CNNIC Root Inclusion


Eddy Nigg, Jan 27, 2010, 9:14:03 AM
I was made aware of some controversial issues regarding the inclusion of
the CNNIC Root. Please see comments
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item
thereafter.

Even though this is mostly a technical forum, Mozilla might have an
opinion in this respect. Kathleen, could you please follow up at the
appropriate channels regarding the claims made as it might affect the
Mozilla CA policy section 4 and 6, maybe also others.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Eddy Nigg, Jan 27, 2010, 9:18:30 AM
On 01/27/2010 04:14 PM, Eddy Nigg:

> I was made aware of some controversial issues regarding the inclusion
> of the CNNIC Root. Please see comments
> https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item
> thereafter.
>
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect the
> Mozilla CA policy section 4 and 6, maybe also others.
>

Unfortunately this is some disturbing evidence regarding some of the claims:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=cnnic.net.cn

http://www.siteadvisor.com/sites/cnnic.net.cn

http://en.wikipedia.org/wiki/China_Internet_Network_Information_Center#Malware_Production_And_Distribution

Akkad, Jan 27, 2010, 9:55:38 AM
On Jan 27, 9:18 am, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 01/27/2010 04:14 PM, Eddy Nigg:
>
> > I was made aware of some controversial issues regarding the inclusion
> > of the CNNIC Root. Please see comments
> > https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item
> > thereafter.
>
> > Even though this is mostly a technical forum, Mozilla might have an
> > opinion in this respect. Kathleen, could you please follow up at the
> > appropriate channels regarding the claims made as it might affect the
> > Mozilla CA policy section 4 and 6, maybe also others.
>
> Unfortunately this is some disturbing evidence regarding some of the claims:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client...
>
> http://www.siteadvisor.com/sites/cnnic.net.cn
>
> http://en.wikipedia.org/wiki/China_Internet_Network_Information_Cente...
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org

Chinese users have started removing CNNIC from root certificates now.
Please see here: https://twitter.com/search?q=CNNIC. This is really a
SECURITY issue. It's for Mozilla's policy #4 #6 #7 #10.

I know what Liu Yan cares about. You can expect instructions to remove CNNIC
to be blocked or removed in China very soon.

Nelson Bolyard, Jan 27, 2010, 12:11:29 PM
On 2010-01-27 06:18 PST, Eddy Nigg wrote:
> On 01/27/2010 04:14 PM, Eddy Nigg:
>> I was made aware of some controversial issues regarding the inclusion
>> of the CNNIC Root. Please see comments
>> https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item
>> thereafter.
>>
>> Even though this is mostly a technical forum,

It is?

I've seen MANY rants in past years from people who got infected by signed
malware. They were under the mistaken impression that signed software is
software that has been certified by the CA to be virus-free. Of course,
as we know, that's not what a code signing cert means at all. It merely
provides trustworthy identification of the source of the software, and
does not attest to the quality of the software.

I've also seen a lot of confusion in the past over who is the source of
signed software. A lot of people assume that the certificate issuer,
rather than the certificate subject, is the source of the signed software.

Now, we come to the immediate cases to which Eddy provided links:

I cannot determine, from the information presented on those pages, if CNNIC
was itself the source (the signer) of the signed software, or was merely the
issuer of certificates that were used by other subjects to sign malware.
The middle of those 3 links says that CNNIC had links to another site,
tech.sina.com.cn, which on its face seems to be another organization.
This doesn't seem inconsistent with CNNIC's role as a CA.

I think we need to be very careful to avoid getting caught in the trap of
thinking of certificates as attestations of morality or competence, and
thinking of CAs as judges of morality or competence. If we allow the role
of CAs to become defined as being those judges, they will CERTAINLY FAIL.
So, let's define their role as doing something at which they can succeed,
namely attesting to binding of keys to vetted identities.

Eddy Nigg, Jan 27, 2010, 12:28:00 PM
On 01/27/2010 07:11 PM, Nelson Bolyard:

> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
>
>>
>>> Even though this is mostly a technical forum,
>>>
> It is?
>

Technical in the sense of policies and CA practices. It's not a
political forum...

> I've seen MANY rants in past years from people who got infected by signed
> malware. They were under the mistaken impression that signed software is
> software that has been certified by the CA to be virus-free. Of course,
> as we know, that's not what a code signing cert means at all. It merely
> provides trustworthy identification of the source of the software, and
> does not attest to the quality of the software.
>

Sure, I think that the issues mentioned are a bit broader and haven't
much to do with code signing certificates per se. Distribution of
malware usually starts at a web site, and this is what the links below say.

I have nowhere seen anything about signed software; this is your (wrong)
assumption.

> I think we need to be very careful to avoid getting caught in the trap of
> thinking of certificates as attestations of morality or competence, and
> thinking of CAs as judges of morality or competence. If we allow the role
> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> So, let's define their role as doing something at which they can succeed,
> namely attesting to binding of keys to vetted identities.
>

That's why I requested to have this handled at the proper channels.
Though I think a discussion, especially by the affected parties, might be
interesting to have in order to understand more about it. And obviously
there might be members willing to voice their opinion on what should be done...

Yuki Sea, Jan 27, 2010, 2:05:25 PM
On Jan 28, 1:28 am, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 01/27/2010 07:11 PM, Nelson Bolyard:
>
> > On 2010-01-27 06:18 PST, Eddy Nigg wrote:
>
> >>> Even though this is mostly a technical forum,
>
> > It is?
>
> Technical in the sense of policies and CA practices. It's not a
> political forum...
>
> > I've seen MANY rants in past years from people who got infected by signed
> > malware.  They were under the mistaken impression that signed software is
> > software that has been certified by the CA to be virus-free.  Of course,
> > as we know, that's not what a code signing cert means at all.  It merely
> > provides trustworthy identification of the source of the software, and
> > does not attest to the quality of the software.
>
> Sure, I think that the issues mentioned are a bit broader and haven't
> much to do with code signing certificates per se. Distribution of
> malware usually starts at a web site, and this is what the links below say.
>
> > I cannot determine, from the information presented on those pages, if CNNIC
> > was itself the source (the signer) of the signed software,
>
> I nowhere seen anything about signed software, this is your (wrong)
> assumption.
>
> > I think we need to be very careful to avoid getting caught in the trap of
> > thinking of certificates as attestations of morality or competence, and
> > thinking of CAs as judges of morality or competence.  If we allow the role
> > of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> > So, let's define their role as doing something at which they can succeed,
> > namely attesting to binding of keys to vetted identities.
>
> That's why I requested to have this handled at the proper channels.
> Though I think a discussion specially by the affected parties might be
> interesting to have in order to understand more about it. And obviously
> there might be members willing to voice their opinion what should be done...
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org

If we include this cert, the PRC government can hijack any SSL session
WITHOUT any warning to the user.
The PRC government always monitors the online activities of Chinese
pro-democracy people.
You know what's happening with Google.

We need to protect the user whether this is political or not.

Warren, Jan 27, 2010, 9:27:03 PM
On Jan 28, 1:11 am, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
>
> I've also seen a lot of confusion in the past over who is the source if
> signed software.  A lot of people assume that the certificate issuer,
> rather than the certificate subject, is the source of the signed software.
>
> Now, we come to the immediate cases to which Eddy provided links:
>
> I cannot determine, from the information presented on those pages, if CNNIC
> was itself the source (the signer) of the signed software, or was merely the
> issuer of certificates that were used by other subjects to sign malware.
> The middle of those 3 links says that CNNIC had links to another site,
> tech.sina.com.cn, which on its face seems to be another organization.
> This doesn't seem inconsistent with CNNIC's role as a CA.
>
> I think we need to be very careful to avoid getting caught in the trap of
> thinking of certificates as attestations of morality or competence, and
> thinking of CAs as judges of morality or competence.  If we allow the role
> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> So, let's define their role as doing something at which they can succeed,
> namely attesting to binding of keys to vetted identities.

I agree with Eddy. We are not talking about who signed this software.

I am a Chinese internet user. CNNIC has produced a piece of software called
CNNIC_Zhong_Wen_Shang_Wang which is well-known malware in
China. Besides, I remember that this software was signed by Verisign
(this needs to be confirmed), because CNNIC was not a trusted root CA at that time.

This software is usually installed by users' mistake. After it is
installed, pop-up windows, ads, a forced IE homepage, etc. all
come. And it's very difficult to uninstall.

I don't know whether the current version of this software is still
malware. But you can also find some information from Google by
searching "cnnic malware" (without quotes), or you can find some
Chinese people around you to search "CNNIC 中文上网" (
http://www.google.com/search?hl=en&source=hp&q=CNNIC+%E4%B8%AD%E6%96%87%E4%B8%8A%E7%BD%91&aq=f&aql=&aqi=&oq=
). Almost all results are related to "How can I uninstall the d*mn
CNNIC_Zhong_Wen_Shang_Wang".

I don't know whether this certificate will be used for phishing SSL
sessions in future. But I think the worries are reasonable, because of
the internet censorship in China and the GFW project.
Given this organization's past behavior, I personally distrust this
certificate.

http://en.wikipedia.org/wiki/Internet_censorship_in_the_People%27s_Republic_of_China

http://en.wikipedia.org/wiki/Golden_Shield_Project (GFW)

Mike Chen, Jan 28, 2010, 1:24:38 AM
> Chinese people around you to search "CNNIC 中文上网" (http://www.google.com/search?hl=en&source=hp&q=CNNIC+%E4%B8%AD%E6%96%...
> ). Almost all results are relative to "How can I uninstall the d*mn
> CNNIC_Zhong_Wen_Shang_Wang".
>
> I don't know whether this certificate will be used for phishing SSL
> session in future. But I think the worries are reasonable, because of
> the internet censorship in China and GFW project.
> Given this organization's past behavior, I personally untrust this
> certificate.
>
> http://en.wikipedia.org/wiki/Internet_censorship_in_the_People%27s_Re...
>
> http://en.wikipedia.org/wiki/Golden_Shield_Project   (GFW)

Totally agree.

CAs issue certificates to bring people trust; how can people trust
websites signed by a non-trusted CA issuer?
Some say it's about politics, and yes, it can and eventually will be
used by the government for censorship. CNNIC is directly controlled by the PRC
government; it makes no sense that CNNIC can issue with justice.

What can be a nightmare is one day I figure out that Gmail's
certificate is issued by CNNIC and my browser trusts it. THAT SHOULD
NEVER EVER HAPPEN.

So please check out what people are saying about CNNIC on twitter. A
not trusted organization should never be trusted by browsers.

Nelson Bolyard, Jan 28, 2010, 1:40:01 AM
On 2010-01-27 09:28 PST, Eddy Nigg wrote:
> On 01/27/2010 07:11 PM, Nelson Bolyard:
>> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
> I think that the issues mentioned are a bit broader and haven't
> much to do with code signing certificates per se. Distribution of
> malware usually starts at a web site, and this is what the links below say.
>>> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=cnnic.net.cn
>>>
>>> http://www.siteadvisor.com/sites/cnnic.net.cn
>>>
>>> http://en.wikipedia.org/wiki/China_Internet_Network_Information_Center#Malware_Production_And_Distribution
>>>
>> I cannot determine, from the information presented on those pages, if CNNIC
>> was itself the source (the signer) of the signed software,
>
> I nowhere seen anything about signed software, this is your (wrong)
> assumption.

Well, if that's the case, then the protests being lodged against CNNIC as
an issuer of SSL server certs are all the more absurd. The issuance of
an SSL server cert doesn't attest to the morality or competence of the
business dealings of the operator of the SSL server. It only attests
to the pairing or "binding" of the certified name to the certified public
key.

>> I think we need to be very careful to avoid getting caught in the trap of
>> thinking of certificates as attestations of morality or competence, and
>> thinking of CAs as judges of morality or competence. If we allow the role
>> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
>> So, let's define their role as doing something at which they can succeed,
>> namely attesting to binding of keys to vetted identities.
>>
>
> That's why I requested to have this handled at the proper channels.
> Though I think a discussion specially by the affected parties might be
> interesting to have in order to understand more about it. And obviously
> there might be members willing to voice their opinion what should be done...

But my point is that any arguments that are based on the presence of malware
are irrelevant and should not be considered in whether or not
the CA acted properly as a CA. If the CA's cert properly indicated the
name of the party who should be held responsible for the malware, then
IMO the CA did its job admirably and should not be punished for the job
it did as a CA.

Xuqing Kuang, Jan 28, 2010, 1:50:15 AM
Yeah.

I hope the CA certificate could be removed from Firefox as soon as
possible.

It puts the Chinese people in an insecure place.

Xuqing


On Jan 27, 10:14 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I was made aware of some controversial issues regarding the inclusion of
> the CNNIC Root. Please see comments https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item
> thereafter.
>
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect the
> Mozilla CA policy section 4 and 6, maybe also others.
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org

Eddy Nigg, Jan 28, 2010, 6:43:24 AM
On 01/28/2010 08:40 AM, Nelson Bolyard:

> Well, if that's the case, then the protests being lodged against CNNIC as
> an issuer of SSL server certs are all the more absurd.
>

Nelson, before commenting I suggest reading the concerns which were
raised in the comments posted on the bugs in order to understand what
they are. Those start from:

https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18

and

https://bugzilla.mozilla.org/show_bug.cgi?id=542689

> But my point is that any arguments that are based on the presence of malware
> are irrelevant and should not be considered in whether or not
> the CA acted properly as a CA.

This is not the issue, but it was provided by the concerned parties as
part of their "evidence" to confirm those concerns. The claims are
raised in the bug entries and at other places such as twitter and I
believe Mozilla and the community should at least listen to them and
consider if and how they are relevant regarding the root inclusion here.
Apparently there might be issues with the inclusion of this CA root
which we haven't considered here (because nobody raised any concern at
that time).

If the claims are correct, then this might be a serious cause for
concern, which might affect Mozilla policy requirements directly.
However, I asked Kathleen to find the appropriate channels regarding
these claims because it's not something we've ever dealt with here.

doggie, Jan 28, 2010, 7:05:41 AM
On Jan 27, 10:14 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I was made aware of some controversial issues regarding the inclusion of
> the CNNIC Root. Please see comments https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item
> thereafter.
>
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect the
> Mozilla CA policy section 4 and 6, maybe also others.
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org

Totally agreed.

I really hate CNNIC. They do evil.

crewlay, Jan 28, 2010, 7:50:16 AM, to Nelson Bolyard, dev-secur...@lists.mozilla.org
On Thu, Jan 28, 2010 at 2:40 PM, Nelson Bolyard <NOnels...@nobolyardspam.me> wrote:
> On 2010-01-27 09:28 PST, Eddy Nigg wrote:
> > On 01/27/2010 07:11 PM, Nelson Bolyard:
> >> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
> > I think that the issues mentioned are a bit broader and haven't
> > much to do with code signing certificates per se. Distribution of
> > malware usually starts at a web site, and this is what the links below say.
> >>> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=cnnic.net.cn
> >>>
> >>> http://www.siteadvisor.com/sites/cnnic.net.cn
> >>>
> >>> http://en.wikipedia.org/wiki/China_Internet_Network_Information_Center#Malware_Production_And_Distribution
> >>>
> >> I cannot determine, from the information presented on those pages, if CNNIC
> >> was itself the source (the signer) of the signed software,
> >
> > I nowhere seen anything about signed software, this is your (wrong)
> > assumption.
>
> Well, if that's the case, then the protests being lodged against CNNIC as
> an issuer of SSL server certs are all the more absurd.  The issuance of
> an SSL server cert doesn't attest to the morality or competence of the
> business dealings of the operator of the SSL server.  It only attests
> to the pairing or "binding" of the certified name to the certified public
> key.


It is also very absurd to directly build such a notorious, hated certificate into widely accepted open-source software in the PRC; almost everyone is looking for a method to remove it after becoming aware of the bulletin, for either the potential SSL hijack or consistent disgust with CNNIC, and it's so simple to prove that with either a protest poll or something similar.
 
> >> I think we need to be very careful to avoid getting caught in the trap of
> >> thinking of certificates as attestations of morality or competence, and
> >> thinking of CAs as judges of morality or competence.  If we allow the role
> >> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> >> So, let's define their role as doing something at which they can succeed,
> >> namely attesting to binding of keys to vetted identities.
> >>
> >
> > That's why I requested to have this handled at the proper channels.
> > Though I think a discussion specially by the affected parties might be
> > interesting to have in order to understand more about it. And obviously
> > there might be members willing to voice their opinion what should be done...
>
> But my point is that any arguments that are based on the presence of malware
> are irrelevant and should not be considered in whether or not
> the CA acted properly as a CA.  If the CA's cert properly indicated the
> name of the party who should be held responsible for the malware, then
> IMO the CA did its job admirably and should not be punished for the job
> it did as a CA.

_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Johnathan Nightingale, Jan 28, 2010, 11:07:09 AM, to dev-secur...@lists.mozilla.org
On 27-Jan-10, at 9:14 AM, Eddy Nigg wrote:

> I was made aware of some controversial issues regarding the
> inclusion of the CNNIC Root. Please see comments https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item thereafter.
>
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect
> the Mozilla CA policy section 4 and 6, maybe also others.


So, I have a couple reactions here:

1) We have never claimed as a matter of policy that our PKI decisions
can protect people from malicious governments. It's just not a
plausible promise for us to make.
2) I think, regardless of government ties, we'd carefully review and
might well yank trust for any CA that was complicit in MitM attacks.
3) CNNIC complied with our root addition policy, they are in the
product presently, so this isn't a question of approval, this is a
question of whether we should review.

It feels to me like that makes our next step clear, here. It won't
help to tally up the complainants (there will be many), and it won't
help to demand assurances from CNNIC (since the alleged governmental
pressure would trump those anyhow). It certainly won't help to cite
wikipedia.

If there's truth to the allegation, here, then it should be possible
to produce a cert. It should be possible to produce a certificate,
signed by CNNIC, which impersonates a site known to have some other
issuer. A live MitM attack, a paypal cert issued by CNNIC for example.
If anyone in a position to produce such a thing needs help
understanding the mechanics of doing so, I'm sure this forum will help
them.

SSL makes tampering visible to its victims. The certificate has to
actually make it to my client before I can decide to trust it. By all
means, let's arm people with the knowledge to detect and record such
instances. But I don't see any clear step we can take until then.

Does that seem dismissive? I really hope not. I really don't want us
to trust CAs that we can't actually trust, but I don't want our root
program choosing favourites in political debates either.

J

---
Johnathan Nightingale
Human Shield
joh...@mozilla.com

aasa0001 shadewither, Jan 28, 2010, 3:07:51 PM
As a Chinese citizen, let me elaborate two reasons why I do not trust
the CNNIC Root.

1. CNNIC does evil.
Because CNNIC did much evil before, including spreading the malware
mentioned above.

It is apparently pointless to trust CNNIC.

2. CNNIC cannot do its job well.
A few weeks ago, CNNIC announced that the .cn suffix (which is under
the administration of CNNIC) is no longer available to individuals.
Soon after, CNNIC saw a sharp decrease in .cn domain names, and
had to revoke the preposterous decision.

CNNIC so easily screwed up its primary duty that it might fail in other
duties.

So it's a Root CA with an incompetent and (potentially) wicked
organization named CNNIC behind it.
Why would we Chinese bother to believe in it?

There are no political points above, right? It's all about common sense/
feelings.
I did not read the Mozilla CA policies; however, if they conflict with what
I addressed, I would suggest that those policies be reviewed.

Paul Wang, Jan 28, 2010, 4:22:36 PM
On Jan 29, 4:07 AM, aasa0001 shadewither <shdw...@gmail.com> wrote:
> As a Chinese citizen, let me elaborate two reasons why I do not trust
> CNNIC Root.
>
> 1. CNNIC do evil.
> Because CNNIC did much evil before, including spreading the malware
> mentioned above.
>
> It is apparently pointless for to trust CNNIC.
>
> 2. CNNIC cannot do their job well.
> A few weeks ago, CNNIC announced that .cn suffix (which is under
> administration of CNNIC) is not longer available to individuals.
> Soon after CNNIC attained a sharp decrease of .cn domain names, and
> had to revoke the preposterous decision.
>
> CNNIC so easily scewed up its primary duty, it might fail in other
> duties.
>
> So it's a Root CA with an incompetent and (potentially) wicked
> organization named CNNIC behind.
> Why would we Chinese bother to believe in it?
>
> There is no political points above, right? It's all about common sense/
> feelings.
> I did not read Mozilla CA policies, however, if it conflicts with what
> I addressed, I would suggest that those policies be reviewed.

As you may all know, I or anyone in mainland China uses a proxy network,
probably "traveled around the world" to get around the GFW, and
finally get here to the mailing list. So I think the Firefox people
should understand how painful it is for us to live in the shadow of
the GFW, and why people are so upset about CNNIC's root cert getting
trusted.

I'm not sure whether it is a smart move to get involved in political
debates as Johnathan said. But I'm sure getting rid of CNNIC's cert
from the trust list is the right thing to do. Millions of Chinese
Firefox users will thank Firefox for its justice. Google stood out, I
thank them! We thank them! We think they are great! If Firefox can
remove CNNIC from the trust list, we will thank you too!

Is there anyone who agrees with me? Come on, give me some love.

Sincerely,
Wenbo Wang

tophits, Jan 28, 2010, 4:47:03 PM, to lihlii-g
After a second thought, I found that even if Firefox didn't add the CNNIC
root certificate as a built-in object, CNNIC can still issue a false
gmail.com certificate signed by its CNNIC SSL secondary CA certificate,
which is signed by the Entrust.net root CA. The browser will still accept the
forged gmail.com certificate without any warning.

So the inclusion of CNNIC Root CA certificate in Firefox is almost
equivalent to the endorsement by Entrust.net to sign the CNNIC SSL
secondary CA certificate, which CNNIC already acquired years ago.

Thus, it is in fact a serious security design flaw in the way that the
browser handles SSL certificates in the usage scenario. I suggest
the following measures be taken:

1. Display clear warning message of certificate change, which is
possibly a result of MITM attack with a forged certificate. Firefox
should include the addon Certificate Patrol [1] as a built-in module.

2. Eye-catching display of the certificate signing path for HTTPS
connections, e.g. in the address bar or a floating warning bar like
that of an addon installation, because general non-expert users
don't even know how to check the certificate signing path.

It's a big problem, as you can see the PRC government is actively
involved in cyber attacks against its citizens. Their secret agents
used trojan-horse attacks to intrude into Gmail and Google services
successfully [2]. They have a clear intention to intercept, snoop on or
spoof SSL connections. There are successful MITM attack experiments
done on the Internet and the Tor network, by forging a certificate which
general public users won't notice at all because the browser silently
accepts it.

It's a real threat to the trust model of PKI. We should have prompt
countermeasures and actions.

References:

[1] Certificate Patrol http://patrol.psyced.org/
https://addons.mozilla.org/en-US/firefox/addon/6415
[2] Kim Zetter: Google Hack Attack Was Ultra Sophisticated, New
Details Show; January 14, 2010, 8:01 pm; http://www.wired.com/threatlevel/2010/01/operation-aurora/
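The check Johnathan asks for above (arm people to detect and record a certificate for a known site that suddenly chains to a different issuer) and measure 1 in this post are the same check. Added example in Python, not code from the thread, from Certificate Patrol or from Mozilla: the first certificate seen for a host is pinned, later observations are compared to it, and a changed issuer or signing path is reported instead of silently accepted. The host name, CA names and key hashes are constructed placeholders, and the 30-day renewal window is an assumption.

```python
"""Certificate-change detection in the style of the Certificate Patrol
add-on: pin the first certificate seen per host, compare later ones."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class ObservedCert:
    """What a client can read from a server certificate it actually received."""
    host: str
    issuer: str          # issuer of the leaf certificate
    chain: tuple         # signing path: subject names, leaf first, root last
    spki_sha256: str     # hex SHA-256 of the leaf public key
    not_before: datetime
    not_after: datetime


# Assumption: a new key from the same issuer counts as a routine renewal
# only when the pinned certificate was about to expire anyway.
RENEWAL_WINDOW = timedelta(days=30)


def signing_path(cert):
    """Render the chain the way measure 2 asks the browser to show it:
    leaf first, root last, with the vouching root called out."""
    return " <- ".join(cert.chain) + f"  (root: {cert.chain[-1]})"


class CertPatrol:
    def __init__(self):
        self.pinned = {}    # host -> first ObservedCert seen for that host
        self.events = []    # (host, verdict, pinned path, seen path) to report

    def observe(self, cert, now):
        """Return a verdict for a freshly received certificate for cert.host."""
        known = self.pinned.get(cert.host)
        if known is None:
            self.pinned[cert.host] = cert
            return "first-seen"
        if known.spki_sha256 == cert.spki_sha256 and known.chain == cert.chain:
            return "unchanged"
        if known.issuer != cert.issuer or known.chain[-1] != cert.chain[-1]:
            # The case the thread worries about: a different CA, also trusted
            # by the browser, vouching for a host already known under another.
            verdict = "issuer-changed"
        elif (known.not_after - now <= RENEWAL_WINDOW
              and cert.not_before <= now <= cert.not_after):
            verdict = "renewal"
            self.pinned[cert.host] = cert      # accept the key rollover
        else:
            verdict = "key-changed"            # same CA, unexplained new key
        if verdict != "renewal":
            self.events.append((cert.host, verdict,
                                signing_path(known), signing_path(cert)))
        return verdict


def _cert(host, issuer, root, key_label, not_before, not_after):
    """Constructed observation; the hash of a label stands in for a real
    SubjectPublicKeyInfo digest."""
    return ObservedCert(host, issuer, (host, issuer, root),
                        hashlib.sha256(key_label.encode()).hexdigest(),
                        not_before, not_after)


# Constructed observations for a placeholder host; no real CA is named.
NOW = datetime(2010, 1, 28)
FIRST = _cert("mail.example.test", "Example Issuing CA", "Example Root CA",
              "key-A", datetime(2009, 2, 1), datetime(2010, 2, 15))
FOREIGN = _cert("mail.example.test", "Other Issuing CA", "Other Root CA",
                "key-X", datetime(2010, 1, 20), datetime(2011, 1, 20))
RENEWED = _cert("mail.example.test", "Example Issuing CA", "Example Root CA",
                "key-B", datetime(2010, 1, 20), datetime(2011, 1, 20))


def run_demo():
    """Feed the constructed observations through the patrol in order and
    return the verdicts plus the events a user would be shown."""
    patrol = CertPatrol()
    sequence = (FIRST, FIRST, FOREIGN, RENEWED, FIRST)
    verdicts = [patrol.observe(c, NOW) for c in sequence]
    return verdicts, patrol.events


if __name__ == "__main__":
    verdicts, events = run_demo()
    print(verdicts)
    for host, verdict, old, new in events:
        print(f"{host}: {verdict}\n  pinned: {old}\n  seen:   {new}")
```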

Paul Wang, Jan 28, 2010, 6:17:11 PM
> [1] Certificate Patrol http://patrol.psyced.org/
> https://addons.mozilla.org/en-US/firefox/addon/6415
> [2] Kim Zetter: Google Hack Attack Was Ultra Sophisticated, New
> Details Show; January 14, 2010, 8:01 pm; http://www.wired.com/threatlevel/2010/01/operation-aurora/

Thank you Tophits, for supporting us who are under monitoring and
severely limited regarding internet freedom.
I may be risking my personal freedom to discuss with you here.
Freedom is the spirit of open source anyway, isn't it?
If even SSL fails to protect us, then we can lose the only privacy
or freedom we have left.
I guess I can still remove CNNIC and Entrust.net from the trust list
manually anyway. But disasters could happen to general users who
"accidentally" said something the government doesn't like to hear. It's
horrible even thinking about it. People's privacy and freedom of
speech are all I am concerned about.
Displaying the warning and signing path sounds like a good idea, better
than silently doing nothing. Thank you again.

Sincerely,
Wenbo Wang

Eddy Nigg, Jan 28, 2010, 6:29:17 PM
On 01/28/2010 06:07 PM, Johnathan Nightingale:

Thanks Johnathan for your response and guidance. I believe there isn't
an easy solution unfortunately for those affected and neither for
Mozilla. I think it's correct that we should stick to the technical
requirements and facts, but act upon them swiftly if any evidence is
presented that might infringe on the Mozilla CA policy.

Currently section #4 of the policy comes to mind, in particular
"knowingly issue certificates that appear to be intended for fraudulent
use." If CNNIC is directly branded by anti-virus and other safeguarding
groups as a source for distributing malware, there might be a problem.

Additionally section #6 calls for "provide some service relevant to
typical users of our software products"; apparently for some this root
presents a disservice. I don't know how to evaluate that or
what to recommend, but I believe it's worth looking at it and listening
carefully to complaints.

More disturbing, however, is that apparently this news group can't be
accessed, according to
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c28
This makes participation here difficult and I wonder if this happened on
purpose. Such a fact would have made our process and public comments
period void of any value, and if the allegations are correct we could
call for annulling the previous decision taken here. The purpose of the
public comments period is to voice, amongst others, the concerns we are
hearing today. If those rights were withheld for a large group affected
by this root inclusion and/or the proceedings here were not known to
them, it could present a valid reason to reconsider the previously made
decision.

陈少举, Jan 28, 2010, 8:24:33 PM
agree

David E. Ross, Jan 28, 2010, 10:11:06 PM

On reviewing bug #476766, I see in comment #5 Liu Yan's (the applicant)
assertion: "CNNIC is not a Chinese Government organization."

However, later comments by users in China seem to indicate the contrary.
Comment #18 states: "CNNIC is an infamous organ of the Chinese
Communist government to monitor and control the Internet in China."
Comment #23 states: "...CNNIC is infamous in China and it has a lot of
connections with the government..." Comment #24 states: "It has very
closed tie with Chinese government and CPC (or CCP [Chinese Communist
Party?])."

If any of these comments are true, then the application violates the
second bullet under section 6 of the Mozilla CA Certificate Policy:

> We require that all CAs whose certificates are distributed with our
> software products:
>
> * publicly disclose information about their policies and business practices

That is, the relationship between CNNIC and the government or political
structure of China -- a business practice -- has not been publicly
disclosed.

I am further concerned about the fact that individuals inside China are
blocked from participating in this discussion, perhaps by the "great
firewall". If CNNIC indeed operates independently of the government and
political structure of China and is indeed worthy of the trust implied
by having its root certificate in the NSS database, then why would
anyone object to a discussion of this issue?

--

David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997

LionheartZhang

Jan 29, 2010, 1:04:06 AM

> [1] Certificate Patrol http://patrol.psyced.org/ https://addons.mozilla.org/en-US/firefox/addon/6415

> [2] Kim Zetter: Google Hack Attack Was Ultra Sophisticated, New
> Details Show; January 14, 2010, 8:01 pm; http://www.wired.com/threatlevel/2010/01/operation-aurora/

+1. A more compelling way should be used to prompt the user to change
any of the relevant certificates.
CNNIC is a puppet for the PRC Government to provide all facilities; we
do not believe CNNIC. I have cancelled the trust option for the CNNIC
ROOT and the related certificates, but not everyone knows how to do it.
Since the issuance of certificates for CNNIC, I have cancelled the trust
of Entrust; I would rather give up their certificates and use Entrust
on any website. I do not want this list to continue to grow.
I'm just an ordinary Chinese netizen; my main purpose is to obtain
information and knowledge, but the PRC Government does everything
possible to intercept them. That the SSL certificate is used to attack
will surprise no one; there are certain web-based Chinese netizens who
think that this is a matter of course and will happen.

makrober

Jan 29, 2010, 2:42:33 AM
to dev-secur...@lists.mozilla.org, Johnathan Nightingale

Johnathan Nightingale wrote:
> 1) We have never claimed as a matter of policy that our PKI decisions
> can protect people from malicious governments. It's just not a plausible
> promise for us to make.

With due respect, "never have made the promise" just doesn't cut it in
my eyes. To turn it around: never was there any warning to the user base
that there is some "special class" of miscreants that Mozilla would not
protect the users from. This can be explained (but not excused) by the
mindset of those that instituted the process: in their minds, "governments",
by definition, can't be miscreants. I and (as that discussion on bugzilla
demonstrates) many, many, others do not share this mindset.

Perhaps it is time to review the process. It would be smart to take Mozilla
out of the trust business. At the very least, all root certificates that
are included should not be trusted until the user explicitly turns those he
or she knows and trusts (and needs for his or her transactions) on.

MacRober

Justin Dolske

Jan 29, 2010, 4:39:31 AM

On 1/28/10 8:07 AM, Johnathan Nightingale wrote:

> If there's truth to the allegation, here, then it should be possible to
> produce a cert. It should be possible to produce a certificate, signed
> by CNNIC, which impersonates a site known to have some other issuer. A
> live MitM attack, a paypal cert issued by CNNIC for example. If anyone
> in a position to produce such a thing needs help understanding the
> mechanics of doing so, I'm sure this forum will help them.

As a related aside...

It would be an interesting experiment to create an addon to crowd-source
checking for such certs. Not as a CNNIC-specific issue, but any case of
valid certs for a site coming from an unexpected CA. It could also be
easy to just store a local record of certs you've encountered, and
warn you when a site's cert has changed.

Justin

Eddy Nigg

Jan 29, 2010, 7:28:08 AM

On 01/29/2010 09:42 AM, makrober:

> Johnathan Nightingale wrote:
>> 1) We have never claimed as a matter of policy that our PKI decisions
>> can protect people from malicious governments. It's just not a
>> plausible promise for us to make.
>
> With due respect, "never have made the promise" just doesn't cut it in
> my eyes.


Even though I agree with you that there is an understanding that the
security decisions taken at Mozilla, be it by fixing flaws or here at
this group with admitting CAs, are made to protect and provide
reasonable security to the users, I'm ignoring the rest of your message
as a distraction from the problem at hand. If you feel you would like to
discuss your idea, let's do so under a different thread.

Having said that, most CAs disclose in their policies compliance with
local legislation and law. If those laws allow for MITMs, we obviously
should consider this accordingly. In the meantime some more comments
have been posted at the various bugs; I'd like to highlight one of them
since there is some relevance to the above:

On CNNIC website, it's clearly stated that CNNIC is directly administrated by
both "Ministry of Industry and Information Technology of the PRC" and Chinese
Academy of Sciences (budget controlled by the government).

You are right, CNNIC is not a government, but it's directly managed by the
government and did everything that Chinese government asked it to do.

tophits

Jan 29, 2010, 12:28:40 PM
to lihlii-g

There are several related addons for Firefox for similar purposes. I
hope they will be included as core modules in Firefox soon.

Certificate Patrol [1] warns users with a pop-up window whenever the
certificate of a website changes. But it's not updated to be
compatible with the newest 3.6 version of Firefox yet.

Perspectives [2] tries to verify the certificate of a website from
various notary sources. It's a good idea, but I tested and found it
not functional, or the notary services are not stable enough yet.

At least I think the user interface of Firefox should be improved to
address such security threats as false-certificate MITM attacks against
SSL. Many Chinese programmers believe (or suspect) that the PRC
government already started to do such MITM attacks. This is why the
inclusion of the CNNIC root certificate caused an Internet protest to
remove it from the browser and OS certificate storage. A simple
Google search [3] will tell you what most Chinese programmers think
about this. Most of them are discussing how to remove or disable this
newly added root CA! :)

Technically speaking, even if the CNNIC root CA is not included as a
builtin object of Firefox, it CAN still issue false certificates with
their legitimate secondary CA certificate signed by Entrust.net, to
intercept SSL connections with websites like gmail.com while the
browser won't show any warning about this. The surprise and opposition
in the Chinese technical community reflects the security concerns of
the Chinese Internet users and shows what a reputation CNNIC has
accumulated with their actual behaviors over the past years. This
even eroded the user trust in Entrust.net and Firefox, because
Entrust.net issued a secondary CA certificate to CNNIC. Many
programmers suggested removing the root CA certificates of
Entrust.net together.

I agree with some comments here, that the key issue is: A secure
browser should tell the users clearly what they're trusting, and let
them choose whether to trust or not.

Whether a root CA is trustworthy or not, that's the social judgement,
a part of the trust model that a browser should not and can't
determine. The browser should provide an easy and clear UI for the
users to make the decision.


References:

[1] Certificate Patrol https://addons.mozilla.org/en-US/firefox/addon/6415
[2] Perspectives : Firefox Extension http://www.cs.cmu.edu/~perspectives/firefox.html
[3] Google search: CNNIC 证书 http://www.google.com/search?q=CNNIC+%E8%AF%81%E4%B9%A6

>> How to delete CNNIC's root certificate from Firefox on a Mac - Jan 27
Correction: http://www.cnnic.cn/download/crl/CRL1.crl is the certificate revocation list of CNNIC's root certificate. I don't know how to
create my own distrust list; does anyone know how to create a certificate revocation list? ...
https://www.zuola.com/weblog/?p=1454

How to block the untrusted CNNIC certificate << scavin weblog
Jan 27, 2010 ... Yes, CNNIC, this completely untrustworthy "relevant department", has actually lured Microsoft into listing it as a root certificate issuer; this news is terrifying. And
Firefox also trusts the CNNIC certificate, which is a crazy thing, ...
blog.lzzxt.com/394

玩聚SR | How to block the untrusted CNNIC certificate | 52 recommenders - hot article snapshot
Hot article snapshot of "How to block the untrusted CNNIC certificate": Yes, CNNIC, this completely untrustworthy "relevant department", has actually lured Microsoft into listing it as a root certificate issuer; this news is
terrifying.
sr.ju690.com/meme/item/59498

Block the untrusted CNNIC certificate.docx - Download - Shared materials
Block the untrusted CNNIC certificate.docx, download, IT materials, solutions. ... Note: CNNIC has been added to the root certificates by Microsoft and Firefox; this is a very scary
thing, so we must delete it! ...
ishare.iask.sina.com.cn/f/6665520.html

Nabble - GFans - How to block the untrusted CNNIC certificate
4 posts - 2 authors - Last post: yesterday
How to block the untrusted CNNIC certificate. This is very, very important and must be done properly. It is even more important than guarding against viruses and rogue software! Sent to you by 夜の猫
via Google Reader: How to block ...
old.nabble.com/如何阻止不信任的-CNNIC-证书-td27342964.html

Firefox and Microsoft have added CNNIC to the root certificate list; how to block the CNNIC certificate ...
Jan 28, 2010 ... SummerWa wrote: Microsoft and Firefox have added CNNIC to the certificate list as a root certificate authority:
Microsoft | An IT blog about the latest Internet news.
http://www.pcstar.org.ru/main/2010-01/632-firefox-microsoft-cnnic-root-certificates.html
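
The point made in the post above about the Entrust.net-issued secondary CA, as an added example that is not code from the thread, from Firefox/NSS or from any CA: a minimal model of certificate path validation in Python. Signature verification is replaced by issuer/subject name linkage (a real validator also checks every signature, name constraints, key usage and revocation), and every certificate name and fingerprint below is constructed for the illustration. It shows that deleting a root from the trust store leaves any leaf that chains through a subordinate CA to another trusted root fully valid, and that only an explicit distrust entry for the subordinate CA's own fingerprint (the `distrusted` set here, an assumed mechanism) closes that path.

```python
"""Minimal model of X.509 path validation (added example, constructed data).

Signatures are modelled by issuer/subject name linkage only; real
validation verifies each signature, name constraints, key usage and
revocation as well. All certificates and fingerprints are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str   # constructed stand-in for the hash of the DER encoding
    is_ca: bool        # basicConstraints cA flag
    not_before: date
    not_after: date


def build_chain(leaf: Cert, pool: dict) -> list:
    """Follow issuer links through the pool until a self-signed cert or a gap."""
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        nxt = pool.get(chain[-1].issuer)
        if nxt is None or nxt in chain:   # missing issuer, or a loop
            break
        chain.append(nxt)
    return chain


def validate(leaf, pool, trust_anchors, distrusted=frozenset(),
             today=date(2010, 1, 30)):
    """Return (ok, reason, subjects of the path considered).

    The path is accepted at the first certificate whose fingerprint is a
    trust anchor; anything above that point is irrelevant, which is why
    removing a root does not matter once a subordinate CA chains elsewhere.
    """
    chain = build_chain(leaf, pool)
    names = [c.subject for c in chain]
    for i, c in enumerate(chain):
        if c.fingerprint in distrusted:
            return False, "explicitly distrusted: " + c.subject, names
        if not (c.not_before <= today <= c.not_after):
            return False, "outside validity: " + c.subject, names
        if i > 0 and not c.is_ca:
            return False, "not a CA: " + c.subject, names
        if c.fingerprint in trust_anchors:
            return True, "anchored at " + c.subject, names[: i + 1]
    return False, "no trust anchor reached", names


def _cert(subject, issuer, fingerprint, is_ca):
    return Cert(subject, issuer, fingerprint, is_ca,
                date(2009, 1, 1), date(2019, 1, 1))


# Constructed stand-ins for the CAs the thread talks about.
ENTRUST_ROOT = _cert("Entrust.net Root (constructed)",
                     "Entrust.net Root (constructed)", "fp-entrust-root", True)
CNNIC_ROOT = _cert("CNNIC ROOT (constructed)",
                   "CNNIC ROOT (constructed)", "fp-cnnic-root", True)
CNNIC_SUB_CA = _cert("CNNIC Sub CA (constructed)",
                     "Entrust.net Root (constructed)", "fp-cnnic-sub", True)
LEAF_VIA_SUB_CA = _cert("www.example.com", "CNNIC Sub CA (constructed)",
                        "fp-leaf-sub", False)
LEAF_VIA_ROOT = _cert("www.example.com", "CNNIC ROOT (constructed)",
                      "fp-leaf-root", False)

# Issuer certificates the client can find, keyed by subject name.
POOL = {c.subject: c for c in (ENTRUST_ROOT, CNNIC_ROOT, CNNIC_SUB_CA)}


def scenarios() -> dict:
    """The four trust-store configurations discussed in the thread."""
    with_cnnic = {"fp-entrust-root", "fp-cnnic-root"}
    without_cnnic = {"fp-entrust-root"}
    return {
        "root trusted, leaf via CNNIC root":
            validate(LEAF_VIA_ROOT, POOL, with_cnnic),
        "root removed, leaf via CNNIC root":
            validate(LEAF_VIA_ROOT, POOL, without_cnnic),
        "root removed, leaf via Entrust-issued sub CA":
            validate(LEAF_VIA_SUB_CA, POOL, without_cnnic),
        "root removed and sub CA distrusted":
            validate(LEAF_VIA_SUB_CA, POOL, without_cnnic,
                     distrusted={"fp-cnnic-sub"}),
    }


if __name__ == "__main__":
    for name, (ok, reason, path) in scenarios().items():
        print(f"{name:46} {'OK ' if ok else 'FAIL'} {reason}  path={path}")
```

The second and third scenarios are the ones the post is about: with the CNNIC root deleted, a leaf issued directly under that root fails, but a leaf issued under the Entrust-signed subordinate CA still validates with a path that ends at the Entrust root. Only the fourth scenario, which marks the subordinate CA itself as distrusted, rejects that path; deleting roots alone is not a complete remedy.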

David E. Ross

Jan 29, 2010, 10:31:15 AM

But the applicant (Liu Yan) asserted in comment #5 of bug #476766:

"CNNIC is not a Chinese Government organization."

This is the point of my earlier response in this thread.

tophits

Jan 29, 2010, 3:40:24 PM

Liu Yan said [4][5], "obviously CNNIC is not a government", but "just
offers service on technology and research"[4].

1. Is it considered by CNNIC as "service on technology and research"
to spread malware with administrative power to spy on Internet users?

2. Is it considered by CNNIC as "service on technology and research"
to ban personal website registration in the .cn domain space [1][2]
[17]?

3. CNNIC banned the DNS resolving of a lot of independent websites,
such as bulllog.cn [1][2]. Is this considered by CNNIC as your way of
"service" of "registry for Chinese Domain Name"[4]? Is this
considered by CNNIC as "the similar role as VeriSign"[4]?

4. Is CNNIC "qualified with the international criteria"[4] as a
trustworthy certificate authority?

5. Why did Liu Yan try to mask the real face of the PRC governmental
nature of CNNIC [5]? Why did he even try to hide the application by
setting the bug report to "Restricted Visibility"[6] at first?

6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet
security"[5]. Is it considered by CNNIC as "operation to protect
Internet security" by spreading unremovable malware to spy on users'
Internet activities exploiting security flaws of the browsers, as
CNNIC did [9][18]?

Liu Yan further claimed that "the WebTrust audit for government is
much simpler compared to company"[4].

So do you think CNNIC is a government or not? If CNNIC is controlled
by the PRC government, why don't you dare to clearly admit it, but
misled the readers by posing as a "just offers service on technology
and research" [4]? What's the motivation to hide the real identity of
CNNIC? :)

Liu Yan said: "There is no possible for us to monitor the user's
actions or do some attacks. I think every technical personnel knows
that."[4]

Unfortunately, this is an arrant lie. CNNIC not only DID "monitor the
users' actions" with intentionally spread malware [9], but also
cooperated actively with the PRC government to crack down on independent
blogs and websites [1][2][17]. It's also highly possible that they
may actively cooperate in MITM attacks with such a government which
attacked [15][16] its citizens, as well as dozens of companies and
many computers of foreign civil organizations and government offices
[10][11].

Further, is the PRC government a decent government?

Should a government put all their citizens in an information jail by
building a GFW (Great Firewall) [7][8][14] to block their access to
Internet?
Should a government enforce news and speech censorship [14] on all the
websites including search engines to block criticism on the crimes
they committed?
Should a government jail journalists and writers for their free speech
[14]?
Should a government kill the college students and citizens with guns,
and roll over the bodies of college students with tanks? [19]
Should a government cheat the world by hiding information about SARS
and melamine contaminated milk[3] which caused repetitive man-made
disasters, and further punish those who told the truth?

Is this PRC government a real government, or is it a mafia group? :)

Liu Yan claimed that the CNNIC is a subordinate of "Chinese Academy of
Sciences". Let's take a look at what kind of "research" the "Chinese
Academy of Sciences" has done before. :)

The Institute of Acoustics, Chinese Academy of Sciences closely
cooperated with the PRC government in Internet censorship. Same as
CNNIC which "takes orders from the Ministry of Information Industry
(MII)" [26], they developed some natural language machine
understanding algorithms for Internet text censorship [25]. The
target of their research is to distinguish speeches of the opponents
of the government from those of the proponents, which general keyword
based filtering can't achieve. Their "research" was already deployed
in the censorware "Green Dam"[22][23], which was ordered by the MII to
be installed on each new PC in the manufacturing process. Although this
plan failed, they must have started some other plots to achieve the
same goal.

> 根据“绿坝-花季护航“软件官方网站(http://www.lssw365.net)的介绍:
>
>   2008年7月,在工业和信息化部的直接领导下,两家成交供应商项目负责人和主要项目人员共同组成绿色上网过滤软件项目工作组,全面负责“绿坝·花季护航”绿色软件的研发、推广及相关服务工作。[...]更好的配合第三方监测机构的监测工作,确保绿色上网过滤软件项目的顺利实施。 [20]
>
> According to the official website of "Green Dam - Youth Escort" (http://www.lssw365.net):
> In July of 2008, under the direct administration of the Ministry of Industry and Information, the project managers and major staff of the two chosen suppliers formed a green Internet filtering software project workgroup which was in full charge of development, deployment and relative services of the "Green Dam - Youth Escort" green software. [...] for better cooperation in monitoring the web with third party monitoring organs (of the government) to ensure successful implementation of the green Internet filtering software project. [20]

> 链接:http://www.ccgp.gov.cn/gzdt/366770.shtml
>
>   2008年5月,工信部发布了一份《“绿色上网过滤软件产品一年使用权及相关服务采购”竞争性谈判结果的公告》:
> 一、采购人:中华人民共和国工业和信息化部
> [...]
> 四、成交供应商:郑州金惠计算机系统工程有限公司、北京大正语言知识处理科技有限公司 [...]
>     北京大正语言知识处理科技有限公司成交19,900,000元整(大写:壹仟玖佰玖拾万元)。[21]
>
> Link: http://www.ccgp.gov.cn/gzdt/366770.shtml
> In May 2008, The Ministry of Industry and Information issued an "Announcement of Competitive Negotiation Results for '[Governmental] Purchase of One Year Usage Licence and Related Services of Green Internet Filtering Software Product'"
>
> A. Purchaser: Ministry of Industry and Information, PRC
> [...]
> D. Chosen Supplier: Jinhui Computer System Engineering Inc., Zhengzhou City. Beijing Dazheng Language and Knowledge Processing Technology Inc. [...]
> Beijing Dazheng Language and Knowledge Processing Tech. Inc. got a project valued 19,900,000 CNY (About 2.9 million USD). [21]

> [...] 与中科院声学所合作注册成立了北京大正语言知识处理研究院 [20][21]
>
> [...] established the Beijing Dazheng Language and Knowledge Processing Tech. Inc. together with the Institute of Acoustics, Chinese Academy of Sciences. [20][21]

> @gonewater: 绿坝软件两开发商之一北京大正的董事长陈小盟,[...]其在中科院声学所主持开发的HNC网络信息过滤器,2003年实现了语义分析与过滤,并被率先运用在反轮子战线上 #greendam [21][24]
>
> @gonewater [a twitter user]: As the chairman of the board of Beijing Dazheng company which is one of the two developers of the "Green Dam" software, he was in charge of the development of HNC Internet Information Filter at the Institute of Acoustics, Chinese Academy of Sciences. The filter achieved semantic analysis and filtering in 2003 and was used primarily in the battle against the Falungong [27]. [21][24]

> 郑州金惠计算机系统工程有限公司和北京大正语言知识处理有限公司,他们是该软件的联合开发者,前者主要负责图像过滤,后者主要负责文字过滤。[21] - 南方周末记者 胡贲 实习生 郭仕鹏 2009-06-10 23:45:12
>
> Zhengzhou Jinhui Computer System Engineering Inc. and Beijing Dazheng Language and Knowledge Processing Tech. Inc. teamed up in the development of the filtering software. The former one was responsible for the image filtering part, while the later one was responsible for the text filtering part. [21] - Report on the newspaper "Southern Weekend" by Ben Hu, 10 June 2009.

> 中国科学院声学研究所HNC研究团队集多年从事自然语言理解处理的核心技术,成功研发出具有语义理解特点的“网络不良信息检测系统”,将为净化网络世界的内容做出贡献。目前这一系统主要针对网络上出现的色情、反动、低俗等不良信息,根据指定的网站自动进行内容下载、检测并给检测报告。不同于以往的基于关键字词的检测系统,能够区分出不良信息和批判不良信息的网页内容,对不能做出判断的内容还能提出警告,供人工判别。[25]
>
> The HNC research team of the Institute of Acoustics, Chinese Academy of Sciences combined the core techniques they acquired through many years of research they did on natural language understanding and processing and successfully developed a "Internet Bad Information Detection System" featuring semantic understanding capabilities. It will contribute to the clean-up of the content in the Internet world. Currently this system is primarily targeted at erotic, counter-revolutionary and vulgar information appeared on the Internet. It can download content automatically from specified websites, detect and present reports. Different from previous keyword based detection systems, it can distinguish web pages of bad information from criticisms against bad information. For those pages that it fails to judge, it can raise a warning message for human judgement. [25]


References:

[1] Bullog.cn http://en.wikipedia.org/wiki/Bullog.cn
[2] 牛博网 http://zh.wikipedia.org/wiki/%E7%89%9B%E5%8D%9A%E7%BD%91
[3] 2008 Chinese milk scandal / Censorship
http://en.wikipedia.org/wiki/2008_Chinese_milk_scandal#Censorship
[4] Liu Yan: Every technical personnel knows that; 2010-01-28 17:40:47
PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c29
[5] Liu Yan: CNNIC is not a Chinese Government organization;
2009-02-15 23:01:59 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c5
[6] Kathleen Wilson: This bug is set for Restricted Visibility;
2009-02-11 11:43:10 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c4
[7] Golden Shield Project http://en.wikipedia.org/wiki/Golden_Shield_Project
[8] 金盾工程 http://zh.wikipedia.org/wiki/%E9%87%91%E7%9B%BE%E5%B7%A5%E7%A8%8B
[9] China Internet Network Information Center; / Malware Production
And Distribution; http://en.wikipedia.org/wiki/CNNIC#Malware_Production_And_Distribution
[10] GhostNet; http://en.wikipedia.org/wiki/Ghostnet
[11] 幽灵网; http://zh.wikipedia.org/wiki/%E5%B9%BD%E7%81%B5%E7%BD%91
[12] David Drummond, SVP, Corporate Development and Chief Legal
Officer: A new approach to China; http://www.webcitation.org/5n92WuwKT
= http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
[13] 中华人民共和国网络审查;
http://zh.wikipedia.org/zh-cn/%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E7%BD%91%E7%BB%9C%E5%AE%A1%E6%9F%A5
[14] Internet censorship in the People's Republic of China;
http://en.wikipedia.org/wiki/Internet_censorship_in_the_People's_Republic_of_China
[15] 极光行动; http://zh.wikipedia.org/wiki/%E6%9E%81%E5%85%89%E8%A1%8C%E5%8A%A8
[16] Operation Aurora; http://en.wikipedia.org/wiki/Operation_Aurora
[17] CNNIC Halts Website Domain Name Registration For Individuals In
China;
December 15, 2009;
http://www.chinatechnews.com/2009/12/15/11208-cnnic-halts-website-domain-name-registration-for-individuals-in-china
[18] 中国互联网络信息中心;
http://zh.wikipedia.org/wiki/%E4%B8%AD%E5%9C%8B%E4%BA%92%E8%81%AF%E7%B6%B2%E7%B5%A1%E4%BF%A1%E6%81%AF%E4%B8%AD%E5%BF%83#.E7.88.AD.E8.AD.B0
[19] Tiananmen Square protests of 1989; http://en.wikipedia.org/wiki/Tiananmen_Square_protests_of_1989
[20] Reports about Green Dam; https://groups.google.com/group/lihlii/msg/cff76953d4508ad7
[21] Analysis of the Green Dam Censorware System;
https://groups.google.com/group/lihlii/msg/64b28befc01f8394
[22] Green Dam Youth Escort; http://en.wikipedia.org/wiki/Green_Dam
[23] 绿坝·花季护航; http://zh.wikipedia.org/zh-cn/%E7%B6%A0%E5%A3%A9%C2%B7%E8%8A%B1%E5%AD%A3%E8%AD%B7%E8%88%AA
[24] 中科院声学所主持开发的HNC网络信息过滤器,2003年实现了语义分析与过滤,并被率先运用在反轮子战线上;
http://twitter.com/rmack/statuses/2090288450
[25] jiangzuyu: 中科院声学所成功研发网络不良信息检测系统; 网脉e代社区论坛; 2009-2-12 10:43;
http://www.webcitation.org/5n9L4Z4mq = http://community.wm360.cn/space/index.php/viewthread-67157.html
[26] CNNIC takes orders from the Ministry of Information Industry
(MII) to conduct daily business; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c14
[27] Falun Gong / Continued protests and statewide suppression;
http://en.wikipedia.org/wiki/Falun_Gong#Continued_protests_and_statewide_suppression

tophits

Jan 29, 2010, 4:06:05 PM

Some corrections:

> 6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet security"[5]. Is it considered by CNNIC as "operation to protect Internet security" by spreading unremovable malware to spy on users' Internet activities exploiting security flaws of the browsers, as CNNIC did [9][18]?

by spreading unremovable malware exploiting security flaws of the
browsers to spy on users' Internet activities

> So do you think CNNIC is a government or not? If CNNIC is controlled by the PRC government, why don't you dare to clearly admit it, but misled the readers by posing as a "just offers service on technology and research" [4]? What's the motivation to hide the real identity of CNNIC? :)

by posing as an organization which "just offers service on technology
and research"

> @gonewater [a twitter user]: As the chairman of the board of Beijing Dazheng company which is one of the two developers of the "Green Dam" software,

Xiaomeng Chen, as the chairman of the board of Beijing Dazheng company
which is one of the two developers of the "Green Dam" software,

> developed a "Internet Bad Information Detection System" featuring semantic understanding capabilities. It will contribute to the clean-up of the content in the Internet world.

developed an "Internet Bad Information Detection System" featuring
semantic understanding capabilities. It will contribute to the
purification of contents in the Internet world.

> Currently this system is primarily targeted at erotic, counter-revolutionary and vulgar information appeared on the Internet.

Currently this system is primarily targeted at erotic, reactionist
[means anti Communist Party of China] and vulgar information appeared
on the Internet.

Wenbo Wang

Jan 29, 2010, 5:29:33 PM

On Jan 30, 1:28 AM, tophits <wan...@gmail.com> wrote:
> I agree with some comments here, that the key issue is: A secure
> browser should tell the users clearly what they're trusting, and let
> them choose whether to trust or not.
>
> Whether a root CA is trustworthy or not, that's the social judgement,
> a part of the trust model that a browser should not and can't
> determine. The browser should provide an easy and clear UI for the
> users to make the decision.

Good point! You've made it so clear to me. *Applaud*

BRs
Wenbo Wang

tophits

Jan 29, 2010, 5:47:14 PM
to lihlii-g

Dear Johnathan,

Do you think certificates from liars should be included in Firefox? :)

> Jonathan: might well yank trust for any CA that was complicit in MitM attacks.

Does the word "was" mean that until the MitM attack happened, any
organizations can put their root CA certificates in Firefox provided
that they can buy endorsement "services" from accountant companies like
Ernst&Young [1] to acquire "trust" from webtrust.org?

The real concern of many Chinese programmers is not about "was", but
"may", as CNNIC already "DID" quite some dirty things before! Now it's a
new capability that the inclusion of the root certificate of CNNIC will
grant to the PRC government.

Anyway, since they already got a secondary CA certificate issued by
Entrust.net, adding CNNIC as a root CA is not introducing more problems.
But this discussion is an alert on the trust model of PKI when we face
a rogue government and their minion organizations.

We should improve the browser to ask for permission from the end users
to grant trust to each root CA when it's used in each session (not only
the first time), clearly display the certificate signing path, and
warn them of any change in certificates (to be alert to a MitM attack).
This seems paranoid, but it's because we're facing real threats of
attacks from a powerful rogue government, from which even big companies
like Google and well-equipped government offices suffered.

The security model of SSL was practically in danger because of the
design flaw of the browser placing blind trust in root CAs without
consent from the users. Since the CA certificates of rogue government
agencies were added, we should consider Firefox a rogue-government
controlled browser in the default configuration.

[1] https://cert.webtrust.org/SealFile?seal=935&file=pdf

tophits

Jan 29, 2010, 6:21:30 PM
to lihlii-g

Dear Eddy,

Please notice the fact that there is no such thing as "law" in PRC.
All that exist are "rules".
Those companies who do evil things in China always say that they need
to comply with local "laws". That's not true.

There is no LAW in PR China, but only RULES determined completely by
the 9-person "Standing Committee of Central Political Bureau" of the
Chinese Communist Party (CCP). There is no legal legislation, but all
rules are determined by the CCP. The "People's Delegation Congress"
is only a "rubber seal" to pretend to pass the "rules" made by the
CCP.

--- Comment #37 from Eddy Nigg (StartCom) <eddy...@startcom.org>
2010-01-29 15:12:13 PST ---
(In reply to comment #36)

> > Jonathan: might well yank trust for any CA that was complicit in MitM attacks.
> >
> > lihlii:
> > Does the word "was" mean that until the MitM attack happened, any organizations
> > can put their root CA certificates in Firefox provided that they can buy
> > endorsement "services" from accountant companies like Ernst&Young [1] to
> > acquire "trust" from webtrust.org?

Again, Bugzilla should not be used for advocacy! Nevertheless a short
reply. I know Ernst & Young and have performed audits with them myself.
Hence I'm trusting their attestation.

However it's common for CAs to comply to local laws and there might be a
problem if the law would allow MITM attacks on its citizens. This would
be counter to the Mozilla CA policy, even if a notable auditor audited
the CA and the CA has disclosed its adherence to the local laws
correctly.

tophits

Jan 29, 2010, 8:17:06 PM
to lihlii-g, 网络安全

J:

we'd carefully review and might well yank trust for any CA that was
complicit in MitM attacks.

L:
The problem is that CNNIC might have already aided some MitM attacks
with their secondary CA certificate signed by the Entrust.net root CA
before CNNIC was added as a root CA. Because the MitM attack is
difficult to carry out on a large scale, the PRC government
mainly targeted specific users (such as highly sensitive political
dissidents) who often lack the knowledge to check the server
certificate to determine whether it's real.

All we're worried about is "trust". Can we put a CA certificate that
many Chinese programmers don't trust at all into the release package?
What will be the consequences?

The repetitive hijacking of gmail accounts of dissidents by the PRC
government secret agents (Political Defense Police like the Stasi of
former East Germany) might be achieved with SSL hijacking, besides
trojan-horse phishing email.

I think it's a detriment to the user trust in Firefox to add the CNNIC
root CA (notorious in the Chinese programmers' community, while powerful
enough to buy whatever certificates they need). Yet it's not safe to
simply remove it. There should be a way to return the ability and
authority of judging whether to trust a CA to the users, not
unconditionally decided by the browser as it's implemented now.
Currently an experienced user can inspect the certificate signing
chain to check whether the root CA is trustworthy, while layman users
need more help from an improved UI to alert them of possible
vulnerabilities and guide them through steps to check the certificate
chain of the HTTPS session.

Furthermore, some Chinese programmers observed [3] that the
certificates of google.com were modified several times after 18 Nov.
2009. Three abnormal changes of certificates were observed [2]:

CN: mail.google.com
18 Nov. 2009  from: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
              to:   Google Internet Authority, valid from 2009/11/12 to 2010/11/12

18 Nov. 2009  from: Google Internet Authority, valid from 2009/11/12 to 2010/11/12
              to:   Thawte SGC CA, valid from 2009/3/25 to 2010/3/25

28 Dec. 2009  from: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
              to:   Thawte SGC CA, valid from 2009/12/18 to 2011/12/18

CN: *.google.com
19 Jan. 2010  from: Google Internet Authority, valid from 2009/11/12 to 2010/11/12
              to:   Google Internet Authority, valid from 2009/12/22 to 2010/12/22

Google's announcement[1] declared that "in mid-December [2009], we
detected a highly sophisticated and targeted attack on our corporate
infrastructure originating from China that resulted in the theft of
intellectual property from Google". Taking these strange certificate
changes into consideration together with the Google announcement, we
suspect that the "intellectual property" might include private keys to
sign the google certificates. This might be the answer to why google
changed certificates in an abnormal frequency.

This also alerts us to possible cyber attacks making use of CA
certificates and exploiting the inadequate certificate validation in
current browser user interaction. Although the inclusion of an
untrustworthy CNNIC root CA won't make the situation worse, it really
alerts us to review the pyramid trust model of PKI and the design flaw
of unconditional trust in root CAs in browsers.

The trust model is unreasonable, in that the trust propagates in a
forced, involuntary way: Ernst & Young trusts CNNIC because it trusts
those special paper sheets marked with "In God We Trust" ;P,
webtrust.org trusts CNNIC because it trusts Ernst & Young; the Mozilla
Firefox project or Microsoft trust CNNIC because they trust
webtrust.org; the browser users trust CNNIC because they trust the
browser. But the users in fact don't trust CNNIC at all! The result
is: the users were forced to trust CNNIC silently. Experienced users
take the trouble to remove or disable the CNNIC certificates, while
the majority of non-technical users just don't know they're trusting
CNNIC because of their browser!


References:

[1] David Drummond, SVP, Corporate Development and Chief Legal
Officer: A new approach to China; http://www.webcitation.org/5n92WuwKT
= http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
[2] zuola: Questions about the GMAIL security certificate https://groups.google.com/group/lihlii/browse_frm/thread/92be93b6648af29/
[3] Google's certificate has been updated, possibly because the digital certificate key was stolen; beware of fake digital certificates
https://groups.google.com/group/lihlii/browse_frm/thread/5f9dbff575fa9579/
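
Justin Dolske's add-on idea earlier in the thread (keep a local record of the certificates you have seen and warn when a site's certificate changes or comes from an unexpected CA) and the list of google.com certificate changes in this post call for the same thing, so one added example covers both; it is not code from Certificate Patrol, Perspectives, Firefox or the thread. Each certificate is summarised by its subject CN, issuer and validity window, and the "fingerprint" is a constructed hash of those fields standing in for the SHA-256 of the DER encoding; the sample observations are the changes listed above, entered as constructed input.

```python
"""Trust-on-first-use record of the certificates seen per host name.

Added example. A real add-on would take the leaf certificate from the
TLS handshake; here a certificate is summarised by subject CN, issuer
and validity window, and the fingerprint is a constructed hash of those
fields (a stand-in for the hash of the DER encoding).
"""
import hashlib
from dataclasses import dataclass, field
from datetime import date, datetime


@dataclass(frozen=True)
class CertSummary:
    host: str          # subject CN the certificate was presented for
    issuer: str        # issuer CN
    not_before: date
    not_after: date

    @property
    def fingerprint(self) -> str:
        # Constructed stand-in for the DER hash (see module docstring).
        raw = f"{self.host}|{self.issuer}|{self.not_before}|{self.not_after}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


@dataclass
class HostRecord:
    current: str                               # fingerprint pinned right now
    seen: dict = field(default_factory=dict)   # fingerprint -> CertSummary


def _d(s: str) -> date:
    """Parse the 'YYYY/M/D' date style used in the thread."""
    return datetime.strptime(s, "%Y/%m/%d").date()


def observe(store: dict, cert: CertSummary) -> str:
    """Record one observation for cert.host and classify it.

    first-seen      host not in the store; pin this certificate (TOFU)
    unchanged       same certificate as the pinned one
    reverted        a certificate this host presented earlier came back
    renewed         same issuer, newer validity window (routine rollover)
    changed         same issuer but not a forward rollover
    issuer-changed  a different CA than before: the case worth a warning
    """
    fp = cert.fingerprint
    rec = store.get(cert.host)
    if rec is None:
        store[cert.host] = HostRecord(current=fp, seen={fp: cert})
        return "first-seen"
    if fp == rec.current:
        return "unchanged"
    prev = rec.seen[rec.current]
    if fp in rec.seen:
        event = "reverted"
    elif cert.issuer != prev.issuer:
        event = "issuer-changed"
    elif cert.not_before > prev.not_before:
        event = "renewed"
    else:
        event = "changed"
    rec.seen[fp] = cert
    rec.current = fp
    return event


def replay(observations) -> list:
    """Feed (host, issuer, not_before, not_after) tuples through one store."""
    store: dict = {}
    events = []
    for host, issuer, nb, na in observations:
        cert = CertSummary(host, issuer, _d(nb), _d(na))
        events.append((host, issuer, observe(store, cert)))
    return events


# The certificate changes reported in the post, as constructed sample input.
THREAD_OBSERVATIONS = [
    ("mail.google.com", "Thawte SGC CA", "2009/3/25", "2010/3/25"),
    ("mail.google.com", "Google Internet Authority", "2009/11/12", "2010/11/12"),
    ("mail.google.com", "Thawte SGC CA", "2009/3/25", "2010/3/25"),
    ("mail.google.com", "Thawte SGC CA", "2009/12/18", "2011/12/18"),
    ("*.google.com", "Google Internet Authority", "2009/11/12", "2010/11/12"),
    ("*.google.com", "Google Internet Authority", "2009/12/22", "2010/12/22"),
]

if __name__ == "__main__":
    for host, issuer, event in replay(THREAD_OBSERVATIONS):
        print(f"{event:15} {host:18} {issuer}")
```

Replaying the post's sequence gives first-seen, issuer-changed, reverted, renewed for mail.google.com and first-seen, renewed for *.google.com. The issuer-changed event on 18 Nov. 2009 is the one a user would be warned about; the reverted event right after it is also what a pinning tool sees when one name is served by several hosts carrying different certificates, which is why the classification keeps the two apart instead of treating every change alike.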

Nelson Bolyard

Jan 30, 2010, 2:05:06 PM

On 2010-01-28 19:11 PST, David E. Ross wrote:

> On reviewing bug #476766, I see in comment #5 Liu Yan's (the applicant)
> assertion: "CNNIC is not a Chinese Government organization."
>
> However, later comments by users in China seem to indicate the contrary.
> Comment #18 states: "CNNIC is an infamous organ of the Chinese
> Communist government to monitor and control the Internet in China."
> Comment #23 states: "...CNNIC is infamous in China and it has a lot of
> connections with the government..." Comment #24 states: "It has very
> closed tie with Chinese government and CPC (or CCP [Chinese Communist
> Party?])."

First, those statements are accusatory in nature. They lack proof.
Second, even if true, it's not clear that those statements disqualify
CNNIC. Other CAs that Mozilla has admitted to the root list also have
government ties with their respective governments, IINM, and we have not
disqualified them.

So, I conclude that the writers of the above comments are people who dislike
the Chinese government. But like or dislike of the Chinese government is
not a basis of acceptance nor rejection of CAs under Mozilla policy, is it?

Let's be very careful not to allow this discussion group to become a forum
for discussion of Chinese government policies. Whether you or I like it or
hate it, the Chinese government's great firewall is no basis for acceptance
or rejection of any Chinese CA, IMO. If Mozilla decides that it IS, then
IMO, Mozilla should reject all Chinese CAs, and not consider them one by
one, because the issue is the action of the government.

> If any of these comments are true, then the application violates the
> second bullet under section 6 of the Mozilla CA Certificate Policy:

I'm not so sure.

> We require that all CAs whose certificates are distributed with our
> software products publicly disclose information about their policies and
> business practices

Let's imagine, just for the sake of discussion, that CNNIC is wholly owned
by the Chinese government. Is that a policy? Is that a business practice?

> That is, the relationship between CCNIC and the government or political
> structure of China -- a business practices -- has not been publicly
> disclosed.

I disagree that it is necessarily a policy or practice.

Further, in the PRC, ALL business is done at the pleasure of the government.
The larger the business, the more far reaching it is in scope, the more
that government will watch over it to ensure that it doesn't step over the
unwritten unspoken line. This is known to every citizen in China. It is
not written as a business policy anywhere, anymore than it is written that
all employees must breathe.

> I am further concerned about the fact that individuals inside China are
> blocked from participating in this discussion, perhaps by the "great
> firewall". If CCNIC indeed operates independently of the government and
> political structure of China and is indeed worthy of the trust implied
> by having its root certificate in the NSS database, then why would
> anyone object to a discussion of this issue?

Why are those things related?

Why is ANYTHING other than a CA's honesty regarding certification of bindings
of names to public keys, and its scope being wide enough to be of value to a
significant part of Mozilla's user base, at issue in determining its
acceptability?

This newsgroup is NOT the place for discussion of international politics.
Discussion of a government's positions on human rights, great firewalls,
etc. have no place here, IMO, because they are not relevant, IMO, to the
operation and acceptability of a CA.

Eddy Nigg

Jan 30, 2010, 3:42:17 PM1/30/10
to
On 01/30/2010 09:05 PM, Nelson Bolyard:

> This newsgroup is NOT the place for discussion of international politics.
>

Correct.

> Discussion of a government's positions on human rights, great firewalls,
> etc. have no place here, IMO, because they are not relevant, IMO, to the
> operation and acceptability of a CA.
>

The relevance starts when, as a matter of local legislation and law, CAs
could and would assist in or themselves perform MITM attacks or would
assist to what we could consider fraudulent and harmful intent and
knowingly wrongful issuance of certificates. This would be in fact
clearly against the Mozilla CA policy.

What some reporters try to say is, that the known politics and alleged
behavior of the Chinese government and associated organizations and
tools are used for various purposes which could fall under the above
mentioned. I can understand that facts are hard to come by, especially
because of the nature of government.

The Chinese Firewall is a matter of local legislation; it's not against
their laws. However it's still a problematic practice in the view of the
Western hemisphere. The recent incidents with Google and many other
American companies might be testimonial and supportive evidence of other
very disturbing practices. Now, if this same establishment and its
legislation runs a CA (by proxy and/or third party), the same local laws
which allow for the former, might allow for MITM attacks and other
fraudulent issuance (in our eyes). This might be a problem directly
affecting the users of Mozilla products and against what the Mozilla
policy calls for (and is intended).

The close relationship between the CA and the political structure in
China could be viewed in itself as problematic! If this is a fact, then
this fact was perhaps not sufficiently disclosed here at the public
discussion and any such relationship was even denied.

(It must be clear that some CAs are more independent from governments
and might have different locations of operations, whereas some are
tightly associated or even operated by governments. For my taste I have
a huge dislike of any association with governments at all. I made that
clear previously at other occasions. But the Mozilla CA policy doesn't
care about this, hence it remains my personal point of view.)

Wenbo Wang

Jan 30, 2010, 4:40:28 PM1/30/10
to
On Jan 31, 3:05 am, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

> Let's be very careful not to allow this discussion group to become a forum
> for discussion of Chinese government policies.   Whether you or I like it or
> hate it, the Chinese government's great firewall is no basis for acceptance
> or rejection of any Chinese CA, IMO.  If Mozilla decides that it IS, then
> IMO, Mozilla should reject all Chinese CAs, and not consider them one by
> one, because the issue is the action of the government.
>

Who cares if all Chinese CAs get rejected. We just hope Firefox will be
safer for Chinese users.

>
> Further, in the PRC, ALL business is done at the pleasure of the government.
> The larger the business, the more far reaching it is in scope, the more
> that government will watch over it to ensure that it doesn't step over the
> unwritten unspoken line.  This is known to every citizen in China.  It is
> not written as a business policy anywhere, anymore than it is written that
> all employees must breathe.
>

If the above is true, then how could anyone but the government itself
know where the line is? Can you smell it? Is it a round shape or a
square shape? No offence, but I mean it could be anything the
government wants, whenever they want, however they want. How could
anybody trust anything like that?

Maybe I'm not so familiar with Mozilla's CA acceptance policy, but I
know such a CA cannot be trusted, and I know it in a tragic
"unwritten unspoken way".
And you know a lot about China, BTW. :)

BRs
Wenbo Wang

anonymous chineseguy

Jan 31, 2010, 12:40:24 AM1/31/10
to
While we're talking about those, please keep in mind: even Google Groups
has been walled (Chinese internet terminology meaning a website
is blocked by the GFW), and that's why the topic began in
Bugzilla. We're all talking behind proxies. Though that protects us
from being jailed in the name of defaming the government - and there
have been many cases.
CNNIC said it isn't a government organization; it is completely
lying. In China, NGOs are never clearly allowed to exist. All of
them either have to pretend to be a for-profit corporation, or
have to find a government-allowed organization and beg to affiliate
under it, so the government can control it, either by imposing a tax which it
cannot afford (you can google "Xu zhi yong"), or by directly ordering its
superior to close it.
Let's look at an example. In Dec 2009, when the Chinese government decided to
"clear sex information on the internet" (and of course, at the same time
tens of thousands of normal BBSes & websites were closed. YOU KNOW WHY),
CNNIC quickly made a statement ".cn domains NEVER allowed personal
registration", while Chinese people had registered hundreds of
thousands of personal dot-cn domains? And after a while they made
another decision about white-list name resolving?
If that's not a government-dominated organization, that definition can
be eliminated, I think.

Anonymously,
A Chinese guy

tophits

Jan 31, 2010, 3:49:31 AM1/31/10
to lihlii-g, 网络安全
On Jan 30, 8:05 pm, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

> First, those statements are accusatory in nature.  They lack proof.

Lack proof? Or you simply close your eyes and refuse to see the
proofs? :)

> CNNIC.  Other CAs that Mozilla has admitted to the root list also have
> government ties with their respective governments, IINM, and we have not
> disqualified them.

Other CAs are tied with governments, but CNNIC is tied with a mafia
group, NOT a government. :)

> So, I conclude that the writers of the above comments are people who dislike
> the Chinese government.  But like or dislike of the Chinese government is
> not a basis of acceptance nor rejection of CAs under Mozilla policy, is it?

Google also doesn't like the "Chinese government", do they? So they
don't have "basis" of this announcement [1].

> Let's be very careful not to allow this discussion group to become a forum
> for discussion of Chinese government policies.   Whether you or I like it or

It IS about policy, trust and security of the whole framework of PKI!
It will not only breach the web security of Chinese users, but also
users worldwide! Be alert of the consequences.

> hate it, the Chinese government's great firewall is no basis for acceptance
> or rejection of any Chinese CA, IMO.  If Mozilla decides that it IS, then

The fact is that the acceptance is not based on adequate publicity and
discussion. The information behind is not fully revealed. The end
users especially the Chinese programmers are in effect excluded from
the discussion because only lately they discovered the new certificate
from Microsoft and Firefox updates. This is why we raised this
question against the trust in CNNIC.

> IMO, Mozilla should reject all Chinese CAs, and not consider them one by
> one, because the issue is the action of the government.

In fact we should reject any CA that has bad credit records. Just as
a credit card company won't issue a credit to a person who often
cheats.

> Let's imagine, just for the sake of discussion, that CNNIC is wholly owned
> by the Chinese government.  Is that a policy?  Is that a business practice?

The Chinese Communist Party government is not qualified as a root CA
administration, because it is building the biggest information jail to
intercept and cheat in DNS resolving, attack citizens all over the
world by trojan-horse phishing email and intrude companies and
governmental computers illegally. It's a criminal group.

> Further, in the PRC, ALL business is done at the pleasure of the government.
> The larger the business, the more far reaching it is in scope, the more
> that government will watch over it to ensure that it doesn't step over the
> unwritten unspoken line.  This is known to every citizen in China.  It is

CA doesn't need to be a "large business", but a trustworthy business.
That's it. We Chinese know better the Chinese government and CNNIC,
and how the business should be in China. :)

> Why is ANYTHING other than a CA's honesty regarding certification of bindings
> of names to public keys, and its scope being wide enough to be of value to a

CNNIC can't be linked with the word "honest" in the loosest sense.

> This newsgroup is NOT the place for discussion of international politics.
> Discussion of a government's positions on human rights, great firewalls,
> etc. have no place here, IMO, because they are not relevant, IMO, to the
> operation and acceptability of a CA.

They're closely related. It's not only about GFW, but about hijacking
Internet communication, cheating, phishing, trojan-horse attack and
intrusion. These were all done by the CCP government and CNNIC DID
intentionally spread malware that spied on users!

tophits

Jan 31, 2010, 3:58:45 AM1/31/10
to lihlii-g
On Jan 30, 9:42 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> The relevance starts when, as a matter of local legislation and law, CAs
> could and would assist in or themselves perform MITM attacks or would
> assist to what we could consider fraudulent and harmful intent and
> knowingly wrongful issuance of certificates. This would be in fact
> clearly against the Mozilla CA policy.

I agree mostly with Eddy. But I must point out that there is no "law"
in PR China. Everything that is called a "law" is in fact "rules"
determined by the CCP officials at their own will and can be broken or
changed at any time they like.

Any statement that talks about "law" in China is in fact based on a
false premise.

> The Chinese Firewall is a matter of local legislation; it's not against
> their laws. However it's still a problematic practice in the view of the

The GFW itself in fact is even NEVER compliant with any Chinese "laws"
made by the CCP government itself! This is why the CCP government
never admitted its existence! :) Please, please don't say that
the GFW is based on "local legislation"; it's even against the "rules"
made by the CCP government itself!

The official declaration of the PRC government is: The Internet in
China is completely free. There is no censorship. full stop.

If you can trust such a "government", good luck to you! :)

Jack

Feb 1, 2010, 2:40:12 AM2/1/10
to
As many have pointed out above, the trust in a root certificate is
immediately jeopardized when a MITM attack is waged. Unfortunately
MITM attacks are already widely deployed in China. The Harvard study
"Empirical Analysis of Internet Filtering in China" repeatedly
documented this:

"the authors prepared screenshots documenting the September 2002
redirection of requests for google.com to other search engines."
"some newer forms of Chinese filtering -- namely, redirection of a
request for a sensitive web site to another web site"
"DNS Filtering/Redirection and Its Implications"
"For some 1,043 of sites tested, we confirmed that DNS servers in
China report a web server other than the official web server actually
designated via each site's authoritative name servers."
http://cyber.law.harvard.edu/filtering/china/
http://cyber.law.harvard.edu/filtering/china/appendix-tech.html#dns

Some "50 cent party" (to save your google trip: it's the thousands of
people Chinese Communist Party pays to defend itself on the internet)
may claim CNNIC is not the same institute who launched these MITM
attacks. But I trust the Mozilla developers are not so naive to
believe CNNIC can violate the Party's order, or the billion-dollar
Great Firewall involving numerous technical institutes were
accomplished by those institutes voluntarily - and most those
institutes look just like CNNIC.
In fact, the very DNS servers doing MITM attack as documented by the
Harvard study above are either closely related to CNNIC or another
innocent-looking "non-government" institute, because in China all
shiny hats are worn by the same Party.

So, if this root certificate crisis is not properly addressed, it's
very likely that in a couple years, the relatives of some Tibetan or
Falun Gong, or home church followers would sue Microsoft and Mozilla
in U.S. for assisting the Chinese Communist regime to steal their
email passwords using faked websites and certificates so they could log in
to their real accounts later, leading to their imprisonment, just like
someone did against Yahoo
(http://www.rsf.org/Yahoo-settles-lawsuit-by-families.html).

Gervase Markham

Feb 1, 2010, 5:48:02 AM2/1/10
to
On 29/01/10 09:39, Justin Dolske wrote:
> It would be an interesting experiment to create an addon to crowd-source
> checking for such certs. Not as a CNNIC-specific issue, but any case of
> valid certs for a site coming from an unexpected CA.

It would certainly be interesting to know if a particular site had a
cert from a different issuer depending on where in the world you were.

However, I strongly suspect that any government which was putting
pressure on a CA to issue certs for surveillance purposes would use
those certs only in very limited circumstances - for precisely the
reason Johnath outlines. You have to send the cert to the browser, and
someone is eventually going to notice.

> It could also be
> easy to just store a local record of certs you've encountered, and
> warn you when a site's cert has changed.

It would be easy. See the "Connection Repeatability" section of this
article:
http://www.gerv.net/security/self-signed-certs/
for my explanation of why it's not a good idea for Firefox to do this by
default.

Gerv

Gervase Markham

Feb 1, 2010, 5:50:59 AM2/1/10
to
On 29/01/10 07:42, makrober wrote:
> Johnathan Nightingale wrote:
>> 1) We have never claimed as a matter of policy that our PKI decisions
>> can protect people from malicious governments. It's just not a
>> plausible promise for us to make.
>
> With due respect, "never have made the promise" just doesn't cut it in
> my eyes. To turn it around: never was there any warning to the user base
> that there is some "special class" of miscreants that Mozilla would not
> protect the users from. This can be explained (but not excused) by the
> mindset of those that instituted the process: in their minds,
> "governments",
> by definition, can't be miscreants. I and (as that discussion on
> bugzilla demonstrates) many, many, others do not share this mindset.

Anyone who is concerned about government surveillance of their
activities needs to take rather more care about the security of their
software than the average person. The default configuration of any
mass-market security software is unlikely to be suitable for their
needs. Given that, I don't think it's unreasonable to expect them to
deactivate certs from entities they don't trust. (And this will be a
different set of certs for different people.)

> Perhaps it is time to review the process. It would be smart to take Mozilla
> out of the trust business. At the very least, all root certificates that
> are included should not be trusted until the user explicitly turns those he
> or she knows and trusts (and needs for his or her transactions) on.

That is an utterly impractical suggestion, and would be
counter-productive - faced with a barrage of "please approve me"
requests, users would either a) click "Yes", "Yes", "Yes" or b) abandon
Firefox for a browser which didn't irritate them nearly so much.

Gerv

Gervase Markham

Feb 1, 2010, 5:56:34 AM2/1/10
to
On 28/01/10 12:50, crewlay wrote:
> Is also very absurd to directly built such a notorious hated certificate
> into the widely accepted open-source software in prc, almost everyone
> are looking for method how to remove it after being aware of the
> bulletin for either potential ssl hijack or consistent disgusted with
> cnnic, and it's so simple to prove that either protest poll or something
> similar.

If you wish to create and publicise a web page which details how to
disable roots in Firefox in general, and CNNIC's root in particular,
then you have every freedom to do that.

Without evidence of wrongdoing, there is nothing to provoke us to
action. I'm sure you'd want a similar standard of proof to be applied if
you were accused of something.

Also, I think "notorious hated certificate" is hyperbole. The latest
NetCraft statistics show CNNIC has signed the certs of 30 websites - a
tiny fraction. Of course, NetCraft's coverage may be incomplete.

Gerv

makrober

Feb 1, 2010, 8:29:34 AM2/1/10
to dev-secur...@lists.mozilla.org
Gervase Markham wrote:

> Anyone who is concerned about government surveillance of their
> activities needs to take rather more care about the security of
> their software than the average person.

For those defining and implementing technical infrastructure of
protection and security, it is worth giving a bit of thought to
the following issues:

1) what defines a "government"?

2) why should such participants be, by definition, exempt from the
list of potential miscreants?

3) If we allow a certain class of miscreants to be exempt from
the security our software offers, how do we make sure that the
user base understands that there are such exemptions?

MacRober

tophits

Feb 1, 2010, 8:49:22 AM2/1/10
to lihlii-g
Dear Gervase,

There is much evidence that CNNIC is not trustable. It's not a
"hyperbole".
Please do some investigation before you conclude.

There can be a lot of websites signed by CNNIC CA. This says nothing
about whether it's trustable or not.
There are more websites than you can count that carry certain
malware. Is the number proof that the malware is trustable?

tophits

Feb 1, 2010, 8:51:44 AM2/1/10
to
On Feb 1, 11:48 am, Gervase Markham <g...@mozilla.org> wrote:
> However, I strongly suspect that any government which was putting
> pressure on a CA to issue certs for surveillance purposes would use
> those certs only in very limited circumstances - for precisely the

Gerv, you're missing the case when a rogue government is trying to
intercept public websites like gmail.
Then the users in China might get a different fake certificate for
mail.google.com!

tophits

Feb 1, 2010, 8:54:36 AM2/1/10
to
Do you mean this by the Mozilla policy? It's really irresponsible to
talk about user's security like this.

tophits

Feb 1, 2010, 9:03:39 AM2/1/10
to lihlii-g, 网络安全
Now I conclude that it's a waste of time to convince the Mozilla guys
of the level of danger that the inclusion of a rogue CA will cause to
the users. Let them ruin the reputation of Firefox. Let them pretend
that it's not a problem. :)

It's more efficient to start trying to make Certificate Patrol or
something alike into a better addon for the defective certificate
manager of Firefox. At least we can help those prudent people who
treasure their privacy and security.

The new addon should help the users to remove rogue CAs and immunize the
browser against accepting them in the future.
Surely the immunity list should be editable by the user. Let's bring
full control of trust back to the users.
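The local record of previously seen certificates that Dolske and Gerv discuss earlier in the thread, combined with the user-editable list of distrusted roots proposed in this post, as an added example in Python. It is not code from any poster, from Certificate Patrol or from Firefox. The host name, CA names and DER byte strings are constructed placeholders, the chain is assumed to arrive leaf first and root last, and the verdict names are my own. It goes slightly beyond the posts by separating a new certificate from an already-known issuer (routine renewal, the false-positive case behind Gerv's "connection repeatability" objection) from a change of issuer, which is the signal worth surfacing to the user.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (example only)."""
    subject: str
    issuer: str
    der: bytes  # placeholder for the DER encoding a server would present


def fingerprint(cert: Cert) -> str:
    """SHA-256 over the (placeholder) DER bytes, as browsers display it."""
    return hashlib.sha256(cert.der).hexdigest()


class TrustMemory:
    """Per-host memory of certificates already seen, plus a user-editable
    set of root fingerprints that must never anchor a chain."""

    def __init__(self, distrusted_roots=()):
        self.distrusted_roots = set(distrusted_roots)  # editable by the user
        self.seen: dict[str, dict[str, str]] = {}      # host -> {leaf fp: issuer}

    def check_chain(self, host: str, chain: list[Cert]) -> str:
        """Classify a presented chain (leaf first, root last)."""
        root = chain[-1]
        if fingerprint(root) in self.distrusted_roots:
            # Chain ends in a root the user removed: refuse regardless of
            # what the browser's built-in store would say.
            return "distrusted-root"
        leaf = chain[0]
        fp = fingerprint(leaf)
        known = self.seen.get(host)
        if not known:
            # First contact: nothing to compare against (trust on first use).
            self.seen[host] = {fp: leaf.issuer}
            return "first-sight"
        if fp in known:
            return "match"
        if leaf.issuer in known.values():
            # New certificate, same issuer: consistent with routine renewal,
            # which is why warning on every change is noisy by default.
            return "rotated-same-issuer"
        # A different CA now vouching for a host we already know.
        return "issuer-changed"

    def accept(self, host: str, leaf: Cert) -> None:
        """Record a certificate the user reviewed and chose to trust."""
        self.seen.setdefault(host, {})[fingerprint(leaf)] = leaf.issuer


def demo() -> list[str]:
    """Walk through the verdicts on constructed certificates."""
    root_a = Cert("Example Root CA", "Example Root CA", b"root-A")
    root_b = Cert("Other Root CA", "Other Root CA", b"root-B")
    bad_root = Cert("Distrusted Root", "Distrusted Root", b"root-X")
    host = "mail.example.test"  # constructed host name
    leaf1 = Cert(host, "Example Root CA", b"leaf-1")
    leaf2 = Cert(host, "Example Root CA", b"leaf-2")
    leaf3 = Cert(host, "Other Root CA", b"leaf-3")
    leaf4 = Cert(host, "Distrusted Root", b"leaf-4")

    memory = TrustMemory(distrusted_roots={fingerprint(bad_root)})
    verdicts = [
        memory.check_chain(host, [leaf1, root_a]),    # first-sight
        memory.check_chain(host, [leaf1, root_a]),    # match
        memory.check_chain(host, [leaf2, root_a]),    # rotated-same-issuer
        memory.check_chain(host, [leaf3, root_b]),    # issuer-changed
        memory.check_chain(host, [leaf4, bad_root]),  # distrusted-root
    ]
    memory.accept(host, leaf3)  # user reviewed the new issuer and approved
    verdicts.append(memory.check_chain(host, [leaf3, root_b]))  # match
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only the root of the chain is checked against the distrust set here; a real add-on would also have to consider intermediates and keep the memory and distrust list in persistent, user-editable storage.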

tophits

Feb 1, 2010, 9:06:17 AM2/1/10
to
Dear Gervase,

Do you think "average person" can live with malware that is
unremovable from their system once installed, and spy on their web
activities?

If your answer is "yes", then you go with CNNIC. :)

On Feb 1, 11:50 am, Gervase Markham <g...@mozilla.org> wrote:

Test Test

Feb 1, 2010, 9:54:24 AM2/1/10
to
CNNIC is absolutely an evil.
If firefox trusts CNNIC, then I think the words "We believe that the
internet should be public, open and accessible." should be removed
from mozilla home page.

tophits

Feb 1, 2010, 10:24:31 AM2/1/10
to lihlii-g
Chinese users started a vote page here to remove CNNIC CA from default
installations:
https://spreadsheets.google.com/viewform?formkey=dGctTVY0Y3VxX3lrXzZoeG90WDFBVXc6MA

And here is the vote result:
https://spreadsheets.google.com/pub?key=tg-MV4cuq_yk_6hxotX1AUw&output=html

Currently,
376 users don't trust CNNIC.
4 users don't know whether to trust CNNIC.
3 users trust CNNIC.

If you can read Chinese and do a simple google search of "CNNIC 根证书
(root certificate in Chinese)" and you will see how the Chinese users
react to this new addition. If you can't read Chinese, Google
translate can help to understand more or less the content.

Please read this machine translation of some Chinese blogs to evaluate
the possible consequences of adding CNNIC as root CA:

When network security mechanisms encountered in the core of rogue
government
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://oogami.name/799/&sl=zh-CN&tl=en

CNNIC CA: far the most the most serious safety warning!
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://autoproxy.org/zh-CN/node/66&sl=zh-CN&tl=en

CNNIC, I do not trust you! - Drive CNNIC out of "trusted root
certificate"
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://felixcat.net/2010/01/throw-out-cnnic/&sl=zh-CN&tl=en

fire alarm, theft prevention, anti-CNNIC, remove the root certificate
CNNIC way!
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://www.google.com/search%3Frlz%3D1C1GPCK_en___NL364%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%25E9%2598%25B2%25E7%2581%25AB%25E9%2598%25B2%25E7%259B%2597%25E9%2598%25B2%25E7%259B%2591%25E6%258E%25A7%25E9%2598%25B2CNNIC,%25E5%2588%25A0%25E9%2599%25A4CNNIC%25E6%25A0%25B9%25E8%25AF%2581%25E4%25B9%25A6%25E7%259A%2584%25E6%2596%25B9%25E6%25B3%2595%25EF%25BC%2581

Chinese netizens launched action against the root certificate CNNIC
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://www.rfa.org/mandarin/yataibaodao/CNNIC-01292010114844.html

Why Internet users do not trust the root certificate of CNNIC
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://allinfa.com/cnnic-root-certification.html

how to remove the root certificate of CNNIC under FIREFOX Apple
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://www.zuola.com/weblog/%3Fp%3D1454

Treated the same as the Green Dam [1], the CNNIC root certificate from
your computer to expel
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://hi.baidu.com/litiejun/blog/item/8c6d38d8409a3f3e32fa1c73.html
[1] Green Dam Youth Escort http://en.wikipedia.org/wiki/Green_Dam_Youth_Escort

How to prevent a CNNIC not trusted certificate
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://blog.lzzxt.com/394

On Feb 1, 11:50 am, Gervase Markham <g...@mozilla.org> wrote:

Simon

Feb 1, 2010, 11:06:16 AM2/1/10
to
Hi Gerv,
I am from China. I just don't trust CNNIC. But I agree with what
you said. We indeed could not find any evidence to prove it. But I
reserve the right to reject it. People outside China just can not
understand things happening in China. It is the coldest winter days
from 2009 till now. I don't want to argue about the politics. We just
want Firefox to listen to users from China, that CNNIC may not have done
anything bad in the CA area by now (but it did lots of other bad
things), but as it is under GOV control, no one knows what it would do
when GOV asks it to. You said "CNNIC is innocent until proven guilty
- an important cornerstone of justice"; it is right for the criminal
judge, but not for CNNIC CA. It is too late when it does something
wrong; maybe no one even notices what it has done because Firefox
trusts it. So for that situation, how am I supposed to provide any
evidence?

Best wishes,
Simon.

PS. It took me 15 minutes to post my reply here. The proxy is so slow.
I can not access google group directly due to the GFW.