El Reg has published a story which discusses the steps Google and Mozilla are taking, in response to the apparent misuse of a China Internet Network Information Center (CNNIC) intermediate Cetificate Authority (CA) administered by MCS Holdings, who claim it was all just a big mistake.
Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC).
This should not be a surprise since:
This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, password-stealing Gmail.com or Google.com websites.
As a result:
[A]ll Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted.
Mozilla said it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates. Any certificates issued before April 1 that are not included on this whitelist will also be subject to potential "further action."
Microsoft has also revoked the suspect CNNIC intermediate CA:
Microsoft is updating the Certificate Trust list (CTL) to remove the trust of the subordinate CA certificate. The trusted root Certificate Authority, the China Internet Network Information Center (CNNIC), has also revoked the certificate of the subordinate CA.
Related Stories
Over the last several months Mozilla has been investigating a large number of breaches of what Mozilla deems to be acceptable CA protocols by the Chinese root CA WoSign and their perhaps better known subsidiary StartCom, whose acquistion by WoSign is one of the issues in question. Mozilla has now published their proposed solution (GoogleDocs link), and it's not looking good for WoSign and Startcom. Mozilla's position is that they have lost trust in WoSign and, by association StartCom, with a proposed action to give WoSign and StartCom a "timeout" by distrusting any certificates issued after a date to be determined in the near future for a period of one year, essentially preventing them issuing any certificates that will be trusted by Mozilla. Attempts to circumvent this by back-dating the valid-from date will result in an immediate and permanent revocation of trust, and there are some major actions required to re-establish that trust at the end of the time out as well.
This seems like a rather elegant, if somewhat draconian, solution to the issue of what to do when a CA steps out of line. Revoking trust for certificates issued after a given date does not invalidate existing certificates and thereby inconvenience their owners, but it does put a severe - and potentially business ending - penalty on the CA in question. Basically, WoSign and StartCom will have a year where they cannot issue any new certificates that Mozilla will trust, and will also have to inform any existing customers that have certificate renewals due within that period they cannot do so and they will need to go else where - hardly good PR!
What do the Soylentils think? Is Mozilla going too far here, or is their proposal justified and reasonable given WoSign's actions, making a good template for potential future breaches of trust by root CAs, particularly in the wake of other CA trust breaches by the likes of CNNIC, DigiNotar, and Symantec?
It appears this situation developed from this discussion at Google Groups.
[Editor's Note: SoylentNews used StartCom certificates in the past but we now use only certificates from Gandi and "Let's Encrypt."]
(Score: 0, Flamebait) by Anonymous Coward on Wednesday April 08 2015, @05:09AM
Why the hell would you listen to anything Microsoft says about trust?
(Score: 4, Informative) by deimios on Wednesday April 08 2015, @05:19AM
Because the world is not black-or-white and Microsoft being a behemoth has many heads. Some of them actually think and some of those actually have good ideas.
Yes you should take anything coming out of Redmond with a grain of salt and only after 2 service packs, but this time they might be right.
(Score: 0) by Anonymous Coward on Wednesday April 08 2015, @05:23AM
May I have 2 biscuit packs instead? Hell, even to packs of cigarettes would be healthier.
(Score: 4, Informative) by FatPhil on Wednesday April 08 2015, @09:59AM
Why should we trust Microsoft? We shouldn't, as they are (tainted by being in part) criminal liars.
Why should we trust what Microsoft says? We shouldn't, as they are ( - " - ) criminal liars, we should verify it.
Why should we listen to what Microsoft says? Because how else can we verify or disprove it?
If AC has some issue with what MS have said in that announcement, perhaps he'd like to document them here. A cursory read of it looks truthful and useful. I expect no response from AC, as he seems a bit of an idiot (which is not an /ad hominem/, it's just an insult - do you see the difference?).
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday April 08 2015, @04:53PM
Your statement applies even more-so to the NSA, but you'll get mod-bombed to Hell if you even suggest that. All issues are only black-and-white on this site.
(Score: 2) by davester666 on Wednesday April 08 2015, @05:25AM
So you can do the opposite...
(Score: 4, Insightful) by NotSanguine on Wednesday April 08 2015, @05:39AM
Why the hell would you listen to anything Microsoft says about trust?
Seeing as Internet Explorer has a larger market share [wikipedia.org] than Firefox, Microsoft's revocation of MCS's intermediate certificate will have an impact on large numbers of people. Hence, even if you think Microsoft are a bunch of hydrocephalic idiots, their decision to revoke the intermediate CA certificate is worthy of note.
