoke the
secondary CA of CNNIC SSL. Well, it's none of the business of
Firefox, so they're not "provoked" [1] to act either. :)
Then the point comes to explain why CNNIC needs a root CA. They tried
to trick all the browsers to install their root CA. When the PRC
government decided it's the right time to start a new attack on gmail,
they can order CNNIC to forge a gmail certificate with their root CA,
thus unnoticed by most of the users who are not computer experts.
If by luck the victim found out, and by luck he kept an evidence
successfully, he might report to Mozilla project. If the evidence
consists of too many paragraphs, the Mozilla project security managers
might refuse to read such "spams" and the victims will be shamefully
"*losing* supporters" [2]. :) So it's none of the business of
Firefox, thus they're not "provoked" [1] to act again. :)
If the victims gathered the appropriate, precisely the suitable amount
of evidences of attacks CNNIC already DID, and for which we "can act
on"[2], then most of the time the victims already suffered big loss,
even lives. Until then, the security group of Firefox will be
"provoked" to act. :)
If it's not Google that was attacked recently, the public won't know
the range and depth that the PRC government had been involved in cyber
attacks against its citizens and international bodies. Though there
are already plenty of reports before the Google announcement, most
people just don't care because they pretend they're safe from the
attacks which were targeted at certain groups of people like the Jews
in Nazi Germany. Here Gerv also have the similar attitude: these are
not "average person". :)
References:
[1] Gervase Markham: Without evidence of wrongdoing, there is nothing
to provoke us to
action; https://groups.google.com/group/mozilla.dev.security.policy/msg/53f6e132eba7ee1f
[2] Johnathan Nightingale: We don't need 8 paragraph missives, and we
don't need copious linkage to
tangentially related news stories; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c54
On Feb 1, 6:48 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I left a similar comment at the bughttps://bugzilla.mozilla.org/show_bug.cgi?id=476766#c56
>
> As a member of the team that reviews regularly CA inclusion requests, I
> believe that if the allegations and concerns would have been raised
> during the public discussion, the request to include this CA root would
> have been looked at more into depth and might have been put on ice for a
> while in order to learn more about it and its implications.
>
> Now that we are after the fact of the inclusion, removal of a root
> requires some specific evidence. Additionally it appears that this root
> is also cross-signed by another notable CA, removal of the root wouldn't
> produce the desired result.
>
> I suggest to walk the extra mile and raise the claims and allegations
> made with the CA which cross-signed this root for a better
> understanding. This understanding might help to evaluate and perhaps
> also refute the claims and concerns made for the benefit of all
> parties. Maybe also a statement from that CA would perhaps help to
> understand which controls are in place to prevent actual misuse on part
> of CNNIC.
>
> Special note to Kathleen: I'm a bit surprised to learn that some CA
> roots which are requested to be included are already cross-signed by
> another already trusted CA. I would like to suggest and request to have
> such facts disclosed properly during the information gathering phase.
> Could you make this part of the information you gather before the
> discussion here?
tophits
Inclusion of untrustworthy CNNIC root CA certificate will enhance the
power of the GFW. Then in effect you're the co-builder of the GFW.
Before adding the root CA in each browser, it's difficult for the PR
China government to ban all HTTPS sites that uses international root
CAs.
After adding the CNNIC root CA, one day they can order all websites in
China to use certificates issued by CNNIC root CA, while white list
selected HTTPS websites outside of the GFW. Thus there is less chance
for the Chinese people to penetrate the GFW without notice, just like
what many companies are doing to audit, monitor or ban HTTPS
connections outward.
Now SSL encrypted proxy is the major tool that the Chinese people
depend to penetrate the GFW and join this rubbish spam discussion
after their security was already endangered by the inclusion of a
rogue CA! After the CNNIC root CA is universally deployed, there will
be no voice from real Chinese users to be heard here any more, so you
won't get "spams", and there will never be any "evidences" to reach
your honorable eyes that CNNIC violated the CA policy.
Congratulations!
