SoylentNews is people
SoylentNews
El Reg has published a story which discusses the steps Google and Mozilla are taking, in response to the apparent misuse of a China Internet Network Information Center (CNNIC) intermediate Cetificate Authority (CA) administered by MCS Holdings, who claim it was all just a big mistake.
Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC).
This should not be a surprise since:
This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, password-stealing Gmail.com or Google.com websites.
As a result:
[A]ll Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted.
Mozilla said it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates. Any certificates issued before April 1 that are not included on this whitelist will also be subject to potential "further action."
Microsoft has also revoked the suspect CNNIC intermediate CA:
Microsoft is updating the Certificate Trust list (CTL) to remove the trust of the subordinate CA certificate. The trusted root Certificate Authority, the China Internet Network Information Center (CNNIC), has also revoked the certificate of the subordinate CA.
(Score: 0, Flamebait) by Anonymous Coward on Wednesday April 08 2015, @05:09AM
Why the hell would you listen to anything Microsoft says about trust?
(Score: 4, Informative) by deimios on Wednesday April 08 2015, @05:19AM
Because the world is not black-or-white and Microsoft being a behemoth has many heads. Some of them actually think and some of those actually have good ideas.
Yes you should take anything coming out of Redmond with a grain of salt and only after 2 service packs, but this time they might be right.
(Score: 0) by Anonymous Coward on Wednesday April 08 2015, @05:23AM
May I have 2 biscuit packs instead? Hell, even to packs of cigarettes would be healthier.
(Score: 4, Informative) by FatPhil on Wednesday April 08 2015, @09:59AM
Why should we trust Microsoft? We shouldn't, as they are (tainted by being in part) criminal liars.
Why should we trust what Microsoft says? We shouldn't, as they are ( - " - ) criminal liars, we should verify it.
Why should we listen to what Microsoft says? Because how else can we verify or disprove it?
If AC has some issue with what MS have said in that announcement, perhaps he'd like to document them here. A cursory read of it looks truthful and useful. I expect no response from AC, as he seems a bit of an idiot (which is not an /ad hominem/, it's just an insult - do you see the difference?).
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday April 08 2015, @04:53PM
Your statement applies even more-so to the NSA, but you'll get mod-bombed to Hell if you even suggest that. All issues are only black-and-white on this site.
(Score: 2) by davester666 on Wednesday April 08 2015, @05:25AM
So you can do the opposite...
(Score: 4, Insightful) by NotSanguine on Wednesday April 08 2015, @05:39AM
Why the hell would you listen to anything Microsoft says about trust?
Seeing as Internet Explorer has a larger market share [wikipedia.org] than Firefox, Microsoft's revocation of MCS's intermediate certificate will have an impact on large numbers of people. Hence, even if you think Microsoft are a bunch of hydrocephalic idiots, their decision to revoke the intermediate CA certificate is worthy of note.
Whether you agree with their actions (the same as those taken by Google and Mozilla) or not is another issue entirely.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 4, Informative) by maxwell demon on Wednesday April 08 2015, @07:25AM
According to Statcounter [statcounter.com] (the very source also Wikipedia cites), IE is now at 12.29%, while Firefox is at 11.68%. While the IE number is in fact larger, the difference is so small that I'm not even sure that it isn't inside the (not given) error bar.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by takyon on Wednesday April 08 2015, @11:46AM
1. Wow Chrome has done that much direct damage to IE?
2. Wow Firefox is sliding more than I thought.
3. Wow Opera has increased since 2011 even with the engine change.
4. Turning off mobile, tablet, and console does nothing to help Firefox.
No wonder Microsoft is launching Spartan and IE side by side. I'm shocked that Chrome got to 50%. It must have been banner ads for the browser on Google homepages that did it. Monopoly abuse!!!
I hope Vivaldi [wikipedia.org] makes things more interesting. Or Firefox default Tor.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by WillR on Wednesday April 08 2015, @04:42PM
I'm shocked that Chrome got to 50%. It must have been banner ads for the browser on Google homepages that did it.
I would bet it's that got more to do with the way YouTube "just works" on Chrome without the headache of either updating Flash 3 times a week, or getting pwned Friday morning because you didn't update Flash on Thursday.
(Score: 2) by WillR on Wednesday April 08 2015, @06:20PM
Yup. Vulnerable.
Again.
(Score: 1) by kc on Thursday April 09 2015, @04:19PM
Firefox and even Chrome seem to default to HTML5, not Flash, for Youtube videos. I just removed Flash entirely since getting tired of the constant updates.
(Score: 2) by NotSanguine on Wednesday April 08 2015, @09:31PM
According to Statcounter (the very source also Wikipedia cites), IE is now at 12.29%, while Firefox is at 11.68%. While the IE number is in fact larger, the difference is so small that I'm not even sure that it isn't inside the (not given) error bar.
In that case, let's say that Firefox and IE are in a dead heat WRT to market share. Even better, let's assume that the difference is within the margin of error and Firefox has a larger market share than IE.
How does that change my contention that that if it's worth reporting the actions of Mozilla in this case, it's worth reporting what Microsoft's actions are too?
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by maxwell demon on Thursday April 09 2015, @06:46AM
Where did I say that it does?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by NotSanguine on Thursday April 09 2015, @07:40AM
Where did I say that it does?
If that wasn't your intent, then what was your point?
Was it that the error bars on the survey used to collect the data we both cited were unknown? Which, I suppose, could be useful information in certain contexts.
I'm not sure what that has to do with including information about Microsoft's or Mozilla's response to the issues with CNNIC/MCS Holdings CA certificates. Please enlighten me.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by maxwell demon on Thursday April 09 2015, @05:40PM
My point was to clarify that IE has not a significantly higher market share than Firefox. Not every reply must be related to the main point of a post.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday April 08 2015, @04:19PM
Why the hell would you listen to anything Microsoft says about trust?
Because Microsoft has a well know history of excellent trust. In fact they were so trusted that the European Union had to sue them with an anti-trust lawsuit because they were too trustworthy.
(Score: 2) by sjames on Wednesday April 08 2015, @06:34PM
Because even a broken clock will be right twice a day?
(Score: 1, Interesting) by Anonymous Coward on Wednesday April 08 2015, @07:25PM
Because on Windows Chrome uses Microsoft's certificate infrastructure (that's why I use Firefox :) ).
And the way Microsoft's cert stuff works is even if a CA's cert is not in any cert store, if it's signed by a good enough existing cert in the cert store, it will be added to the cert store.
So you could have a pretty empty cert store but the CA certs get magically added, and to blacklist CA certs, you'd have to add all the CA certs you want to blacklist to the untrusted store. But the big problem is the certs might not be around for you to add, till the day they decide to pwn you.
If CNNIC somehow has another (or gets a new) CA cert that's signed by Microsoft or whoever else that's trusted, that CA cert will automagically be trusted.
Whereas with Firefox - all the root CA certs that the browser will trust have to already be in the repo. Yes there's some chaining etc, but it's still a better situation.
It's not a great situation of course, given none of the browsers have a feature like "Certificate Patrol" - where they warn you if a cert has been changed. Certificate Patrol unfortunately is not able to remember more than one cert for a site - so you can get lots of warnings if a site is load balanced across servers with different certs.