Chinese Users Rushing to Root out CNNIC Root CA

Discussion in 'other security issues & news' started by Bensec, Feb 2, 2010.

Thread Status:
Not open for further replies.
  1. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    How to untrust?
    http://www.imminentweb.com/technologies/remove-cnnic-ca

    What the heck is this fuss?
    https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c29

    Consequence if trusted?
    CNNIC + GFW = Tampering with SSL sessions originating from browsers or systems that trust the CNNIC Root CA will go unnoticed, unless the user checks the signing chain on each request.

    Update
    =============
    Mozilla currently confirmed the bug: Remove CNNIC root CA from NSS
    https://bugzilla.mozilla.org/show_bug.cgi?id=542689

    To do: Microsoft and CNNIC's cross-signers

    If you have business in China and have valuable data to protect, join us and import the CNNIC cert into the Windows Untrusted CA list. Remove the CNNIC root CA from Firefox's trusted CA list. Write to MS, WebTrust, Entrust.net and express your dissatisfaction with signing/adding untrustworthy certs/authorities.
     
    Last edited: Feb 2, 2010
  2. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    Related Information :

    about CNNIC:
    - Who is CNNIC?
    CNNIC is directly administrated by MII and CAS; the latter is heavily related to GFW R&D.

    - What do they serve?
    - CNNIC in-famous History:
    [Chinese netizens' long-term struggle against CNNIC's rogue behavior]
    @2003 iirc, the CNNIC plug-in emerged this year (correct me if I am wrong :)).
    It attempted to inject certs into user machines via malicious code.

    @2005 Chinese netizens sued CNNIC for developing malware to promote its Chinese domain service. CNNIC kept arguing speciously.

    @2006-2007 the malware evolved into a self-updating, kernel-driver-protected, stubborn rogue-ware spread worldwide
    (note: it was 2006, when rootkit techniques weren't as widely used as they are today).
    Here is an old analysis: http://blog.spywareguide.com/2007/04/china_internet_network_informa_1.html

    @2009-2010 helped cens*ship & content ctrl
    applied for Root CA position without propaganda
    stopped private .cn domain resolving for a group of domains including blogs and forums
    halted foreign .cn domain registration


    about the GFW & MITM Attack
    - current status
    It has long been feared that GFW could intercept SSL sessions. Later it was proved that GFW can interrupt SSL sessions based on their certificates, which made people worry more and more. Some even related the SSL cert signing date change to Google's infiltration event. GFW seems to be seeking MITM solutions.
    - why CNNIC Root CA so important
    CNNIC is directed by MII and CAS, which are connected closely to GFW. With certificates specially signed by CNNIC, GFW can silently launch MITM attacks on SSL sessions going through it. The users wouldn't even notice if the CNNIC Root Cert is trusted. All SSL sessions going through GFW could be affected. It would be very hard to gather evidence for such small-scale attacks on high-profile targets.
    With URL detection and certificate identification capability, hijacking the SSL session during authentication is enough for GFW to harvest thousands of passwords on specific websites like PayPal, Gmail and more.

    You can join the Discussion Here:
    https://groups.google.com/group/mozilla.dev.security.policy
    And don't forget Bugzilla if you have valuable ideas on the technical aspects to persuade die-hard Mozilla members to rm CNNIC certs:
    https://bugzilla.mozilla.org/show_bug.cgi?id=542689
     
    Last edited: Feb 2, 2010
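    The per-request chain check Bensec mentions in post #1 ("unless the users check the signing chain on each request") and the rogue-root MITM scenario in post #2 can be turned into a small audit routine. The following is an added example, not code from the thread or from any project named in it. It works on the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns; the function names (`audit_chain`, `fetch_leaf`), the sample hostnames and the CA names in the constructed chains are assumptions for illustration, except that the distrusted organisation name is the one the thread is about.

```python
"""Audit a TLS certificate chain for distrusted issuers.

Added example, not code from the forum thread. It works on the dict layout that
ssl.SSLSocket.getpeercert() returns: 'subject' and 'issuer' are tuples of RDNs,
each RDN a tuple of (attribute, value) pairs. The chains below are constructed
for illustration: hostnames and CA common names are made up, except that the
distrusted organisation name is the one the thread discusses.
"""
import socket
import ssl


def name_to_dict(name):
    """Flatten a getpeercert()-style distinguished name into {attribute: value}."""
    flat = {}
    for rdn in name:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def audit_chain(chain, distrusted_orgs, expected_root_org=None):
    """Return a list of findings for a leaf-first chain; an empty list means clean.

    chain             -- list of getpeercert()-style dicts, leaf first, root last
    distrusted_orgs   -- organizationName values that must not appear as an issuer
    expected_root_org -- if given, the last certificate must carry this
                         organizationName (a crude pin on the trust anchor)
    """
    if not chain:
        return ["empty chain"]
    findings = []

    # 1. Each certificate's issuer must equal the subject of the next one,
    #    otherwise the list is not a chain at all.
    for i in range(len(chain) - 1):
        issuer = name_to_dict(chain[i]["issuer"])
        next_subject = name_to_dict(chain[i + 1]["subject"])
        if issuer != next_subject:
            findings.append(
                f"link {i}: issuer {issuer.get('commonName')!r} is not the "
                f"subject of certificate {i + 1} ({next_subject.get('commonName')!r})"
            )

    # 2. No certificate may be issued by a distrusted organisation. This is the
    #    check the thread asks for: inspect the chain on every connection instead
    #    of relying on whatever the OS trust store happens to contain.
    for i, cert in enumerate(chain):
        issuer_org = name_to_dict(cert["issuer"]).get("organizationName", "")
        if issuer_org in distrusted_orgs:
            subject_cn = name_to_dict(cert["subject"]).get("commonName")
            findings.append(
                f"certificate {i} ({subject_cn!r}) is issued by distrusted CA {issuer_org!r}"
            )

    # 3. Optional pin: the chain must end in the root we expect for this site.
    if expected_root_org is not None:
        root_org = name_to_dict(chain[-1]["subject"]).get("organizationName")
        if root_org != expected_root_org:
            findings.append(f"chain ends in {root_org!r}, expected root {expected_root_org!r}")
    return findings


def fetch_leaf(host, port=443, timeout=10):
    """Fetch the leaf certificate a live server presents, in getpeercert() form.

    getpeercert() returns only the leaf; its 'issuer' names the intermediate.
    Needs network access, so the offline demo below does not call it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _dn(cn, org):
    """Build a getpeercert()-style name with a commonName and an organizationName."""
    return ((("commonName", cn),), (("organizationName", org),))


# Constructed sample chains (not real certificates).
CLEAN_CHAIN = [
    {"subject": _dn("mail.example.com", "Example Mail Ltd"), "issuer": _dn("Example Intermediate", "Example CA")},
    {"subject": _dn("Example Intermediate", "Example CA"), "issuer": _dn("Example Root", "Example CA")},
    {"subject": _dn("Example Root", "Example CA"), "issuer": _dn("Example Root", "Example CA")},
]
# The same site presented with a chain that terminates in the distrusted root,
# which is what an interposed SSL session would look like to the client.
ROGUE_CHAIN = [
    {"subject": _dn("mail.example.com", "Example Mail Ltd"), "issuer": _dn("CNNIC SSL", "CNNIC")},
    {"subject": _dn("CNNIC SSL", "CNNIC"), "issuer": _dn("CNNIC ROOT", "CNNIC")},
    {"subject": _dn("CNNIC ROOT", "CNNIC"), "issuer": _dn("CNNIC ROOT", "CNNIC")},
]
DISTRUSTED = {"CNNIC"}

if __name__ == "__main__":
    for label, chain in (("clean", CLEAN_CHAIN), ("rogue", ROGUE_CHAIN)):
        print(label, audit_chain(chain, DISTRUSTED, expected_root_org="Example CA") or ["ok"])
```

    The point of the third check is the one the thread keeps returning to: removing a root from the store stops the browser trusting it, but a pin on the root you expect for a given site also catches a chain that ends in some other root still present in the store. In real use the chain comes from the server (the leaf via `fetch_leaf`, the rest from the handshake), and the OS or browser verification has already passed by the time `getpeercert()` returns, which is exactly why a second, policy-driven look at the issuers is worth having.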
  3. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    565
    I just learned to kick it out of my computer! :mad:

    CNNIC was completely infamous, and now they've got trusted certificates? The world is insane!!
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    The things the Chinese are prepared to do, and do, don't surprise me anymore. But I wouldn't count on just the Chinese using methods such as this, and whatever else. I would expect ANY other .GOV etc. to try and do it too, if they haven't already :D

    Certs are "supposed" to be about trust, but I say don't automatically trust anyone/anything on the www. And as we are finding out, as more and more covert/overt methods are used, we can't trust, nor should we.

    Here's what I find in FF v3.0.13, with some suggestions/questions.

    [Attached screenshots: c1.gif, c2.gif, c3.gif, c4.gif]

    @Bensec

    Thanks for the info etc. :thumb: Most of us won't be using Chinese www's, so could this still affect us indirectly in any way/s?

    @bonedriven

    Can you explain the exact methods you used please :)
     
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    It's described in detail here.

    Oh and BTW:

    The above is completely false. Mozilla didn't confirm anything; it's a bug filed by a ~ Snipped as per TOS ~ user. Anyone can file bugs there. Mozilla is pretty much silent; the guys are paid by the commercial CAs, apparently. OTOH, adding non-commercial ones such as CAcert.org is pretty much mission impossible.

    :thumbd: :thumbd: :thumbd:
     
    Last edited by a moderator: May 3, 2010
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    This is why SSL sucks and should never be trusted for anything really sensitive. The whole third-party certificate authority idea is just a bad one all around. There are too many CAs, for one, and there is little oversight. Secondly, it's too easy for them to forge a legit cert and give it to the NSA or sell it to a criminal organization, etc. If this happens, these rogues or govt. organizations would be able to decrypt all traffic encrypted with that key in real time.

    If you want encryption, the only way to go is to generate your own (public) keys and exchange them with the people you want to communicate with in person (and then sign their key and begin a web of trust). PGP uses this model and it's the right one. Slightly inconvenient, but secure.
     