> Gervase Markham: If you don't trust CNNIC, that's your choice. Switch the root off.
Experienced users take the trouble to remove or disable the CNNIC
certificates, while the majority of non-technical users just don't
know they're trusting CNNIC because of their browser!
What's more, it's especially those who lack of knowledge to remove the
certificates are most susceptible to the MITM attacks from the maffia
group dominating China. If anything bad happened and somebody harmed,
Mozilla Firefox may be a complicity. Be warned.
Why don't you say this? "If you trust CNNIC, that's your choice.
Install their root CA"
In fact, for the previous years, CNNIC distributed malware trying to
control all the Internet users in China. In this malware, it silently
installed their root certificate. You can search on google [3]-[14]
if you know Chinese and see how angrily the users are against CNNIC
for these malware. But it's designed to be hooked in OS kernel
drivers and very difficult to be removed!
Do you think a qualified legal root CA could have tried to deploy
their software using spyware techniques [8] like this?! Are you going
to help them toward success in another way of cheating the users by
hiding their root certificates in a "creditable" opensource browser?
Now I know why CNNIC applied secondary CA certificate from
Entrust.net. It's because Entrust opened local business in China
[15]. Now I think Entrust.net root CA is not trustworthy and I will
also disable it.
References:
[1] Gervase Markham; 2010-02-01 07:09:45 PST;
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c46
[2] Gervase Markham; 2010-02-01 08:54:09 PST;
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c51
[3] How do I remove the plug-ins are rogue cnnic-CNNIC;
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://zhidao.baidu.com/question/29128426.html%3Ffr%3Dqrl%26cid%3D92%26index%3D3%26fr2%3Dquery&sl=zh-CN&tl=en
[4] CNNIC plug-in that the top of a very rogue! Hate it!
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/q%3Fword%3D%25C8%25E7%25BA%25CE%25C9%25BE%25B3%25FDcnnic%25A3%25ADCNNIC%25B2%25E5%25BC%25FE%25BA%25DC%25C1%25F7%25C3%25A5%26ct%3D17%26pn%3D0%26tn%3Dikaslist%26rn%3D10%26fr%3Dqrl%26cid%3D87
[5] How can I completely remove the cnnic Chinese Internet rogue
software
http://translate.googleusercontent.com/translate_c?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/130296199.html%3Fsi%3D7&rurl=translate.google.com&twu=1&usg=ALkJrhgwq_gB9_lYKakl1qlmlw4M4YBfag
[6] Why is the Chinese Internet is a very authoritative CNNIC
published was considered rogue software?
http://translate.googleusercontent.com/translate_c?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/11828487.html%3Fsi%3D9&rurl=translate.google.com&twu=1&usg=ALkJrhgoco6ZpApeNpmdjViZmm4n48xBCA
[7] CNNIC General website - in Chinese Internet plug-in of the most
rogue of the most shameless plug-in
http://translate.googleusercontent.com/translate_c?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/6835631.html%3Fsi%3D8&rurl=translate.google.com&twu=1&usg=ALkJrhjSYNXXqjQVmlocwlVLsMQ2622vaw
[8] How do I delete CNNIC Chinese Internet Software
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/29003437.html%3Ffr%3Dqrl%26cid%3D92%26index%3D4%26fr2%3Dquery
> FSD INLINE HOOK technology, which is a dangerous and powerful hook technology. It is strong because it has a very strong data interception capabilities and hidden the extraordinary ability to make non-specialists find it difficult to existence, and can strongly protect the specified file. The reason is dangerous because of its dependence and complexity of the system are very high, the stability depends entirely on the developer's understanding of the windows operating system kernel, any part of the slightest change can cause a system crash. Because Microsoft did not announce any of the technology interface documentation, and clearly inform the developers to use the regular programming interface, therefore, FSD INLINE HOOK rarely been used in commercial software, is not yet any one of commercial software using this technology. Using this technology, most of them viruses, Trojans, Rootkit programs and other malicious software, such as M...@Rootkit.Drop.gy, I-W...@MM.Trojan.Downloader.zp such as "CNNIC Chinese language Internet" use was mainly FSD INLINE HOOK In order to protect "CNNIC Chinese Internet" will not be unloaded, this low-level, non-public use of technology resulted in an extremely unstable computer users and frequent blue screens, crashes, allowing normal users can not uninstall "CNNIC Chinese Internet" plug-in,
[9] Cnnic (China Internet Network Information Center), Chinese
Internet plug-in is a rogue software? Why are often not carefully
installed, how to prevent it
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/15465565.html%3Ffr%3Dqrl%26cid%3D87%26index%3D2
> Driven by economic interests of hooliganism, they sell rubbish in the name of the country's flag.
