Last Comment Bug 542689 - Please remove CNNIC CA root certificate from NSS
: Please remove CNNIC CA root certificate from NSS
Status: RESOLVED INCOMPLETE
If in China the CertPatrol add-on may...
:
Product: mozilla.org
Classification: Other
Component: CA Certificates (show other bugs)
: other
: All All
: -- normal with 211 votes (vote)
: ---
Assigned To: Kathleen Wilson
:
:
Mentors:
http://www.cnnic.net.cn/index.htm
: 836747 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-01-27 17:44 PST by thomas92911
Modified: 2015-10-09 10:33 PDT (History)
34 users (show)
qsj: needinfo? (qsj)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---


Attachments

Description thomas92911 2010-01-27 17:44:12 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

CNNIC is an evil organization

Reproducible: Always
Comment 1 ptptt5 2010-01-27 18:15:22 PST
We cannot believe it because of its history & now. Please remove it.
Comment 2 Eddy Nigg (StartCom) 2010-01-27 18:20:40 PST
Some comments were posted at bug 476766 and I've started a discussion at the mozilla.dev.security.policy mailing list under the title "CNNIC Root Inclusion".

Please join the discussion there and/or provide here any evidence you may have, but in a professional way. There is no criteria regarding "evil" in the CA policies and WebTrust audits and will not help your cause.
Comment 3 Xuqing Kuang 2010-01-27 19:23:42 PST
Yeah. The site can not be trusted for anyone. I believe add the certification to firefox must be mistake.

It's reported in most security web site[1].

[1] http://www.siteadvisor.com/sites/cnnic.net.cn?ref=safesearch&aff_id=0&premium=false&suite=true&client_ver=2.9.260&locale=zh-CN


(In reply to comment #2)
> Some comments were posted at bug 476766 and I've started a discussion at the
> mozilla.dev.security.policy mailing list under the title "CNNIC Root
> Inclusion".
> 
> Please join the discussion there and/or provide here any evidence you may have,
> but in a professional way. There is no criteria regarding "evil" in the CA
> policies and WebTrust audits and will not help your cause.
Comment 4 Yuanjin 2010-01-28 07:45:27 PST
(In reply to comment #2)
> Some comments were posted at bug 476766 and I've started a discussion at the
> mozilla.dev.security.policy mailing list under the title "CNNIC Root
> Inclusion".
> 
> Please join the discussion there and/or provide here any evidence you may have,
> but in a professional way. There is no criteria regarding "evil" in the CA
> policies and WebTrust audits and will not help your cause.

Actually, because of the censor policy of China mainland, we are afraid that the local government might spy our private information in some terms with this root certificate.
Comment 5 Johnathan Nightingale [:johnath] 2010-01-28 08:11:20 PST
Bugzilla isn't a place for advocacy, this discussion belongs in the mozilla.dev.security.policy newsgroup, as Eddy mentions.

Having said that - I am very sensitive to the concern here.  In my latest posting to that newsgroup, I said, in part:

1) We have never claimed as a matter of policy that our PKI decisions can protect people from malicious governments. It's just not a plausible promise for us to make.
2) I think, regardless of government ties, we'd carefully review and might well yank trust for any CA that was complicit in MitM attacks.
3) CNNIC complied with our root addition policy, they are in the product presently, so this isn't a question of approval, this is a question of whether we should review.

It feels to me like that makes our next step clear, here. It won't help to tally up the complainants (there will be many), and it won't help to demand assurances from CNNIC (since the alleged governmental pressure would trump those anyhow). It certainly won't help to cite wikipedia.

If there's truth to the allegation, here, then it should be possible to produce a cert. It should be possible to produce a certificate, signed by CNNIC, which impersonates a site known to have some other issuer. A live MitM attack, a paypal cert issued by CNNIC for example. If anyone in a position to produce such a thing needs help understanding the mechanics of doing so, I'm sure this forum will help them.

