User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; Avant Browser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
CA Name: [China Internet Network Information Center (CNNIC) CA ]
Website URL: [http://www.cnnic.cn ]
[CNNIC is an organization, which is administrated by Computer Network Information Center of Chinese Academy of Sciences. CNNIC CA only offers SSL Certificates for servers abroad now. There is only one subordinate CA we have for our SSL Server Certificate. ]
Audit Type (WebTrust, ETSI etc.): [ WebTrust ]
Auditor: [ Ernst&Young ]
Auditor Website URL: [http://www.ey.com/global/content.nsf/China_E/home ]
Audit Document URL(s):
URL of certificate hierarchy diagram (if available):
(To be completed once for each root certificate; note that we only
include root certificates in the store, not intermediates.)
Certificate Name: [ CNNIC Root ]
[End entities must offer real application materials and information. And the subscribers must accept and sign CPS of CNNIC CA. The detailed policies are described in CPS. ]
Root certificate download URL (on CA website):
Certificate SHA1 Fingerprint (in hexadecimal):
[ 8b af 4c 9b 1d f0 2a 92 f7 da 12 8e b9 1b ac f4 98 60 4b 6f ]
Key size (for RSA, modulus length) in bits: [ 2048bits ]
Valid From (YYYY-MM-DD): [ 2007-4-16 ]
Valid To (YYYY-MM-DD): [ 2027-4-16 ]
CRL HTTP URL (if any):
CRL issuing frequency for subordinate CA certificates: [ 0.5 days ]
CRL issuing frequency for subordinate EE certificates: [ days ]
OCSP responder URL (if any):
Certificate Policy URL:
[ Didn't publish ]
Requested Trust Indicators: [ SSL ]
URL of a sample website using a certificate chained to this root
(if applying for SSL):
Accepting this bug so we can begin the Information Gathering and Verification
phase as described in https://wiki.mozilla.org/CA:How_to_apply.
I am sorry. I am not familiar with this system. Can you tell me how to accept this bug please?
Created attachment 361221 [details]
Information Checklist of CNNIC Root Certificate
I attached the information checklist of CNNIC Root Certificate to show the detailed information.
Created attachment 361808 [details]
Initial Information Gathering Document
Attached is the Initial Information Gathering Document which summarizes the information that has been gathered and verified. Please review the document for accuracy and completeness. The items in the document that are highlighted in yellow indicate the information that needs to be clarified or provided. I will also summarize below.
1) This bug is set for Restricted Visibility. It is Mozilla Policy that CA requests and the related information be publicly available. Please remove the restricted visibility. Also, please be sure to only post publicly available information. All of the information that has been posted in this bug so far appears to be publicly available.
2) Is CNNIC a Chinese Government organization?
3) I have not been able to download the CNNIC ROOT certificate using the provided links. Please provide the URL where I can download this root.
4) Please review http://wiki.mozilla.org/CA:Problematic_Practices and comment as to which of these are relevant. Provide further information about the items that are applicable.
To Kathleen Wilson:
Thank you for your reminding!
1)All of the information I offered is public, but I don't know how to remove the restricted visibility. Is there any method to remove the restriction?
2)CNNIC is not a Chinese Government organization. It is an orgnization that mainly operate Chinese top level domain name registration. And CA is a new operation for CNNIC to protect Internet security.
3)Sorry about the wrong link. We revised the link and the new one is http://www.cnnic.cn/uploadfiles/rar/2009/2/12/cnnicroot.rar, please check.
4)Wildcard DV SSL Certificates:
Wildcard SSL Certificates indeed have some weakness, so we only issue this type certificate to appliers whose identities have been validated with organizational validation. In addition, the subscribers of this type have to sign a contract to promise that their sub-domains are really belonging to them.
This will be update in CPS in March 2009.
Certificates referencing hostnames or private IP addresses:
For single domain and wildcard domain certificates, the name is hostnames, not IP addresses. For Multi-domain Certificates, the name is composed by each domain name and the serial number designated by CNNIC, also not IP addresses.
Created attachment 364210 [details]
Completed Information Gathering Document
Attached is the Completed Information Gathering document.
I have also updated the pending list at
Please confirm the accuracy and completeness of both of these.
In regards to fixing the visibility of this bug:
When you scroll in this bug up above the Attachments section do you see a section with the following information?
Restrict Group Visibility:
Only users in all of the selected groups can view this bug:
(Unchecking all boxes makes this a more public bug.)
-- Confidential Mozilla Project Bug (use another group if possible)
Only members of a group can change the visibility of a bug for that group.
I think you just need to un-check the box for “Confidential Mozilla Project Bug”.
Thank you so much!
I reviewed the attachment. And I haven't found any problem. I wonder what should I do next?
I can't un-check the box for "Confidential Mozilla Project Bug" , so what should I do?
This request has been added to the queue for public discussion:
The status in the queue indicates which request is currently in discussion.
Based on the backlog in the queue, it will take a couple of months before this
request enters public discussion. I apologize for the delay.
Created attachment 405525 [details]
CNNIC ROOT cert
This request is next in the queue for public discussion
Would you please provide a link to the audit report for this year?
Thank you so much!
the URL for this year's audit report is https://cert.webtrust.org/ViewSeal?id=935.
Created attachment 405902 [details]
Completed Information Gathering Document
I am now opening the first public discussion period for this request from the China Internet Network Information Center (CNNIC) to add the “CNNIC ROOT” root certificate and enable the Websites trust bit.
For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding email@example.com mailing list.
The discussion thread is called “CNNIC Root Inclusion Request”
Please actively review, respond, and contribute to the discussion.
The public comment period for this request is now over.
This request has been evaluated as per sections 1, 5 and 15 of the official CA policy at
Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.
To summarize, this assessment is for the request to add the “CNNIC ROOT” root certificate and enable the Websites trust bit.
Section 4 [Technical]. I am not aware of any technical issues with certificates issued by CNNIC, or of instances where they have knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.
Section 6 [Relevancy and Policy]. CNNIC appears to provide a service relevant to Mozilla users: It is a non-profit organization, and is the state network information center of China. CNNIC takes orders from the Ministry of Information Industry (MII) to conduct daily business, while it is administratively operated by the Chinese Academy of Sciences (CAS). The CNNIC Steering Committee, a working group composed of well-known experts and commercial representatives in domestic Internet community, supervises and evaluates the structure, operation and administration of CNNIC.
Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main document of interest is the CPS, which has been translated into English.
Section 7 [Validation]. CNNIC appears to meet the minimum requirements for subscriber verification, as follows:
* Email: Not applicable -- not requesting the email trust bit.
* SSL: As per sections 3.2 and 4.1 of the CPS, the Local Registration Authority performs a domain name registration information inquiry (whois), gets the information of the domain name registrar of the domain name certificate application, checks whether the domain name registrar is consistent with the domain name certificate applicant, and determines whether the domain name certificate applicant indeed owns this domain name. Then the RA auditor checks whether the legal domain name subscriber is consistent with the certificate applicant (also using the whois function), and whether the information is true, and compares it with the application information in the RA system.
* Code: Not applicable -- not requesting the code signing trust bit.
Section 8-10 [Audit]. CNNIC is audited every 12 months, according to their CPS.
CNNIC was recently audited by Ernst & Young. https://cert.webtrust.org/ViewSeal?id=935
Section 13 [Certificate Hierarchy]. There is currently one internally-operated subordinate CA named CNNIC SSL, which offers only SSL certificates. SSL certificates may be issued to general public, including enterprise, government, organization, league, and individual.
* CRL: CNNIC provides CRL, NextUpdate is 12 hours
* OCSP: CNNIC does not currently provide OCSP.
Based on this assessment I intend to approve this request to add the “CNNIC ROOT” root certificate and enable the Websites trust bit.
To the representatives of CNNIC: Thank you for your cooperation and your patience.
To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request.
As per the summary and recommendation in Comment #14, and on behalf of the Mozilla project I approve this request from CNNIC to include the following root certificate in Mozilla, with trust bits set as indicated:
* CNNIC ROOT (websites)
I will file the NSS bug to effect the approved changes.
I have filed bug #525008 against NSS for the actual changes.
Confirmed that this root is a Builtin Object Token in Firefox 3.6.
Please remove this root CA! We Chinese users don't trust CNNIC.
Liu Yan said: 2)CNNIC is not a Chinese Government organization.
He is cheating! CNNIC is an infamous organ of the Chinese Communist government to monitor and control the Internet in China. For secrete reasons they even distributed spyware by making advantage of their administration privilege:
They're one of the tools used by the CCP government to censor the Internet users. If CNNIC root certificate is added by default as Builtin Object, they can forge verified gmail certificates to cheat the Chinese users by using MITM attack against the SSL protocol.
Please be alert of CCP government agents.
We object the adding of such untrusty CA to the Firefox Project! Please see the reaction of the users:
From McAfee siteadvisor about cnnic.net.cn:
When we tested this site we found links to tech.sina.com.cn, which we found to be a distributor of downloads some people consider adware, spyware or other potentially unwanted programs.
I've posted a message to the mozilla.dev.security.policy mailing list under the title CNNIC Root Inclusion. Please join and add your comments there.
Unfortunately you are bit late - a public discussion was held at that mailing list according to the processes of CA root inclusions of Mozilla. Your concerns could have been heard at that time and addressed accordingly.
If we include this cert, PRC government can hijack any SSL session WITHOUT any warming to user.
PRC government always monitor online activities of chinese pro-democracy people.
You know what's Google happening.
We need to protect the user whether it is political or not.
I DO NOT trust CNNIC.
Most of the Chinese INTRANET(behind GFW) users know that CNNIC is full of UNREMOVABLE IE toolbars and lies.
