
Mozilla and CNNIC

Mozilla and CNNIC

Posted Feb 5, 2010 15:14 UTC (Fri) by __alex (subscriber, #38036)
In reply to: Mozilla and CNNIC by jimparis
Parent article: Mozilla and CNNIC

How is the attack detectable at all given standard user practices?

HTTPS security is multi-layered and not simply provided by cryptographic
functions. Things such as the padlock icon and the EV-SSL green address
bar UI are major components of the system, and currently there is no part of that
system designed for detecting a MITM attack from a trusted authority.

Browsers have no standard mechanism for alerting users about changes in
certificates over time and there is no way for a user to tell what authority the
website provider intended to sign their content with.

This is not a reason to distrust CNNIC specifically, simply a weakness of SSL in
general.



Mozilla and CNNIC

Posted Feb 5, 2010 15:48 UTC (Fri) by jimparis (subscriber, #38647)

I imagine it will happen like this, if it's indeed true that CNNIC is doing bad things:
- Some user manually removes (or doesn't yet have) the CNNIC certificate.
- When visiting a normal site like Gmail, they get a certificate error.
- They look at the certificate, notice it was issued by CNNIC, and complain publicly.
- Mozilla removes the certificate for everyone.
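
The two comments above turn on whether a change of issuing authority for a site can be noticed at all. As an added example (not written by either commenter and not any browser's code), this sketch keeps a per-host history of issuer and leaf fingerprint and separates a routine renewal from a change of issuer; the host name, issuer names and certificate bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    host: str
    issuer: str       # issuer name as presented in the leaf certificate
    cert_der: bytes   # raw leaf certificate bytes (constructed stand-ins below)


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


class CertHistory:
    """Remembers, per host, the issuer and leaf fingerprint last accepted."""

    def __init__(self):
        self._seen = {}  # host -> (issuer, fingerprint)

    def check(self, obs: Observation) -> str:
        fp = fingerprint(obs.cert_der)
        prev = self._seen.get(obs.host)
        if prev is None:
            # Trust on first use: nothing to compare against yet.
            self._seen[obs.host] = (obs.issuer, fp)
            return "first-seen"
        prev_issuer, prev_fp = prev
        if fp == prev_fp:
            return "unchanged"
        if obs.issuer == prev_issuer:
            # New leaf from the same authority: treat as a renewal and accept.
            self._seen[obs.host] = (obs.issuer, fp)
            return "renewed"
        # Different authority. This may be a legitimate CA switch, so it is a
        # prompt for review, and the stored record is deliberately not replaced.
        return "issuer-changed"


def run(observations):
    history = CertHistory()
    return [(o.host, history.check(o)) for o in observations]


# Constructed observations, in the order a client might see them.
SAMPLE = [
    Observation("mail.example.test", "CN=Example CA A", b"leaf-1"),
    Observation("mail.example.test", "CN=Example CA A", b"leaf-1"),
    Observation("mail.example.test", "CN=Example CA A", b"leaf-2"),
    Observation("mail.example.test", "CN=Example CA B", b"leaf-3"),
    Observation("mail.example.test", "CN=Example CA A", b"leaf-2"),
]
```

Calling `run(SAMPLE)` flags only the fourth observation as `issuer-changed`; the check says nothing about a host whose very first observation was already substituted.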


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds