
Why Chinese people distrust CNNIC and want the CNNIC CA removed


George Yang
Apr 2, 2015, 11:49:47 AM
to mozilla-dev-s...@lists.mozilla.org
Hi All,

You may be aware of a recent MITM incident involving the CNNIC ROOT CA and may currently be considering actions for Firefox, possibly like the action Google has taken to drop the CNNIC ROOT CA from Chrome completely.

However, this kind of incident is not unexpected at all to us Chinese people. In fact, many Chinese people expressed their concerns 5 years ago when Mozilla decided to include the CNNIC ROOT CA. Obviously, the fiercest objections to this inclusion came from Chinese users, the intended beneficiaries of the CNNIC ROOT CA. We warned you then, and I want to warn you again, because CNNIC is much more than a CA.

BTW, most, if not all, Chinese news articles reporting Google's removal of the CNNIC CA have been taken down. It is an obvious result of a censorship order from the Chinese government to prevent Chinese people from knowing what is happening. So just ask yourself: what kind of ROOT CA could make the Chinese state government censor negative news about it?

If you want to know what most Chinese users think, see Bugzilla:

https://bugzilla.mozilla.org/show_bug.cgi?id=542689
https://bugzilla.mozilla.org/show_bug.cgi?id=476766

So you may have this question: why do Chinese people distrust CNNIC and want the CNNIC ROOT CA removed? Please allow me to offer a little explanation from a Chinese perspective. In addition, I apologize for any broken English.

1. Background

You may find very little, if any, voice from regular Chinese users here in this newsgroup. It doesn't mean that Chinese people are not interested in what we are talking about here. It is because access to Google Groups, pretty much like all Google services, has been blocked in China by an internet-controlling government agency of which CNNIC is part. Let me repeat: CNNIC is *NOT* a non-government entity at all; instead, it is closely related to, if not directly controlled by, that agency.

You may know its name: Golden Shield, a.k.a. the Great Firewall. Let's just call it GFW. GFW actively monitors, logs, controls, modifies, and attacks internet traffic to/from China. It sees what a regular Chinese internet user can see and what he/she has posted. It can log all such activities for later prosecution, as for example in Shi Tao's case ( http://en.wikipedia.org/wiki/Shi_Tao ).

It can modify internet traffic as well. For instance, it sends TCP RST packets to both server and client to terminate an existing connection, and blocks further access to the server for some time, if it finds any sensitive keyword in the traffic. "Freenode" was (and may still be) one such keyword because of the (now outdated) software to circumvent GFW. It once made downloading the gcc source tarball impossible within China because one of the gcc developers used a freenode.de email address. Yes, it can look into zipped files.

GFW is also quite capable of attacking. Just search Google for the recent GitHub DDoS. It demonstrates how GFW can hijack a web link in China and inject arbitrary code into it.

For sites like Google (including Google Groups), GFW uses techniques like DNS pollution and IP redirecting/blocking, or nowadays a combination of them, to prevent Chinese internet users from visiting. This is just normal life in China. If you have the opportunity to visit China, just try to access Google, Facebook, Twitter and so on, and you will know what "blocking" means.

Therefore, the silence of Chinese people in this group doesn't mean we have no opinion; it just means that GFW is suppressing our voice and our objection to it (and to the totalitarian government of China).

You may also ask the representative of CNNIC how he/she visits here from within China, but I doubt that he/she has unblocked access after all; he/she may be using an officially sanctioned VPN to post here.

2. CNNIC in my eyes (and of most Chinese internet users)

Let me repeat: CNNIC is *NOT* a non-government entity. It is a Chinese state-run bureau and basically part of GFW. Its head is appointed by the Chinese government, and its staff are Chinese state officials and government employees. They are certainly members of the Communist Party of China, too. For us Chinese, it means CNNIC acts as a government body and will do whatever the communist state asks it to do. Hence, CNNIC is absolutely *NOT* trustworthy at all.

Given GFW's capability to alter internet traffic inbound to or outbound from China, it can target any particular person within China, and such an attack is very difficult to detect from outside China because of its limited scope. Of course I am not saying CNNIC is involved in all of those cases. CNNIC is just one small part of the big machine that conducts such attacks.

Inclusion of the CNNIC ROOT CA just makes such attacks much easier to perform and such activities much harder to detect. GFW might just make use of CNNIC-issued certificates to MITM-attack or forge any website in order to target some individuals. If the targeted persons themselves are not aware of the attacks, no one else would find out. CNNIC would raise no objection to, if not happily co-operate with, such GFW activities, although it will deny any involvement.

The recent MCS incident is just one example above the surface. What if such an incident had happened inside China? No one would find out, since access to Google is completely blocked. Hence, we Chinese feel strongly insecure as the CNNIC ROOT CA still sits in our web browsers and is still trusted by default. That is why so many Chinese web sites/pages are dedicated to helping people remove/untrust the CNNIC ROOT CA. Just search Google for "删除 CNNIC CA" to see how many pages you find. The Chinese "删除" here means "remove".

Of course dropping the CNNIC ROOT CA would not destroy GFW, but it may well save a lot of people within China from falling victim to GFW.

3. Notorious history of CNNIC as a malware maker

CNNIC was once the largest malware maker in China and is very notorious among Chinese people due to this history. Before the era of internationalized DNS, some Chinese companies were trying to sell domain names in Chinese characters. Of course, the method behind it did not use DNS servers; instead, plug-ins were installed to intercept domain name requests, and if Chinese characters were detected, the plug-in would do the translation. Those companies made a profit by selling mappings between Chinese keywords and real websites.

One such company was 3721, which was later acquired by Yahoo! China to become the now defunct Yahoo! Assistant ( http://en.wikipedia.org/wiki/Yahoo!_Assistant ). Yahoo! China has a bad name among Chinese users due to this history. CNNIC was another player in this market too and thus earned a notorious name among Chinese users as well.

3721, CNNIC and others competed with each other by hijacking users' computers and making their software (plug-ins) impossible to remove. They monitored all traffic on affected computers and acted like a virus to propagate. Sometimes they were even worse than a virus, because they didn't hide at all: once they were installed and doing whatever they wanted on your computer, you would never get rid of them. So they just didn't care about users' experience at all, and would do anything to stay, because their profit was based on their installation base. The common practice of 3721/CNNIC was infecting system files, forking into multiple processes, and letting each process keep monitoring those files and the other processes. If any infected file was restored or any of its processes got killed, it just infected and forked again. No one cared that users' computers would just be slowed to death by all these processes and their activities.

CNNIC didn't care about users then, and there is no reason to believe it will in the future.


4. Conclusion

We Chinese distrust CNNIC and request the removal of the CNNIC ROOT CA from Mozilla's products. Some of us have already taken our own steps to untrust the CNNIC ROOT CA in Firefox/Chrome/IE. Google has taken action to remove the CNNIC ROOT CA, and I urge Mozilla to take the same action too.

Thank you for reading this long post. Please help us Chinese by taking decisive action to remove the CNNIC ROOT CA immediately.

George
(an obvious alias)
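As an added worked example (not the poster's code, nor anything from Mozilla or CNNIC): the step the post's conclusion mentions, untrusting the CNNIC root in Firefox on your own, can be done against the profile's NSS certificate database with NSS's `certutil`. The script below parses a constructed `certutil -L` listing (the nicknames shown, including "CNNIC ROOT", and the profile path are assumed for illustration) and builds the `certutil -M` invocations that set all three trust columns to `p`, NSS's "explicitly distrusted" flag, which overrides the compiled-in trust of a builtin root.

```python
"""Explicitly distrust a root CA in a Firefox/NSS certificate database.

Added example; not the poster's code and not from Mozilla.  Firefox keeps
its trust settings in an NSS database (cert9.db) in the profile directory,
and NSS's `certutil` tool lists (-L) and modifies (-M) trust attributes.
The sample listing below is constructed, not captured from a real profile;
the nicknames in it and the profile path in the usage call are assumed.
"""
import re
import shlex
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `certutil -L -h all -d sql:<profile>` output.
# The three trust columns are SSL, S/MIME and JAR/XPI (code signing).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:CNNIC ROOT                              C,C,C
Builtin Object Token:China Internet Network Information Center EV Certificates Root  C,C,C
Builtin Object Token:Example Trusted Root CA                 C,C,C
"""

# Substrings identifying the CA operator, matched case-insensitively against
# the nickname.  Both forms are assumed names used for illustration.
CNNIC_NEEDLES = ("CNNIC", "China Internet Network Information Center")

# NSS trust-flag letters: C = trusted CA for that usage, p = explicitly
# distrusted ("prohibited").  "p,p,p" distrusts the root for every usage.
DISTRUST_FLAGS = "p,p,p"

# A listing row is "<nickname>  <flags>" where flags look like C,C,C or ,,
# Header rows carry no such field and therefore never match.
_ENTRY_RE = re.compile(r"^(.+?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust attributes from certutil -L output."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries[m.group(1).strip()] = m.group(2)
    return entries


def select_nicknames(entries: Dict[str, str], needles=CNNIC_NEEDLES) -> List[str]:
    """Nicknames matching a needle that are not yet distrusted in every column."""
    picked: List[str] = []
    for nick, flags in entries.items():
        if not any(n.lower() in nick.lower() for n in needles):
            continue
        if all("p" in col for col in flags.split(",")):
            continue  # already explicitly distrusted for all usages
        picked.append(nick)
    return picked


def distrust_commands(dbdir: str, nicknames: List[str],
                      flags: str = DISTRUST_FLAGS) -> List[List[str]]:
    """Build the certutil -M invocations that rewrite the trust flags."""
    return [["certutil", "-M", "-d", f"sql:{dbdir}", "-n", nick, "-t", flags]
            for nick in nicknames]


def distrust_ca(dbdir: str, listing: Optional[str] = None,
                dry_run: bool = True) -> List[List[str]]:
    """Distrust every CNNIC-named root in the NSS database at dbdir.

    With listing=None the database is queried via certutil -L; otherwise the
    given text is parsed (used below with the constructed sample).  Firefox
    must be closed while its database is modified.
    """
    if listing is None:
        listing = subprocess.run(
            ["certutil", "-L", "-h", "all", "-d", f"sql:{dbdir}"],
            check=True, capture_output=True, text=True,
        ).stdout
    cmds = distrust_commands(dbdir, select_nicknames(parse_listing(listing)))
    for cmd in cmds:
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run against the constructed listing; the profile path is assumed.
    distrust_ca("/home/user/.mozilla/firefox/abcd1234.default",
                listing=SAMPLE_LISTING)
```

Run it with `dry_run=False` and `listing=None` against your real profile directory only while Firefox is closed; afterwards `certutil -L -d sql:<profile>` should show the nickname with `p,p,p`, and the Authorities tab of Firefox's certificate manager should show no trust bits for it. Older profiles that still use `cert8.db` take the `dbm:` prefix instead of `sql:`.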