As a Shanghai resident, I totally agree with lihlii in Comment 18 and Yuki Sea in Comment 21, CNNIC is infamous in China and it has a lot of connections with the government and GFW, I think there's no need to provide more evidence as we all know what GFW is, and the recent incident happened to Google China says its all.
Seriously, please take CNNIC out of the trusted Root CA list.
This bug should be reopen as rejected and the changes should be rollback.
Mozilla should really reconsider the decision or most Chinese users will no longer use Mozilla products.
Being a former Chinese resident, I still remembered years ago CNNIC automatically installed their UNREMOVABLE system drivers to our systems by using IE 6 bugs. CNNIC is really a gangster.
It has very closed tie with Chinese government and CPC (or CCP).
I'm seriously worried that CNNIC will use this to help Chinese government to hijack SSL seesions to monitor user activities.
It is incredible that CNNIC is taken as "authority". I just cannot trust in an organization who spreads unwanted adwares. Who can guarantee CNNIC . Almost everyone I know who concerns computer network and security is against this update.
Excuse me, I meant, who can guarantee CNNIC would not certificate gmaiI.com as gmail.com and phish my gmail password?
Also, please be reminded that discussion is going on here, though I cannot access in the GFW:
You can use Google Groups at http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/17be3bd7e0b33e8c# (doesn't this work for you?)
It doesn't work, while other groups work.
First, I want to thank everyone paying so much attention on CNNIC and CNNIC CA.
As one of the employers of CNNIC, I want to make some explanations. CNNIC is an organization, which is administrated by Computer Network Information Center of Chinese Academy of Sciences. It means that CNNIC just offers service on technology and research. CNNIC is the registry for Chinese Domain Name, the similar role as VeriSign which is responsible for .com’s registration. So obviously CNNIC is not a government. And as I know the WebTrust audit for government is much simpler compared to company.
In addition, CNNIC only offers server certificate now. The technology and authentication of issuing certificates is qualified with the international criteria. There is no possible for us to monitor the user's actions or do some attacks. I think every technical personnel knows that.
Liu Yan, are you kidding?
On CNNIC website, it's clearly stated that CNNIC is directly administrated by both "Ministry of Industry and Information Technology of the PRC" and Chinese Academy of Sciences (budget controlled by the government).
You are right, CNNIC is not a government, but it's directly managed by the government and did everything that Chinese government asked it to do.
We don't care whether CNNIC is going to hijack SSL sessions directly for the agents or not. The problem is when government order CNNIC to issue dodgy certificates to play the MITM games, CNNIC simply can't say no.
Bugzilla isn't a place for advocacy, this discussion belongs in the
mozilla.dev.security.policy newsgroup, as Eddy mentions.
Having said that - I am very sensitive to the concern here. In my latest
posting to that newsgroup, I said, in part:
1) We have never claimed as a matter of policy that our PKI decisions can
protect people from malicious governments. It's just not a plausible promise
for us to make.
2) I think, regardless of government ties, we'd carefully review and might well
yank trust for any CA that was complicit in MitM attacks.
3) CNNIC complied with our root addition policy, they are in the product
presently, so this isn't a question of approval, this is a question of whether
we should review.
It feels to me like that makes our next step clear, here. It won't help to
tally up the complainants (there will be many), and it won't help to demand
assurances from CNNIC (since the alleged governmental pressure would trump
those anyhow). It certainly won't help to cite wikipedia.
If there's truth to the allegation, here, then it should be possible to produce
a cert. It should be possible to produce a certificate, signed by CNNIC, which
impersonates a site known to have some other issuer. A live MitM attack, a
paypal cert issued by CNNIC for example. If anyone in a position to produce
such a thing needs help understanding the mechanics of doing so, I'm sure this
forum will help them.
SSL makes tampering visible to its victims. The certificate has to actually
make it to my client before I can decide to trust it. By all means, let's arm
people with the knowledge to detect and record such instances. But I don't see
any clear step we can take until then.
More comments in this bug will not help.
Information of the type I described would be helpful in bug 542689, but more advocacy will not help there, either.
Johnath, there appears to be a problem accessing the mailing list. Can somebody look into this?
Liu Yan said , "obviously CNNIC is not a government", but "just offers service on technology and research".
1. Is it considered by CNNIC as "service on technology and research" to spread malware with administrative power to spy on Internet users?
2. Is it considered by CNNIC as "service on technology and research" to ban personal website registration in the .cn domain space ?
3. CNNIC banned the DNS resolving of a lot of independent websites, such as bulllog.cn . Is this considered by CNNIC as your way of "service" of "registry for Chinese Domain Name"? Is this considered by CNNIC as "the similar role as VeriSign"?
4. Is CNNIC "qualified with the international criteria" as a trustworthy certificate authority?
5. Why did Liu Yan try to mask the real face of the PRC governmental nature of CNNIC ? Why did he even tried to hide the application by setting the bug report to "Restricted Visibility" at first?
6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet security". Is it considered by CNNIC as "operation to protect Internet security" by spreading unremovable malware to spy on users' Internet activities exploiting security flaws of the browsers, as CNNIC did ?
Liu Yan further claimed that "the WebTrust audit for government is much simpler compared to company".
So do you think CNNIC is a government or not? If CNNIC is controlled by the PRC government, why don't you dare to clearly admit it, but misled the readers by posing as a "just offers service on technology and research" ? What's the motivation to hide the real identity of CNNIC? :)
Liu Yan said: "There is no possible for us to monitor the user's actions or do some attacks. I think every technical personnel knows that."
Unfortunately, this is an arrant lie. CNNIC not only DID "monitor the users' actions" with intentionally spreaded malware , but also cooperated actively with the PRC government to crack down independent blogs and websites . It's also highly possible that they may actively cooperate in MITM attacks with such a government which attacked  its citizens, as well as dozens of companies and many computers of foreign civil organizations and government offices .
Further, Is PRC government a decent government?
Should a government put all their citizens in an information jail by building a GFW (Great Firewall)  to block their access to Internet?
Should a government enforce news and speech censorship  on all the websites including search engines to block criticism on the crimes they committed?
Should a government jail journalists and writers for their free speech ?
Should a government kill the college students and citizens with guns, and roll over the bodies of college students with tanks? 
Should a government cheat the world by hiding information about SARS and melamine contaminated milk which caused repetitive man-made disasters, and further punish those who told the truth?
Is this PRC government a real government, or is it a maffia group? :)
Liu Yan claimed that the CNNIC is a subordinate of "Chinese Academy of Sciences". Let's take a look at what kind of "research" the "Chinese Academy of Sciences" has done before. :)
The Institute of Acoustics, Chinese Academy of Sciences closely cooperated with the PRC government in Internet censorship. Same as CNNIC which "takes orders from the Ministry of Information Industry (MII)" , they developed some natural language machine understanding algorithms for Internet text censorship . The target of their research is to distinguish speeches of the opponents of the government from those of the proponents, which general keyword based filtering can't achieve. Their "research" was already deployed in the censorware "Green Dam", which was orderd by the MII to be installed on each new PC in manufacturing process. Although this plan failed, they must have started some other plots to achieve the same goal.
> 2008年7月，在工业和信息化部的直接领导下，两家成交供应商项目负责人和主要项目人员共同组成绿色上网过滤软件项目工作组，全面负责“绿坝·花季护航”绿色软件的研发、推广及相关服务工作。[...]更好的配合第三方监测机构的监测工作，确保绿色上网过滤软件项目的顺利实施。 
> According to the official website of "Green Dam - Youth Escort" (http://www.lssw365.net):
> In July of 2008, under the direct administration of the Ministory of Industry and Information, the project managers and major staffs of the two chosen suppliers formed a green Internet filtering software project workgroup which was in full charge of development, deployment and relative services of the "Green Dam - Youth Escort" green software. [...] for better cooperation in monitoring the web with third party monitoring organs (of the government) to ensuresuccessful implementation of the green Internet filtering software project. 
> 四、成交供应商：郑州金惠计算机系统工程有限公司、北京大正语言知识处理科技有限公司 [...]
> Link: http://www.ccgp.gov.cn/gzdt/366770.shtml
> In May 2008, The Ministry of Industry and Information issued an "Announcement of Competitive Negotiation Results for '[Governmental] Purchase of One Year Usage Licence and Related Services of Green Internet Filtering Software Product'"
> A. Purchaser: Ministry of Industry and Information, PRC
> D. Chosen Supplier: Jinhui Computer System Engineering Inc., Zhengzhou City. Beijing Dazheng Language and Knowledge Processing Technology Inc. [...]
> Beijing Dazheng Language and Knowledge Processing Tech. Inc. got a project valued 19,900,000 CNY (About 2.9 million USD). 
> [...] 与中科院声学所合作注册成立了北京大正语言知识处理研究院 
> [...] established the Beijing Dazheng Language and Knowledge Processing Tech. Inc. together with the Institute of Acoustics, Chinese Academy of Sciences. [20
> @gonewater: 绿坝软件两开发商之一北京大正的董事长陈小盟，[...]其在中科院声学所主持开发的HNC网络信息过滤器，2003年实现了语义分析与过滤，并被率先运用在反轮子战线上 #greendam 
> @gonewater [a twitter user]: As the chairman of the board of Beijing Dazheng company which is one of the two developers of the "Green Dam" software, he was in charge of the development of HNC Internet Information Filter at the Institute of Acoustics, Chinese Academy of Sciences. The filter achieved semantic analysis and filtering in 2003 and was used primarily in the battle against the Falungong . 