[10] My machine did not know what they are loaded with the software
installed CNNIC every time
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/13089112.html%3Ffr%3Dqrl%26cid%3D87%26index%3D4
[11] CNNIC! Out of my way!
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://reizhi.cn/2010/01/cnnic-out-of-my-way/
[12] No matter how much trust do Microsoft, firefox, apple, Google
have on CNNIC, I dare not trust, and now what I have to do is to
completely remove CNNIC from trusted root certificate of my computer.
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://blog.zdnet.com.cn/index.php%3Fuid/313976/action/viewspace/itemid/2887306/php/1
[13] User reaction was, "CNNIC Chinese Internet" promulgated software
which has many features in line with the definition of malicious
software by Internet Society of China;
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://article.pchome.net/content-157081.html
[14] CNNIC(中国互联网络信息中心)强制推广中文.cn域名插件 http://www.esuzhou.com/ShowInfoDetail.asp?id=328
> CNNIC chanted against rogue software, while the launch of its rogue software "Chinese domain names, plug-ins." In fact the plug-in by the CNNIC launched the domestic domain plug-in, and among the China's top ten out of the rogue software. The plug-in has a mandatory install (no prompts before installation, the installation process without selection), can not be completely uninstalled after installation characteristics. And has slow down the system speed, rape and user address stopped (forced move of its own search page), automatic plug-in shielding another domain name, forced to modify the system default domain name suffix functions.
[15] http://www.entrust.com.cn/
tophits
> formidable opponent that technological measures are unlikely to be
> sufficient on their own, and, on the other hand, that our CA program
Is this the technical problem that you must bundle a rogue CA that so
many end users don't trust in your program? :)
tophits
> [This mid-aired a few hours ago and I only just noticed.]
>
> All new participants here should take note of the fact that there are some
> behaviours expected of Bugzilla commenters:
> https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
> Failure to respect these could result in your account being disabled.
You threat with privilege means nothing to me. I even don't mind the
mighty PRC government, how should I fear your threats to remove my
account? :)
> (In reply to comment #53)
> > Does an organization who intentionally spread malware qualify? :)
>
> As Nelson has said in the newsgroup, a code-signing certificate is not an
> indication of the "goodness" of the code, it is a way to determine who the
> creator of the code is. CAs do not, and never have, done code reviews of all
> code they sign.
Please check the fact carefully! Don't speak blindly! It's not that
CNNIC signed some malware,
but they developed and distributed malware for themselves!!
Why don't you read those pages that I included English translation?
Though they're written in Chinese, the google translate does help you
to understand what it's mainly about.
If you can't read Chinese, why don't you listen to what the Chinese
users' judgement?!
> Do remember that I can't read Chinese, so your references were mostly opaque to
> me.
Why don't you read those pages that I included English translation?
Though they're written in Chinese, the google translate does help you
to understand what it's mainly about.
> You say yourself that "the inclusion of an untrustworthy CNNIC root CA won't
> make the situation worse". So I fail to see how this evidence is relevant to
> their inclusion or not.
That's because itt's already the worst. :) But removing CNNIC root CA
can avoid future bigger disaster.
