Adding a new Certificate Authority (CA) to a browser's list of accepted CAs
is typically a quiet affair; the browser team vets the CA based on their
criteria and adds those who pass the test. For Mozilla, the criteria and
vetting process are not private, but the process generally happens behind
the scenes. Users find out that new CAs have been added by looking at the
CA store after a browser upgrade, though it is likely a very rare user that
actually looks. When Mozilla followed its policies and added the China
Information Center (CNNIC) CA, things took a very different path—a
firestorm of protest resulted.
CAs are the issuing authority for Secure Sockets Layer (SSL) certificates
that are used to authenticate encrypted HTTP (i.e. HTTPS) sessions. A CA
that has been accepted into a browser's "root store" can then sign SSL
certificates for domains and those certificates will be accepted as valid
by the browser. Much like self-signed certificates, SSL certificates that
are signed by a CA that is not in the root store will cause the browser to
emit scary security warnings.
As seen in the Mozilla bugzilla
entry, Liu Yan of CNNIC requested addition to the root store in
February 2009. Public discussion was opened
on October 13. There were some technical concerns discussed, which CNNIC
fixed, and the discussion closed on October 22. A bug was filed to
actually get CNNIC's root certificate added to the root store (which is in
the separate Network Security Services component). That bug was closed
in mid-December once CNNIC verified that the proper certificate was added.
That is presumably how most new CAs get added, a somewhat bureaucratic
is followed, the certificate gets added, and everyone goes on
their merry way. For CNNIC, though, things went a little differently.
With at least some folks in the Chinese IT world, CNNIC has a terrible
reputation. Starting on January 27, they were not shy about giving their
opinion of CNNIC—and Mozilla's decision to include it—on the
original bug report and a thread
in the mozilla.dev.security.policy group.
The main complaints seem to stem from the accusation that CNNIC has been
involved in distributing malware/spyware that is used by the Chinese
government to monitor its citizens. It is also alleged to be involved with
China's "Great Firewall" that censors specific web sites when accessed from
China. In addition, Liu asserted that CNNIC is "not a Chinese
Government organization" as part of the application process, but
various commenters dispute that.
There are some 60 comments on the bug, along with more than 100 messages in
the thread, many of them very passionate and/or heated requests to remove
CNNIC. It is perfectly understandable that Chinese people are concerned
about the possibility of government action against them because of what
they might say on the internet. But, it is not clear that adding CNNIC as
a CA has any bearing on that. Certainly CNNIC (or any CA) could
abuse their position and issue SSL certificates for domains that it
shouldn't, but, if they do, that act will provide clear evidence of
In order for an SSL certificate to be accepted, it must be
sent to the browser. Anyone visiting gmail.com, for example, and
getting a certificate signed by anyone other than Thawte (the CA that
signed Gmail's certificate), has proof of malfeasance. If CNNIC is abusing
its position, it should be relatively easy to prove. As Mozilla's
Johnathan Nightingale puts it:
What I have asked for
here, and am asking for again, is specific, concrete evidence that this CA has
acted in a way that contravenes our root policy. An illegitimate certificate
would be the single, best example of such evidence.
To many of the commenters, though, there is abundant proof of CNNIC's
involvement with malware and its
"lies" about its governmental status should be enough, in their eyes, to
remove CNNIC as a CA in Mozilla browsers. But, being affiliated with a
government is not a reason that Mozilla would reject a CA (there are
several others already in the root store for Japan, Taiwan, and others).
It also isn't clear that distributing malware, separate from its CA
activities, would be enough to remove a CA from the root store.
Other CAs have misbehaved along the way. Verisign's poorly-named Site Finder scheme redirected DNS
queries in violation of the RFC, and in ways that were roundly criticized.
But that action was separate from its CA business and there were no calls
to remove it from any browser's root store. While Site Finder is a
relatively minor transgression compared to the accusations leveled against
it is difficult to punish organizations in a particular realm except based
on its behavior within that realm. Thus the calls for evidence of CA abuse.
It is quite possible that an outcry back in October, as part of the public
comment period, might have slowed or stopped the inclusion of CNNIC. But,
that didn't happen, CNNIC complied with the policy, and was added. So, the
question now is "whether
we should review" that decision, Nightingale said.
In order to do that, some evidence needs to be presented, he suggested:
It feels to me like that makes our next step clear, here. It won't help to
tally up the complainants (there will be many), and it won't help to demand
assurances from CNNIC (since the alleged governmental pressure would trump
those anyhow). It certainly won't help to cite wikipedia.
If there's truth to the allegation, here, then it should be possible to produce
a cert. It should be possible to produce a certificate, signed by CNNIC, which
impersonates a site known to have some other issuer. A live MitM attack, a
paypal cert issued by CNNIC for example.
Mozilla's Kathleen Wilson announced
the creation of a draft policy for
changing a root certificate that has been added to the root store. This
would provide a means for handling just this kind of dispute. Eddy Nigg of
Startcom, who is part of the team that reviews root inclusion requests, has
Wilson to start a review of CNNIC.
In the meantime, though, there are several technical measures that users
can take to protect themselves. To start with, in "Edit -> Preferences ->
Advanced -> Encryption" in Firefox, one can remove particular CAs from
the root store. There are also two different Firefox addons that could
Patrol permanently stores each SSL certificate that the browser
encounters, and alerts the user when one changes. Perspectives
instead uses "network notaries" that store certificates for particular
hosts and can help users decide whether a self-signed or other certificate
It is instructive to take a look at the long list of CAs that are installed
with Firefox. Many are for high-profile companies, but there are quite a
few for seemingly obscure organizations. There are certainly enough
different CAs that a government—or criminal organization—that wished to apply some
pressure could get its hands on a forged SSL certificate. In truth, the
need be applied to an employee who has access to the signing key. That risk
exists whether or not CNNIC, or any other particular CA, is on the list.
It is certainly unfortunate that the accusations against CNNIC only
surfaced after the inclusion process had already been completed. Depending
on what evidence is compiled, Mozilla is likely to have a difficult
decision to make. But the controversy, along with other recent security concerns that may
involve the Chinese government, is likely to further raise the profile of
internet censorship. It is something that many governments like to condemn
on one hand and implement with the other—the only defense against it
is keeping it in the public eye.
to post comments)