> 郑州金惠计算机系统工程有限公司和北京大正语言知识处理有限公司，他们是该软件的联合开发者，前者主要负责图像过滤，后者主要负责文字过滤。 - 南方周末记者 胡贲 实习生 郭仕鹏 2009-06-10 23:45:12
> Zhengzhou Jinhui Computer System Engineering Inc. and Beijing Dazheng Language and Knowledge Processing Tech. Inc. teamed up in the development of the filtering software. The former one was responsible for the image filtering part, while the later one was responsible for the text filtering part.  - Report on the newspaper "Southern Weekend" by Ben Hu, 10 June 2009.
> The HNC research team of the Institute of Acoustics, Chinese Academy of Sciences combined the core techniques they acquired through many years of research they did on natural language understanding and processing and successfully developed a "Internet Bad Information Detection System" featuring semantic understanding capabilities. It will contribute to the clean-up of the content in the Internet world. Currently this system is primarily targeted at erotic, counter-revolutionary and vulgar information appeared on the Internet. It can download content automatically from specified websites, detect and present reports. Deferent from previous keyword based detection systems, it can distinguish web pages of bad information from criticisms against bad information. For those pages that it fails to judge, it can raise a warning message for human judgement. 
 Bullog.cn http://en.wikipedia.org/wiki/Bullog.cn
 牛博网 http://zh.wikipedia.org/wiki/%E7%89%9B%E5%8D%9A%E7%BD%91
 2008 Chinese milk scandal / Censorship http://en.wikipedia.org/wiki/2008_Chinese_milk_scandal#Censorship
 Liu Yan: Every technical personnel knows that; 2010-01-28 17:40:47 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c29
 Liu Yan: CNNIC is not a Chinese Government organization; 2009-02-15 23:01:59 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c5
 Kathleen Wilson: This bug is set for Restricted Visibility; 2009-02-11 11:43:10 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c4
 Golden Shield Project http://en.wikipedia.org/wiki/Golden_Shield_Project
 金盾工程 http://zh.wikipedia.org/wiki/%E9%87%91%E7%9B%BE%E5%B7%A5%E7%A8%8B
 China Internet Network Information Center; / Malware Production And Distribution; http://en.wikipedia.org/wiki/CNNIC#Malware_Production_And_Distribution
 GhostNet; http://en.wikipedia.org/wiki/Ghostnet
 幽灵网; http://zh.wikipedia.org/wiki/%E5%B9%BD%E7%81%B5%E7%BD%91
 David Drummond, SVP, Corporate Development and Chief Legal Officer: A new approach to China; http://www.webcitation.org/5n92WuwKT = http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
 中华人民共和国网络审查; http://zh.wikipedia.org/zh-cn/%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E7%BD%91%E7%BB%9C%E5%AE%A1%E6%9F%A5
 Internet censorship in the People's Republic of China; http://en.wikipedia.org/wiki/Internet_censorship_in_the_People's_Republic_of_China
 极光行动; http://zh.wikipedia.org/wiki/%E6%9E%81%E5%85%89%E8%A1%8C%E5%8A%A8
 Operation Aurora; http://en.wikipedia.org/wiki/Operation_Aurora
 CNNIC Halts Website Domain Name Registration For Individuals In China;
December 15, 2009; http://www.chinatechnews.com/2009/12/15/11208-cnnic-halts-website-domain-name-registration-for-individuals-in-china
 中国互联网络信息中心; http://zh.wikipedia.org/wiki/%E4%B8%AD%E5%9C%8B%E4%BA%92%E8%81%AF%E7%B6%B2%E7%B5%A1%E4%BF%A1%E6%81%AF%E4%B8%AD%E5%BF%83#.E7.88.AD.E8.AD.B0
 Tiananmen Square protests of 1989; http://en.wikipedia.org/wiki/Tiananmen_Square_protests_of_1989
 Reports about Green Dam; https://groups.google.com/group/lihlii/msg/cff76953d4508ad7
 Analysis of the Green Dam Censorware System; https://groups.google.com/group/lihlii/msg/64b28befc01f8394
 Green Dam Youth Escort; http://en.wikipedia.org/wiki/Green_Dam
 绿坝·花季护航; http://zh.wikipedia.org/zh-cn/%E7%B6%A0%E5%A3%A9%C2%B7%E8%8A%B1%E5%AD%A3%E8%AD%B7%E8%88%AA
 中科院声学所主持开发的HNC网络信息过滤器，2003年实现了语义分析与过滤，并被率先运用在反轮子战线上; http://twitter.com/rmack/statuses/2090288450
 jiangzuyu: 中科院声学所成功研发网络不良信息检测系统; 网脉e代社区论坛; 2009-2-12 10:43; http://www.webcitation.org/5n9L4Z4mq = http://community.wm360.cn/space/index.php/viewthread-67157.html
 CNNIC takes orders from the Ministry of Information Industry (MII) to conduct daily business; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c14
 Falun Gong / Continued protests and statewide suppression; http://en.wikipedia.org/wiki/Falun_Gong#Continued_protests_and_statewide_suppression
Comments like comment 33 do not help. We don't need advocacy nor allegations, here. We need evidence of certificates issued that shouldn't have been.
Do you think certificates from liars should be included in Firefox? :)
Jonathan: might well yank trust for any CA that was complicit in MitM attacks.
Does the word "was" mean that until the MitM attack happened, any organizations can put their root CA certificates in Firefox provided that they can buy endorsement "services" from accountant companies like Ernst&Young  to acquire "trust" from webtrust.org?
The real concern of many Chinese programmers is not about "was", but "may", as CNNIC already "DID" quite some dirty things before! Now it's a new capability that the inclusion of root certificate of CNNIC will grant to the PRC government.
Anyway, since they already got secondary CA certificate issued by Entrust.net, adding CNNIC as root CA is not introducing more problems. But this discussion is an alert on the trust model of PKI when we face a rogue government and their minion organizations.
We should improve the browser to ask for permissions from the end users to grant trust to each root CA when it's used in each session (not only at the first time), clearly display the certificate signing path, and warn them of any change in certificates (to be alert of a MitM attack). This seems paranoiac but it's because we're facing real threats of attacks from a powerful rogue government, from which even big companies like Google and well equipped government offices suffered.
The security model of SSL was practically in danger because of the design flaws of the browser to place blind trust on root CAs without consent from the users. Since the CA certificates of rogue government agencies were added, we should consider Firefox as a rogue government controlled browser in the default configuration.
(In reply to comment #36)
> Jonathan: might well yank trust for any CA that was complicit in MitM attacks.
> Does the word "was" mean that until the MitM attack happened, any organizations
> can put their root CA certificates in Firefox provided that they can buy
> endorsement "services" from accountant companies like Ernst&Young  to
> acquire "trust" from webtrust.org?
Again, Bugzilla should not be used for advocacy! Nevertheless a short reply. I know Ernst & Young and have performed audits with them myself. Hence I'm trusting their attestation.
However it's common for CAs to comply to local laws and there might be a problem if the law would allow MITM attacks on its citizens. This would be counter to the Mozilla CA policy, even if a notable auditor audited the CA and the CA has disclosed its adherence to the local laws correctly.
> The real concern of many Chinese programmers is not about "was", but "may", as
> CNNIC already "DID" quite some dirty things before! Now it's a new capability
> that the inclusion of root certificate of CNNIC will grant to the PRC
I think Johnathan made it clear that Mozilla is sensible to this concern.
> Anyway, since they already got secondary CA certificate issued by Entrust.net,
> adding CNNIC as root CA is not introducing more problems.
Thanks for notifying on that. In this case there is indeed not much more to do here - on the other hand, there is another entity responsible in case anything bad should happen in the future and as long their CA is cross-signed by another CA.
> The security model of SSL was practically in danger because of the design flaws
> of the browser to place blind trust on root CAs without consent from the
This has nothing to do with what you reported and discussions on this should be held elsewhere. For me this is a non-starter and a distraction from the original concern. Please keep advocacy for new ideas out of this bug.
(In reply to comment #29)
> In addition, CNNIC only offers server certificate now. The technology and
> authentication of issuing certificates is qualified with the international
> criteria. There is no possible for us to monitor the user's actions or do some
> attacks. I think every technical personnel knows that.
I'm sorry, but that's nonsense. Probably not every employee at the CA is able to create certificates for attacking a certain target, depending on the controls in place. But with the necessary authority, CAs indeed could issue certificates wrongfully which could be used for MITM attacks. Not admitting this fact shows either a lack of knowledge or just blunt denial. Neither helps your cause either.
As such, the concerns which were raised are regarding web server certificates and interception of traffic.
we'd carefully review and might well yank trust for any CA that was complicit in MitM attacks.
The problem is that, CNNIC might have already aided some MitM attacks with their secondary CA certificate signed by Entrust.net root CA before CNNIC was added as root CA. Because the MitM attack is difficult to be carried out on a large scale, the PRC government mainly targeted at specific users (such as highly sensitive political dissidents) who often lack of knowledge to check the server certificate to determine whether it's real.
All we're worried about is "trust". Can we put a CA certificate that many Chinese programmers don't trust at all into the release package? What will be the consequences?
The repetitive hijacking of gmail accounts of dissidents by the PRC government secret agents (Political Defend Police like Starsi of former East Germany) might be achieved with SSL hijacking, besides trojan-horse phishing email.
I think it's a detriment to the user trust on Firefox to add CNNIC (notorious in Chinese programmers community, while powerful enough to buy whatever certificates they need) root CA. Yet it's not safe by simply removing it. There should be a way to return the ability and authority of judging whether to trust a CA to the users, not unconditionally decided by the browser as it's implemented now. Currently an experienced user can inspect the certificate signing chain to check whether the root CA is trustworthy; while layman users need more help from an improved UI to alert them of possible vulnerabilities and guide them through steps to check the certificate chain of the HTTPS session.