> I've commented on at least two bits of the evidence you have quoted in this
> bug, and I have set out in detail what evidence we would accept for your
The "evidence" you understood is not what I meant. You never read the
evidence carefully! I feel so tired talking with you like this!
tophits
Correction: I remember once read about this, but can't confirm it with
evidences. So remove this sentence.
tophits
It's totally a waste of time to talk with those who ignore "evidences"
that you presented, but keeps speaking in their own imagination, such
as "code signing certificate" bullshit.
I think if Firefox is not going to improve, people can improve it.
It's not easy to maintain a trunk code, but it's easy to maintain and
improve some good addons for security, such as Certificate Patrol.
I think my time is more valuable to contribute to improve the code of
Certificate Patrol than talking in vain. :)
wanghx
anyway we have to stop this crazy action.
But as anyone knows, mirosoft trusted cnnic. How can we solve this problem? There are no bugzilla open to us.
I will help by contributing an convincing article about this problem in English.
As Campus Ambessador of Mozilla Online, branch of Mozilla Foundation in China, I am extremely disappointed about the community, as well as the company I served for.
tophits
Trust: 17
Unknow: 26
Don't trust: 1573
On Feb 1, 4:24 pm, tophits <wan...@gmail.com> wrote:
> Chinese users started a vote page here to remove CNNIC CA from default
> installations:https://spreadsheets.google.com/viewform?formkey=dGctTVY0Y3VxX3lrXzZo...
>
> And here is the vote result:https://spreadsheets.google.com/pub?key=tg-MV4cuq_yk_6hxotX1AUw&outpu...
tophits
Root CA certificate. After this blog post got some publicity, their
server suffered DDoS attack and was forced offline.
One popular Chinese blog writer and Internet technology critic William
Long commented on this event: CNNIC begins to
play with the black hands.
These programmers are authors of a Firefox addon Autoproxy which helps
the Chinese users “clime over the Great Firewall of PR China, an
information Berlin Wall.
http://twitter.com/williamlong/status/8530905676
RT @WCM: 同学们,AutoProxy 官网因为 CNNIC 一文被 DDOS 服务器下线,以下是存档: http://tinyurl.com/y8gy3d7
放弃版权,欢迎传播。 //CNNIC开始玩黑的了!
about 5 hours ago from Echofon
tophits
from NSS
https://bugzilla.mozilla.org/show_bug.cgi?id=542689
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c60
Jack 2010-02-01 20:28:11 PST
Fact #1: Chinese Communist government has been MITMing at least 1,043
websites.
[1]
Fact #2: Chinese Communist government has tortured and imposed ten-
year
imprisonment to netizens for peaceful online speech [2]
Fact #3: Chinese Communist government is the boss of CNNIC [Comment
#30]
The Mozilla CA Certificate Policy (Version 1.2) [3] states that CA
certificate
can be revoked if "we believe that including a CA certificate (or
setting its
"trust bits" in a particular way) would cause undue risks to users'
security".
Now, if Chinese Communist government want to have root certificate
itself, the
above Mozilla policy will directly apply, since Chinese Communist
government
does massive MITM and tortures and jails people for peaceful online
speech.
Now the question is whether that Mozilla policy applies to CNNIC, an
agency
that Chinese Communist government directly directs and fully controls.
[1] http://cyber.law.harvard.edu/filtering/china/appendix-tech.html#dns
[2] http://www.rsf.org/Yahoo-settles-lawsuit-by-families.html
[3] http://www.mozilla.org/projects/security/certs/policy/
tophits
> organized manner. I also believe that the Mozilla CA policy is sensitive
> enough that it doesn't require hard and explicit evidence of MITM
> attacks and forged certificates to prevent the inclusion of a CA root -
> something which is in any case hard to come by. Therefore I'm not
I agree with Eddy on this point. All we were debating by repeated
nonsenses (of me) are focused on this point.
Dear Johnathan,
In your 2008 conference speech [1], you stated:
> The single most important thing
> you can do is find ways to
> capture expensive knowledge so
> that you never pay for the same
> lesson twice
It's well said. The mozilla users worldwide can't risk their security
with a rogue organization of a rogue government which had very bad
history and ultimately no credit. We paid heavy price before. We
can't afford to repeat these lessons.