SSL makes tampering visible to its victims. The certificate has to actually make it to my client before I can decide to trust it. By all means, let's arm people with the knowledge to detect and record such instances. But I don't see any clear step we can take until then.
Comment 6 IDoNotSayanyThing 2010-01-28 21:15:51 PST
If cnnic can be trusted,so sow can climbing the tree!
It's a ridiculous reason to add cnnic to root certificate!
Comment 7 8r8c 2010-01-29 07:58:12 PST
The Chinese government can not be trusted, so CNNIC can not be trusted.
CNNIC is an evil organization like its gov.
Comment 8 Kevin Brosnan 2010-01-29 09:29:25 PST
Bugzilla is not for discussion, please make use of the newsgroups mozilla.dev.security.policy or http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/17be3bd7e0b33e8c#
Comment 9 David E. Ross 2010-01-30 11:08:27 PST
As reported in bug #476766, the "great firewall" of China apparently blocks citizen access to mozilla.dev.security.policy and to the Google groups for that newsgroup.  See <https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c28>.  Thus, posting in bug reports is the only way the primary audience for the CCNIC root -- the people of China -- can comment.
Comment 10 Jesse Ruderman 2010-02-01 01:19:52 PST
One upside of this situation is that users are discovering bugs related to removing and untrusting built-in root CAs: bug 501697, bug 173729, bug 543417.
Comment 11 TianYi ZHU 2010-02-01 17:56:51 PST
i regiested an account only to show my support.
remove it. i don't trust CNNIC.
Comment 12 Liuyi Sun 2010-02-02 00:25:01 PST
strongly agreed. CNNIC cannot be trusted, too dangerous to have a root certificate from CNNIC shipped along with the release version of Firefox.
Comment 13 Rex Tsai 2010-02-02 00:25:50 PST
*** This bug has been confirmed by popular vote. ***
Comment 14 robb 2010-02-02 01:05:09 PST
CNNIC can not be trusted.It is not a non-profit organization, is only a government department.Please remove it.
Comment 15 Harry Li 2010-02-02 01:16:18 PST
we should set "Platform" to all :)
Comment 16 Paul 2010-02-02 01:18:19 PST
China has a continuing history for DNS phishing and hijacking and CNNIC is an
official department of China government. CNNIC has a hisotry of malware
distribution. I am very surprised Mozilla will include CNNIC root certificate
in a browser product whose safety is a big concern for its large user base.
Please consider removing this certificate before a potentially MitM attack on a
large scale could occur in foreseeable future.
Comment 17 swatowin 2010-02-02 01:28:58 PST
First,CNNIC has produce the spam software and the second ,CNNIC was control by the ruling party,the third ,the administration of CNNIC was not open and not transparent and the judicial system of china was serious damaged .To prevent SSL attrack from the netizen and protect citizen's  privacy and security,we strongly urges the Mozilla foundation to remove the CNNIC CA certificate.
Comment 18 mboxs 2010-02-02 01:38:28 PST
I don't trust CNNIC CA.
Mozilla have a big mistake,Pls to cancel the evil CNNIC CA!
Comment 19 jake zeng 2010-02-02 01:49:52 PST
You can see how the chinese people said about the CNNIC, a company produce Trojans software. http://baike.360.cn/wiki/item/Cnnic%D6%D0%CE%C4%C9%CF%CD%F8
Comment 20 cathsfz 2010-02-02 01:53:02 PST
Please remove this certificate from all versions of Mozilla Firefox for all platforms.
Comment 21 jake zeng 2010-02-02 01:53:50 PST
CNNIC(中国互联网络信息中心)旗下的“CNNIC中文上网”在诸多民意测试中均为网民投诉量名列前三甲的恶评插件,网民使用奇虎360安全卫士主动卸载CNNIC旗下产品“CNNIC中文上网”和“CNNIC无忧上网工具条”每周超过200万次,在每周用户自主查杀榜单中仅次于雅虎中国。 据网友反应,“CNNIC中文上网”软件有诸多特征符合中国互联网协会颁布的恶意软件定义,如下: 1、 强制安装:未经提示即被偷偷安装在用户电脑中,通过共享软件的渠道无提示捆绑CNNIC中文上网插件 2、 无法卸载:用户卸载时需要用户输入所谓复杂的“验证码“,用户照实输入后,也经常出现无法卸载的现象,更有一些版本的中文上网的卸载程序根本无效。用户也无法手工删除它的文件,造成了无法卸载。 3、最新版的“CNNIC中文上网”还使用了FSD INLINE HOOK技术。

证据:http://www.360.cn/k-cnnic.html

English version:http://translate.google.cn/translate?js=y&prev=_t&hl=zh-CN&ie=UTF-8&layout=1&eotf=1&u=http://www.360.cn/k-cnnic.html&sl=zh-CN&tl=en
Comment 22 chen 2010-02-02 01:55:01 PST
CNNIC is an evil organization
I don't trust it!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Comment 23 lifahu 2010-02-02 02:03:38 PST
CNNIC has been doing evil,I won't trust CNNIC,pls remove CNNIC CA,regards.
Comment 24 Qingbo Zhou 2010-02-02 02:07:03 PST
CNNIC's own about page explained its role quite clearly:

"CNNIC takes orders from the Ministry of Information Industry (MII) to conduct
daily business"

http://www.cnnic.net.cn/en/index/0Q/index.htm
Comment 25 benjamin.franklin.cn 2010-02-02 02:14:16 PST
I can not trust it.
Comment 26 muaiyangpizhi 2010-02-02 02:39:44 PST
I just don't trust CNNIC
Comment 27 zzyy 2010-02-02 03:00:29 PST
CNNIC is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People's Republic of China. (from wikipedia :http://en.wikipedia.org/wiki/CNNIC)
The Chinese government has imposed heavy censorship on the Internet free expressing, for example, the famous Shi Tao case in 2005 which made US congress held a hearing about this and other similar incidents with representatives from Yahoo!, Google, and MSN, etc..(http://en.wikipedia.org/wiki/Shi_Tao)
Also, Chinese government has already imposed a filtering system to watch what the net users search or read.( If searching some improper words which Chinese government believed on google.com, the net connection will be reset and users could not connect to google in about 5 minutes.)
Due to the certificate could use in some fishing sites, the certificate would help the owners of the websites get the information from the user who trust the certificate. As many of the Chinese citizens now believe that the CNNIC is probable to help with this kind of censorship imposed on all the Internet users in mainland China (many companies in China help Chinese government do that), the security of mainland Internet users could not only be guaranteed but also be threatened with this certificate. And CNNIC is likely to send the information it get to Chinese government when the government requires.
Furthermore, as many people prove in this discuss board, the CNNIC used to spread the spam software as the so-called "official" organization. This matter of fact made Internet users in China find CNNIC even more trustless.
So, in my opinion, Mozilla should remove the CNNIC CA for the security of all the Internet users in mainland China.
Comment 28 BaoYu 2010-02-02 03:16:22 PST
I take a couple of minutes to sign up this account which I may never use again just to leave these words:Never Never Never trust CNNIC or any other  offical organizations in China.As a chinese,I thank you very much for remove CNNIC ROOT certificate.
Comment 29 wanderhuang 2010-02-02 04:05:37 PST
(In reply to comment #5)
> Bugzilla isn't a place for advocacy, this discussion belongs in the
> mozilla.dev.security.policy newsgroup, as Eddy mentions.
I am want to access that newsgroup 'cause I already have a Google account,
but I got this CONNECTION_RESET. Google group has been GFWed for years, so
stop asking chinese the go to that place for this discussion, its nonsense.

And as a Mozilla product user and a Chinese, I sincerely ask you Mozilla
members to removing this CA root immediately. CNNIC do not worth 
trust because what they have done and doing. Evidence was posted many and I 
won't repeat. We can remove it ourselves of course, but most users in china
even don't know the risk. Even Google can do nothing about the GFW and the 
cersorship, but please don't make things worse.

regards
Comment 30 shizhao 2010-02-02 04:15:20 PST
Some Chinese programmers wrote an article advocating removal of CNNIC
Root CA certificate.  After this blog post got some publicity, their
server suffered DDoS attack and was forced offline.

One popular Chinese blog writer and Internet technology critic William
Long commented on this event: CNNIC begins to
play with the black hands.

These programmers are authors of a Firefox addon Autoproxy which helps
the Chinese users “clime over the Great Firewall of PR China, an
information Berlin Wall.

from https://groups.google.com/group/wlaq/browse_thread/thread/2c04b4769e703c9c?hl=zh-CN
Comment 31 wmr89502270 2010-02-02 04:40:42 PST
CNNIC Hijacking youtube.com, twitter.com, and more.
Comment 32 Jimmy Xu 2010-02-02 04:44:29 PST
(In reply to comment #31)
> CNNIC Hijacking youtube.com, twitter.com, and more.

It's not the CNNIC that did the hijack. Anyway, the discussion is going off-topic.
Comment 33 goosy 2010-02-02 04:54:28 PST
I don't trust CNNIC!
Comment 34 wmr89502270 2010-02-02 05:11:15 PST
(In reply to comment #32)
> (In reply to comment #31)
> > CNNIC Hijacking youtube.com, twitter.com, and more.
> 
> It's not the CNNIC that did the hijack. Anyway, the discussion is going
> off-topic.