Furthermore, some Chinese programmers observed  that the certificates of google.com was modified several times after 18 Nov. 2009.
Three abnormal changes of certificates were observed :
18 Nov. 2009 from: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
to: Google Internet Authority, valid from 2009/11/12 to 2010/11/12
18 Nov. 2009 from: Google Internet Authority, valid from 2009/11/12 to 2010/11/12
to: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
28 Dec. 2009 from: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
to: Thawte SGC CA, valid from 2009/12/18 to 2011/12/18
19 Jan. 2010 from: Google Internet Authority, valid from 2009/11/12 to 2010/11/12
to: Google Internet Authority, valid from 2009/12/22 to 2010/12/22
Google's announcement declared that "in mid-December , we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google". Taking these strange certificate changes into consideration together with the Google announcement, we suspect that the "intellectual property" might include private keys to sign the google certificates. This might be the answer to why google changed certificates in an abnormal frequency.
This also alert us of possible cyber attacks making use of CA certificates and exploiting the inadequate certificate validation in current browser user interaction. Although the inclusion of an untrustworthy CNNIC root CA won't make the situation worse, it really alert us to review the pyramid trust model of PKI and design flaws of unconditional trust of root CAs in browsers.
The trust model is unreasonable, in that the trust propagates in a forced, involuntary way: Ernst & Young trusts CNNIC because it trusts those special paper sheets marked with "In God We Trust" ;P, webtrust.org trusts CNNIC because it trusts Ernst & Young; Mozilla Firefox project or Microsoft trust CNNIC because they trust webtrust.org; the browser users trust CNNIC because the they trust the browser. But the users in fact don't trust CNNIC at all! The result is: the users were forced to trust CNNIC silently. Experienced users take the trouble to remove or disable the CNNIC certificates, while the majority of non-technical users just don't know they're trusting CNNIC because of their browser!
 David Drummond, SVP, Corporate Development and Chief Legal Officer: A new approach to China; http://www.webcitation.org/5n92WuwKT = http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
 zuola: 关于GMAIL安全证书的疑问 https://groups.google.com/group/lihlii/browse_frm/thread/92be93b6648af29/
 Google 的证书更新了 可能是因为数字证书密钥被窃 警惕假冒数字证书
please remove (CNNIC) CA Root Certificate
firefox Users from Singapore,
About the extend of MITM attacks already widely deployed in China, one can refer to the Harvard study "Empirical Analysis of Internet Filtering in China" that repeated documented this:
"the authors prepared screenshots documenting the September 2002 redirection of requests for google.com to other search engines."
"some newer forms of Chinese filtering -- namely, redirection of a request for a sensitive web site to another web site"
"DNS Filtering/Redirection and Its Implications"
"For some 1,043 of sites tested, we confirmed that DNS servers in China report a web server other than the official web sever actually designated via each site's authoritative name servers."
As mentioned in Comment #30, CNNIC is directly administrated by
"Ministry of Industry and Information Technology of the PRC" (budget controlled by the government). So when the government orders CNNIC to issue fake
certificates to perfect its MITM attacks, CNNIC simply can't say no.
So, if this root certificate crisis is not properly addressed, it's very likely that in a couple years, the relatives of some Tibetan or Falun Gong, or home church followers would sue Microsoft and Mozilla in U.S. for assisting the Chinese Communist regime to steal their email passwords using faked websites and certificates so could login to their real accounts later leading to their imprisonment, just like someone did against yahoo (http://www.rsf.org/Yahoo-settles-lawsuit-by-families.html).
(In reply to comment #31)
> If there's truth to the allegation, here, then it should be possible to produce
> a cert. It should be possible to produce a certificate, signed by CNNIC, which
> impersonates a site known to have some other issuer. A live MitM attack, a
> paypal cert issued by CNNIC for example. If anyone in a position to produce
> such a thing needs help understanding the mechanics of doing so, I'm sure this
> forum will help them.
This quotation from Johnath sums things up. I note that there are various extensions such as Certificate Patrol:
which can tell you when a certificate changes. If the concerned community also want to make an extension which alerts you when a particular CA has signed the cert for the site you are visiting, that is also possible. Firefox is designed exactly to be extended in this way.
If and when evidence, rather than allegations, is produced of bad certificate issuance, we will swiftly consider it.
> If and when evidence, rather than allegations, is produced of bad certificate
> issuance, we will swiftly consider it.
Please consider it seriously. General non-programmer users don't even know there is such a root CA security problem. They don't know their browser trusted a notorious CA. If they knew, they would have reacted by removing it.
Most people even don't know there is a Certificate Patrol addon. Please consider make it a built-in function. The web is in danger of a mafia group attacking the people who're not equipped with enough knowledge of protecting themselves. If Firefox will be a safe browser, it should take security considerations serious.
Hijacking is done in a national wide scale by the rogue government in PR China. Please never wait until the foreseeable crime happens and some innocent people already harmed by careless decisions of software developers. Then it's too late to react.
If the hijacking is done "on a nationwide scale", then someone should be able to produce some actual evidence of it. Download the bad cert, email us a copy, and we will act.
How would you like it if I locked you up or fined you because I thought you were a criminal and didn't want to "wait until the foreseeable crime happens"? CNNIC is innocent until proven guilty - an important cornerstone of justice. If their abuses are as widespread as you say, then producing evidence to prove them guilty should not be difficult.
Gerv, is MITMing 1,043 sites already "on a nationwide scale"? The widely quoted Harvard study already proved that, see http://cyber.law.harvard.edu/filtering/china/appendix-tech.html#dns . If this happened in UK/US the criminal is already rounded up. But no, this is in China, so the criminal is still "innocent" looking just like you and me, or worse, that criminal now also controls root certificate, ready to complete deadly attack any second. We can wait until word spread that certain cert is faked by CNNIC, but very likely at that time some victims are already tortured and jailed and their relatives filed lawsuit against Mozilla just like in the yahoo case (http://www.rsf.org/Yahoo-settles-lawsuit-by-families.html).
Many people do not know how much the never-elected Chinese Communist "government" can do to average citizens. See New York Times report http://www.nytimes.com/2010/01/16/world/asia/16china.html
on how they treated Zhisheng Gao, a Christian lawyer, by "more than a month of torture that included jabs with an electric baton and the piercing of his genitals with toothpicks. At the time, he said, his torturers told him he would be killed if he spoke publicly about his treatment in detention." And his "crime"? He "represented members of underground Christian churches and farmers whose land had been appropriated by powerful officials. At one point, he orchestrated a hunger strike by practitioners of Falun Gong."
Now armed with full control of MITM and root certificate, the Party just got a more powerful weapon to persecute more people like Gao.
Jack: the Harvard study you reference says nothing about CNNIC or certificates. We can't make the Great Firewall go away by removing CNNIC's root from Firefox.
As a Christian myself, I am well aware of the persecutions that Christians and others undergo in China, including the case of Zhisheng Gao. However, you are arguing ad misericordiam. Even if other organizations or governments convict people for no crime, we do not. Provide evidence of abuse of the CNNIC root.
It'll be too late when we present the "evidence" of bad certificate hijacking to you. At that time, there is no need for you to "swiftly consider" any more, because it's too "swift". :)
You're denying the facts that countless evidences have been accumulated. Some are already presented as above, but you keep ignoring them. So there is no good talking with you like this. We can do better things with our precious one-time lives.
CNNIC is proven guilty countless times. But for those people who refuse to see, it's always innocent.
Even if other organizations or governments convict
people for no crime, we do not. Provide evidence of abuse of the CNNIC root.
Gerv mixed the concept of a criminal law principle of "innocent before convicted" with security guarding and trust.
Do you lock your doors until you lost your property? Please think it over.
If Firefox excluded CNNIC Root cert, does it mean that Mozilla Foundation convicted CNNIC as guilty?
It's all about trust!
But further than that, CNNIC was convicted by the Chinese users as guilty
with plenty of evidences, but you refused to see.
CNNIC did too many dirty things that it doesn't have the least credit to be a qualified CA.
With security guarding and trust, it's the reverse principle than the criminal law: It's about proof of goodness. If you can't prove you're good, we can't trust you. If you can't proof you're secured enough, we can't be safe.
Those who defend a notorious CA using criminal law principles are neither qualified as a criminal law expert, nor a security expert.
> the Harvard study you reference says nothing about CNNIC or certificates.
> As a Christian myself, I am well aware of the persecutions that Christians and
> others undergo in China, including the case of Zhisheng Gao.
In China in terms of persecutin people there is no distinction between CNNIC, the great firewall, the Communist Party, or the "government", or the "law". Since the Constitution of China said all should follow the leadership of the Chinese Communist Party.
Take the Gao's case for example, was it the court who sentenced Gao? No, they couldn't because Gao didn't violate any law. Was it the police who tortured Gao? Yes, although they have no status power on that without sentencing. Did the court sued or sentenced the police who illegally tortured Gao? No, the police are proudly taking interviews. How could all these illegal acts happen, and without consequence? There must be one supreme power at China that supersedes all law or individual institutions, which obviously including the small cake CNNIC.
lihlii: We have a set of criteria all CAs must meet before being included:
Those are the discussed and approved criteria the Mozilla community has come with with for inclusion in our root store. This is our "proof of goodness", if such a thing can ever be measured. If you think CNNIC's inclusion does not meet those criteria (perhaps because of some of the issues you have outlined), please let us know how, and which criterion they do not meet. If they do meet the criteria, they should be included. We are not going to not include them just because some people shout at us. Various Turkish people shouted a lot when we released a Kurdish localization, but we did it anyway.
