
Mozilla Debates Whether To Trust Chinese CA

timothy posted more than 4 years ago | from the but-that-would-never-happen dept.

Mozilla 276

At his Freedom to Tinker blog, Ed Felten has a thoughtful, accessible piece on the debate at Mozilla about whether Firefox, by default, should trust a Chinese certificate authority (as it has since October). Felten explains in clear language why this is significant, and therefore controversial. An excerpt: "To see why this is worrisome, let's suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC's status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens' 'secure' web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site."


Well in that case (4, Insightful)

Monkeedude1212 (1560403) | more than 4 years ago | (#31176906)

Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.

As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.

Re:Well in that case (4, Insightful)

Fantom42 (174630) | more than 4 years ago | (#31177056)

Maybe I shouldn't trust the North American Certificates either, since I don't want my government spying on me either.

As long as the Chinese CA only deals with China, I have no problems with it. Any of the certifying agencies could be puppets for anyone.

I guess this is true, although considering the amount of malware coming out of China, and China's human rights record as compared to North American countries, I think there is reason not to equivocate about this.

Re:Well in that case (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31177238)

I guess this is true, although considering the amount of malware coming out of China, and China's human rights record as compared to North American countries, I think there is reason not to equivocate about this.

Where's your proof? Or are you just parroting hate for the sake of parroting hate?

Re:Well in that case (0, Funny)

Anonymous Coward | more than 4 years ago | (#31177480)

OK, here it is:

World news for the last 30 years. Go ahead, google it. I'll wait while you catch up...

Re:Well in that case (1)

abbynormal brain (1637419) | more than 4 years ago | (#31178124)

Parroting = Hearing *something, and repeating it (to the best of your ability)

*Something = The issues du jour

The issues du jour = we have been hearing a lot (lately) about China. Yes, China can be replaced (and has been) by any other country.

So - "parroting hate"? C'mon - you just added the hate part. He was parroting current events. Point that finger back at yourself and see who is feeling hate.

Re:Well in that case (4, Insightful)

Anonymous Coward | more than 4 years ago | (#31178154)

Where's your proof? Or are you just parroting hate for the sake of parroting hate?

People throw around accusations of "hate" too lightly these days. Please try not to inject hyperbole into a reasonable disagreement.

Re:Well in that case (2, Interesting)

Beardo the Bearded (321478) | more than 4 years ago | (#31178450)

You're right, I forgot how kindly a nation China is. They use slave labour to manufacture our crap (one of my former co-worker's parents were slaves in an iPod factory). They poison our kids with lead, melamine, and cadmium. It is a nation that we should cut off all trade ties with. Nothing good comes from China.

Google should have responded to their attacks with

"Did you mean "Tiananmen Square?"

for every answer and turned off SafeSearch.

Re:Well in that case (-1, Flamebait)

orient (535927) | more than 4 years ago | (#31177970)

Well, I have to admit the Chinese do not have the right to die because they cannot afford medical insurance. That right is reserved to the democratic society of USA.

Re:Well in that case (3, Interesting)

Anonymous Coward | more than 4 years ago | (#31177074)

Unless your nation has a track record of spying on its citizens' web traffic, then you have a much more unfounded claim.

This should be default off, with an option to enable it. I certainly do not want to visit a site that has a trusted certificate whose root authority resides in China.

Re:Well in that case (4, Insightful)

Hatta (162192) | more than 4 years ago | (#31177430)

Unless your nation has a track record of spying on its citizens' web traffic, then you have a much more unfounded claim.

You mean, like when the FBI put splitters [wired.com] into AT&T offices to monitor all the internet traffic going through them?

Remember, any authority that can be abused will be abused. I wouldn't trust any certificate authority to protect me against the government.

Re:Well in that case (-1, Flamebait)

sp3d2orbit (81173) | more than 4 years ago | (#31177706)

I'm fucking sick of people comparing the US government to the Chinese government. Get a fucking clue. The US government has made some mistakes but the Chinese government killed 30 MILLION of its citizens [wikipedia.org], it attacks protesters with tanks [google.com], executes the mentally retarded [guardian.co.uk], and jails those who protest their own children's deaths at the hands of the government corruption [miamiherald.com].

Are you paid by the Chinese government [dw-world.de] to write these posts or just ignorant?

Re:Well in that case (2, Insightful)

Hatta (162192) | more than 4 years ago | (#31177844)

When did I compare the US government to China? You said the US government has made mistakes. "We're not as bad as China" does not excuse those mistakes.

Personally, I care more about the abuses of the US government than those of China because I live here. Those abuses directly affect me. I'm glad we're not China, but without eternal vigilance, someday we could be.

Re:Well in that case (0)

Anonymous Coward | more than 4 years ago | (#31177904)

Exactly. The left always has a boner for Stalin, Mao, Chavez, Castro, etc.

Re:Well in that case (3, Insightful)

sp3d2orbit (81173) | more than 4 years ago | (#31178172)

I've re-read your post and it still seems to me that you are equating FBI wire tapping with Chinese wire tapping.

When did I say those mistakes were excused?

Re:Well in that case (1)

commodore64_love (1445365) | more than 4 years ago | (#31178370)

>>>I've re-read your post and it still seems to me that you are equating FBI wire tapping with Chinese wire tapping.

Yes that is EXACTLY what he did.

You then erected a strawman about 30 million dead, tanks running over people, and other outrageous events. Then you knocked down the strawman you built by saying "we're not as bad as that". That's a logical fallacy you committed. The author had the right to call you on it.

Anyway...

I agree with the author, especially after 6 years of Bush wire-tapping, and recent Obama decisions to track our cellphones like locator beacons ("citizens have no reasonable expectation of privacy on their phones"). You cannot trust ANY government. Not Chinese. Not Australian (filtering). Not French (three strike law). And not American.

Re:Well in that case (1)

Hatta (162192) | more than 4 years ago | (#31178528)

Yes, wiretapping is wiretapping. Wiretapping is not murder. I'm not sure why you brought it up.

Re:Well in that case (1, Informative)

boombaard (1001577) | more than 4 years ago | (#31178282)

And the US government condoned not giving blacks treatment for syphilis even though it was readily available and known to work [wikipedia.org], as well as testing vaccines and seeing how Hepatitis-C infections progressed in mentally retarded children, [wikipedia.org] sterilized them [wikipedia.org], locked up its Japanese citizens in concentration camps during and after WWII, allowed state-sponsored racism at least until 1964, and is currently feeding Illinois state prisoners a diet that is known to cause organ failure [westonaprice.org]
Isn't this a href= thing fun? I can go on all day. I am, however, saddened, that you call this "some mistakes".

Re:Well in that case (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31178700)

I am, however, saddened, that you call this "some mistakes".

One difference is that these were/are recognized as mistakes (now). With the Chinese government, they don't think they're doing anything wrong. Another difference is that you can openly criticize them without risk of imprisonment or being shot--you can freely fight to have the wrongs righted.

I don't think anyone is saying the US (or West) is perfect, but in a more open / transparent society there's a measure of self-correction (eventually).

(Of course we're using our own value system to say that these things are "wrong". The citizens of China may themselves have no problem with what the government is doing.)

Re:Well in that case (2, Informative)

DeadCatX2 (950953) | more than 4 years ago | (#31178342)

Finding examples of how China went off the deep end does not justify some of the terrible things that have been perpetrated in the name of the United States by "government" employees, some of which are comparable to some terrible things that China has done, especially if you consider how we treat people of other countries.

No one country has a monopoly on evil psychos. Yes, we're better than them, but still flawed. However, if playing "out of sight, out of mind" helps you sleep at night, then I'm sure any number of examples I could come up with won't affect your opinion.

Tuskegee Syphilis Study. Cornelius Rhoads. The Pellagra Incident. Operation Paperclip. Program F. MKULTRA. CIA LSD experiments, and other parts of the "CIA's Family Jewels". Funding the mujahideen that later grew up to be al-Qaeda. Overthrowing the democratically elected government of Iran in the 50s. Selling Saddam Hussein chemical weapons, knowing full well he would use them on the Iranians. Lying about Iraq's WMD. Dropping bombs on multiple wedding parties in Afghanistan (six the last time I checked). Dropping two nuclear bombs on civilians in Japan.

Re:Well in that case (2, Informative)

DeadCatX2 (950953) | more than 4 years ago | (#31178390)

Wow, I looked into the claim about killing 30 million of its citizens. I can't believe you'd use this as an example of their evil. From what I read, it looks like they just made some stupid decisions and it led to widespread famine. Much different than taking 30m citizens out back and putting one between the eyes of each.

Re:Well in that case (2, Interesting)

Anonymous Coward | more than 4 years ago | (#31178206)

I don't think you should ever completely trust anyone you don't personally know. Hell, sometimes I even have problems with people I do know.

That said, I'm sorry but the frequency, breadth and (most importantly) consequences of snooping and blocking of internet traffic by the US and Chinese governments on their respective populations are two ENORMOUSLY different things. Finding out that a US cert auth was in collusion with unwarranted snooping on US traffic would be a serious scandal. It'd be more like business as usual in China. That makes a debate on the topic completely reasonable.

Put another way, the FBI hasn't put me in a medieval dungeon and disappeared my family for voicing my opinion during our last election.

Re:Well in that case (0)

Anonymous Coward | more than 4 years ago | (#31178554)

Put another way, the FBI hasn't put me in a medieval dungeon and disappeared my family for voicing my opinion during our last election.

Neither has the Chinese government.
You also don't know whether the FBI has done so or not.
Forgotten Guantanamo already?

Re:Well in that case (1, Informative)

Anonymous Coward | more than 4 years ago | (#31178646)

I shouldn't even justify this absurdity with a response, but it's my moral duty to make sure people know what's going on in the world.

First the good news, the FBI was not sending US citizens to Guantanamo for voicing opinions during our election. Second, yes I do know because we have free press and unregulated internet access. These are important things for precisely this reason. China has neither.

Third, and most important, the Chinese government does imprison dissidents. There's a whole Wiki list on the subject for chrissake.

http://en.wikipedia.org/wiki/List_of_Chinese_dissidents [wikipedia.org]

Re:Well in that case (3, Insightful)

theshowmecanuck (703852) | more than 4 years ago | (#31178242)

I tend to agree that the U.S. government... the Bush government, and now the Obama government; which doesn't seem to mind what Bush put in place in this regard... has pretty much shot themselves in the foot when it comes to whether we should trust them or not with our privacy. Even going so far as ignoring the constitution.

On the other hand, the Chinese government is still an autocratic entity that frequently jails people for expressing their opinions. As bad as what the FBI has done, I am not convinced that they have abused the spirit of the constitution enough to equal what China frequently does to its own people. My first inclination is that I would say to not trust Chinese CA's. And for those who think they only apply to the Chinese themselves, you have your head in the sand at the Walmart Beach Resort. So much of our stuff comes out of China; and many companies' web sites for support and such are hosted there now. What happens if you log in with https? I think we give China too much already. Granted with all the offshoring scumbag companies out there, my bank account info is probably on servers over there already, but why help more?

Re:Well in that case (1)

commodore64_love (1445365) | more than 4 years ago | (#31178466)

In just the last ten years, the U.S. government has violated multiple parts of our Supreme Law: Congress shall make no law...abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble.....

A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed. [DC gun ban which was eventually overturned by the SCOTUS]

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, .... [Police routinely bust down doors and enter without permission, or warrant. See Prof. Gates' home. See Drug War.]

No person shall... be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation. [See Drug War.]

The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people. [i.e. Our privacy rights are being violated with spying on our conversations and internet.]

And Last But Most Important:

The powers not delegated to the United States government by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

Re:Well in that case (2, Informative)

SpaceLifeForm (228190) | more than 4 years ago | (#31178580)

That was NSA, not the FBI.

Link [arstechnica.com]

Re:Well in that case (0)

Anonymous Coward | more than 4 years ago | (#31178616)

Unless your nation has a track record of spying on its citizens' web traffic, then you have a much more unfounded claim.

You mean, like when the FBI put splitters [wired.com] into AT&T offices to monitor all the internet traffic going through them?

Remember, any authority that can be abused will be abused. I wouldn't trust any certificate authority to protect me against the government.

Except that the FBI and NSA can't do a MITM with your encrypted communications like CNNIC theoretically can. The above example is also why everything should be encrypted by default regardless of perceived "value".

The splitter worked because the majority of traffic is in plain text. If everything was cipher text then the best the TLAs could do is traffic analysis.

Re:Well in that case (1)

msauve (701917) | more than 4 years ago | (#31177692)

Unless your nation has a track record of spying on its citizens' web traffic

Who did you have in mind that doesn't fit that description? I'm having a hard time thinking of anyone.

The original point was valid. Perhaps it's time to change the cert infrastructure so that two geographically and politically disparate authorities must sign them.

Or, maybe get rid of "authorities" altogether, and move to a global "web of trust," a la GPG. Forget that, I don't think I want to trust a cert just because it's accepted by 1,400,000,000 Chinese.

Re:Well in that case (2, Interesting)

mewsenews (251487) | more than 4 years ago | (#31177200)

Remember "hackers" got a hold of signed Microsoft.com certs that would be INCREDIBLY useful for a MITM attack? Which registrar let that happen, again? Clearly they didn't do it deliberately..

Also remember back in the early days of the Internet *cough October 2009 cough cough* when certificates could be forged for any browser using MSIE's SSL library [theregister.co.uk]?

If the Chinese registry starts publishing bogus certs we can just blacklist them and it will all be a failed experiment in diplomacy.

Re:Well in that case (5, Interesting)

Anonymous Coward | more than 4 years ago | (#31177218)

Precisely. It's not exactly a subtle way of snooping, either. Anyone technically competent could see that the SSL has been changed.

A better way for the browsers to make things like this secure would be to remember the first SSL they received from the site and notify once that changes - similar to SSH. Yes it would be a PITA for them to implement, but once it's done, that's it, security went up a bit.
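The "remember the first certificate, as SSH does" idea from the comment above, sketched as an added example that is not part of the original post and is not Firefox code. `PinStore`, its verdict strings and the sample certificate bytes are all hypothetical; the issuer comparison is an addition that separates a routine reissue from a switch to a different CA.

```python
import hashlib
from typing import Dict, List


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the certificate's DER bytes (the value browsers display)."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use store keyed by host:port, in the spirit of known_hosts.

    Hypothetical helper for illustration. In live use the DER bytes would come
    from ssl.SSLSocket.getpeercert(binary_form=True); here they are passed in.
    """

    def __init__(self) -> None:
        self.pins: Dict[str, Dict[str, str]] = {}

    @staticmethod
    def _key(host: str, port: int) -> str:
        # Normalise case and a trailing dot so "Mail.Example.Test." and
        # "mail.example.test" share one pin.
        return f"{host.lower().rstrip('.')}:{port}"

    def check(self, host: str, der_cert: bytes, issuer: str, port: int = 443) -> str:
        """Compare a presented certificate with the remembered one.

        A changed certificate never overwrites the pin on its own: the caller
        has to call accept() after a human (or policy) has approved it.
        """
        key = self._key(host, port)
        fp = fingerprint(der_cert)
        known = self.pins.get(key)
        if known is None:
            self.pins[key] = {"fp": fp, "issuer": issuer}
            return "first-seen"
        if known["fp"] == fp:
            return "match"
        if known["issuer"] == issuer:
            # Same CA, new certificate: typical of renewal, still worth showing.
            return "changed-same-issuer"
        # A different CA now vouches for this host: the case the thread worries about.
        return "changed-new-issuer"

    def accept(self, host: str, der_cert: bytes, issuer: str, port: int = 443) -> None:
        """Replace the pin after the change has been reviewed."""
        self.pins[self._key(host, port)] = {"fp": fingerprint(der_cert), "issuer": issuer}


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_ORIGINAL = b"constructed-der: mail.example.test, key 1, Example CA One"
CERT_RENEWED = b"constructed-der: mail.example.test, key 2, Example CA One"
CERT_OTHER_CA = b"constructed-der: mail.example.test, key 3, Example CA Two"


def demo() -> List[str]:
    store = PinStore()
    host = "mail.example.test"
    results = [
        store.check(host, CERT_ORIGINAL, "Example CA One"),        # first visit
        store.check("MAIL.example.test.", CERT_ORIGINAL, "Example CA One"),
        store.check(host, CERT_RENEWED, "Example CA One"),         # reissued
        store.check(host, CERT_OTHER_CA, "Example CA Two"),        # new CA
        store.check(host, CERT_ORIGINAL, "Example CA One"),        # pin untouched
    ]
    store.accept(host, CERT_RENEWED, "Example CA One")             # user approves
    results.append(store.check(host, CERT_RENEWED, "Example CA One"))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The first visit is trusted blindly, so this only detects a later substitution; it does not help a user whose very first connection is intercepted.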

Re:Well in that case (5, Insightful)

chill (34294) | more than 4 years ago | (#31177740)

As long as the Chinese CA only deals with China, I have no problems with it.

And you know that, how?

With built-in root certificates, they are automatically trusted. Unless you're examining the entire cert chain of every SSL/TLS site you access, you have no idea which trusted root signed the vendor's certificate.

Re:Well in that case (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31178122)

regardless of whether western gov spies on us too or not, there is a fundamental difference.
here we're innocent before proven guilty; there you're guilty, executed and harvested for your organs.

i'm chinese and i !don't trust! communist china in most of the things they do (regardless of how big its sovereign fund is), especially not in privacy matters.
they stole most of their technologies; they stole most of their wealth & savings from their own people producing consumable goods for us in the first world.

yes i'm an anonymous coward and proud of it. vive la liberte.

Have the best of both worlds (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31178416)

Why do Certificate Authorities have to be either completely trusted or not trusted at all? It couldn't be a ton of work to enable restrictions to be placed on the domains a CA is authoritative for.

Looks like there's already a thread discussing this for the Mozilla suite [mozilla.org].
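What per-CA domain restrictions could look like, as an added example that is not part of the original post and not Mozilla's implementation. The `TRUST_SCOPES` table, the root names and the `cn` scope for CNNIC are hypothetical policy entries chosen to match the thread; the suffix rule (match on whole DNS labels) follows the way X.509 name constraints treat DNS names.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Hypothetical client-side policy: root name -> DNS subtrees it may vouch for.
# None means unrestricted. These entries are constructed for illustration.
TRUST_SCOPES: Dict[str, Optional[Tuple[str, ...]]] = {
    "Example Global Root": None,
    "CNNIC": ("cn",),
    "Example Corp Internal Root": ("corp.example",),
}


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def in_subtree(name: str, base: str) -> bool:
    """True if `name` is `base` or lies below it, compared on label boundaries.

    "examplecn" and "cn.example.com" are NOT inside "cn"; "www.example.cn" is.
    A wildcard such as "*.example.cn" is judged by the suffix it covers.
    """
    name = _normalize(name)
    base = _normalize(base)
    if name.startswith("*."):
        name = name[2:]
    return name == base or name.endswith("." + base)


def evaluate(
    root: str,
    cert_names: Sequence[str],
    scopes: Dict[str, Optional[Tuple[str, ...]]] = TRUST_SCOPES,
) -> Tuple[str, List[str]]:
    """Decide whether a chain ending at `root` may be accepted for a certificate.

    `cert_names` is every DNS name in the certificate, not just the host the
    user typed: one out-of-scope name is enough to reject, because the same
    certificate would otherwise be valid for that name too.
    Returns (verdict, offending_names).
    """
    if root not in scopes:
        return ("untrusted-root", list(cert_names))
    if not cert_names:
        return ("no-names", [])
    permitted = scopes[root]
    if permitted is None:
        return ("trusted", [])
    offending = [
        n for n in cert_names
        if not any(in_subtree(n, base) for base in permitted)
    ]
    if offending:
        return ("out-of-scope", offending)
    return ("trusted", [])


def demo() -> List[Tuple[str, List[str]]]:
    # Constructed certificate name lists.
    return [
        evaluate("CNNIC", ["www.example.cn", "*.example.cn"]),
        evaluate("CNNIC", ["mail.google.com"]),
        evaluate("CNNIC", ["www.example.cn", "mail.google.com"]),
        evaluate("CNNIC", ["cn.example.com", "examplecn"]),
        evaluate("Example Global Root", ["mail.google.com"]),
        evaluate("Unknown Root", ["a.example"]),
    ]


if __name__ == "__main__":
    for verdict, names in demo():
        print(verdict, names)
```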

you can't stop governments (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31176934)

Ain't that exactly what happened with bush in America so why concern yourself with the affairs of governments.
They are full of win we are full of lose

I wonder... (2, Interesting)

eexaa (1252378) | more than 4 years ago | (#31176942)

Seriously, shouldn't all users manage their certificate trust themselves?

If they aren't capable to do so, are they capable to actually _have_ their things secure?

Re:I wonder... (4, Insightful)

Sir_Sri (199544) | more than 4 years ago | (#31177080)

no they aren't. Which is the problem. The average user probably doesn't know what a security certificate is, let alone when you should, or should not trust one. That's why we have experts debating which ones to actually trust on their behalf.

Half the first year students we have in computer science courses can't navigate to a directory (note that these are generally not core comp sci students, but taking a course on say how to use photoshop), let alone figure out what a security certificate is. That's why we need experts to design systems which are inherently as secure as is legally possible in the first place.

Re:I wonder... (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31177164)

you consider "how to use photoshop" computer science? no wonder you have so many retards in your courses.

Re:I wonder... (2, Interesting)

Sir_Sri (199544) | more than 4 years ago | (#31177980)

agreed. I'm not in charge of anything so my opinion on what should or should not be computer science isn't considered. Strictly speaking the courses are supposed to be about design or something, but in practice they tend to be a lot of handholding on how to do basic things in excel, photoshop or the like. When you have to teach students how to unzip files from the course webpage, you know you're not starting with the most informed lot.

And ya, those courses attract the computer illiterate, who spend half the class talking to friends on facebook and not learning basic skills. In other words: precisely the sort of person who has a computer, but doesn't know anything about using it safely.

As to the reason we offer those courses. They can attract 2000 students between all the various 'service' courses we offer. Core comp sci, maybe 300 or 400 combined. Enrollment depending on whether other departments make their students take the courses, that's at a first year level.

How? (1)

Chirs (87576) | more than 4 years ago | (#31177134)

How do I know that the server on the other end is who they say they are? Without a trusted authority, I would need to manually verify (via some other trusted form of communication) each certificate.

As long as I rely on *any* central authority, I'm dependent on that authority to remain neutral.

Re:I wonder... (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31177222)

No. They're not capable of securing their own things. I'm not talking about the 'average' user, who may be somewhat competent, but the 'below average' user who falls for phishing schemes and virus attacks. If a 'below average' or even an 'average' user somehow learns that they need to add CA's to their browser to view certain sites then SSL will be completely and thoroughly broken and useless. Incidentally, clicking on a link to a .pem file makes it worryingly easy to add a CA in Firefox.

But that doesn't mean that web browsers shouldn't give users a better idea of how SSL works. Users have no idea they are relying on third party CA's to prove that the site they're connecting to is the right site, and hasn't been tampered with.

The most sensible option would be to include all the CAs by default, but mark some as "iffy". CACert.org could for example be included. If you browse to an 'iffy' website for the first time a window will pop explaining that your connection is verified by a certain organization, and you can 'always trust' this organization, 'trust but warn' with a *small and less-obnoxious* dialog box, or 'never trust'. Maybe they should just do this for all CAs. This is really the only way to make the user understand that they are implicitly trusting some organization, whether it be VeriSign, a non-profit CA, or a company that might be under the control of the Chinese government.

CAcert ? (2, Informative)

Antiocheian (859870) | more than 4 years ago | (#31177866)

I'll ask you the same question I asked CAcert some years ago: "who is going to take responsibility, and what is he going to lose, if your security is compromised ?"

It's OSS (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31176946)

Firefox is Open Source. Let the Chinese build their own version of Firefox and see who trusts them to use it.

Re:It's OSS (3, Insightful)

Late Adopter (1492849) | more than 4 years ago | (#31178164)

Considering that the Firefox download itself isn't SSLed, what's to stop China from MITM'ing from the Great Firewall and replacing the *default* install with their own.

What about a gov't backed private corp? (0)

Anonymous Coward | more than 4 years ago | (#31176948)

What's to stop a non-Chinese corporation from doing the same thing? Corporations can usually be bought since they exercise profit seeking behavior; it would probably take a ridiculously small bribe for a government such as the People's Republic of China to encourage such a corporation to engage in such compromising behavior and it would be much harder to track.

Ask the user (1)

Jorl17 (1716772) | more than 4 years ago | (#31176962)

Let the user decide. Don't be idiots trying to judge everything in the world. If the user is too silly, then bring a default option -- that's the only reason for this debate IMO.

Re:Ask the user (3, Insightful)

natehoy (1608657) | more than 4 years ago | (#31177158)

Actually, this debate is about the default option. You can add and delete trusted certificate authorities all you want once you install Firefox.

Options / Encryption / Advanced / View Certificates / Authorities.

Personally, I think the Chinese CAs should be unlisted in Firefox by default, and those users that want to trust them can simply say "always trust this CA" when Firefox asks. Then again, I think every CA should be treated that way. Why does Firefox automatically trust TurkTrust, Dell, the Japanese government, and the Netherlands (to randomly pick four out of the hundreds of trusted CAs in the default list)?

Actually, that has a simple answer. A nontechnical segment of the population is simply going to do exactly what they do every time you ask a security question - answer YES, ALLOW, or whatever button is stopping them from seeing the cute video of the cat puking up noodles or the boobage behind the prompt box. Bombarding them with more security questions isn't really going to increase security, it's just going to increase frustration. So you add the (hopefully!) truly trustworthy CAs to the default list, then if a user ever encounters a CA warning box it'll be unusual enough that they might pause a few seconds before pressing ALLOW, and maybe even call a neighborhood 12-year-old to check to see if it's a really good idea.

The "hopefully!" part is important. If you're making decisions for your users in the form of shipped defaults, they'd better be well-thought-out.

Re:Ask the user (0)

Anonymous Coward | more than 4 years ago | (#31177658)

Do not let the 12-year-old see the boobage...

Re:Ask the user (1)

fearlezz (594718) | more than 4 years ago | (#31177722)

Good point. Both Morocco and Turkey have been spying on the Dutch government and especially the Dutch police. Also, Turkish online jihadists attack websites worldwide. Why would I trust TurkTrust and TUBITAK by default?

Re:Ask the user (1)

Chris Burke (6130) | more than 4 years ago | (#31177854)

cat puking up noodles or the boobage

I missed a very important "the" in this phrase the first time I read it. o_O

Re:Ask the user (1)

Opportunist (166417) | more than 4 years ago | (#31178074)

The double-clicking sound you're hearing is SA's forum regulars firing up Photoshop.

Re:Ask the user (1)

tonycheese (921278) | more than 4 years ago | (#31177856)

Bombarding them with more security questions isn't really going to increase security, it's just going to increase frustration.

Marginally related, but this is exactly why Windows Vista security doesn't work. It asks a question for almost everything you do, if an application connects to the internet, if you want to delete a file, if you want to move a shortcut, or if you want to run that suspicious looking program. They all have similar or identical prompts that come up! Everybody gets so used to clicking the big "Allow" button every time they start up their game that if one popped up right now out of nowhere I'd probably instinctively click allow before realizing what I was doing.

Now to avoid the off-topic mod... this is absolutely right on as to why there is such a debate over the issue of allowing CA certificates by default. Otherwise certificates will start to be like Windows Vista UAC.

Re:Ask the user (0)

Anonymous Coward | more than 4 years ago | (#31177978)

After you mentioned this, I decided it would probably be a good idea to go and delete the Turkish and Chinese certificates from Firefox. I exported them just in case to the hdd beforehand and deleted them and hit OK, and they vanished from the list. However, when I went back into the preferences and looked at the list of trusted authorities they were back again. Your assumption that you can just go ahead and delete trusted certificates in Firefox after you install it is invalid.

No. HELL No. (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31176974)

Why should Mozilla take a chance at this? If someone wants this CA, it is trivial to manually add it to Mozilla's certificates. However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla foundation is guilty of espionage by proxy.

Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.

Re:No. HELL No. (1)

maxume (22995) | more than 4 years ago | (#31177418)

Except for the part where you can selectively and trivially turn off keys.

Anybody with non-trivial security needs really better be doing more than trusting the defaults.

Re:No. HELL No. (1)

amicusNYCL (1538833) | more than 4 years ago | (#31177502)

However, including it will mean that Mozilla's rep is now tied to the Chinese government, and should someone misuse the CA key, it will mean that if China starts another offensive on compromising Western systems, the Mozilla foundation is guilty of espionage by proxy.

I'm sorry, but Mozilla trusting any given CA does not make them guilty of a single thing, let alone espionage.

Physical car analogy: A car dealership giving a master key to every vehicle to a group of people who have been noted in the past for car theft.

Yeah, you wouldn't be able to say that the dealership is guilty of theft if the people they gave the key to steal the cars. The people stealing the cars are the ones who are guilty.

Re:No. HELL No. (1)

Hatta (162192) | more than 4 years ago | (#31177506)

You could say the same about any certificate authority. What reason do we have to believe that any CA is not compromised by the NSA?

If you want to protect yourself against the government, you cannot trust any third party. Exchange your keys manually, in person.

Re:No. HELL No. (1)

Colin Smith (2679) | more than 4 years ago | (#31177570)

this is true of any and all CAs.

Re:No. HELL No. (1)

stephanruby (542433) | more than 4 years ago | (#31177936)

Agreed, besides governments are not all created equal. If you want to buy a government bond for instance, you check its credit rating first. Countries/States/Counties/Cities all have them. As a professional, it's your duty to do your due diligence if other people are relying on your decision to make their decision.

In the case of China, it's not really a big deal anyway. If they really want to use their own certificates, they'll just mirror the source from mozilla/firefox, and distribute their slightly different rebranded version (even a private individual, or a private organization in China could do it). That's what China did for Android, China essentially forked Android 1.5. If you have your own country (with enough resources), it's probably a good idea to do that anyway. You take open source code, you audit it and you plug any security holes, and then you re-release it as your own rebranded version for your people to use (after all, for all you know the NSA and CIA may have forced the Mozilla developers to place backdoors in their code, or left security holes purposefully unpatched).

This way, the open source project is happy (I personally know that Google was actually delighted that 1.5 billion people were going to standardize on a version of Android), the country is happy to have its own browser (it can audit and approve/fork each version every time), and the user is happy too (since, at least he would be aware that he's browsing the web with a version of Firefox that has been rebranded locally, and that is potentially under the control of its own government).

Configuration Option (3, Insightful)

Fantom42 (174630) | more than 4 years ago | (#31177008)

Just make it a configuration option, default NO.

Yeah, it's not the most elegant solution, but welcome to the real world guys.

Re:Configuration Option (4, Insightful)

drinkypoo (153816) | more than 4 years ago | (#31177232)

While we're at it, can we get a paranoid install option that disables ALL CAs by default, and requires you to enable each in turn? Maybe I don't trust Verisign, and would like to pass/fail all certs on an individual basis.

Re:Configuration Option (3, Funny)

natehoy (1608657) | more than 4 years ago | (#31177358)

All you have to do is click your heels together three times, and repeat after me.

There's no place like Options / Advanced / Encryption / View Certificates / Authorities / (use mouse to select all) / DELETE.
There's no place like Options / Advanced / Encryption / View Certificates / Authorities / (use mouse to select all) / DELETE.
There's no place like Options / Advanced / Encryption / View Certificates / Authorities / (use mouse to select all) / DELETE. ...

Re:Configuration Option (1)

jrumney (197329) | more than 4 years ago | (#31178532)

Years ago, when I first noticed the growing proliferation of CAs in Netscape's default set, I tried disabling them all, then enabling only the ones which clearly referenced a valid URL describing their certification policy. Starting with about 80, I ended up with 5 certificates installed, 2 of which were already expired.

Re:Configuration Option (2, Informative)

natehoy (1608657) | more than 4 years ago | (#31177392)

This already IS a configuration option with a default "no". If a CA does not appear on the list (Options / Advanced / Encryption / View Certificates / Authorities) you will be asked when you first encounter a certificate registered with that CA. You can then choose to "Trust this once", "Trust always", or "Do not trust" (the actual text of the options may vary).

Firefox is debating whether to add it as an entry in a user-configurable list. Obviously, your answer is "no, don't". :)

Re:Configuration Option (1)

Lord Ender (156273) | more than 4 years ago | (#31177396)

That's not a practical option.

What would be reasonable would be to dedicate more screen space to certificate information. Make sure the users see exactly who signed a cert, and exactly which site the certificate is assigned to.

Re:Configuration Option (1)

Vahokif (1292866) | more than 4 years ago | (#31177648)

It IS a configuration option. The question is whether it should be on by default.

On the other hand... (3, Insightful)

Bogtha (906264) | more than 4 years ago | (#31177052)

If the Chinese CA were stupid enough to actually perform this attack, it would be easy to gain incontrovertible evidence of their spying, as the hijacked responses would all be digitally signed with their signature.

Re:On the other hand... (0)

Anonymous Coward | more than 4 years ago | (#31177140)

It isn't that detectable. All it would take is one DNS cache poisoning, and one bogus key, and some critical passwords can be lost. There will be no proof it happened, because Web browsers do not keep logs of what keys they accept via SSL, nor what CAs stated which key is valid.

It would allow China to strike at will using Mozilla against US and European banks and other interests, and absolutely no proof that a site was spoofed.

Re:On the other hand... (0)

Anonymous Coward | more than 4 years ago | (#31177572)

Why Mozilla specifically?
It would be all web browsers.

It's just that Microsoft will be more than happy to trust the Chinese CA.

Re:On the other hand... (1)

compro01 (777531) | more than 4 years ago | (#31177878)

It's just that Microsoft will be more than happy to trust the Chinese CA.

If I am reading correctly, Internet Explorer has included CNNIC's cert since 2007.

Re:On the other hand... (1)

Penguinshit (591885) | more than 4 years ago | (#31177288)

AIUI, the Chinese openly admit to interfering with their citizens' Internet access.

Re:On the other hand... (0)

Anonymous Coward | more than 4 years ago | (#31177972)

I doubt they would mind this setback once they're engaging in full-scale cyber war, as well as conventional/nuclear. They only need it once...

Yeah that is a problem (1)

FooBarWidget (556006) | more than 4 years ago | (#31177086)

Now if only there was a way for anybody to start a certificate authority and to issue certificates, and for the users to decide for themselves which certificate authorities they trust.

Re:Yeah that is a problem (0)

Anonymous Coward | more than 4 years ago | (#31177110)

Unfortunately, this method has been patented by the Ace Tomato Company.

Re:Yeah that is a problem (1)

F.Ultra (1673484) | more than 4 years ago | (#31177226)

That didn't work too well for PGP though. Not that PGP is a fail, but the key signing bit went kind of crazy when people started to sign every key they found.

Re:Yeah that is a problem (1)

IamTheRealMike (537420) | more than 4 years ago | (#31177562)

How would that work? Even expert users can't easily know that an arbitrary CA follows a set of rules unless they are audited, and that's what the current process gives you (CNNIC passed the audits).

Doubt (0)

Anonymous Coward | more than 4 years ago | (#31177180)

So there is some doubt over if this is a good idea.

Surely that means it's a bad idea.

Why not change of certification notification? (1)

F.Ultra (1673484) | more than 4 years ago | (#31177184)

One "simple" solution would be for the browser to remember which certificate or CA that a page uses, and put up a warning if it ever changed (within the validation period). A warning if the site all of a sudden went http would perhaps also be a good idea. Yes, people ignore warnings, but it would at least help us in the know.

Re:Why not change of certification notification? (4, Informative)

jhantin (252660) | more than 4 years ago | (#31177364)

Have a look at Perspectives [cmu.edu]: an approach to detecting MITM attacks by comparing the keys visible from other vantage points on the net.

Re:Why not change of certification notification? (1)

IamTheRealMike (537420) | more than 4 years ago | (#31177586)

Key changes are a part of life though. Your proposed solution can't distinguish between key rotation and attack, which is a non starter.

Re:Why not change of certification notification? (1)

Hatta (162192) | more than 4 years ago | (#31177916)

His proposed solution is essentially how SSH does it. What's wrong with that? Why would I ever need to "rotate" a key. They don't go bad, unless they've been compromised. If they were compromised, I'd like to know about it.

Re:Why not change of certification notification? (1)

F.Ultra (1673484) | more than 4 years ago | (#31178376)

It doesn't have to, all it does is to warn me, the user, if the cert has changed regardless of whether it is due to key rotation or attack, then I can decide for myself. As it is now the system is wide open for a rogue CA and the attack would be completely invisible.

Re:Why not change of certification notification? (1)

F.Ultra (1673484) | more than 4 years ago | (#31178410)

Oh, and btw, if one used the CA instead of the cert then 99% of key rotations would be caught. Most people do not change CA.

Re:Why not change of certification notification? (1)

rainer_d (115765) | more than 4 years ago | (#31177666)

One "simple" solution would be for the browser to remember which certificate or CA that a page uses, and put up a warning if it ever changed (within the validation period). A warning if the site all of a sudden went http would perhaps also be a good idea.

Yes, people ignore warnings, but it would at least help us in the know.

Well, Firefox is open source...

Privacy loss should be opt-out, but never is (1)

noidentity (188756) | more than 4 years ago | (#31177212)

The loss of one's privacy should always be opt-out, but anyone concerned with privacy should always assume that it's currently being violated and thus take steps to actively protect it. Thus, anyone in China who wants privacy is going to have to do things like ensure that the Chinese CA is disabled in their browser (and actually verify that by accessing a site signed with it).

Re:Privacy loss should be opt-out, but never is (1)

noidentity (188756) | more than 4 years ago | (#31177276)

Whoops, I got opt-out and opt-in switched. Argh! Privacy loss should be opt-in.

Re:Privacy loss should be opt-out, but never is (1)

selven (1556643) | more than 4 years ago | (#31178036)

Don't you mean "loss of privacy should be opt in"? Opt-out loss of privacy means that unless you opt out of losing privacy you lose your privacy.

Of course gov's will spy (1)

dragisha (788) | more than 4 years ago | (#31177248)

And of course, it's in the interest of its citizens. Use irony at will :).
Some news is just boring these days. This government good, that government bad.... I suppose we just need the simplemindedness of Animal Farm, it's so good.
Thus said, any person who trusts her privacy to Windo*s is just ridiculous when she starts worrying about governments. Who needs government with spyware stargate on his desk?

China (2, Insightful)

wisnoskij (1206448) | more than 4 years ago | (#31177298)

China has been getting a lot of flak recently, and from how I understand it deservedly.
If they have done some stuff that is damning enough for companies like Google and Firefox to risk alienating such a huge market, then how can you trust anything that comes from them?

Re:China (0)

Anonymous Coward | more than 4 years ago | (#31177406)

Trouble is practically everything these days comes from them...

Re:China (0, Flamebait)

darthaya (66687) | more than 4 years ago | (#31177626)

The most popular browser in China is IE6. You know why? Because it runs on pirated XP best.

The whole CA concept is horribly broken (3, Insightful)

Omnifarious (11933) | more than 4 years ago | (#31177496)

There is no good definition of exactly what you're trusting them with, no good independent verification that their trustworthiness is deserved, and as far as I know, no legal recourse if it isn't.

I consider the whole CA system to be fundamentally broken. But a new system would be so significantly different in both character and detail that I don't know how it could ever happen. UIs would have to be redesigned. Crypto geeks would have to start thinking about usability. I think the world would have to end first.

But I consider this to be one of the reasons the concept is broken.

In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just download the certificate from the website, and then warn you if the certificate ever changed when you went back to a website that claimed the same identity. Then you'd have to trust a CA at most once.

Re:The whole CA concept is horribly broken (1)

calmofthestorm (1344385) | more than 4 years ago | (#31177772)

> In my opinion, as a half-baked measure that moves a little in the right direction, browsers would do better to just
> download the certificate from the website, and then warn you if the certificate ever changed when you went back to a
> website that claimed the same identity. Then you'd have to trust a CA at most once.

This is indeed the correct approach. Though I'd also appreciate an option for "I don't care" in the current Mozilla, when I just want to read a page that won't let me access it through http. Instead I have to click through multiple dialogs full of misleading FUD just to load the page.
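The remember-and-warn scheme debated in this thread (the change notification proposal, the key-rotation objection, and the "trust a CA at most once" variant), written out as an added example; it is not Firefox code or any poster's code. `Observation`, `PinStore`, the verdict labels, the 30-day rotation window and the host `mail.example` are all assumptions made for illustration, and the visits are constructed data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Observation:
    host: str
    scheme: str                            # "https" or "http"
    der: bytes = b""                       # leaf cert bytes; a real client could use
                                           # SSLSocket.getpeercert(binary_form=True)
    issuer: str = ""                       # name of the CA that signed the leaf
    not_after: Optional[datetime] = None   # end of the leaf's validity period

class PinStore:
    ROTATION_WINDOW = timedelta(days=30)   # assumption: renewals land near expiry

    def __init__(self):
        self.pins = {}                     # host -> last accepted Observation
        self.log = []                      # record of every cert and CA seen

    def check(self, obs, now):
        verdict = self._classify(self.pins.get(obs.host), obs, now)
        digest = hashlib.sha256(obs.der).hexdigest()
        self.log.append((now, obs.host, obs.issuer, digest, verdict))
        if verdict in ("first-use", "ok", "rotation"):
            self.pins[obs.host] = obs      # warnings never overwrite the pin
        return verdict

    def _classify(self, pin, obs, now):
        if pin is None:
            return "first-use" if obs.scheme == "https" else "unpinned-http"
        if obs.scheme != "https":
            return "warn-downgrade"        # a pinned site suddenly went http
        if obs.der == pin.der:
            return "ok"
        if obs.issuer != pin.issuer:
            return "warn-issuer-changed"   # a different CA now vouches for it
        if now >= pin.not_after - self.ROTATION_WINDOW:
            return "rotation"              # same CA, old cert at or near expiry
        return "warn-early-change"         # same CA, but well inside validity

def demo():
    # Constructed visits to a hypothetical host; no network access.
    a = Observation("mail.example", "https", b"cert-A", "Example CA 1", datetime(2010, 12, 31))
    x = Observation("mail.example", "https", b"cert-X", "Example CA 2", datetime(2011, 6, 30))
    b = Observation("mail.example", "https", b"cert-B", "Example CA 1", datetime(2011, 12, 31))
    plain = Observation("mail.example", "http")
    visits = [(datetime(2010, 2, 1), a), (datetime(2010, 2, 2), a),
              (datetime(2010, 2, 10), x), (datetime(2010, 2, 11), plain),
              (datetime(2010, 12, 15), b)]
    store = PinStore()
    return [store.check(obs, when) for when, obs in visits], store

if __name__ == "__main__":
    print(demo()[0])
```

Pinning the issuer as well as the leaf is what lets a same-CA renewal near expiry pass quietly while a mid-validity switch to another CA raises a warning, and the log keeps the record of accepted keys and CAs that an earlier comment notes browsers do not retain.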

The debate is over (0)

Anonymous Coward | more than 4 years ago | (#31177640)

The debate is over. The results are in. Mozilla decided to trust the Chinese government CA. A transcript of their email debate can be found at english.gov.cn

Forgive me for belaboring the obvious... (5, Insightful)

Angst Badger (8636) | more than 4 years ago | (#31177644)

...but maybe the takeaway lesson from this whole affair is that it is impossible to remain ethical while knowingly doing business with an entity you know to be deeply corrupt. Sooner or later, you will find yourself faced with situations in which you directly or indirectly become party to unethical acts.

This is hardly limited to Google. We all help pay the salaries of the oppressive Chinese regime from the politburo on down to the prison camp guards every time we buy Chinese goods.

also... (0)

Anonymous Coward | more than 4 years ago | (#31177708)

a reason why FF would never be accepted by the US Government as an approved browser.

No CA should be trusted by default (1, Insightful)

DragonWriter (970822) | more than 4 years ago | (#31177830)

To me, it's simple. Trust is something that should be granted by the user. A browser distribution may well include certificates for various CAs as a convenience, but generally shouldn't include any of them as trusted by default. There should be an option for the user to designate bundled CA certs (or ones obtained elsewhere) as trusted, and installers could even include an option to enable them in the install procedure.

Wow, just wow. (2, Informative)

yttrstein (891553) | more than 4 years ago | (#31178014)

The authenticity of certs no longer matters, and I'm frankly astonished that neither Mozilla nor Slashdot has ever heard of SSL taps, an *enormous number* of which are currently active in Chinese public networks.

It's a man-in-the-middle thing, and I run them at work. They're very easy to configure, and if you really know what you're doing, you can "legitimately" fake the identity of any cert you want, and every single byte of your traffic is sniffable to whoever runs the tap.

One word: lynx. (0)

Anonymous Coward | more than 4 years ago | (#31178264)

The only way to be completely safe is to surf the web in plain text. Never had a virus yet. Of course, buying stuff on Amazon.com is kinda tricky...

I lost faith when they kept the RapidSSL cert. (1)

DamnStupidElf (649844) | more than 4 years ago | (#31178298)

After the security researchers were able to get a rogue CA issued by RapidSSL by exploiting an MD5 collision and the predictable sequence number generation, I wish at least some of the major browsers would have revoked that compromised root CA. Despite the fact that any attacker could have gotten their own intermediate CA undetected before the exploit was published, no one bothered to remove their implicit trust of the root CA.

One Should Always Trust (3, Insightful)

LifesABeach (234436) | more than 4 years ago | (#31178414)

"Trust, but verify." - President Reagan