But in your message [2], you said:
> I don't need news articles about the Chinese government. I don't need long
> essays talking about CNNICs involvement with the government (we have several
> government-based CAs in the product). I *certainly* don't need 500 more "me
> too" comments.
Why don't you say, "I don't need talking about what CNNIC did and is
continuing to do by spreading malware to spy on users, crack down
independent blog websites to suppress free speech on Internet"?
Why don't say that "I don't need talking about the DNS hijacking that
the PR China government is doing on a routine base and CNNIC stated
that it 'takes orders from' such a rogue 'government'"?
Why do you intentionally omit these key evidences which proved that
CNNIC is not trustworthy and not qualified to be a root CA? Do you
know how difficult the Chinese people are trying to be heard in this
discussion because of heavy censorship and state terror to crack down
free speech? Do they feel their anger against the threat of the rogue
government and its minion organs like CNNIC?
As pointed by Jack [3]:
> The Mozilla CA Certificate Policy (Version 1.2) [3] states that CA certificate
> can be revoked if "we believe that including a CA certificate (or setting its
> "trust bits" in a particular way) would cause undue risks to users' security".
Why do you repeatedly insist that there must be an evidence of forged
certificate for Mozilla to decide to take actions?
What's your understanding of the phrase "would cause undue risk"?
Should the policy be changed by you into "have caused undue problem
and captured on scene with evidences of a forged certificate"?
Reference:
[1] Johnathan Nightingale: The Most Important Thing - How Mozilla Does
Security and What You Can Steal; http://www.first.org/conference/2008/papers/nightingale-johnathan-slides.pdf
from http://www.first.org/conference/2008/program/speakers.html#Johnathan_Nightingale
[2] Johnathan Nightingale: We need evidence, not advocacy; 2010-02-02
10:56:24 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c68
[3] Jack: Now the question is whether that Mozilla policy applies to
CNNIC; 2010-02-01 20:28:11 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c60
tophits
> is a good will to show to Beijing, which is understandable. At least
> it should only be included in Simplified Chinese edition. And it
> should not be installed as default.
Raymond, it's very dangerous to suggest this! If the CNNIC root CA is
only included in the Chinese version, then only the Chinese users are
in danger, thus they will be more easily ignored by the other parts of
the world.
It will be welcomed by the PR China mafia group which is misnamed as
"a government". :P
tophits
> I am from China too, but I do not think removing CNNIC from CA root is
> a good idea.Yes I believe China gov will use this to have MITM
> attack,but I too believe CIA will use the same method to hijack
> someone's email(for example: people form Al Qaeda). So my suggestion
> is to add some default feature to protect firefox users from MITM
> attack,like the SSLGuard(https://addons.mozilla.org/zh-CN/firefox/
> addon/14916), or show strong warning when SSL Cert has changed.
>
> if do nothing,who can know he has suffered a MITM attack,and then how
> to provide the evidence?
I second to your later point that Firefox should aid the users to be
alert of MITM attacks.
But, still it's important to remove CNNIC root CA certificate.
Because the PRC government planned to roll out the CNNIC root CA to
all mainstream browsers and OS, thus they can carry out the further
steps to force all domestic websites to use certificates from this
root CA, thus they can easily revoke the HTTPS certificates of any
websites that is not obedient, just as how they managed the
registration of .cn domain as a weapon to threat the website owners.
Next, because all browsers have the CNNIC root CA, they have reached
the condition to force Chinese websites to switch to CNNIC root CA,
and block all SSL connections without certificates signed by CNNIC
root CA that cross the GFW, except those listed in their whitelist.
This will in effect enable the PRC government to censor all HTTPS
communications and selectively block most of the anti-censorship
software, like Tor. Many users have made such prediction. [1]
Those who can't read Chinese can use translate.google.com to
understand more or less the content of the Chinese references. I
found for most of the time, the English machine translation of google
is good enough to be comprehensible. Google translate is not too bad
compared with mine. :)
[1] 小野大神: 当网络安全核心机制遇到流氓政府; January 30, 2010; http://oogami.name/799/
tophits
to force users to install their certificate using malicious code on
their website and embedded code slips on countless websites in China
to force the users to install their unremovable malware exploiting
vulnerability of browsers.
[1] 类似于禁止3721的方法,怎么禁止不了cnnic安装证书呢? http://www.webcitation.org/5n9u5hWzP
machine translation:
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://bbs.blueidea.com/thread-1202502-1-1.html&sl=zh-CN&tl=en
tophits
> technology that allows gmail to present Thawte's certificate to users
> at free world, yet present CNNIC's certificate to users from Communist
> China. And no serious website that cares its reputation and business
I agree mostly with Jack. But I think technically it's possible to
present different certificate to client browsers from different
geographic regions depending on client IP address based URL
redirection, DNS allocation for server load balancing, etc.
The universal deployment of CNNIC root cert in major browsers will
facilitate the PRC rogue regime with new capabilities in Internet
censorship, besides the high risk of MITM attack against specific
group of users by the rogue regime.
Based on the historical attempts of the PRC regime to enforce stricter
Internet censorship on user end (Green Dam censorware) and website
servers (Blue Dam censorware), as well as their stronger attack on the
proxy services which provided Chinese users the limited pathes to
bypass the GFW (Great Firewall, the information Berlin Wall of China),
a lot of Chinese technical users believe that the deployment of CNNIC
root CA in major browsers is highly possible a first step to enhance
censorship over all HTTPS and SSL/SSH connections, which is the major
technical tunnel for the Chinese users to break through the GFW.
We know that many companies are censoring HTTPS connections with a
MITM device with the help of embedded certificate of the MITM device
in every employee's work computer. That's exactly the way that the
PRC rogue regime may do with CNNIC root cert.
After the universal deployment of CNNIC root cert, the PRC regime has
the condition to order all websites that communicate with Chinese
users to use CNNIC root CA. Because every browser is already installed
with CNNIC root CA, most users won't feel the difference when the
servers are forced to switch to CNNIC signed certificates, thus there
will be less excuse for the server companies to reject the rule. I
believe most of the international companies will also obey the rule if
their servers communicate with users in China, as they did now. They
won't sacrifice their financial profit for justice or human rights.
For those small number of websites which don't cooperate, the PRC
regime can simply block it off, just as what they have done to
youtube, flickr and facebook, etc.
After that, they can block all those HTTPS/SSL/SSH connections without
CNNIC root CA signed cert, which in effect will block all major tools
to bypass the GFW. You will get a cleaner and quieter world without
angry Chinese users complaining about CNNIC here. Even if there are
MITM attacks happening everyday, you won't hear a word and nobody will
be able to present the evidence to the noble eyes of the Mozilla
security module administrators by spamming the glory bugzilla list of
Mozilla.
On Feb 16, 3:29 pm, Jack <jsmith...@live.com> wrote:
> On Feb 13, 8:33 am, Eddy Nigg <eddy_n...@startcom.org> wrote:
> > It begs the question, is the CNNIC root included with Microsoft? Or is
> > it supported solemnly through the cross-signing by Entrust?
>
> I don't see the point of Firefox to do the same as what Microsoft do,
> especially in security. In fact, the number one reason for people to
> use Firefox over Microsoft, in my opinion, is Firefox handles security
> differently than Microsoft.
>
> Apparently, right now few if any legitimate website uses certificate
> from CNNIC, so including CNNIC root CA gains nothing in usability, yet
> it seriously damages Firefox security, threatening all Firefox users
> inside and outside Communist China, by trusting root CA from a world-
> renowned virus writer whose boss is known to do daily, massive MITM,
> impose decade long sentence for peaceful online speech, regularly
> mounting sophisticated hacking attacks to foreign governments, high
> profile companies, various human rights groups etc.
