
SoylentNews is people

posted by on Wednesday April 08 2015, @04:22AM
from the about-as-far-as-I-can-throw-you dept.

El Reg has published a story which discusses the steps Google and Mozilla are taking, in response to the apparent misuse of a China Internet Network Information Center (CNNIC) intermediate Certificate Authority (CA) administered by MCS Holdings, who claim it was all just a big mistake.

Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC).

This should not be a surprise since:

This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, password-stealing Gmail.com or Google.com websites.

As a result:

[A]ll Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted.

Mozilla said it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates. Any certificates issued before April 1 that are not included on this whitelist will also be subject to potential "further action."

Microsoft has also revoked the suspect CNNIC intermediate CA:

Microsoft is updating the Certificate Trust list (CTL) to remove the trust of the subordinate CA certificate. The trusted root Certificate Authority, the China Internet Network Information Center (CNNIC), has also revoked the certificate of the subordinate CA.

 
  • (Score: 4, Insightful) by Hairyfeet on Wednesday April 08 2015, @10:32PM

    by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Wednesday April 08 2015, @10:32PM (#168024) Journal

    We need to get over the idea that these CAs can be trusted any more than any other website because as we have seen over the past year? Their security is just as lax if not more so than your average shopping web site.

    While we are at it we need to get the major browsers not to shit themselves in fear when a website has a self-signed cert as 1.- That keeps smaller sites that SHOULD have SSL not have it and 2.- The users have been trained to trust the lock icon so blindly that they will happily give their account info to Bankofamerlca.cm as long as they see the little lock. All we have done so far is give these CA corps a license to print money without holding them up to any higher standards than anybody else, and if this is the case, what is the point of having them? They certainly aren't creating any kind of verifiable trust as we have seen time and time again how damned easy it is for a bad guy to get a cert for a site they do not own, so what's the point in giving them money?

    --
    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.