The evidence you cite in comment 39 of "strange certificate changes" doesn't mean anything unless we can see the full certificate chain. If it chains up to CNNIC, that's might make your case. But "Google Internet Authority" is, as far as Googling can tell me, the name of an intermediate CA Google does actually use. And who knows why they switch their certificates around? Their infrastructure is highly complex.
I am not arguing that CNNIC is independent of the Chinese government. No CA can be entirely independent of the government of the country in which it operates anyway. This is why johnath rightly said (roughly) that if you want protection from a government, our default settings are probably not for you. If you don't trust CNNIC, that's your choice. Switch the root off. (Edit | Preferences | Advanced | View Certificates... | Authorities tab | Select CNNIC root | click Delete | click OK).
Does an organization who intentionally spread malware qualify? :)
lihlii: We have a set of criteria all CAs must meet before being included:
Does an organization who intentionally spread malware qualify? :)
> lihlii: We have a set of criteria all CAs must meet before being included:
> The evidence you cite in comment 39 of "strange certificate changes"
It's not direct evidence that CNNIC did that. It's a suspicion that the PR China government stole the private keys of Google so they were forced to change certificates in an abnormal frequency. Please, please read my messages carefully before you reply.
There are already plenty of evidences that you refuse to read!! How can I say more about these rubbish?
It's not about "protection from a government", but avoid harm from rogues! Why should you add a rogue in a browser and force the users to accept?!
(In reply to comment #53)
> Please, please read my messages carefully before you reply.
Please read ours.
We don't need 8 paragraph missives, and we don't need copious linkage to tangentially related news stories. No one here is unsympathetic to your concerns, but you are not giving us something we can act on. More of the same won't help, either.
When there is specific evidence that CNNIC has abused its position as a CA, or otherwise contravened our certificate policy, please comment here with that specific detail.
In the meantime, you are *losing* supporters, not winning them, by continuing to spam this bug.
Johnathan> you are *losing* supporters
I don't need supporters from you. :) I'm already clear enough.
Even those who can't distinguish criminal law from qualification for a CA is repeating here, while others who take great effort to post plenty of evidences are regarded as "spam". :P
If you won't read but still ask for "evidences", you're talking rubbish. "When there is specific evidence that CNNIC has abused its position as a CA" is the true spamming message repeating rubbish!
I don't think it's valuable to ask to remove CNNIC root CA from Firefox now. I think the only conclusion is that some Mozilla developers are standing on ungrounded points while asking others to present "evidences" of possible violation of security. :P All that we keep saying is about high risk! Not a fact. But there are enough facts that CNNIC is not trustable! Risk is not things that you can wait to happen, then "swiftly consider" actions! What kind of security are you doing in Firefox project?
I "spam" here because rubbish keeps spam before me. :) Sorry, this is the last post I'll put here. Others go to the newsgroup .
People who were blocked from access to usenet newsgroups or mozilla security discussion group  can try to subscribe to the mailing list , so you can receive and post messages to the same group.
You can also try to access the mozilla.dev.security.policy group through the usenet news server news.mozilla.org. You can configure your news client (Thunderbird, Outlook Express, Windows Live Mail, MS Office Outlook, etc.) to access usenet newsgroups. But seems messages posted through the googlegroups is not synchronized to news.mozilla.org yet.
Gerv, Johnath and All. As a member of the team that reviews regularly CA inclusion requests, I believe that if those allegations and concerns have been raised during the public discussion, the request to include this CA root would have been looked at more into depth and might have been put on ice for a while in order to learn more about it and its implications.
Now that we are after the fact of the inclusion, removal of a root requires some specific evidence. Additionally it appears that this root is also cross-signed by another notable CA, removal of the root wouldn't produce the desired result.
I suggest to walk the extra mile and raise the claims and allegations made with the CA which cross-signed this root for a better understanding. This understanding might help to evaluate and perhaps also refute the claims and concerns made for the benefit of all parties.
[This mid-aired a few hours ago and I only just noticed.]
All new participants here should take note of the fact that there are some behaviours expected of Bugzilla commenters:
Failure to respect these could result in your account being disabled.
(In reply to comment #53)
> Does an organization who intentionally spread malware qualify? :)
As Nelson has said in the newsgroup, a code-signing certificate is not an
indication of the "goodness" of the code, it is a way to determine who the
creator of the code is. CAs do not, and never have, done code reviews of all
code they sign.
If some code says:
This code was written by: Joe Bloggs
Identity verified by: CNNIC
you are trusting CNNIC that Joe Bloggs wrote the code, and then you are
trusting (or not trusting) Joe Bloggs that his code is not malicious. CNNIC is
not responsible for the code, only for the correct attribution of authorship.
> It's not direct evidence that CNNIC did that. It's a suspicion that the PR
> China government stole the private keys of Google so they were forced to change
> certificates in an abnormal frequency. Please, please read my messages
> carefully before you reply.
Do remember that I can't read Chinese, so your references were mostly opaque to
You say yourself that "the inclusion of an untrustworthy CNNIC root CA won't
make the situation worse". So I fail to see how this evidence is relevant to
their inclusion or not.
> There are already plenty of evidences that you refuse to read!! How can I say
> more about these rubbish?
I've commented on at least two bits of the evidence you have quoted in this
bug, and I have set out in detail what evidence we would accept for your
assertions. This conversation can only really continue productively when you or
someone else produces some evidence which fits our criteria.
This is really terrible!!!!!!!!
Chinese Twitter Group
Fact #1: Chinese Communist government has been MITMing at least 1,043 websites. 
Fact #2: Chinese Communist government has tortured and imposed ten-year imprisonment to netizens for peaceful online speech 
Fact #3: Chinese Communist government is the boss of CNNIC [Comment #30]
The Mozilla CA Certificate Policy (Version 1.2)  states that CA certificate can be revoked if "we believe that including a CA certificate (or setting its "trust bits" in a particular way) would cause undue risks to users' security".
Now, if Chinese Communist government want to have root certificate itself, the above Mozilla policy will directly apply, since Chinese Communist government does massive MITM and tortures and jails people for peaceful online speech. Now the question is whether that Mozilla policy applies to CNNIC, an agency that Chinese Communist government directly directs and fully controls.
Almost chinese ITer don't trust CNNC that is why chinese wanna to remove cnnc certificate
see [[Bug 542689]]: Remove "CNNIC ROOT" root certificate from NSS
I think CNNIC's own about page explained its role quite clearly:
"CNNIC takes orders from the Ministry of Information Industry (MII) to conduct daily business"
I just signed up an account to say something to show my support of removing CNNIC from the mozilla firefox.
CNNIC is an organization supported by the *COMMUNIST PARTY*. You guys really don't know what this *COMMUNIST PARTY* means to the general public of China, huh?
Please, please, please, just remove CNNIC from firefox. The removal of CNNIC won't cause big losses to firefox, will it?
I signed up to add a comment:
As a long time Chinese internet use, I don't trust CNNIC. Please remove it.
This cert should be backed out because the communist dictatorship of China is well known and well documented to to have the willingness and ability to interfere with individual and global internet security which defeats security features Mozilla chooses to implement and maintain for Firefox.
CCNIC is ran out of China therefore, due to the pervasive nature of dictatorships, is an subject to arbitrary influence by this interfering government. The "ad misericordiam" point got me thinking and I believe "ad hominem" against CCNIC is correct in this rare case: evidence of new guilt is not required because China is guilty of past and active ongoing violations.
As some Mozilla team member worried, CNNIC was already a secondary SSL issuer under Entrust years ago, which complicated the situation. We need to consider the following:
1. Entrust has business presence at China, their inclusion of CNNIC is a business contract, Entrust financially gains through that deal, and it's Entrust that bears the burden that certificates issued through their chain is clean. While Mozilla's inclusion of CNNIC as root certificate provided a different channel for CNNIC to issue certificates, with more liberty. And Mozilla will bear the burden of trust to CNNIC-issued certificates.
2. Mozilla is one of the two browsers to first include CNNIC as root certificate, the other is Microsoft. All other browsers don't want to be the first to do so. Most users came from Microsoft to Mozilla just because we didn't like M$'s money-driven business model. So now Mozilla wants to follow its suit?
3. there is a poll and vast amount of posts on the internet showing most Chinese users don't trust Chinese Communist government's internet stuff, google is hacked by Chinese Communist government, and yahoo apologized for cooperating with Chinese Communist government in online suppression, and the Harvard and a couple similar credible expert studies all showed online users, big companies, academia all have no trust in Chinese Communist government, which directly directs and fully controls CNNIC. Where did Mozilla get better trust in CNNIC?
I like Mozilla, and am happy to see its market share today. Many years ago, I converted many people in my institute to thunderbird when it was far from version 1.0 and little known even among some computer majors. I believer many people like me like the way Mozilla does things, that give us trust. Now if Mozilla doesn't listen to the online users, big western companies, and reputable academia's conclusions, and shield yourself behind some party line, that will deeply hurt yourself among former wholeheartedly advocates of Mozilla.
Note this dost NOT only affect mainland Chinese users. Combined with phishing emails, we in the western countries can also fall victim of CNNIC's fake certificates without being warned by Firefox.
(In reply to comment #67)
> I like Mozilla, and am happy to see its market share today. Many years ago, I
> converted many people in my institute to thunderbird when it was far from
> version 1.0 and little known even among some computer majors. I believer many
> people like me like the way Mozilla does things, that give us trust. Now if
> Mozilla doesn't listen to the online users, big western companies, and
> reputable academia's conclusions, and shield yourself behind some party line,
> that will deeply hurt yourself among former wholeheartedly advocates of
I'm repeating myself needlessly here, but I appreciate your attempt to lay the issue out so I'm going to try one. more. time.
