Mozilla piles on China's SSL cert overlord: We don't trust you either

Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC). This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, …

  1. This post has been deleted by its author

    1. Hairy Airey

      Wasn't that long ago that there weren't even a dozen root CAs but the open market has put paid to that. Unless specific governments take this over I can't see how you can regulate it. Looking at what the IANA are doing with gTLDs I won't hold my breath.

      1. Destroy All Monsters Silver badge

        Unless specific governments take this over I can't see how you can regulate it.

        As governments are to all evidence a fat part of the problem, this would be a case of destroying the village in order to save it.

        1. Oninoshiko

          I couldn't have said it better myself. Governments have given me every reason to NOT trust them.

          1. Lee D Silver badge

            I don't get why I have to trust a CA at all.

            Trusting someone who will make me "trust" hundreds of thousands of other websites, just to visit the one I want, seems absolutely ludicrous on the face of it. Convenience over security from the start isn't a good sign.

            Until we get to publishing TLS records inside a secure DNS, what's wrong with showing the hash of the website's certificate and I get to choose whether or not to trust them, à la SSH?

            I'd much rather have an ad hoc system of someone publishing what hash THEY see for Facebook, and what I see for Facebook, and then if they match I have a semblance of security. Even some kind of P2P collection of known hashes would be a good start, and if we can get a Bitcoin-like "You have to control more than 50% of nodes in order to change hashes" system, then it's perfect.

            CAs are a nonsense. By default, my browser will trust the opinion of several dozens of international organisations as to whether one of TENS OF MILLIONS of certificates is genuine (based on how much they are paid and usually nothing more than domain-verification by email, of all things!).
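            The SSH-style pinning Lee D describes, as an added example that is not part of this thread: a trust-on-first-use fingerprint store plus a majority vote over several observers' reports (the "more than 50% of nodes" idea). The hostnames and certificate bytes are constructed placeholders; real input would be the DER bytes from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
from collections import Counter

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the colon-separated
    hex form browsers and `openssl x509 -fingerprint -sha256` display."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class PinStore:
    """Trust-on-first-use fingerprint store modelled on SSH's known_hosts.
    Maps a hostname to the fingerprint pinned for it."""

    def __init__(self):
        self.pins = {}

    def preload(self, host, fp):
        # Pin obtained out of band (in person, SMS, printed): the "different
        # channel" that makes a fingerprint comparison meaningful at all.
        self.pins[host] = fp

    def check(self, host, cert_der):
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp      # first contact: nothing to compare against
            return "new"
        if known == fp:
            return "match"
        return "mismatch"             # changed cert: rotation or interception, caller decides

def majority_fingerprint(reports):
    """Fingerprint reported by a strict majority of observers, else None.
    Only helps if the reports themselves arrive over a channel the
    attacker cannot rewrite, which is exactly the objection raised below."""
    if not reports:
        return None
    fp, count = Counter(reports).most_common(1)[0]
    return fp if count * 2 > len(reports) else None

if __name__ == "__main__":
    # Constructed sample "certificates" standing in for DER bytes.
    cert_a = b"constructed DER cert A for example.test"
    cert_b = b"constructed DER cert B for example.test"
    store = PinStore()
    print(store.check("example.test", cert_a))   # new
    print(store.check("example.test", cert_a))   # match
    print(store.check("example.test", cert_b))   # mismatch
    print(majority_fingerprint([fingerprint(cert_a)] * 2 + [fingerprint(cert_b)]) == fingerprint(cert_a))  # True
```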

            1. This post has been deleted by its author

            2. James Ashton

              Beware of the Man in the Middle (Kingdom)

              I'd much rather have an adhoc system of someone publishing what hash THEY see for Facebook, and what I see for Facebook and then if they match I have a semblance of security.

              How are these published hashes going to reach you? Over the Internet? So the man in the middle is just going to intercept your request for these hashes and replace them with hashes for their bogus certs. In China in particular, the government controls your Internet connexion so this would be trivial for them. You could try downloading the hashes over SSL but, whoops, chicken meets egg. What you're suggesting is just an alternative or secondary system of trust that's really no different from what we have already.

              1. Anonymous Coward

                Re: Beware of the Man in the Middle (Kingdom)

                > How are these published hashes going to reach you? Over the Internet?

                The whole point of hashes / fingerprints is that you compare the one being presented with the one that you already have, obtained via a different channel.

                E.g., for OTR or my public key fingerprint, I usually either give them in person, enter them myself into my contact's computer, or send them via SMS.

                Scaling this could be a wee bit of a problem though, even if we take to large scale signing of each other's keys, PGP-style.

          2. TeeCee Gold badge

            It's not trusting government that's the problem, it's that governments don't trust each other and insist on having complete ownership of "their" certificates. Hence the proliferation.

            Same reason we have three GPS systems when one will do the job perfectly well.

  2. Mikel

    They still have IE

    Nobody who cares about security is using IE anyway, so they probably always will.

    1. gerdesj Silver badge

      Re: They still have IE

      True, but to be fair the Windows built-in SSL cert store is a lot easier to manage than the NSS thingie that FF and Chrome use, once you get the hang of the console. As for the nightmare that is the OpenSSL collection ...

      Actually they are all bollocks and should be easier to get at, explained better and bulk ops should be supported so you can actually manage **YOUR** policy not have it simply foisted on you.

      1. Vic

        Re: They still have IE

        so you can actually manage **YOUR** policy

        If people were to manage their own security, life would probably be pretty good.

        But what we know from experience is that they won't - the vast bulk of them will just accept whatever defaults they're given...

        Vic.

  3. gerdesj Silver badge

    Verbosity

    "The decision that Google has made is unacceptable and unintelligible to CNNIC"

    If the decision is unintelligible, then how do they know that it would be unacceptable to them?

    1. Richard Jones 1

      Re: Verbosity

      So, they get some spiv somewhere to turn out what appear to be invalid security tokens. Now people don't trust these untrustworthy tokens and they say this is unacceptable. What planet or which illegal substance(s) are they on?

    2. daealc

      Re: Verbosity

      Maybe the message was sent by someone else using an email signed from CNNIC :P

    3. Anonymous Coward

      Re: Verbosity

      Obviously a failure to communicate: Translation failure. Perhaps they meant "incomprehensible"? It's the Middle Kingdom so they have problems with having to take instruction from "foreign devils." Thousands of years of history behind that problem and Modern China is just as bad.

    4. NogginTheNog

      Re: Verbosity

      How sophisticated of you: mocking other people's second language skills.

  4. Martijn Otto

    Interesting that CNNIC urges for Google to reconsider and "think of the users". If you ask me, thinking of the users is exactly what they are doing in this case.

    1. Graves

      I'd go one further and urge Google and Mozilla to think of the users even more and take out a number of other CAs that I'd personally not even trust with €0.05, let alone my connection, and I'd suggest they permanently put CNNIC on the 'we will trust you on a cert by cert basis' list.

      But that's me.

  5. Ken Hagan Gold badge

    The solution is for anyone who wants to prove their identity to make their own certificate and get it signed by several CAs. That way the certificate remains valid until all of the counter-signatories have mis-behaved.

    It's also more expensive (i.e., a money-spinner for the CAs) so I'm surprised the CAs themselves aren't pushing this approach.

    1. Anonymous Coward

      > The solution is for anyone who wants to prove their identity to make their own certificate and get it signed by several CAs

      You mean several as opposed to one? Because if you s/several/a/, what you get is exactly the current system. You do not ever send your certificate to the CA, just the CSR (Certificate Signing Request).

  6. James 100

    No-brainer move

    Frankly, I'd be stunned and concerned if any outfit *didn't* revoke CNNIC's validity for this lot.

    "Unacceptable"? Fortunately, CNNIC, you don't get to decide whether to accept things or not: we do, based on defaults from Chrome and others. It's CNNIC and their fake certificates which are not acceptable any more. Inexplicable? Well, that would be the suicidal decision to abuse that trust to issue a bunch of fake IDs, or enable a third party to do so with your implied approval.

    Looks like we need a tougher auditing regime for these CAs, if not an alternative scheme entirely; I rather like the DANE DNSSEC approach for regular certificates. Maybe limit the current CA system to EV certs instead, and be much more restrictive about who can issue them.

  7. Lostintranslation

    Cynical? Moi?

    "China Internet Network Information Centre (CNNIC)".

    Surely that should be CINIC?