Whether you agree with their actions (the same as those taken by Google and Mozilla) or not is another issue entirely.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 4, Informative) by maxwell demon on Wednesday April 08 2015, @07:25AM
According to Statcounter [statcounter.com] (the very source also Wikipedia cites), IE is now at 12.29%, while Firefox is at 11.68%. While the IE number is in fact larger, the difference is so small that I'm not even sure that it isn't inside the (not given) error bar.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by takyon on Wednesday April 08 2015, @11:46AM
1. Wow Chrome has done that much direct damage to IE?
2. Wow Firefox is sliding more than I thought.
3. Wow Opera has increased since 2011 even with the engine change.
4. Turning off mobile, tablet, and console does nothing to help Firefox.
No wonder Microsoft is launching Spartan and IE side by side. I'm shocked that Chrome got to 50%. It must have been banner ads for the browser on Google homepages that did it. Monopoly abuse!!!
I hope Vivaldi [wikipedia.org] makes things more interesting. Or Firefox default Tor.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by WillR on Wednesday April 08 2015, @04:42PM
I'm shocked that Chrome got to 50%. It must have been banner ads for the browser on Google homepages that did it.
I would bet it's that got more to do with the way YouTube "just works" on Chrome without the headache of either updating Flash 3 times a week, or getting pwned Friday morning because you didn't update Flash on Thursday.
(Score: 2) by WillR on Wednesday April 08 2015, @06:20PM
Yup. Vulnerable.
Again.
(Score: 1) by kc on Thursday April 09 2015, @04:19PM
Firefox and even Chrome seem to default to HTML5, not Flash, for Youtube videos. I just removed Flash entirely since getting tired of the constant updates.
(Score: 2) by NotSanguine on Wednesday April 08 2015, @09:31PM
According to Statcounter (the very source also Wikipedia cites), IE is now at 12.29%, while Firefox is at 11.68%. While the IE number is in fact larger, the difference is so small that I'm not even sure that it isn't inside the (not given) error bar.
In that case, let's say that Firefox and IE are in a dead heat WRT to market share. Even better, let's assume that the difference is within the margin of error and Firefox has a larger market share than IE.
How does that change my contention that that if it's worth reporting the actions of Mozilla in this case, it's worth reporting what Microsoft's actions are too?
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by maxwell demon on Thursday April 09 2015, @06:46AM
Where did I say that it does?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by NotSanguine on Thursday April 09 2015, @07:40AM
Where did I say that it does?
If that wasn't your intent, then what was your point?
Was it that the error bars on the survey used to collect the data we both cited were unknown? Which, I suppose, could be useful information in certain contexts.
I'm not sure what that has to do with including information about Microsoft's or Mozilla's response to the issues with CNNIC/MCS Holdings CA certificates. Please enlighten me.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by maxwell demon on Thursday April 09 2015, @05:40PM
My point was to clarify that IE has not a significantly higher market share than Firefox. Not every reply must be related to the main point of a post.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday April 08 2015, @04:19PM
Why the hell would you listen to anything Microsoft says about trust?
Because Microsoft has a well know history of excellent trust. In fact they were so trusted that the European Union had to sue them with an anti-trust lawsuit because they were too trustworthy.
(Score: 2) by sjames on Wednesday April 08 2015, @06:34PM
Because even a broken clock will be right twice a day?
(Score: 1, Interesting) by Anonymous Coward on Wednesday April 08 2015, @07:25PM
Because on Windows Chrome uses Microsoft's certificate infrastructure (that's why I use Firefox :) ).
And the way Microsoft's cert stuff works is even if a CA's cert is not in any cert store, if it's signed by a good enough existing cert in the cert store, it will be added to the cert store.
So you could have a pretty empty cert store but the CA certs get magically added, and to blacklist CA certs, you'd have to add all the CA certs you want to blacklist to the untrusted store. But the big problem is the certs might not be around for you to add, till the day they decide to pwn you.
If CNNIC somehow has another (or gets a new) CA cert that's signed by Microsoft or whoever else that's trusted, that CA cert will automagically be trusted.
Whereas with Firefox - all the root CA certs that the browser will trust have to already be in the repo. Yes there's some chaining etc, but it's still a better situation.
It's not a great situation of course, given none of the browsers have a feature like "Certificate Patrol" - where they warn you if a cert has been changed. Certificate Patrol unfortunately is not able to remember more than one cert for a site - so you can get lots of warnings if a site is load balanced across servers with different certs.
(Score: 4, Insightful) by bradley13 on Wednesday April 08 2015, @05:54AM
When do we get the obvious solution?
CAs should only be able to issue certificates in their domains. So CNNIC should never have been able to issue certificates outside of .cn, and the same for any intermediate CA relying on a CNNIC certificate.