No one is ignoring the community, nor the evolving situation in China.
No one is ignoring this bug.
The trust people put in Mozilla is the most important thing we have, and that trust comes in no small part from the fact that we try to do what's best for the internet and our users, and try to do so objectively. What I have asked for here, and am asking for again, is specific, concrete evidence that this CA has acted in a way that contravenes our root policy. An illegitimate certificate would be the single, best example of such evidence.
I don't need news articles about the Chinese government. I don't need long essays talking about CNNICs involvement with the government (we have several government-based CAs in the product). I *certainly* don't need 500 more "me too" comments.
We need evidence, not advocacy.
In the meantime, I encourage you to use Firefox's certificate management UI to manage the trust placed in each CA in your software.
(In reply to comment #68)
> We need evidence, not advocacy.
Johnathan, I believe that in the meantime we have enough support and comments seen in order call for another review for inclusion of this CA root. Which this I mean, that would have those allegations been made during the comments and review discussion at the mozilla.dev.security.policy mailing list, this CA root wouldn't be in Mozilla software at the moment. Because of that, it's my intention to request such a review at the mailing list.
At this time I'm not voicing an opinion beyond acknowledging to have heard the allegations and concerns and that apparently there is a real problem here and Mozilla should address it - it's however a situation which Mozilla never faced in this form. Perhaps it would be good to acknowledge on your part that there is an apparent problem and that we should use the existing tools (such as the inclusion discussions) to address it.
As such, the Mozilla CA Policy is sensitive enough to guide us and we don't need hard evidence of real MITM attacks and forged certificates. Besides that providing either of them is difficult to come by.
I wanted to clarify one of the major concerns to Chinese Internet users. The MITM attacks suggested above are not the only form of this attack.
The MITM attack can be carried out by use of a hostile CA that is trusted/included within the web browser. Certain Web Security Proxies are conducting this type of "attack" now as part of corporate SSL monitoring.
It works like this: The proxy intercepts the web browser request for gmail.com and instead of presenting the Google cert for this site, it spoofs gmail.com and presents a certificate that was created on-the-fly for gmail.com to terminate the SSL session at the proxy.
In normal cases, the browser would warn the user the certificate was issued by an unknown authority. However, if the corporate CA has been added to the browser, this on-the-fly certificate for gmail.com causes no warning.
Meanwhile, the proxy sends a request to gmail.com (as the browser) and sets up an SSL session with the request it intercepted from the browser. The proxy is now connected to gmail.com, acting as the browser. When gmail.com replies to the proxy, the data is decrypted, various rules, sniffing, etc. take place, and the data is re-encrypted and stuffed into the SSL session between the browser and the proxy using the spoofed (but valid) proxy/corporate between the proxy and the browser.
This is the real risk -- in transit (or recorded) sniffing of Internet user sessions. There will be almost no indication these spoofed certs are being used for most users -- the activity will be very hard for most people to detect.
The risk is not bogus certs for gmail.com being issued by CNNIC -- that would be very obvious, would be simple to detect and would (hopefully) violate their status as a CA.
Hiding behind "policy" by saying things like "we have a procedure" smacks of attempting to avoid potential blame, rather than taking responsibility and addressing a problem.
It seems that some people are unclear on the definition of the word "trust". My dictionary has it as "reliance on the integrity, strength, ability, surety, etc., of a person or thing; confidence."
It therefore does not matter whether there is concrete evidence of malfeasance on the part of CNNIC. What matters is whether we have confidence in them. If there is any reasonable doubt as to their integrity, they are axiomatically not trusted.
So there are two possibilities:
1. Everyone in here objecting is UNreasonable. Not trusting CNNIC is UNreasonable. Not trusting the Chinese government is UNreasonable.
2. The CNNIC's root certificate should not be installed by default.
Gerv and all,
I will refer to Mozilla CA Certificate Policy (http://www.mozilla.org/projects/security/certs/policy/) as Policy.
===== "The burden is on the CA to prove that it has met the above requirements." (Policy #12)
In another words, the "presumption of innocence" does not apply here. Chinese users have shown their reasons why they do not trust CNNIC. To argu whether CNNIC had already done evil things as a CA, or whether users have evidence for that is away-from-the-topic.
===== There are material misleading (if not intentionally lying) in the CA request process.
"Summary of Information Gathered and Verified"
In Organization Type, the doc stated that CNNIC is not a government organization; while from CNNIC website, "CNNIC takes orders from the Ministry of Information Industry (MII) to conduct daily business".
===== CNNIC is in violation with Policy #6, item 4: (We require that all CAs whose certificates are distributed with our software products) otherwise operate in accordance with published criteria that we deem acceptable.
I believe making and distributing malware is not deem acceptable by Mozilla.
===== According to Policy #6, CNNIC needs to publicly disclose information about their policies and business practices (e.g., in a Certificate Policy and Certification Practice Statement).
Would someone kindly show me a link to that?
(In reply to comment #72)
> ===== According to Policy #6, CNNIC needs to publicly disclose information
> about their policies and business practices (e.g., in a Certificate Policy and
> Certification Practice Statement).
> Would someone kindly show me a link to that?
Please go back to comment 0 and re-read the first several comments, all the required information is there.
A quick note:
Root CA's are at the root of TRUST in the internet ecosystem. We need trusted CA's.
I like China and hope to visit and have enjoyed working with folks from China. However, China is not a free country, and CNIC, despite what a company doing business in China is willing to say about a government entity, is not trusted
I wondered, just who normally gets a Root CA? I looked at he average of 34 certificates in terms of political and civil liberties as outlined by Freedom House. They score countries on a scale of 1 (most free) to 7 (least free). The average is 1.4. CNNIC is 6.5 and is the *only* country accepted as a Root CA by Mozilla which is classified as "Not Free".
Type "CNNIC Malware" in any search engine shows that CNNIC is listed in almost every malware database it seems. From Microsoft to here: http://www.exterminate-it.com/malpedia/remove-cnnic-update This organization is one of the most trusted organizations on the web? Hard to believe.
What is the benefit of adding a Root CA from a company with demonstrated poor action, located in a country with poor history of internet freedom and security?
(In reply to comment #70)
> It works like this: The proxy intercepts the web browser request for gmail.com
> and instead of presenting the Google cert for this site, it spoofs gmail.com
> and presents a certificate that was created on-the-fly for gmail.com to
> terminate the SSL session at the proxy.
Yes, that is a classic MITM attack. Every user connected to that proxy is presented with evidence of the proxy's malfeasance, and if just one of them would save that cert--with intermediates, preferably--we can close this issue.
We don't expect every or even most users to be capable of noticing this, but if it's happening at this scale there are more than enough activists capable of installing things like the previously mentioned "Certificate Patrol" or http://www.cs.cmu.edu/~perspectives/ to catch this in the act.
> The risk is not bogus certs for gmail.com being issued by CNNIC -- that would
> be very obvious, would be simple to detect
You just said the proxy did issue bogus certs for gmail.com -- which is it? If the browser thinks it's connected to gmail.com then it had better get a working gmail.com cert, which means either the real one or one issued fraudulently by a real CA (or you have malware already on your machine which has compromised the built-in roots).
I'm curious why MITM attacks need to be large scale? If you control the DNS for your target (which CNNIC do) and the certs (which CNNIC do) then targeted MITM attacks seem pretty straightforward.
You do this once, you have someone's password, and frankly, the user is probably none the wiser.
It would be nice if at a minimum Mozilla stored certificates presented in an easy to grasp form even if duplicates of a name, so that folks could dig around if needed. Perhaps that is already done.
> We don't expect every or even most users to be capable of noticing this, but if
> it's happening at this scale there are more than enough activists capable of
> installing things like the previously mentioned "Certificate Patrol" or
> http://www.cs.cmu.edu/~perspectives/ to catch this in the act.
As explained in Comment #76, they have no need to hijack gmail SSL blindly, they will easily do that for a particular user's IP once to capture his username/password. Since the police-controlled Chinese Communist government knows the IP of every user, they easily do this to any user they want.
They spend billions of dollars on internet surveillance  , it's naive, to say the least, to expect them needlessly and stupidly hand out hijacked certificates in large scale waiting to get their root CA revoked. They can easily do this to any particular user using the knowledge of an average sysadmin.
Also, although the most likely persecuted people worries more about their security, usually these people are inadequate in computer knowledge. The victim of yahoo is a writer  . The massive number of victims of China's GhostNet include Dalai Lamai, NGOs, international organisations, embassies, government foreign ministries  . Many such victims inside China would know little about computer.
http://www.cs.cmu.edu/~perspectives/ won't work as well in China. If you go to that page you will see a question "Q: But what if an attacker takes over all paths to the destination?" The authors replied: "If the attacker is able to compromise all paths for a long time, then you are in trouble, but then again such a powerful adversary could also fool the so-called "verification procedures" of many certificate authorities, which often consist of a one-time email verification. " That's exactly what's happening in mainland China, since they only have a couple and heavily patrol the couple internet backbones.
The only defense of the users is to watch changing of certificate. But legitimate certificates do change over time, as pointed out above, even google has changed certificates a few times recently. Let me ask, how many of you, yes you, the internet expert have called google to verify the change of the certificate?
Let alone those writers, spiritual leaders, dissidents, farmers deprived of their land, parents whose children were buried in the bribed-to-poorly-built-school and were denied compensation AND denied legal assistance, and relatives of Falun Gong practitioners whose organs are taken  ? You expect them to record and call to verify every certificate change?
Bug #542689 was created for the request to consider removing the CNNIC root. Please post further follow-up there, rather than in this closed bug.
