By Jake Edge
February 3, 2010
Adding a new Certificate Authority (CA) to a browser's list of accepted CAs
is typically a quiet affair; the browser team vets the CA based on their
criteria and adds those who pass the test. For Mozilla, the criteria and
vetting process are not private, but the process generally happens behind
the scenes. Users find out that new CAs have been added by looking at the
CA store after a browser upgrade, though it is likely a very rare user that
actually looks. When Mozilla followed its policies and added the China
Internet Network
Information Center (CNNIC) CA, things took a very different path—a
firestorm of protest resulted.
CAs are the issuing authority for Secure Sockets Layer (SSL) certificates
that are used to authenticate encrypted HTTP (i.e. HTTPS) sessions. A CA
that has been accepted into a browser's "root store" can then sign SSL
certificates for domains and those certificates will be accepted as valid
by the browser. Much like self-signed certificates, SSL certificates that
are signed by a CA that is not in the root store will cause the browser to
emit scary security warnings.
As seen in the Mozilla bugzilla
entry, Liu Yan of CNNIC requested addition to the root store in
February 2009. Public discussion was opened
on October 13. There were some technical concerns discussed, which CNNIC
fixed, and the discussion closed on October 22. A bug was filed to
actually get CNNIC's root certificate added to the root store (which is in
the separate Network Security Services component). That bug was closed
in mid-December once CNNIC verified that the proper certificate was added.
That is presumably how most new CAs get added: a somewhat bureaucratic
process is followed, the certificate gets added, and everyone goes on
their merry way. For CNNIC, though, things went a little differently.
With at least some folks in the Chinese IT world, CNNIC has a terrible
reputation. Starting on January 27, they were not shy about giving their
opinion of CNNIC—and Mozilla's decision to include it—on the
original bug report and a thread
in the mozilla.dev.security.policy group.
The main complaints seem to stem from the accusation that CNNIC has been
involved in distributing malware/spyware that is used by the Chinese
government to monitor its citizens. It is also alleged to be involved with
China's "Great Firewall" that censors specific web sites when accessed from
China. In addition, Liu asserted that CNNIC is "not a Chinese
Government organization" as part of the application process, but
various commenters dispute that.
There are some 60 comments on the bug, along with more than 100 messages in
the thread, many of them very passionate and/or heated requests to remove
CNNIC. It is perfectly understandable that Chinese people are concerned
about the possibility of government action against them because of what
they might say on the internet. But, it is not clear that adding CNNIC as
a CA has any bearing on that. Certainly CNNIC (or any CA) could
abuse their position and issue SSL certificates for domains that it
shouldn't, but, if they do, that act will provide clear evidence of
wrongdoing.
In order for an SSL certificate to be accepted, it must be
sent to the browser. Anyone visiting gmail.com, for example, who is
presented with a certificate signed by anyone other than Thawte (the CA
that signed Gmail's certificate) has proof of malfeasance. If CNNIC is
abusing its position, it should be relatively easy to prove. As Mozilla's
Johnathan Nightingale puts it:
What I have asked for
here, and am asking for again, is specific, concrete evidence that this CA has
acted in a way that contravenes our root policy. An illegitimate certificate
would be the single, best example of such evidence.
To many of the commenters, though, the proof of CNNIC's involvement with
malware is abundant, and that, together with its "lies" about its
governmental status, should be enough to remove CNNIC as a CA in Mozilla
browsers. But, being affiliated with a government is not a reason that
Mozilla would reject a CA (the root store already contains several
government-affiliated CAs, including ones from Japan and Taiwan). It also
isn't clear that distributing malware, separate from its CA activities,
would be enough to remove a CA from the root store.
Other CAs have misbehaved along the way. Verisign's poorly-named Site Finder scheme redirected DNS
queries in violation of the RFC, and in ways that were roundly criticized.
But that action was separate from its CA business and there were no calls
to remove it from any browser's root store. While Site Finder is a
relatively minor transgression compared to the accusations leveled against
CNNIC, it is difficult to punish organizations in a particular realm except
based on their behavior within that realm. Thus the calls for evidence of
CA abuse.
It is quite possible that an outcry back in October, as part of the public
comment period, might have slowed or stopped the inclusion of CNNIC. But,
that didn't happen, CNNIC complied with the policy, and was added. So, the
question now is "whether
we should review" that decision, Nightingale said.
In order to do that, some evidence needs to be presented, he suggested:
It feels to me like that makes our next step clear, here. It won't help to
tally up the complainants (there will be many), and it won't help to demand
assurances from CNNIC (since the alleged governmental pressure would trump
those anyhow). It certainly won't help to cite wikipedia.
If there's truth to the allegation, here, then it should be possible to produce
a cert. It should be possible to produce a certificate, signed by CNNIC, which
impersonates a site known to have some other issuer. A live MitM attack, a
paypal cert issued by CNNIC for example.
Mozilla's Kathleen Wilson announced
the creation of a draft policy for
changing a root certificate that has been added to the root store. This
would provide a means for handling just this kind of dispute. Eddy Nigg of
Startcom, who is part of the team that reviews root inclusion requests, has
specifically asked
Wilson to start a review of CNNIC.
In the meantime, though, there are several technical measures that users
can take to protect themselves. To start with, in "Edit -> Preferences ->
Advanced -> Encryption" in Firefox, one can remove particular CAs from
the root store. There are also two different Firefox addons that could
help. Certificate
Patrol permanently stores each SSL certificate that the browser
encounters, and alerts the user when one changes. Perspectives
instead uses "network notaries" that store certificates for particular
hosts and can help users decide whether a self-signed or other certificate
is valid.
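As an added illustration, not part of the article or of either add-on, the following Python sketch shows the kind of check these tools perform: a Certificate Patrol style store that remembers the issuer and fingerprint last seen for a host and flags a change of issuer (the "gmail.com signed by someone other than Thawte" case above), plus a Perspectives-style count of how many notaries agree on a fingerprint. The host name and the Thawte issuer come from the article; the fingerprints, the other CA name, the dates and the 30-day renewal window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class SeenCert:
    """What a Certificate Patrol style store remembers per host."""
    issuer: str       # CA that signed the leaf certificate
    fingerprint: str  # SHA-256 of the DER certificate, hex encoded
    not_after: date   # expiry of the leaf certificate

def check_certificate(store, host, cert, today):
    """Classify the certificate `host` presented relative to the stored one:
    FIRST_SEEN (trust on first use), UNCHANGED, LIKELY_RENEWAL (same issuer,
    old cert within 30 days of expiry), UNEXPECTED (same issuer, old cert not
    near expiry) or ISSUER_CHANGED (a different CA vouching for the host: the
    gmail.com-not-signed-by-Thawte case in the article; never stored)."""
    previous = store.get(host)
    if previous is None:
        store[host] = cert
        return "FIRST_SEEN"
    if previous.fingerprint == cert.fingerprint:
        return "UNCHANGED"
    if previous.issuer != cert.issuer:
        return "ISSUER_CHANGED"
    if previous.not_after - today <= timedelta(days=30):
        store[host] = cert
        return "LIKELY_RENEWAL"
    return "UNEXPECTED"

def notary_agreement(reports, fingerprint):
    """Perspectives-style check: fraction of notaries that saw `fingerprint`."""
    if not reports:
        return 0.0
    return sum(fp == fingerprint for fp in reports.values()) / len(reports)

def demo():
    """Run a constructed gmail.com history through the store; return the verdicts."""
    store, today = {}, date(2010, 2, 3)
    # Constructed records: placeholder fingerprints, not real certificates.
    thawte = SeenCert("Thawte", "aa" * 32, date(2011, 1, 1))
    rogue = SeenCert("Some Other CA", "bb" * 32, date(2011, 1, 1))
    renewed = SeenCert("Thawte", "cc" * 32, date(2012, 1, 1))
    return [check_certificate(store, "gmail.com", thawte, today),   # FIRST_SEEN
            check_certificate(store, "gmail.com", thawte, today),   # UNCHANGED
            check_certificate(store, "gmail.com", rogue, today),    # ISSUER_CHANGED
            check_certificate(store, "gmail.com", renewed, today),  # UNEXPECTED
            check_certificate(store, "gmail.com", renewed, date(2010, 12, 20))]  # LIKELY_RENEWAL
```

Note that an ISSUER_CHANGED verdict deliberately leaves the stored record untouched, so the original issuer is still on hand as evidence if the new certificate turns out to be illegitimate.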
It is instructive to take a look at the long list of CAs that are installed
with Firefox. Many are for high-profile companies, but there are quite a
few for seemingly obscure organizations. There are certainly enough
different CAs that a government—or criminal organization—that wished to apply some
pressure could get its hands on a forged SSL certificate. In truth, the
pressure only
need be applied to an employee who has access to the signing key. That risk
exists whether or not CNNIC, or any other particular CA, is on the list.
It is certainly unfortunate that the accusations against CNNIC only
surfaced after the inclusion process had already been completed. Depending
on what evidence is compiled, Mozilla is likely to have a difficult
decision to make. But the controversy, along with other recent security concerns that may
involve the Chinese government, is likely to further raise the profile of
internet censorship. It is something that many governments like to condemn
on one hand and implement with the other—the only defense against it
is keeping it in the public eye.