E:\Documents and Settings\wmr>ping youtube.com

Pinging youtube.com.domain [59.24.3.173] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 59.24.3.173:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

E:\Documents and Settings\wmr>ping twitter.com

Pinging twitter.com.domain [159.106.121.75] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 159.106.121.75:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

And CNNIC or 'Ministry of Information Industry of the PRC' controls the DNS ,so CNNIC or its parent organization that did the hijack. That proves CNNIC is bad, and Firefox should remove it.
Comment 35 Victor Fung 2010-02-02 05:39:42 PST
I can't trust CNNIC CA due to they made some malware in the past, pls remove from firefox to protect user away from Man in the middle attacked.
Comment 36 WuRuXu 2010-02-02 05:54:00 PST
Mozilla should REMOVE CNNIC CA from source, CNNIC isn't an organization, is controled by China government.
I cann't trust CNNIC CA.
Comment 37 alpha.mm 2010-02-02 05:54:56 PST
1.Here is a non-wikipedia official introduction of CNNIC:
http://www.cnnic.cn/en/index/0Q/index.htm
which cites:
"CNNIC takes orders from the Ministry of Information Industry (MII) to conduct
daily business, ..."
And MII is one of the ministries of Chinese government, whose official site is:
http://www.miit.gov.cn/

2.Do you mean that not until we provide solid evidence that CNNIC "has
committed" MitM attack or other abuse would Mozilla remove CNNIC certs from
default trusted cert list?


(In reply to comment #5)
> It certainly won't help to cite wikipedia.
> 
> If there's truth to the allegation, here, then it should be possible to produce
> a cert. It should be possible to produce a certificate, signed by CNNIC, which
> impersonates a site known to have some other issuer. A live MitM attack, a
> paypal cert issued by CNNIC for example. If anyone in a position to produce
> such a thing needs help understanding the mechanics of doing so, I'm sure this
> forum will help them.
> 
> SSL makes tampering visible to its victims. The certificate has to actually
> make it to my client before I can decide to trust it. By all means, let's arm
> people with the knowledge to detect and record such instances. But I don't see
> any clear step we can take until then.
Comment 38 wanderhuang 2010-02-02 05:57:45 PST
(In reply to comment #29)
> (In reply to comment #5)
> > Bugzilla isn't a place for advocacy, this discussion belongs in the
> > mozilla.dev.security.policy newsgroup, as Eddy mentions.
> I do want to access that newsgroup 'cause I already have a Google account,
> but I got this CONNECTION_RESET. Google group has been GFWed for years, so
> stop asking chinese the go to that place for this discussion, its nonsense.
Sorry, I shoud use SSL to access the newsgroup, normal HTTP connection would be reset by GFW.
> regards
Comment 39 patrick 2010-02-02 06:09:51 PST
cnnic is evil. anti human being. they are not no-profit organization.
please do not help those bastard.
remove it!!!!!!!!!!!!!!!!!!!!!
Comment 40 certificate us trust 2010-02-02 06:36:02 PST
Please review it ASAP!

in Mozilla we trust
no CNNIC
Comment 41 lh 2010-02-02 06:44:07 PST
i don't want my "https" method to the internet also be listenable by the gov.

plz remove that.
Comment 42 limbus 2010-02-02 07:24:44 PST
Firefox promises that she can keeps your personal info personal and your online interests away from the bad guys.But judging from the past and present,if CNNIC  be a root certificate provider,all of the above may be IMPOSSIBLE to Chinese users.
Comment 43 QiFei 2010-02-02 07:50:44 PST
Remove it, please.
Comment 44 Sheng Jiang 2010-02-02 08:03:50 PST
CNNIC is innocent until proven guilty for each and every alleged offence.
However, legal matters are off-topic here. The Mozilla foundation has no
jurisdiction over Chinese law (or law of any kind, it is not in any judiciary
system) nor does it falls under the jurisdiction of mainland China. It is
subject to Mountain View city laws, California state laws and USA federal laws.

And I think people have a false sense of security from a certificate.
Certificate does not improve security. It just proves that the issuer trusts
the web site. It does not certify the web site be free from malicious content
such as Trojan. Well, if an attacker web site uses the certificate, the
certificate helps to prove the attacker's identify as well, unless the issuance
of certificate is forged using a collision. 

It's interesting that GMail, Twitter, etc. aren't more routinely 
compromised at internet cafes and free wifi spots. Maybe people are not
interested in exploiting these or everyone use VPNs when they 
connect from insecure network.
Comment 45 rearbrook 2010-02-02 08:18:45 PST
We don't trust the CNNIC, it's a evil, please help to remove its CA from Firefox ASAP.
Comment 46 nfjinjing 2010-02-02 08:25:09 PST
Please remove it, a domain company operating in China in root certificate makes mozilla itself less trust worthy!
Comment 47 ant101tna 2010-02-02 09:02:20 PST
I didnt trust CNNIC from his bad toolbar, so I support to remove it.
Comment 48 limbus 2010-02-02 09:40:12 PST
Is there any right way to help remove CNNIC's CA from Firefox ASAP ? 
Please give us a officer answer
Comment 49 laiqinan 2010-02-02 09:49:43 PST
I support to remove it due to its bad behaviour. It made a toolbar that cannot be removed and other malware.
Comment 50 chunlin zhang 2010-02-02 17:07:35 PST
Or please modify the UI to make the action of remove CNNIC CA root certificate easier for user.
Please do something to help us.
Comment 52 alpha.mm 2010-02-02 22:56:59 PST
Yes, certs give a false sense of security. That is the point.
People feel protected when they see the blue block on the left of the address
bar and never doubt it's a phishing site.