>
> Even in the worst yet not impossible scenario that CNNIC, aka CNNIC's
> boss orders all possible websites to use certificates from CNNIC,
> consider the following:
>
> 1. as someone pointed out above, it can never order websites outside
> Communist China to use CNNIC's certificate, because there is no known
> technology that allows gmail to present Thawte's certificate to users
> at free world, yet present CNNIC's certificate to users from Communist
> China. And no serious website that cares its reputation and business
> would ever dream of using CNNIC's certificate exclusively for all its
> business.
>
> 2. even if all websites inside Communist China were forced to use
> CNNIC's certificate, ask youself, although there may be millions of
> websites in the world that presents SSL certifcates, how many do YOU
> have to visit? Very few, a couple banks' certificates, employing
> company's free root CA, school's free root CA, and maybe a couple
> project group's certificates. That's it. And chances are, there is
> at least one certificate that's not trusted by Firefox, so you have to
> learn how to add exception anyway. And adding a few more in your
> whole life is not much different than adding one exception. But you
> have the greater security that YOU know exactly what you trust, and
> knowing the certificates you trusted can never fake gmail.com .
>
> So untrust CNNIC by default and requires users to add exception for
> websites they visit sacrifices little usability yet adds significant
> security. And Firefox doesn't have to follow Microsoft on this. In
> fact, if the information mentioned in this discussion is widely
> reported, I would imagine many more users would be driven to use the
> browser that doesn't trust CNNIC.
tophits
Your proposal of the UI improvement to show the country involved in
the certificate signing chain won't help in many cases.
Most websites uses HTTPS as temporary connection for authentication
only, after you click a "login" submit button. For these cases your
improved UI won't help because the encrypted session is switched on
and off very quickly and the user won't know beforehand which
certificate the coming HTTPS login dialog will use. Yes, it's a bad
practice, but common. One such example is the login process of
hotmail.com.
Even if the new UI can help you to capture the certificate for later
inspection, your password might already be tampered.
It's true that CNNIC already have a CA cert signed by Entrust.net
[1]. Technical people suggested the Chinese users to disable the
Entrust.net root CA too. There are a lot of Chinese technical blog
posts about this. But we didn't raise this question because it's too
difficult for Mozilla to do so. In my Firefox, I've already disabled
all Entrust.net root CA.
In fact, Entrust.net root CA is already not safe for Chinese users,
because this company opened subsidiary in China as Entrust.com.cn.
This might be why CNNIC chose a CA root from Entrust because it's also
what they have the power to control.
Although considering that CNNIC CA cert signed by Entrust, the direct
inclusion of CNNIC root CA is nevertheless one big step further to
enable CNNIC with greater power to do harm to Chinese users. This is
because though Entrust was under certain level of control by the
Chinese government, it's still not based in China. If CNNIC aided
MITM attack using the Entrust signed CNNIC cert, Entrust might be
forced by international consensus to revoke the CNNIC cert. Thus the
CNNIC still doesn't feel powerful enough, so they seek for inclusion
of a root CA cert in all major OS and browsers.
[1] it's about security in the future
https://groups.google.com/group/mozilla.dev.security.policy/msg/a84d4c30e1fb9414
On Feb 18, 12:17 pm, Kai Engert <kai.eng...@gmail.com> wrote:
> If I understand correctly, the organization mentioned is also in
> possession of an intermediate CA cert, issued by another trusted root
> CA. I'm referring to a post made by tophits, earlier in this thread.
>
> If that's true, I'm surprised we haven't yet seen requests to drop
> that other CA, too.
>
> My idea, potentially showing multiple flags, would help in both
> scenarios, where country A gets an intermediate cert from a CA
> operating in country B. Users would still know that country A is
> involved.
>
> Kai
tophits
cert:
CN = Entrust.net Secure Server Certification Authority
OU = (c) 1999 Entrust.net Limited
OU = www.entrust.net/CPS incorp. by ref. (limits liab.)