I have posted a response there too:
**** the CNNIC. All the cn people wants butcher them. ****!
fireofx is no longer safe because of CNNIC. I am to turn to OPERA. So are the people around me --I recommended firefox to them
PLEASE REMOVE CHINA CNNIC. WE NEVER TRUST IT. FOR EVER.
today，I create a new account,I justs want to ask you to remove the CNNIC certificate.It's absolutely a government organisation.**** the CNNIC!
Please remove CNNIC CA, or I have to remove Mozilla Firefox from my computer.
REMOVE CNNIC CA NOW !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
IT IS A SHOCK TO ME, COZ ALL CHINESE COMPUTER GEEKS KNOW CNNIC=MALWARE ABSOLUTELY INCLUDING ME! I HAVE HEAPS OF CONNECTIONS IN IT FOR YEARS, DONT TELL ME I AM WRONG!!!
I AM ONE OF THE FIRST CHINESE INTERNET USERS, I GROW UP WITH IT. I KNOW CNNIC SO WELL THAT FORCE ME TO REGISTER AN ACCOUNT JUST TO WRITE THIS COMMENT!
HISTORY of CNNIC！！！！！！！！！！！！！:
EARLIER DAYS,CNNIC MAKING/TRADE MELWARE, SOMETHING CALLED "3721" AND OTHER STUFF THAT HIJACK BROWSER URL BAR. AT THAT TIME FOR EXAMPLE TYPING GOOGLE IN URL BAR THE CNNIC WILL REDIRECT BROWSER TO BAIDU.COM BECAUSE BAIDU PAY CNNIC BETTER MONEY. AND THIS BEHAVIOR WAS SUPPORTED BY CHINESE GOV BECAUSE THEY ALSO WANT TO STOP CHINESE PPL FROM VIEWING FOREIGN WEBSITE.
LATER CNNIC FORM A ALLIANCE THAT DEFINE WHAT IS MELWARE AND WAT IS NOT. RECOGNIZED BY CHINESE GOV. AND OF COURSE FOLLOWING LOTS OF DIRTY DEALS. SEARCH FOR IT ,LOTS OF CHINESE PPL MENTION THESE HERE AND THERE.
LATELY, ONE YEAR THEY SELL .CN DOMAIN FOR 1 CHINESE YUAN PER YEAR, AND ADVERTISE THAT "EVERY CHINESE PPL MUST HAVE A .CN DOMAIN". THEN NEXT YEAR THE RENEWAL OF THE .CN BECOME HUNDREDS OF YUANS AND FORCE PPL TO PAY IT. I AM NOT A .CN USER BUT I FEEL LIKE VOMITING WHEN I READ THEIR SUNDAY SAINT ANNOUNCEMENT.
WHAT I AM WRITTING IS ONLY PART OF WHAT THEY DID. FOR MANY YEARS I FOLLOW CNNIC NEWS AND ALL I SEE IS THEY MAKING GREEDY DEALS, BETRAY USERS CONTRACTS, CONTROL AND ROB VALUABLE DOMAINS, RECEIVING BRIBERY TO LEGALIZE SOME MALWARES, HELP WITH INTERNET CENSORSHIP AND TRACKING DOWN PPL WHO TALK "FREELY", AND THEY SLOWLY USING THE GOVERNMENT CONNECTIONS TO REACH MORE AND MORE POWER OVER INTERNET.
SO I TOTALLY DONT BELIEVE IT WHEN I SAW FIREFOX COME WITH CNNIC CA NOW!! GOOD THING IS I KNOW LOTS OF CHINESE PPL ARE DELETING CNNIC CA FROM THEIR COMPUTER MANUALLY.
WE ALL KNOW CHINESE GOV WANT TO CONTROL THE THINGS LIKE GMAIL,TWITTER, THEY WERE ASKING GOOGLE TO HAND OVER THE GMAIL USER INFO AND DATA FOR CENSORSHIP AND GOOGLE SAY NO.(THAT IS WHY BEFORE GOOGLE QUIT CHINA, THE GOOGLE.CN HAVE NO GMAIL AND ACCOUNT BUTTONS, BECAUSE GOOGLE WAS NOT ALLOWED TO PROVIDE GMAIL SERVICE WITHOUT CENSORSHIP AND GOOGLE CAN'T MAKE SURE USER ACOUNT 100% SAFE, IF THEY PROVIDE LOGIN SERVICE IN CHINA) I KNOW WHAT CNNIC IS CAPABLE TO DO.
THIS SECURITY LEAK IS NOT ABOUT SOME THINGS LIKE "CRDIT CARD NUMBER" OR "GAME ACCOUNT"
IT IS A RISK OF HUMAN LIFE!!!!!! WE KNOW ALL THE TIME THEY KILL/PRISON A LOT ONLY FOR PPL SAID STH THEY DONT LIKE.
EVEN THERE IS A 1/10000 CHANCE THAT CNNIC CAN USE THE CA TO HIJACK USER, IT IS DANGEROUS ENOUGH. REMOVE IT ASAP!
I signed up simply to say CNNIC is responsible for the Great Firewall of China and WE WILL NEVER TRUST CNNIC, NEVER!!! I am not a rude person but I would say **** YOU CNNIC, **** YOU! You have ruined my computer with your malwares, and you are now censoring the whole internet in China. In my eyes, you and the goverment are the same **** thing. Damn all of you in CNNIC. For those people who doubt what I said, google it. Talk to anybody who is in China and find out the correct answer.**** CNNIC or it will **** you dadly one day.
Mozilla violates the rules first.
The CA inclusion process requests public discussion.
However, the CNNIC Root Inclusion Request discussed by only a few people, and without any Chinese. see
I think PUBLIC DISCUSSION means public involved, not discussion in the public place, i.e. google groups.
Mozilla voilates the process in the first place. The inclusion process is illegal. And now, so many people have shown their options, removing CNNIC root CA. The mozilla guys should remove the CNNIC root CA.
I do not trust CNNIC CA, please remove it; otherwise, I would switch to Chrome.
CNNIC is a government organization, chinese people not trust it.
(In reply to comment #80)
> fireofx is no longer safe because of CNNIC. I am to turn to OPERA.
(In reply to comment #87)
> I do not trust CNNIC CA, please remove it; otherwise, I would switch to Chrome.
Opera and Chrome both honor CNNIC certs, all current browsers do. Whether its root is trusted directly or because it's cross-signed by Entrust, CNNIC-issued certs will work. By having CNNIC directly installed in the browser it is now possible for average users to mark it as UN-trusted, whereas before they would have only had the option to mark all of Entrust untrusted.
Please remove the CNNIC waste from FF!Or I will have no choice but to abandon FF!
Daniel Veditz: then mark CNNIC as untrusted as default.
sry for many of us getting angry.
its not only about how secure the internet is, or 100grands in my online bank.
it is about real human lifes.
how you feel if you say to your friend "i dont like XXX" through a "secured" site, next day you find yourself in jail for 10 years, without any trial or lawyers and no one is allowed to talk about you?
It happend and still happening everyday.For the gov who spent 20+ billion dallors for developing censorship tech, everything is possible and they certainly wont miss the CA.
I can't post you a bloody finger or something for "evidence".Actually there are many smart ppl working for CNNIC and if they do it very carefully, target only certain IPs, there will never be any evidence.
Follow and jump few links from wikipedia or whatever, you will find a site you trust talking about CNNIC. Use it as the evidence.
99% Chinese dont read English and 99% of you dont read chinese. Its difficult to let you understand the horror of CNNIC.
Just say, CNNIC did more damage than Bin laden did on 9/11. Thats the organization you are trusted.
kylechen, thank you for your comment, and I totally agree with you with that "99% Chinese dont read English and 99% of you dont read chinese. Its difficult
to let you understand the horror of CNNIC", in other words, CNNIC=GFW=Chinese Persecution Pty. Evidence? Nope, because it is not even possible to talk about it publicly.
Don't rely on those rusted heads in firefox team to keep yourself secure on the internet. For me the first thing after I install firefox is to check CAs and remove all CNNIC related, incl. entrust who gives them cross authorization.
kylechen, scy, thanks for your comments. The mozilla guys know little about CNNIC. They could never imagine lots of people thrown into jail, just because of they said something, even mail something the government dislikes. However, they made this decision, put lots of people in danger.
I have said, the inclusion process was illegal. It was not discussed in public, and no Chinese people involved in. After the inclusion, Chinese people say they were wrong, and ask they remove the CA. They refuse to!
Of course, some of us know how to disable the CNNIC CA. But others don't. They may even know nothing about the CNNIC CA :(
I just read a article regarding to CNNIC ROOT CA and find this particular 'fix' for inclusion in Firefox of root CA of that infamous organization in China.
I completely support the allegation of extremely high risk of abuse by CNNIC and suggestion of removal of CNNIC ROOT CA from Firefox IMMEDIATELY made by my fellow Chinese netizens. Hat off. That is the only reason I sign up and leave this comment here.
Everyone I know in China, especially those with IT background, know how notorious CNNIC has been and still be. CNNIC made spyware indeed unremovable even for IT technicians. CNNIC cooperates with Chinese totalitarian government to censor Internet from Chinese residents. They are blocking a great number of web sites (including but not limited to: wikipeida, twitter, facebook, youtube, myspace, nearly all oversea news sources with Chinese language, ...). They redirect DNS queries for some certain web sites to local mirror in order to collect private information, sometimes hijack DNS queries intent for DNS servers outside China and return fake records. Chinese government made arrests and are still making arrest by collecting privacy of their own citizens who are just dissents and only express themselves peacefully in the name of so-called 'national security'. For myself, I left China many years ago but I have not yet dare to use my regular email to register and make comments here, fearing unexpected trouble from someone if would go back to my homeland.
