Chinese Users Rushing to Root out CNNIC Root CA

How to untrust?
http://www.imminentweb.com/technologies/remove-cnnic-ca

What the hack is this fuss?
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c29

Consequence if trusted?
CNNIC + GFW = Tampering of SSL session originated from browsers or system which trust CNNIC Root CA will be unnoticeable, unless the users check the signing chain on each request.

Update
=============
Mozilla currently confirmed the bug: Remove CNNIC root CA from NSS
https://bugzilla.mozilla.org/show_bug.cgi?id=542689

to do : Microsoft and CNNIC's cross signers

If you have business in china and have valuable data to protect, join us and import CNNIC cert into windows Untrusted CA list. Remove CNNIC root CA from firefox's trusted CA list. Write to MS, WebTrust, Entrust.net and express your dissatisfaction against signing/adding untrustworthy certs/authorities.

 

Related Information :

about CNNIC:
- Who is CNNIC?

CNNIC is directly administrated by MII and CAS, the latter one is heavily related GFW R&D.

- What do they serve?

- CNNIC in-famous History:
[Chinese netizens' long term struggle against CNNIC's rouge behavior]
@2003 iiirc, cnnic plug-in emerged since this year (correct me if i am wrong ).
attempted to inject certs into user machine by malicious code.

@2005 Chinese netizen sued CNNIC for developing malware to promote its Chinese domain service. CNNIC keep arguing speciously.

@2006-2007 the malware evolved into a self-updated kernel-driver protected stubborn rogue-ware spread worldwide
(note: its 2006 when rootkit technique hasn't been that widely used as today).
here is an old analysis http://blog.spywareguide.com/2007/04/china_internet_network_informa_1.html

@2009-2010 help cens*ship & content ctrl
applied for Root CA position without propaganda
stop private cn domain revolving for a group of domains including blogs and forums
halt foreign cn domain registration


about the GFW & MITM Attack
- current status
It has long been worried that GFW could intercept SSL sessions. Later its proved that GFW can interrupt SSL sessions based on its Certificates, which make people worried more and more. Someone even related the SSL cert signing date change to Google's Infiltration event. GFW seems to be seeking MITM solutions.

- why CNNIC Root CA so important
CNNIC is directed by MII and CAS which is connected closely to GFW. With certificates specially signed by CNNIC, GFW can silently launch MITM attack on SSL sessions going through it. The users wouldn't even notice if the CNNIC Root Cert is trusted. All SSL sessions going through GFW could be affected. It would be very hard to gather evidence for such small scale attacks on high profile targets.
With url detection and certification identification capability, hijacking the SSL session during authentication is enough for GFW to harvest thousands of passwords on specific websites like Paypal Gmail and more.

You can join the Discussion Here:
https://groups.google.com/group/mozilla.dev.security.policy
And don't forget Bugzilla if you have valuable ideas on technical aspect to persuade die hard Mozilla members to rm CNNIC certs
https://bugzilla.mozilla.org/show_bug.cgi?id=542689

 

I just learned to kick it out of my computer!

CNNIC was completely infamous,now they've got trusted certificates? The world is insane!!

 

The things the chinese are prepared to do, and do, don't surprise me anymore. But i wouldn't count on Just the chinese using methods such as this, and whatever else. I would expect ANY other .GOV etc to try and do it too, if they havn't already

Certs are "supposed" to be about trust, but i say don't automatically trust anyone/anything on the www. And as we are finding out, as more and more covert/overt methods are used, we can't trust, nor should we.

Here's what i find in FF v3.0.13, with some suggestions/questions.











@Bensec

Thanks for the info etc Most of us won't be using chinese www's so could this still effect us indirectly in any way/s ?

@bonedriven

Can you explain the exact methods you used please

 

It's described in detail here.

Oh and BTW:

The above is completely false. Mozilla didn't confirm anything, it's a bug filed by a ~ Snipped as per TOS ~ user. Anyone can file bugs there. Mozilla is pretty much silent, the guys are paid by the commercial CAs apparently. OTOH, adding non-commercial ones such as CAcert.org is pretty much mission impossible

 

This is why SSL sucks and should never be trusted for anything really sensitive. The whole third-party certificate authority idea is just a bad one all around. There's too many CA's for one, and there is little oversight. Secondly, it's too easy for them to forge a legit cert and give it to NSA or sell it to a criminal organization, etc. If this happens these rogues or govt. organizations would be able to decrypt all traffic encrypted with that key in real-time.

If you want encryption, the only way to go is to generate your own (public) keys and exchange them with the people you want to communicate with in person (and then sign their key and begin a web of trust). PGP uses this model and it's the right one. Slightly inconvenient, but secure.