
China Internet Network Information Center accepted as a Mozilla root CA

Those who are concerned about the security of Mozilla's SSL certificate validation might want to take a look at this Bugzilla entry. It seems that, at the end of October, Mozilla approved the addition of the China Internet Network Information Center (CNNIC) as a root certification authority, meaning that Firefox will accept certificates chaining to CNNIC's root as valid and fully trusted. CNNIC is said to be controlled by the Chinese government and is alleged to be heavily involved in spying on Chinese citizens; numerous people are concerned that it will use its root CA position to facilitate man-in-the-middle attacks. Unfortunately, most of these concerns were not raised during the discussion period, making the removal of CNNIC - if warranted - harder.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 16:56 UTC (Tue) by zorro (subscriber, #45643) [Link]

So what should I do? Should I uninstall Firefox if I don't trust the CNNIC?

What to do

Posted Feb 2, 2010 17:03 UTC (Tue) by corbet (editor, #1) [Link]

Individual CAs can be removed via the "advanced" preferences panel. It's instructive, actually, to look at the list - there's a lot of entries there.

One could switch to another browser, but it's worth thinking about how open that browser's CA inclusion process is first.

What to do

Posted Feb 2, 2010 17:46 UTC (Tue) by Thue (subscriber, #14277) [Link]

That is a good argument for storing the certificates inside the DNSSEC entry. Then you are not vulnerable to every single signing entity, but only to the very short DNSSEC chain up to the DNS root.

As a side effect, getting a signed certificate for your domain would come free with the domain.

Obviously, Verisign would lose a lot of money in their certificate signing business if that were to happen. It also happens, as I understand it, that Verisign is responsible for part of the process to implement DNSSEC at the DNS root level. In an incredible coincidence, signing the DNS root seems to be taking a very long time...

DNSSEC

Posted Feb 2, 2010 18:38 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

A lot of new client software would have to be deployed before this fairytale (which I fully endorse) were to come true. However Verisign don't control the client, and so I believe it's actually possible this could happen.

Their influence (or anybody else's) over what actually happens to the root is dubious. The root operators take its reliability very seriously - it has inadvertently become one of the most vital utilities in the entire world, and so they've been going very slowly, but they are moving. Check out root server L, which is currently emitting bogus DNSSEC results. They intend for this behaviour to gradually spread to the other letters (many of which consist of several physically distributed servers) to prove that the infrastructure can cope with the significantly increased load from DNSSEC. Then one day (this summer according to current schedules) the results won't be bogus any more. Tada!

Conspiracy theorists will, of course, continue to believe that the root is controlled by secret Reptilian overlords who seek to suppress the truth about the assassination of JFK or whatever. But for the majority of reasonable people the root will be secure and the question will be - which TLDs and domains do you trust? The ccTLD registries in particular will definitely vary in how trustworthy they are from a general competence standpoint and as a matter of independence from the sovereign governments via which their rights are delegated.

DNSSEC

Posted Feb 2, 2010 19:03 UTC (Tue) by Thue (subscriber, #14277) [Link]

On the other hand, to me DNSSEC at the root seems to be a simple problem of load-balancing an embarrassingly parallel problem. Which really should not be that big of a problem to implement; just throw more servers at it behind the load balancers.

I have approximately zero insider knowledge as to what exactly is holding up the deployment of DNSSEC in the DNS root. But I have seen zero good explanations as to why it would not have been implemented long ago if it had any sort of priority. And DNSSEC should have very high priority, if nothing else then because of DNS poisoning.

DNSSEC

Posted Feb 2, 2010 19:41 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

Well, how long ago exactly is "long ago"?

One hold-up was that DNSSEC as originally conceived didn't offer privacy, because at that time DNS privacy was regarded as an esoteric thing to desire. If you're willing to admit that gazimble.example.com resolves to 10.1.2.3, why would you care that it's possible for someone to find that out without the advance knowledge of the existence of the name 'gazimble.example.com'?

But by the time it was first considered good enough to be worth actually implementing things had changed - privacy was the default in many "public" registries as well as most private organisations. DNSSEC was unacceptable in its current form to those entities because it would mean giving up something they were used to having, and in some cases which they had guaranteed to others.

So, back to the drawing board to come up with a way for a DNSSEC server to assert that the name you've asked for isn't known, without having to

• pre-cache a denial for every conceivable unknown name
• do the calculation to sign such an answer each time (trivial DoS)
• lose the ability to securely deny the existence of a name

Of course you could argue that this shouldn't have held things up for the root - nobody expects TLDs to have privacy, this was only ever a concern for subdomains. But it was felt that if nobody else was going to deploy there was certainly no reason to _begin_ with the root where problems would be most costly.
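The solution that eventually resolved the three-way tension listed above is NSEC3 (RFC 5155): the zone publishes a sorted chain of salted, iterated SHA-1 hashes of the names that exist, and a resolver proves a name is absent because its hash falls strictly between two published hashes, without the server signing anything per query and without anyone being able to read the zone's names off the chain. The following is an added illustration, not code from the thread or from any DNS implementation; the zone contents are constructed, and the proof routine handles only names one label below the apex (the general case needs a closest-encloser search, which is omitted).

```python
import base64
import hashlib

# Translate RFC 4648 base32 output to base32hex (Extended Hex alphabet), which
# RFC 5155 uses because it preserves byte order: hashes sort correctly as strings.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form of a DNS name: lowercase labels, each prefixed by
    its length byte, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(0) = SHA1(wire || salt); IH(k) = SHA1(IH(k-1) || salt).
    Returns the lowercase base32hex owner-name hash that appears in the zone."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def build_chain(zone_names, salt, iterations):
    """What the signer publishes: every existing name's hash, sorted, each record
    naming the next hash; the last record wraps to the first."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in zone_names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covers(owner, nxt, h):
    """True if h lies strictly between owner and nxt. The last record in the
    chain has nxt < owner and covers the wrap-around gap."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def proves_nonexistence(qname, zone, chain, salt, iterations):
    """Authenticated denial for a name one label below the zone apex. Three
    pre-signed records suffice: one matching the apex (the closest encloser),
    one covering the query name's hash, one covering the wildcard *.zone."""
    owners = {o for o, _ in chain}
    apex_h = nsec3_hash(zone, salt, iterations)
    q_h = nsec3_hash(qname, salt, iterations)
    wc_h = nsec3_hash("*." + zone, salt, iterations)
    if apex_h not in owners:
        return False, "no record matches the zone apex"
    if q_h in owners:
        return False, "name exists: its hash matches a published record"
    if not any(covers(o, n, q_h) for o, n in chain):
        return False, "no record covers the name"
    if not any(covers(o, n, wc_h) for o, n in chain):
        return False, "wildcard *.zone not proven absent"
    return True, "name does not exist and no wildcard applies"


# Hash parameters taken from RFC 5155 Appendix A (SHA-1, 12 extra iterations,
# salt aabbccdd); the zone contents below are constructed for this demonstration.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
ZONE_NAMES = ["example.", "a.example.", "ns1.example.", "xx.example."]


def demo():
    """Deny a missing name and refuse to deny an existing one."""
    chain = build_chain(ZONE_NAMES, SALT, ITERATIONS)
    absent = proves_nonexistence("b.example.", "example.", chain, SALT, ITERATIONS)
    present = proves_nonexistence("a.example.", "example.", chain, SALT, ITERATIONS)
    return absent[0], present[0]


if __name__ == "__main__":
    # RFC 5155 Appendix A lists the apex hash as 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(nsec3_hash("example.", SALT, ITERATIONS))
    print(demo())  # (True, False)
```

The chain is a partition of the hash space, so any hash that is not itself an owner is covered by exactly one record; that is what lets the server answer every unknown name from a fixed, pre-signed set instead of signing per query, while the salt and iterations raise the cost of enumerating the zone by dictionary attack on the hashes.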

DNSSEC

Posted Feb 2, 2010 20:12 UTC (Tue) by Thue (subscriber, #14277) [Link]

RFC 5155 defining NSEC3 was published in March 2008. If DNSSEC was high priority, and NSEC3 was not that big of a change over base DNSSEC, then I don't see why it should take more than 6 months to implement at the root level. As I argued previously, once a basic software implementation is in place then it is just a question of load balancing. Other organizations have deployed DNSSEC, so software support exists.

Yes, it is important to take the time to get it right at the root DNS. But this is a snail's pace. I can't reasonably see that the supposed problems fit the time it is taking, if enough resources were allocated to this important project.

It is possible that we are just dealing with a large slow bureaucracy. But I still don't have to like it :). And it should be blindingly obvious that having Verisign near the center of the effort to implement DNSSEC is a potential conflict of interest. For example, Wikipedia says that Verisign ran the NSEC3 DNSSEC Pilot (http://en.wikipedia.org/wiki/NSEC3#Response_and_NSEC3).

What to do

Posted Feb 3, 2010 3:57 UTC (Wed) by pabs (subscriber, #43278) [Link]

I heard a rumour that the monkeysphere folks were extending their SSH/GPG web-of-trust work to HTTPS, which could be another alternative.

What to do

Posted Feb 2, 2010 18:08 UTC (Tue) by lkundrak (subscriber, #43452) [Link]

Unless I'm mistaken, switching to another browser would not always be a proper solution. At least Fedora packages the Mozilla certificate bundle in a separate package (ca-certificates) and it is depended on by nss, openssl, java and probably other SSL implementations. Therefore I presume it would be easiest to rebuild that package to be on the "safe" side.

What to do

Posted Feb 9, 2010 3:49 UTC (Tue) by sitaram (subscriber, #5959) [Link]

However, when I try to delete them, they always come back when the browser restarts...

I guess I have to dig deeper; regardless of whether this particular one is trustworthy or not, there's got to be a way for one to pare down the list on one's own machine!

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 18:12 UTC (Tue) by lkundrak (subscriber, #43452) [Link]

I find Gervase Markham's response to the Bugzilla ticket valuable:
If the hijacking is done "on a nationwide scale", then someone should be able to produce some actual evidence of it. Download the bad cert, email us a copy, and we will act.

How would you like it if I locked you up or fined you because I thought you were a criminal and didn't want to "wait until the foreseeable crime happens"? CNNIC is innocent until proven guilty - an important cornerstone of justice. If their abuses are as widespread as you say, then producing evidence to prove them guilty should not be difficult.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 19:08 UTC (Tue) by josh (subscriber, #17465) [Link]

As pointed out more than once in Bugzilla and other discussions, "innocent until proven guilty" represents an excellent policy for criminal charges, but a terrible one for security and trust policies. For those, I'd advocate "guilty unless they give no possible reason for mistrust".

That doesn't mean that every bit of hearsay should by itself represent enough reason to deny trust, but when this much unrefuted evidence exists it seems prudent to deny trust until receiving proof of trustworthiness.

One notable link posted in the bug: http://en.wikipedia.org/wiki/China_Internet_Network_Infor...

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 19:34 UTC (Tue) by tzafrir (subscriber, #11501) [Link]

Sorry, but I find no hard evidence in that entry. In fact this entry omits any evidence of any other malware detection software from around the world declaring that software as malware.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 23:16 UTC (Tue) by redguardtoo (guest, #39215) [Link]

You found no evidence because you did NOT try.

See,
http://blogsearch.google.com/blogsearch?hl=en&ie=UTF-...

Or,
http://www.google.com.au/search?q=cnnic+%E6%88%91&ie=...

You can ask your Chinese friend to help you if you don't know Chinese.

There is hard evidence that most Chinese IT guys don't trust CNNIC at all. Yes, I'm one of those Chinese guys because I know the notorious history of CNNIC too well.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 23:28 UTC (Tue) by redguardtoo (guest, #39215) [Link]

I just googled CNNIC and 我 (which means 'I').
The result is the hard evidence of how average Chinese "trust" CNNIC.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 7:29 UTC (Wed) by farter (guest, #62197) [Link]

You really don't need to understand Chinese to know about CNNIC.

Just google "CNNIC malware". For instance, this page on MS: http://www.microsoft.com/security/portal/Threat/Encyclope....

Maybe I'm xenophobic, but IMHO, any institution having an entry bearing its name in nearly all major malware databases simply is not trustworthy, period.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 15:56 UTC (Wed) by tzafrir (subscriber, #11501) [Link]

josh above pointed to a certain section of a Wikipedia article as evidence of some fact. I merely pointed out that the specific section provides no evidence.

You claim that there is evidence elsewhere? Fine. BTW: you can still fix that Wikipedia article. I generally have some more trust in Wikipedia articles that are popular enough because they have been reviewed by enough eyeballs, and it is usually easy to tell when the content of the article is controversial (which means I should then further review the talk page and relevant links).

What I saw in the bug report was a bunch of people shouting. Beyond shouting, they provided relatively little supporting evidence.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 13:53 UTC (Wed) by gerv (subscriber, #3376) [Link]

"Innocent until proven guilty" is not, of course, a summary of our CA inclusion policy. The inclusion policy is here:
http://www.mozilla.org/projects/security/certs/policy/

Given that CNNIC met all the requirements, just as all other CAs included under the policy did, we think that the burden of proof of wrongdoing should be on those who are alleging it.

The link you gave to Wikipedia shows that CNNIC produced some software, other people called it malware, CNNIC sued them and CNNIC won.

We also have official government CAs in our root store from Japan, Taiwan and the Netherlands. Where does this end? Given China's historical difficult relationships with Taiwan and Japan, are the "army of Chinese internet users" next going to say that they don't trust the Taiwanese and Japanese governments either, and we should remove their roots too?

Gerv

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 10:21 UTC (Wed) by PO8 (guest, #41661) [Link]

"...innocent until proven guilty - an important cornerstone of justice."

Uh, no. "Innocent until proven guilty" is a founding principle of the American criminal justice system, which is not the same thing at all. Indeed, American courts use "a preponderance of the evidence" in civil cases. Why this difference? Because hypothetically the government wields enormous power over the judicial system that it may abuse without strong safeguards. In lawsuits between private parties, it is assumed that the parties have equal access to the judicial system. This is often a poor assumption, but there you are.

The relevance here is that the case of CNNIC is much more like a civil case than a criminal one, and really not like a court case at all. The Mozilla Foundation, a private party, has to try to evaluate the trustworthiness of CNNIC, a quasi-governmental agency, in order to decide about access to the public software that they control. IMHO, an "innocent until proven guilty" rule would be not just wrong but dangerous in this situation. The burden of proof should be on CNNIC, who should provide evidence that they are operating their CA in a safe, responsible and aboveboard manner. In other words, CNNIC (and everyone else) should be denied access to Mozilla's CA cache if there is "any substantial possibility" that they will abuse this access. This is a strong standard, but it would make me feel safer.

civil vs criminal

Posted Feb 3, 2010 12:58 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

[Off topic] The difference is because of the outcomes, not who wields power.

If I say that Barry took my pig...

In the criminal justice system the outcomes are either Barry is a thief, and may lose his liberty and most likely his current job and future job prospects. Or, he is not a thief and may go free. These outcomes are not balanced, if I set one thief in ten free, there are a few thieves roaming free, hardly noticeable. But if I send one innocent man in ten to jail, I end up with a jail full of innocent men, a gross injustice.

Whereas in the civil justice system, either Barry gets to keep the pig, or I do. These outcomes are balanced, either way somebody has a pig and someone doesn't. If a mistake is made, an honest man loses his pig no matter who it is.

If CNNIC make bogus certs, there should be evidence of it, let those who accuse them collect that evidence. If you prefer, in the meanwhile, to exercise the precaution of not trusting dubious entities as CAs, then I recommend disabling _every single one_ of the root CAs included with your OS or browser, since in my opinion none of them could be considered trustworthy in the relevant sense.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 19:04 UTC (Tue) by zaitcev (guest, #761) [Link]

Bet Chromium isn't going to ship the new cert after the Google-China flap.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 13:43 UTC (Wed) by gerv (subscriber, #3376) [Link]

Chromium uses the Microsoft root store on Windows, the Apple root store on Mac, and the system copy of NSS (Mozilla's crypto library) on Linux (I think). Therefore, given that the CNNIC root is in the Microsoft root store, Chrome trusts it, at least on Windows. I don't know if it's in the Apple root store.

Gerv

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 20:23 UTC (Tue) by xxiao (subscriber, #9631) [Link]

Probably the USA is also spying on people, do you believe that?
I just do not understand why anything related to China is negative, this big country does not attack others, does not send troops all over the globe, its people work hard at the end of the food chain daily.
Besides, the democracy exported from the USA only makes other countries worse, plenty of examples, one of them is Haiti.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 22:37 UTC (Tue) by dkg (subscriber, #55359) [Link]

I agree that this article's focus solely on China is probably a form of short-sighted xenophobia, and that there are many other dubious entities we should also be skeptical about.

But that doesn't mean we shouldn't be skeptical of CNNIC's inclusion. It means we should also be skeptical of the existing CAs that we're all implicitly "trusting" thanks to the vendors/distributors of our browsers (and other tools).

Debian's ca-certificates includes the Brazilian government's CA, for example. And the majority of the CAs included by default in Mozilla are subject to US Government jurisdiction and pressure. We should be securing our communications based on interpersonal networks of trust, not relying on these monolithic, unaccountable CAs.

Unfortunately, the single-issuer nature of X.509 certificates creates a structural bias toward centralization of authority, which is neither socially beneficial nor secure for the end user.

What we need is more work on projects like monkeysphere (i'm one of the developers), which looks to supplant existing PKIs (including X.509) with the distributed, de-centralized Web of Trust offered by OpenPGP.

The more communications security is in the hands of the end users, with tools that are intelligible to end users, the more we can reject these abusive (or at least easily abused) centralized authorities.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 23:18 UTC (Tue) by redguardtoo (guest, #39215) [Link]

That I don't trust the CCP (CNNIC is controlled by the CCP) does not mean I am xenophobic.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 2, 2010 23:54 UTC (Tue) by dkg (subscriber, #55359) [Link]

I didn't say being suspicious of the CCP meant that you were xenophobic. I said that the article's sole focus on China was probably a form of xenophobia because it ignores the other threats. My point is that there are bigger questions at stake than just the Chinese gov't's surveillance regime.

Focus on the bigger, systemic problem of crappy networked PKI, not on just one of the (likely) abusers.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 6:19 UTC (Wed) by redguardtoo (guest, #39215) [Link]

I get your point.

There must be something wrong in the basic work flow of the authority (or some committee?) who granted the CNNIC root CA.

From my point of view, it is so easy to validate CNNIC's credit. You just grab anyone who can read Chinese from the street. Let him/her google CNNIC to know how average Chinese people think about CNNIC. It won't take more than 5 minutes!

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 9:09 UTC (Wed) by paulj (subscriber, #341) [Link]

Could you state your point more explicitly? I'm not quite sure what answer you're assuming to your rhetorical question.

E.g. I would think most Chinese people would have either:

a) No opinion, just as 99.99% of people in the West would have no opinion of IANA, or Verisign, etc.

b) Approve, on learning it was a Chinese state entity to manage important stuff related to the internet.

The one thing I know about China is that the people there are very patriotic and extremely proud of their achievements and progress, regardless of CCP. Just as people in the West are proud of whatever valued aspects of their country, even if they don't approve of their leadership (e.g. the status of the military in the USA relative to its presidents is a widely understood example).

I wonder though if perhaps you are Chinese (and if so, are you mainland or elsewhere?).

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 11:18 UTC (Wed) by redguardtoo (guest, #39215) [Link]

I *have* said I am Chinese. Yes, I am from mainland China.

My point is if the CNNIC root CA could be easily accepted, maybe the general approval procedure has some flaw. I am expecting some security experts to explain the details of such a procedure to me.

Your analogy of most people in the West not knowing IANA or Verisign is inappropriate because you don't get the fact that CNNIC is hated by many Chinese, at least most IT guys, for some good reasons.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 12:42 UTC (Wed) by paulj (subscriber, #341) [Link]

Ok, but can you expand on why?

I know some Chinese people quite well, but I don't know any who'd have any clue who CNNIC were, never mind why they might be unpopular with Chinese IT people. :) Western IT people don't quite know why either. (i.e. I think you missed the point of the analogy somewhat, but never mind..).

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 12:41 UTC (Wed) by TRS-80 (subscriber, #1804) [Link]

I'd also like to see RFC 5054 (TLS/SRP) supported widely. You could then encrypt your IMAP connection without having to get a PKIX cert.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 1:51 UTC (Wed) by eparis123 (guest, #59739) [Link]

I just do not understand why anything related to China is negative, this big country does not attack others, does not send troops all over the globe, its people work hard at the end of the food chain daily.

Shhhhht; China is the new evil. Those several hundred thousand innocent people who died in a completely unreasoned war? Who get the damn care about them? The 'leader of the Free World' is always exporting democracy, especially to - you know - the Middle East. All Hail Democracy!

Damn hypocrisy ..

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 4, 2010 16:07 UTC (Thu) by stevan (subscriber, #4342) [Link]

I just do not understand why anything related to china is negative

Yes, it is becoming rather tedious. In my own country, an unelected person is responsible for business affairs, and the government monitors all car movements by default. That unelected official is planning scanning of all Internet traffic too.* But that seems OK to those who regurgitate the standard line of China being the enemy du jour.

* - Yes, it's the UK.

last I looked either GM or GE had a root cert in browsers

Posted Feb 2, 2010 20:42 UTC (Tue) by dlang (✭ supporter ✭, #313) [Link]

Take a look at all the root certs that the browsers accept by default. It's a lot more than you think it is.

Specify which TLDs the root CAs are responsible for!

Posted Feb 3, 2010 11:23 UTC (Wed) by cortana (subscriber, #24596) [Link]

Why don't browsers maintain, for each CA, a list of TLDs that they are allowed to certify?

I doubt many will care if CNNIC is happy to issue bogus certificates in the .cn domain. But I don't see why they, or any of the other mysterious entities that we all trust without thinking about it, should be allowed to sign certificates for .com, .co.uk, .fr, .mil, and other domains.

Specify which TLDs the root CAs are responsible for!

Posted Feb 3, 2010 12:52 UTC (Wed) by paulj (subscriber, #341) [Link]

X.509 has this ability already. Subordinate CAs can be recognised by root CAs, and the subordinate CAs can then sign certificates named below their name.

It's basically little used. My vague impression is that existing root CAs charge *lots* of money to sign subordinate CA certs, and also other orgs want the prestige of being a root CA.

Basically, while technical people love logical, hierarchical systems for naming/responsibility delegation, politics, social dynamics and normal people seem to abhor it. So these technical hierarchicalisation abilities tend to go to waste.

SSL, DNS, etc.. They've all tended from hierarchicalisation at inception towards flat, unmanageable messes as deployment increases. (Counter-examples would be really interesting, e.g. postal addresses have gotten flatter too thanks to post codes).

Specify which TLDs the root CAs are responsible for!

Posted Feb 3, 2010 13:48 UTC (Wed) by gerv (subscriber, #3376) [Link]

It's a good idea. There is such a thing built into the standard, called "name constraints". However, NSS doesn't support them quite right yet.

https://bugzilla.mozilla.org/show_bug.cgi?id=394919

That bug appears to have stalled. In general, NSS is under-resourced, so if someone wanted to step in and help, that would be great.

Gerv
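The name constraints extension that the two comments above refer to (RFC 5280 section 4.2.1.10) restricts which names a CA certificate, and everything beneath it, may certify. The matching rule for dNSName entries is the part that matters for cortana's proposal: a constraint of "cn" is satisfied by any name that equals it or extends it by whole labels to the left, so "www.example.cn" is in scope while "example.xcn" is not. The following is an added illustration of that rule as a verifier would apply it along a chain; it is not NSS code and not from the thread, and the CA chains it evaluates are constructed, hypothetical ones.

```python
def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def dns_name_in_subtree(name, constraint):
    """RFC 5280 4.2.1.10 dNSName rule: the name satisfies the constraint when it
    equals the constraint or extends it by whole labels on the left. Comparing
    label lists (not string suffixes) is what stops 'example.xcn' from
    satisfying a constraint of 'cn'."""
    n, c = _labels(name), _labels(constraint)
    return len(n) >= len(c) and n[-len(c):] == c


def permitted_by_ca(name, permitted=None, excluded=()):
    """Apply one CA certificate's constraints. permitted=None models a
    certificate with no permittedSubtrees (any dNSName allowed); a match in
    excludedSubtrees always loses, whatever permittedSubtrees says."""
    if any(dns_name_in_subtree(name, c) for c in excluded):
        return False
    if permitted is None:
        return True
    return any(dns_name_in_subtree(name, c) for c in permitted)


def chain_permits(leaf_name, ca_chain):
    """ca_chain: constraint dicts for each CA from the root down to the leaf's
    issuer. Constraints only ever narrow, so every CA on the path must agree."""
    return all(permitted_by_ca(leaf_name, ca.get("permitted"), ca.get("excluded", ()))
               for ca in ca_chain)


# Constructed, hypothetical chains for the demonstration.
COUNTRY_ROOT = [{"permitted": ["cn"]}]                                   # may only certify under .cn
UK_ROOT_WITH_CARVEOUT = [{"permitted": ["co.uk"], "excluded": ["example.co.uk"]}]
UNCONSTRAINED_ROOT_CONSTRAINED_SUB = [{}, {"permitted": ["example.cn"]}]  # sub-CA narrows an open root


def demo():
    """Evaluate a few leaf names against each constructed chain."""
    return {
        "country root, in-scope name": chain_permits("www.example.cn", COUNTRY_ROOT),
        "country root, .com name": chain_permits("www.example.com", COUNTRY_ROOT),
        "country root, suffix look-alike": chain_permits("example.xcn", COUNTRY_ROOT),
        "carve-out honoured": chain_permits("login.example.co.uk", UK_ROOT_WITH_CARVEOUT),
        "carve-out, other name": chain_permits("shop.other.co.uk", UK_ROOT_WITH_CARVEOUT),
        "sub-CA narrows open root": chain_permits("mail.example.org", UNCONSTRAINED_ROOT_CONSTRAINED_SUB),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'permitted' if allowed else 'rejected'}")
```

The point of modelling the chain as a list is that a constraint placed on a root, or on a subordinate under an open root, binds every certificate below it; a relying party gets the benefit only if its verifier actually evaluates the extension, which is exactly the gap gerv notes for NSS in the bug linked above.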

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 3, 2010 22:46 UTC (Wed) by HenrikH (guest, #31152) [Link]

One way to prevent this man-in-the-middle attack would be to make Firefox remember the hash of the public cert of the site. And on the next visit it could then present a warning if the public key had changed since the last visit (and the cert's expiry date hasn't happened yet + check revocation list).

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 7, 2010 0:37 UTC (Sun) by jroysdon (guest, #63273) [Link]

Except certs expire, which is normal, and new certs replace them. You'd have to address that. MitM attacks would at least be possible when certs are close to expiring.

China Internet Network Information Center accepted as a Mozilla root CA

Posted Feb 7, 2010 4:38 UTC (Sun) by jordanb (guest, #45668) [Link]

They shouldn't expire. They should be revokable, but they should never expire.
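The scheme HenrikH proposes, with the expiry problem jroysdon raises, can be written down as a small trust-on-first-use store. The following is an added illustration, not Firefox code and not from the thread: public keys are opaque byte strings standing in for the DER-encoded key a real client would hash, the certificate expiry is passed in as a value, and the revocation list is a constructed set of key fingerprints (a real check would use the certificate serial against a CRL or OCSP). The interesting outcome is the fourth one: a key change arriving after the pinned certificate has lapsed cannot be told apart from a legitimate renewal, which is the blind spot the thread identifies.

```python
import hashlib
from datetime import datetime, timedelta


class PinStore:
    """Trust-on-first-use key store: remembers, per host, the fingerprint of the
    public key last seen and the expiry of the certificate that carried it."""

    def __init__(self):
        self.pins = {}  # host -> (key fingerprint, not_after)

    @staticmethod
    def fingerprint(public_key):
        # public_key: opaque bytes standing in for the DER SubjectPublicKeyInfo.
        return hashlib.sha256(public_key).hexdigest()

    def check(self, host, public_key, not_after, now, revoked_keys=frozenset()):
        """Classify one connection. Returns one of:
        'revoked'   - presented key is on the (constructed) revocation list
        'first-use' - nothing pinned yet: record the key, trusted blindly this once
        'match'     - same key as before
        'rotated'   - key changed after the pinned cert expired: accepted, re-pinned
        'MISMATCH'  - key changed while the pinned cert was still valid: warn"""
        fp = self.fingerprint(public_key)
        if fp in revoked_keys:
            return "revoked"
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = (fp, not_after)
            return "first-use"
        old_fp, old_expiry = pinned
        if fp == old_fp:
            # A renewed certificate may reuse the key; extend the pin's lifetime.
            self.pins[host] = (fp, max(old_expiry, not_after))
            return "match"
        if now >= old_expiry:
            # Blind spot: once the old cert has lapsed, a legitimate renewal and an
            # interposed key look identical to this check, so the new key is pinned.
            self.pins[host] = (fp, not_after)
            return "rotated"
        # Key changed mid-validity: keep the old pin and surface a warning.
        return "MISMATCH"


def demo():
    """Walk one host through first use, a match, a mid-validity key change
    (flagged), the same change after expiry (accepted), and a revoked key."""
    store = PinStore()
    t0 = datetime(2010, 2, 1)   # constructed timeline
    year = timedelta(days=365)
    host = "mail.example.net"
    return [
        store.check(host, b"key-A", t0 + year, t0),
        store.check(host, b"key-A", t0 + year, t0 + timedelta(days=1)),
        store.check(host, b"key-B", t0 + 2 * year, t0 + timedelta(days=30)),
        store.check(host, b"key-B", t0 + 2 * year, t0 + year),
        store.check(host, b"key-B", t0 + 2 * year, t0 + year + timedelta(days=1),
                    revoked_keys={PinStore.fingerprint(b"key-B")}),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the store compares public keys rather than whole certificates, a renewal that keeps the same key (common in practice) produces no warning at all; only an actual key change, inside the old certificate's validity, is treated as suspicious.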

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds