Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.

Mozilla Joins Google Shunning China's Root Certificate Authority

posted by on Wednesday April 08 2015, @04:22AM   Printer-friendly
from the about-as-far-as-I-can-throw-you dept.

mendax writes:

El Reg has published a story which discusses the steps Google and Mozilla are taking, in response to the apparent misuse of a China Internet Network Information Center (CNNIC) intermediate Cetificate Authority (CA) administered by MCS Holdings, who claim it was all just a big mistake.

Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC).

This should not be a surprise since:

This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, password-stealing Gmail.com or Google.com websites.

As a result:

[A]ll Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted.

Mozilla said it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates. Any certificates issued before April 1 that are not included on this whitelist will also be subject to potential "further action."

Microsoft has also revoked the suspect CNNIC intermediate CA:

Microsoft is updating the Certificate Trust list (CTL) to remove the trust of the subordinate CA certificate. The trusted root Certificate Authority, the China Internet Network Information Center (CNNIC), has also revoked the certificate of the subordinate CA.

 
This discussion has been archived. No new comments can be posted.
Mozilla Joins Google Shunning China's Root Certificate Authority | Log In/Create an Account | Top | 30 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: -1, Flamebait) by Anonymous Coward on Wednesday April 08 2015, @05:58AM

    by Anonymous Coward on Wednesday April 08 2015, @05:58AM (#167751)

    Inscrutable Orientals canna be troosted!

    Starting Score:    0  points
    Moderation   -1  
       Flamebait=1, Total=1
    Extra 'Flamebait' Modifier   0  
    Total Score:   -1  

  • (Score: 2) by Yog-Yogguth on Monday April 13 2015, @03:29PM

    by Yog-Yogguth (1862) Subscriber Badge on Monday April 13 2015, @03:29PM (#169755) Journal

    Saw this one too late but let's hope whoever moderated it simply misunderstood it. I think the AC makes a very pertinent point.

    TFS says the Chinese RA itself has banned the offending party so both Google and Mozilla seem to be overreacting by quite a bit and most likely intentionally. Neither Google nor Mozilla are any more trustworthy than the Chinese root authority (and the reaction argues that both Google and Mozilla are less trustworthy).

    There aren't any technical reasons for what Google and Mozilla have done (technically it's moronic) but there sure are political ones.

    --
    Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))