Posted Feb 5, 2010 15:14 UTC (Fri) by __alex (subscriber, #38036)
In reply to: Mozilla and CNNIC by jimparis
Parent article: Mozilla and CNNIC
How is the attack detectable at all given standard user practices?
HTTPS security is multi-layered and not simply provided by cryptographic
functions. Things such as the pad-lock icon and the EV-SSL green address
bar UI are major components of the system and currently there is no part of that
system designed for detecting a MITM attack from a trusted authority.
Browsers have no standard mechanism for alerting users about changes in
certificates over time and there is no way for a user to tell what authority the
website provider intended to sign their content with.
This is not a reason to distrust CNNIC specifically, simply a weakness of SSL in
general.
Posted Feb 5, 2010 15:48 UTC (Fri) by jimparis (subscriber, #38647)
I imagine it will happen like this, if it's indeed true that CNNIC is doing bad things:
- Some user manually removes (or doesn't yet have) the CNNIC certificate
- When visiting a normal site like Gmail, they get a certificate error.
- They look at the certificate, notice it was issued by CNNIC, and complain publicly.
- Mozilla removes the certificate for everyone.
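
Added example, not part of either comment above: a minimal sketch of the check the thread says browsers lack, remembering which authority issued each host's certificate and flagging a change of issuer separately from a routine renewal. The host names, CA names and fingerprints are constructed, and comparing issuers by name is a simplifying assumption.

```python
from collections import namedtuple

# One record per TLS connection: the host, the issuing CA's name, and the
# leaf certificate fingerprint. All values below are constructed samples.
Observation = namedtuple("Observation", "host issuer fingerprint")

OBSERVATIONS = [
    Observation("mail.example.test", "Example Root CA A", "aa11"),
    Observation("mail.example.test", "Example Root CA A", "aa11"),  # unchanged
    Observation("mail.example.test", "Example Root CA A", "bb22"),  # renewal
    Observation("mail.example.test", "Example Root CA B", "cc33"),  # new issuer
    Observation("shop.example.test", "Example Root CA B", "dd44"),
]


def classify(observations):
    """Return (host, event, detail) for every change seen per host, in order."""
    last = {}      # host -> most recent Observation
    events = []
    for obs in observations:
        prev = last.get(obs.host)
        if prev is None:
            events.append((obs.host, "first-seen", obs.issuer))
        elif obs.issuer != prev.issuer:
            # A different authority now vouches for this host. This can be a
            # legitimate CA switch, but it is the case worth showing a user.
            detail = f"{prev.issuer} -> {obs.issuer}"
            events.append((obs.host, "issuer-changed", detail))
        elif obs.fingerprint != prev.fingerprint:
            # Same authority, new certificate: ordinary renewal.
            events.append((obs.host, "cert-renewed", obs.issuer))
        last[obs.host] = obs
    return events


def alerts(observations):
    """Only the events that would warrant a warning to the user."""
    return [e for e in classify(observations) if e[1] == "issuer-changed"]


if __name__ == "__main__":
    for event in classify(OBSERVATIONS):
        print(event)
```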