This wouldn't eliminate abuse, particularly abuses by the USA (which would undoubtedly retain control over .com, .net, .org, etc.), but it would at least make abuse a lot more difficult.
Everyone is somebody else's weirdo.
(Score: 3, Interesting) by gnuman on Wednesday April 08 2015, @05:19PM
CAs should only be able to issue certificates in their domains. So CNNIC should never have been able to issue certificates outside of .cn
That's not how CAs work. Certificates don't even have a notion of a domain, it's just something part of the subject line that is then signed.
The "obvious solution" is for admins to pull their heads out of their butts and require DNSSEC. Then we can deploy DANE and finally have two-factor authentication for certificates - DNS *and/or* CA, but domain controller has 100% control over this, not the CA.
http://www.internetsociety.org/deploy360/resources/dane/ [internetsociety.org]
https://tools.ietf.org/html/rfc6698 [ietf.org]
(Score: 2) by bradley13 on Wednesday April 08 2015, @07:21PM
Granted, I'm no expert in the area, but when you say "Certificates don't even have a notion of a domain", that doesn't make sense to me.
If I visit my private homepage, it happens to be on a server that has a certificate installed for a company in the .ch domain. Access my homepage with https, Apache applies the certificate for the other domain, and the browser promptly complains: "Server's certificate does not match the URL".
If that isn't a certificate tied to a domain, what is it?
Follow the certificate chain up, and the top-level certificate is in the .il domain. So a company in Israel has issued a certificate to a company in Switzerland. That is exactly the sort of scenario I suggest should not be allowed.
Can you explain where I've misunderstood your post, or what your objections were?
Everyone is somebody else's weirdo.
(Score: 4, Insightful) by Hairyfeet on Wednesday April 08 2015, @10:32PM
We need to get over the idea that these CAs can be trusted anymore than any other website because as we have seen over the past year? Their security is just as lax if not more so than your average shopping web site.
While we are at it we need to get the major browsers not to shit themselves in fear when a website has a self signed cert as 1.- That keeps smaller sites that SHOULD have SSL not have it and 2.- The users have been trained to trust the lock icon so blindly that they will happily give their account info to Bankofamerlca.cm as long as they see the little lock. All we have done so far is give these CA corps a license to print money without holding them up to any higher standards than anybody else, and if this is the case, what is the point of having them? They certainly aren't creating any kind of verifible trust as we have seen time and time again how damned easy it is for a bad guy to get a cert for a site they do not own, so what's the point in giving them money?
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: -1, Flamebait) by Anonymous Coward on Wednesday April 08 2015, @05:58AM
Inscrutable Orientals canna be troosted!
(Score: 2) by Yog-Yogguth on Monday April 13 2015, @03:29PM
Saw this one too late but let's hope whoever moderated it simply misunderstood it. I think the AC makes a very pertinent point.
TFS says the Chinese RA itself has banned the offending party so both Google and Mozilla seem to be overreacting by quite a bit and most likely intentionally. Neither Google nor Mozilla are any more trustworthy than the Chinese root authority (and the reaction argues that both Google and Mozilla are less trustworthy).
There aren't any technical reasons for what Google and Mozilla have done (technically it's moronic) but there sure are political ones.
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 2) by kaszz on Wednesday April 08 2015, @09:42AM
Why is there no option for users themselves to add a certificate firewall that says CNNIC certificates are invalid for any domain outside "*.cn" ..?
Instead of relying on this archaic system where big producers patch the actual code to do this? Which in essence is just doing like above. Comodo should be banned outright by the way.
Oh wait.. [soylentnews.org]
(Score: 0) by Anonymous Coward on Wednesday April 08 2015, @03:09PM
How does "China Internet Network Information Centre" become "CNNIC"? Shouldn't it be "CINIC"? Or am I believing too easily that China is motivated purely by self-interest rather than acting for honorable or unselfish reasons.
(Score: 0) by Anonymous Coward on Wednesday April 08 2015, @04:24PM
Acronyms do not always reflect their English translations. Consider CCCP.
(Score: 0) by Anonymous Coward on Thursday April 09 2015, @09:24AM
Of course in Chinese the very concept of an acronym doesn't make sense since each Chinese symbol is already a complete word.
(Score: 2) by NotSanguine on Wednesday April 08 2015, @10:36PM
How does "China Internet Network Information Centre" become "CNNIC"? Shouldn't it be "CINIC"? Or am I believing too easily that China is motivated purely by self-interest rather than acting for honorable or unselfish reasons.
My guess would be that since '.cn' is the country domain for China, naming China's 'Network Information Center' CNNIC does make some sense.
I could be completely wrong of course.
No, no, you're not thinking; you're just being logical. --Niels Bohr