O = Entrust.net
C = US
Serial number: 37 4a d2 43
KeyID: f0 17 62 13 55 3d b3 ff 0a 00 6b fb 50 84 97 f3 ed 62 d0 1a
SHA1 thumbprint: 99 a6 9b e6 1a fe 88 6b 4d 2b 82 00 7c b8 54 fc 31 7e
15 39
On Feb 18, 5:54 pm, "David E. Ross" <nob...@nowhere.invalid> wrote:
> Which Entrust signed the CNNIC root? I see 7 Entrust.net roots and 1
> Entrust Inc root in my configuration.
>
> --
>
> David E. Ross
> <http://www.rossde.com/>.
>
> Anyone who thinks government owns a monopoly on inefficient, obstructive
> bureaucracy has obviously never worked for a large corporation. © 1997
tophits
> tophits wrote:
> > If CNNIC aided
> > MITM attack using the Entrust signed CNNIC cert, Entrust might be
> > forced by international consensus to revoke the CNNIC cert
>
> CNNIC root cert immediately.
>
> It would be very fast and simple to do it for the one that's directly
> inside the root store of Firefox, but I'm certain Mozilla would also do
> all change needed to be able to disable CNNIC the one cross-signed by
> Entrust.
The Starsi police of PRC will do it even faster to put one innocent
journalist or dissident into jail for over 10 years. Those who are
most susceptible to such attacks are however those who don't have
enough computer knowledge to disable these poisonous root CAs.
Do you know how difficult it is for me to teach those non-technical
journalist friends to check the security of their gmail accounts?
Although it's very simple for our computer engineers.
Please consider it! The risk is too high for you to ignore.
Some computer engineers in China are trying to persuade Microsoft and
Entrust.net to cancel the CNNIC cert, but that's even more difficult.
tophits
censorship and those who insist that CNNIC is a reliable CA should
read this blog post. One Chinese blogger who posted free opinions on
his own blog was threatened by another blog owner who shares the same
host IP provided by a web hosting company in the US:
> A screenshot of your blog with your site IP, and your domain whois info is sent to CNNIC, and your personal info with some of your speech in Twitter is sent to Chengdu Police Station. [2]
CNNIC is one of the technical organs of the Internet Stasi of P.R.
China. By including CNNIC CAs, you're helping a rogue government to
crack down free speech and further persecute the Chinese people.
You're complicity. Be warned.
[1] CNNIC Root Inclusion;
http://groups.google.com/group/mozilla.dev.security.policy/browse_frm/thread/17be3bd7e0b33e8c
[2] 我的邻居真好 I have a really good neighbor; June 19th, 2010;
http://www.caichen.org/my-neighbor.html ;
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://www.caichen.org/my-neighbor.html&sl=zh-CN&tl=en
[3] Fake DNS entries from China/CNNIC;
http://groups.google.com/group/mozilla.dev.security.policy/msg/e9b7d7b16f731d33
tophits
China that CNNIC is the technical organ of the Internet Starsi of PRC
gov.
Whether the DNS was registered in by GoDaddy doesn't make difference.
The CNNIC will do technical DNS hijacking to block the DNS resolving,
collect and report dissidents' personal information to the political
security police of the rogue gov.
Nelson is totally a pile of shit, so I won't reply to his shit.
On Jun 29, 8:24 am, Mook <mook.moz
+nntp.news.mozilla....@gmail.com.please-avoid-direct-mail> wrote:
> It does appear rather confusing that CNNIC is mentioned - his domain
> seems to have been registered with GoDaddy, so it's not like they could
> have done anything. Do they also administer the firewall or something?
> I'm not familiar with how all that is set up.
tophits
nonsense. :)
Go read the US congress report on CCP's Internet censorship and you
will know what CNNIC is doing.
Don't talk much but read little. That won't prove you're responsible
for your words.
Nelson Bolyard is another thing, totally shitty crap. :)
On Jun 29, 8:24 am, Mook <mook.moz
+nntp.news.mozilla....@gmail.com.please-avoid-direct-mail> wrote:
> I do agree though this does not appear to help tophits' argument - the
> same with pretty much all of the other things he's brought up, sadly.
>
> --
> Mook