Wasn't that long ago that there weren't even a dozen root CAs but the open market has put paid to that. Unless specific governments take this over I can't see how you can regulate it. Looking at what the IANA are doing with gTLDs I won't hold my breath.
Mozilla piles on China's SSL cert overlord: We don't trust you either
Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC). This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, …
COMMENTS
-
This post has been deleted by its author
-
-
-
-
Friday 3rd April 2015 08:30 GMT Lee D
I don't get why I have to trust a CA at all.
Trusting someone who will make me "trust" hundreds of thousands of other websites, just to visit the one I want, seems absolutely ludicrous on the face of it. Convenience over security from the start isn't a good sign.
Until we get to publishing TLS records inside a secure DNS, what's wrong with showing the hash of the website's certificate and I get to choose whether or not to trust them, ala SSH?
I'd much rather have an adhoc system of someone publishing what hash THEY see for Facebook, and what I see for Facebook and then if they match I have a semblance of security. Even some kind of P2P collection of known hashes would be a good start and if we can get a Bitcoin-like "You have to control more than 50% of nodes in order to change hashes" system, then it's perfect.
CA's are a nonsense. By default, my browser will trust the opinion of several dozens of international organisations as to whether one of TENS OF MILLIONS of certificates are genuine (based on how much they are paid and usually nothing more than domain-verification by email of all things!).
-
This post has been deleted by its author
-
Saturday 4th April 2015 03:31 GMT James Ashton
Beware of the Man in the Middle (Kingdom)
I'd much rather have an adhoc system of someone publishing what hash THEY see for Facebook, and what I see for Facebook and then if they match I have a semblance of security.
How are these published hashes going to reach you? Over the Internet? So the man in the middle is just going to intercept your request for these hashes and replace them with hashes for their bogus certs. In China in particular, the government controls your Internet connexion so this would be trivial for them. You could try downloading the hashes over SSL but, whoops, chicken meets egg. What you're suggesting is just an alternative or secondary system of trust that's really no different from what we have already.
-
Saturday 16th January 2016 18:26 GMT Anonymous Coward
Re: Beware of the Man in the Middle (Kingdom)
> How are these published hashes going to reach you? Over the Internet?
The whole point of hashes / fingerprints is that you compare the one being presented with the one that you already have, obtained via a different channel.
E.g., for OTR or my public key fingerprint, I usually either give them in person, enter them myself into my contact's computer, or send them via SMS.
Scaling this could be a wee bit of a problem though, even if we take to large scale signing of each other's keys, PGP-style.
-
-
-
-
-
-
-
-
Friday 3rd April 2015 01:06 GMT Anonymous Coward
Re: They still have IE
True, but to be fair the Windows built in SSL cert store is a lot easier to manage than the NSS thingie that FF and Chrome use, once you get the hang of the console. As for the nightmare that is the OpenSSL collection ...
Actually they are all bollocks and should be easier to get at, explained better and bulk ops should be supported so you can actually manage **YOUR** policy not have it simply foisted on you.
-
-
-
Friday 3rd April 2015 16:56 GMT Anonymous Coward
Re: Verbosity
Obviously a failure to communicate: Translation failure. Perhaps they meant "incomprehensible"? It's the Middle Kingdom so they have problems with having to take instruction from "foreign devils." Thousands of years of history behind that problem and Modern China is just as bad.
-
-
Saturday 4th April 2015 14:12 GMT Graves
I'd go one further and urge Google and Mozilla to think of the users even more and take out a number of other CA's that i'd personally not even trust with €.5c, let alone my connection, and i'd suggest they permanently put CNNIC on the 'we will trust you on a cert by cert basis' list.
But that's me.
-
-
Friday 3rd April 2015 08:34 GMT Ken Hagan
The solution is for anyone who wants to prove their identity to make their own certificate and get it signed by several CAs. That way the certificate remains valid until all of the counter-signatories have mis-behaved.
It's also more expensive (ie, a money-spinner for the CAs) so I'm surprised the CAs themselves aren't pushing this approach.
-
Saturday 16th January 2016 18:30 GMT Anonymous Coward
> The solution is for anyone who wants to prove their identity to make their own certificate and get it signed by several CAs
You mean several as opposed to one? Because if you s/several/a/, what you get is exactly the current system. You do not ever send your certificate to the CA, just the CSR (Certificate Signing Request).
-
-
Friday 3rd April 2015 21:24 GMT James 100
No-brainer move
Frankly, I'd be stunned and concerned if any outfit *didn't* revoke CNNIC's validity for this lot.
"Unacceptable"? Fortunately, CNNIC, you don't get to decide whether to accept things or not: we do, based on defaults from Chrome and others. It's CNNIC and their fake certificates which are not acceptable any more. Inexplicable? Well, that would be the suicidal decision to abuse that trust to issue a bunch of fake IDs, or enable a third party to do so with your implied approval.
Looks like we need a tougher auditing regime for these CAs, if not an alternative scheme entirely; I rather like the DANE DNSSEC approach for regular certificates. Maybe limit the current CA system to EV certs instead, and be much more restrictive about who can issue them.