
SoylentNews is people

posted by on Wednesday April 08 2015, @04:22AM
from the about-as-far-as-I-can-throw-you dept.

El Reg has published a story which discusses the steps Google and Mozilla are taking in response to the apparent misuse of a China Internet Network Information Center (CNNIC) intermediate Certificate Authority (CA) administered by MCS Holdings, who claim it was all just a big mistake.

Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC).

This should not be a surprise since:

This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, password-stealing Gmail.com or Google.com websites.

As a result:

[A]ll Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted.

Mozilla said it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates. Any certificates issued before April 1 that are not included on this whitelist will also be subject to potential "further action."

Microsoft has also revoked the suspect CNNIC intermediate CA:

Microsoft is updating the Certificate Trust list (CTL) to remove the trust of the subordinate CA certificate. The trusted root Certificate Authority, the China Internet Network Information Center (CNNIC), has also revoked the certificate of the subordinate CA.
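As an added illustration, not part of the story or of any browser's own code, of how the two remediations summarised above differ: Microsoft's CTL update removes trust in one specific subordinate CA, while Mozilla's rule applies a date cutoff plus a whitelist to everything that chains to CNNIC. The chain records, subject names, fingerprints and dates below are constructed placeholders, and the whitelist handling is my reading of the summary (certificates CNNIC itself issued before the cutoff must appear on the list).

```python
from datetime import date

# Constructed chain records (leaf first). A real implementation would take these
# fields from parsed X.509 certificates; names and fingerprints are placeholders.
CNNIC_ROOT = "CNNIC ROOT (placeholder subject)"
DISTRUSTED_SUB_CA_FP = "PLACEHOLDER-FP-MCS-SUBCA"
CUTOFF = date(2015, 4, 1)

def mk(subject, issuer, not_before, fingerprint):
    """Build a minimal certificate record; not_before is a (year, month, day) tuple."""
    return {"subject": subject, "issuer": issuer,
            "not_before": date(*not_before), "fingerprint": fingerprint}

def ctl_check(chain, distrusted_fps=(DISTRUSTED_SUB_CA_FP,)):
    """Microsoft-style: the chain fails if it contains an explicitly distrusted CA."""
    for cert in chain[1:]:
        if cert["fingerprint"] in distrusted_fps:
            return False, f"distrusted CA in chain: {cert['subject']}"
    return True, "no distrusted CA in chain"

def cnnic_check(chain, whitelist):
    """Mozilla-style, as summarised above: any certificate chaining to CNNIC and
    issued on or after the cutoff is untrusted; certificates CNNIC itself issued
    before the cutoff must appear on the whitelist CNNIC was asked to provide."""
    if not chain or chain[-1]["subject"] != CNNIC_ROOT:
        return True, "does not chain to CNNIC"
    for cert in chain[:-1]:
        if cert["not_before"] >= CUTOFF:
            return False, f"{cert['subject']} issued on or after {CUTOFF}"
        if cert["issuer"] == CNNIC_ROOT and cert["fingerprint"] not in whitelist:
            return False, f"{cert['subject']} issued by CNNIC but not whitelisted"
    return True, "CNNIC chain is pre-cutoff and whitelisted"
```

The contrast worth noticing: a fresh leaf issued directly by CNNIC in May 2015 passes the CTL check (nothing in its chain is on the distrust list) but fails the date rule.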

  • (Score: 3, Interesting) by gnuman (5013) on Wednesday April 08 2015, @05:19PM (#167906)

    CAs should only be able to issue certificates in their domains. So CNNIC should never have been able to issue certificates outside of .cn

    That's not how CAs work. Certificates don't even have a notion of a domain; it's just something that is part of the subject line that is then signed.

    The "obvious solution" is for admins to pull their heads out of their butts and require DNSSEC. Then we can deploy DANE and finally have two-factor authentication for certificates - DNS *and/or* CA, but domain controller has 100% control over this, not the CA.

    http://www.internetsociety.org/deploy360/resources/dane/ [internetsociety.org]
    https://tools.ietf.org/html/rfc6698 [ietf.org]

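The DANE/TLSA matching gnuman points to (RFC 6698), as an added example that is not from the post or from the linked resources: a domain owner publishes a TLSA record naming its own certificate or public key, and the client checks the certificate it received against that record. The certificate and SubjectPublicKeyInfo bytes here are constructed stand-ins, and only the end-entity usages (1 and 3) are implemented; usages 0 and 2 constrain a CA in the chain and need chain walking that is left out.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for a server certificate's DER encoding and its
# SubjectPublicKeyInfo (SPKI); a real client takes both from the TLS handshake.
CERT_DER = b"constructed-certificate-der-bytes"
SPKI_DER = b"constructed-subjectpublickeyinfo-bytes"

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

def parse_tlsa(presentation: str) -> TLSA:
    """Parse RFC 6698 presentation format: '<usage> <selector> <mtype> <hex>'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Select the certificate or its SPKI, then apply the record's matching type."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {mtype}")

def make_record(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> TLSA:
    """What the domain owner publishes (in a DNSSEC-signed zone) for its own key."""
    return TLSA(usage, selector, mtype, association_data(selector, mtype, cert_der, spki_der))

def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    return association_data(record.selector, record.mtype, cert_der, spki_der) == record.data

def dane_validate(records, cert_der: bytes, spki_der: bytes, pkix_valid: bool) -> bool:
    """End-entity usages only (0 and 2 constrain a CA in the chain and are omitted).
    Usage 1 (PKIX-EE): the CA path must validate AND the end-entity cert must match.
    Usage 3 (DANE-EE): the match alone suffices; no CA is consulted at all."""
    for r in records:
        if r.usage == 1 and pkix_valid and tlsa_matches(r, cert_der, spki_der):
            return True
        if r.usage == 3 and tlsa_matches(r, cert_der, spki_der):
            return True
    return False
```

Usage 3 is the "DNS instead of CA" case: a certificate signed by a rogue intermediate still fails because its key does not match the record, and the record itself is protected by DNSSEC rather than by any CA.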
  • (Score: 2) by bradley13 (3053) on Wednesday April 08 2015, @07:21PM (#167953)

    Granted, I'm no expert in the area, but when you say "Certificates don't even have a notion of a domain", that doesn't make sense to me.

    If I visit my private homepage, it happens to be on a server that has a certificate installed for a company in the .ch domain. Access my homepage with https, Apache applies the certificate for the other domain, and the browser promptly complains: "Server's certificate does not match the URL".

    If that isn't a certificate tied to a domain, what is it?

    Follow the certificate chain up, and the top-level certificate is in the .il domain. So a company in Israel has issued a certificate to a company in Switzerland. That is exactly the sort of scenario I suggest should not be allowed.

    Can you explain where I've misunderstood your post, or what your objections were?

    --
    Everyone is somebody else's weirdo.
  • (Score: 4, Insightful) by Hairyfeet (75) on Wednesday April 08 2015, @10:32PM (#168024)

    We need to get over the idea that these CAs can be trusted any more than any other website, because, as we have seen over the past year, their security is just as lax if not more so than your average shopping web site.

    While we are at it we need to get the major browsers not to shit themselves in fear when a website has a self-signed cert, as 1.- that keeps smaller sites that SHOULD have SSL from having it, and 2.- the users have been trained to trust the lock icon so blindly that they will happily give their account info to Bankofamerlca.cm as long as they see the little lock. All we have done so far is give these CA corps a license to print money without holding them up to any higher standards than anybody else, and if this is the case, what is the point of having them? They certainly aren't creating any kind of verifiable trust, as we have seen time and time again how damned easy it is for a bad guy to get a cert for a site they do not own, so what's the point in giving them money?

    --
    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.