It is also obvious that among the comments here, all Chinese users (except for a CNNIC representative) object to the inclusion of CNNIC ROOT CA and request a immediately removal of that particular CA. Please be remind that it is not a emotional expression of disliking CNNIC. We request it because IT IS A REAL THREAT to all Chinese users who access his/her private information using FF. I understand that you FF developers need proof, but please also be reminded that such 'proof' means that someone would have been in deep trouble with Chinese authority without doing anything wrong. Please allow me to pay respect to Mr. Shi Tao, who happened to send some emails through Yahoo and get 10-year jail time for this because Yahoo hand over all info to Chinese prosecutor without legal due process. Now Yahoo had to face the consequences and I don't want FF to follow it by allowing anything similar to happen again.
And as I know, almost everyone who knows about this CNNIC ROOT CA story will immediately do what I have done: DISABLE this CA. However it could be a great difficulty for those knowing few about computer. And inclusion of this particular ROOT CA make such group of people extremely vulnerable to government prosecution. If you FF developer would have lived in China for some years, you would understand why we fear and if you would have understand Chinese, you would be aware of a lot of evidence against CNNIC's heinous past and suspicious intention behind the ROOT CA.
Please let me repeat my (and our) request clearly again. Remove CNNIC ROOT CA of a Chinese state-run organization IMMEDIATELY for the sake of Chinese people. Please. Thanks.
I know this bug is closed, but this article raises some real alarms regarding the addition of this certificate.
That article makes many technically incorrect statements, some even attributed to McAfee. In particular, as has been discussed to death, "No one outside of China can say whether any of these potentially nefarious events occurred" is utterly wrong - it would have left evidence on every computer which was MITMed.
As the status whiteboard says, this bug is closed, and bugs are not the right place for this discussion.
I am a programer, I don't trust CNNC ,the CNNC have a notorious history in China . So I suggest to remove CNNC from certificate list
Good job, man. You added CNNIC into CA, now all the experienced Chinese users have to manually remove it, because CNNIC is a notorious org which previously issued the 3721 malware/spyware.
There is now a discussion underway in
called "CNNIC Inclusion Request for Additional Root"
Note 1: Technically, CA root certificates cannot be used to trace and monitor end-user’s internet activities.
Note 2: Previously regarding CNNIC there were many complaints about "Zhongwenshangwang", which is activeX product of browser to help Chinese people to access the internet with Chinese characters. It was warned as a malware by some anti-virus software. CNNIC stopped distribution of this product in 2006.
Note 3: Previous applications from CNNIC have generated considerable discussion. Participants are reminded that Mozilla is committed to even-handed analysis of applications, and objections based on alleged misbehavior regarding issuance and use of SSL certificates must have evidence of that misbehavior.
Note 4: The discussion forum is moderated in order to filter out SPAM, so there may be a delay between when you post to it, and when your message appears.
Note 1: Technically, CA root certificates cannot be used to trace and monitor end-user’s internet activities.
My response to this note:
Although CA cannot directly trace/monitor user activites in most situation, it is a HUGE risk to Chinese users. Just consider this, all internet traffic in/out China is monitored and filtered by the "Great Fire Wall", which is also capable of interrupting and modify such traffics. For example, if you (within China) retrive web page (outside China) contains some words that Chinese government don't want you to read, GFW will send fake RST packets to both ends to reset connection and you would never be able to get the page. And then your connection to that website/IP would be blocked for about 20 minutes before you could access it again.
With trusted root ca, GFW is now able to seletively act as middleman to forge secure connections between Chinese users and, for example gmail.com. No one else can detect this but the user himself/herself. If you want any evidence, well, you may hope to get it from jailed person. Please search for "Shi Tao" to find out what they would do, although his case is slightly different.
I can't trust the CNNIC .It uses its right to make a rogue software and monitor network connection.It prohibits Chinese from connecting some websides which are like https://www.google.com etc. and we can't search for huluobu etc. I hope you can call off add CNNIC into CA.it can kidnap safe websides which it count agaist
(In reply to 453501921 from comment #100)
sorry,it have a mistake.It should be"delete the CA from CA list"sorry!
Evidence's here (Written in Chinese):
Those letters show that someone is conducting MITM attacks in China, but that they are using self-signed certificates, not certificates which chain up to the CNNIC root.
(In reply to Johnathan Nightingale [:johnath] from comment #34)
> Comments like comment 33 do not help. We don't need advocacy nor
> allegations, here. We need evidence of certificates issued that shouldn't
> have been.
That did not take long: http://googleonlinesecurity.blogspot.de/2015/03/maintaining-digital-certificate-security.html
(In reply to Christian from comment #104)
> That did not take long:
Discussion of this incident should take place in mozilla.dev.security.policy, not here.
(In reply to Gervase Markham [:gerv] from comment #105)
> (In reply to Christian from comment #104)
> > That did not take long:
> > http://googleonlinesecurity.blogspot.de/2015/03/maintaining-digital-
> > certificate-security.html
> Discussion of this incident should take place in
> mozilla.dev.security.policy, not here.
Well, that's cannot be done to people from behind the GFW, coz mozilla.dev.security.policy and the whole Google Groups are blocked.
As noted at the link above, there are three ways to access that forum - as a newsgroup on news.mozilla.org, as an email list, or as a Google Group. If someone is genuinely unable to take part using _any_ of those three methods, then they should email me and I will post their comments if they add value to the discussion.
Many china user know the evil of CNNIC, but you don't care it . and many chinese user can not login and post comments on Google groups.
So, let's us make clear.
We (Most chinese users) Do not trust our goverment. CNNIC is a part of our Goverment, It will do evil things. worse than NSA did for ever.
The china great wall block us access the internet. we have no idea to fight or against it . we have no power.
So, i request you guys think about carefully, PLEASE REMOVE CNNIC CA ROOT cert . You can not trust it at all.
If you still keep it , trust it , may some day the fire will burn all you down. Let's see.
(In reply to Johnathan Nightingale [:johnath] from comment #54)
> When there is specific evidence that CNNIC has abused its position as a CA,
> or otherwise contravened our certificate policy, please comment here with
> that specific detail.
Here is the specific detail.
CNNIC gave MCS certs that allowed MCS to MITM traffic from internet users to Google. The MITM didn't ring alarm bells because at the time of the MITM, CNNIC's CA certs were supplied with Firefox, and therefore, trusted by the browser.
Six years ago, Mozilla was warned of this, and did nothing. We can never know whose communications were intercepted, and what the ramifications for those people are.
An apology would be nice, along with a commitment to listen, when your users tell you of life-endangering consequences.
I can't believe I just found "CNNIC ROOT" in my firefox 40 CA trusted list. Mozilla, are you kidding your users or what? It's simply unacceptable to ignore user complaints and ignore serious certificate authority misconduct.
The whitelist approach adopted by google seems like a reasonable solution. But just ignoring the problem is a complete carelessness about users.
Alexander: on what basis do you make those accusations? Mozilla and Google took pretty much the same action as each other:
The restrictions outlined in those blog posts are hard-coded, and require the CNNIC root to still appear in the trust list.
As far as I understand from the blog, newer certificates than 1.Apr.2015 are valid without any public review. I'm sorry that I implied google did better. If they did the same, this doesn't make a lot of sense because it still allows the CA to repeat the misdeed.
It's necessary to allow finer grained control over what domains is a particular CA trusted for. And ask user by installation if particular CAs are to be trusted and for which domains.
(In reply to Alexander from comment #112)
> As far as I understand from the blog, newer certificates than 1.Apr.2015 are
> valid without any public review.
Not newer, _older_.
> If they did the same, this doesn't make a lot of sense because it still
> allows the CA to repeat the misdeed.
Newly-issued certificates from CNNIC are currently not trusted.
> It's necessary to allow finer grained control over what domains is a
> particular CA trusted for. And ask user by installation if particular CAs
> are to be trusted and for which domains.
I don't know more than a handful of users who would be able to meaningfully answer such a question.
Ok, thank you for clarification. I couldn't understand properly the blog. I went ahead and read the full doc:
What I read is that there should be a public list with the good certificates. But I can see no link to such list. Also I see no indication that any certificates outside of that list would be detected automatically.
How is mozilla/users supposed to detect any non-listed certificates? Also do we have any example web site with a newer cert that can be checked to see if firefox properly rejects newer certificates?
> This plan relies on CNNIC accurately reflecting issuance times in the notBefore field. We will
> be asking CNNIC for a comprehensive list of their currently valid certificates, and publishing it.
> After the list has been provided, if a certificate not on the list, dated before 1 April 2015, is detected on the public internet, we reserve the right to take further action.
Thank you again for providing insights about this issue.
(In reply to Alexander from comment #114)
> Ok, thank you for clarification. I couldn't understand properly the blog. I
> went ahead and read the full doc:
> What I read is that there should be a public list with the good
> certificates. But I can see no link to such list.
> Also I see no indication
> that any certificates outside of that list would be detected automatically.
> How is mozilla/users supposed to detect any non-listed certificates?
The list of permitted certificates is hard-coded into Firefox:
If it's not in the list, it will be refused.
> Also do
> we have any example web site with a newer cert that can be checked to see if
> firefox properly rejects newer certificates?
Not to hand, but you could perhaps check the Certificate Transparency logs to try and find one. I believe CNNIC is still issuing certs, but I could be wrong.
I'm restricting further comments on this bug -- rehashing the same arguments on a bug fixed 7 years ago isn't helpful, and Bugzilla isn't intended as a discussion forum.
See comment 31 -- the mozilla.dev.security.policy mailing list is a better discussion forum if you have something new to add.