(In reply to comment #44)
> 
> And I think people have a false sense of security from a certificate.
> Certificate does not improve security. It just proves that the issuer trusts
> the web site. It does not certify the web site be free from malicious content
> such as Trojan. Well, if an attacker web site uses the certificate, the
> certificate helps to prove the attacker's identify as well, unless the issuance
> of certificate is forged using a collision.
Comment 53 5135797 2010-02-02 23:17:58 PST
tear down the Great FireWall
Comment 54 ant101tna 2010-02-02 23:41:11 PST
People have rights to remove the certificate they dont trust, so maybe we could make removing certificate easier, and give the choice to people.
Comment 55 ablo 2010-02-02 23:42:27 PST
yes, I support to remove the cnnic CA from firefox.
Comment 56 Hou Xiang 2010-02-03 00:51:52 PST
I think you will not let someone work at a bank because they've only been involved in robbing armored cars (but not banks) in the past.  

With the same principle.

We have show a lot of solid evidence to proved the CNNIC have robbing armored cars.

You you said that we do not have evidence to proved the CNNIC have robbing a bank.

So , you will let him work in the bank.

How absurd it is.
Comment 57 lihlii 2010-02-03 04:08:56 PST
Comment #44 by Sheng Jiang is a Wumaodang. :)
What kind of lie he is telling!  Be alert of Wumaodang.

>unless the issuance of certificate is forged using a collision. 

CNNIC can only forge a certificate using collision?  What lie it is!
Comment 58 lihlii 2010-02-03 04:17:11 PST
Not only making certificate management easier, but should also ensure that the non-expert users know that which root CA they're trusting and what it means.

(In reply to comment #54)
> People have rights to remove the certificate they dont trust, so maybe we could
> make removing certificate easier, and give the choice to people.
Comment 59 Sheng Jiang 2010-02-03 04:39:44 PST
Anybody can forge the issuance of certificate, from any CA, given enough computing power.
Comment 60 lihlii 2010-02-03 05:55:31 PST
Roy, Would you please include the original URL of the webpages that these warnings are about?  So the evidences about CNNIC can be complete.

From the pages that you provided, it's difficult to see that they're talking about CNNIC websites.

(In reply to comment #51)
> > provide here any evidence you may have
> Google did a good job this time.
> 
> the AS where cnnic.cn hosts:
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:7497
Comment 61 lihlii 2010-02-03 05:56:28 PST
So that's the reason to remove CNNIC. :)

(In reply to comment #59)
> Anybody can forge the issuance of certificate, from any CA, given enough
> computing power.
Comment 62 Hou Xiang 2010-02-03 06:13:05 PST
The following is the evidences from Google.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=cnnic.net.cn/

What happened when Google visited this site?
1 page(s) resulted in malicious software being downloaded and installed without user consent.
Comment 63 Roy Tam 2010-02-03 06:22:20 PST
(In reply to comment #60)
> Roy, Would you please include the original URL of the webpages that these
> warnings are about?  So the evidences about CNNIC can be complete.
> 
> From the pages that you provided, it's difficult to see that they're talking
> about CNNIC websites.
> 
> (In reply to comment #51)
> > > provide here any evidence you may have
> > Google did a good job this time.
> > 
> > the AS where cnnic.cn hosts:
> > http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:7497

The AS which hosts Root Certificate Authority is dirty that I can't imagine malicious software will come from Root Certificate Authority while people trust all other root CAs.

And from what you said in this bug, now I can confirm that you are *Wumaodang(paid worker) of CNNIC* which make your comments untrustable.
Comment 64 Smallthing 2010-02-03 06:35:36 PST
http://translate.google.cn/translate?js=y&prev=_t&hl=zh-CN&ie=UTF-8&layout=1&eotf=1&u=http%3A%2F%2Fzhidao.baidu.com%2Fquestion%2F3057146.html&sl=zh-CN&tl=en

It's thousand of this call of help everyday about CNNIC malware please remove it thanks
Comment 66 Smallthing 2010-02-03 06:37:35 PST
I can promise
CNNIC IS EVIL
with my LIFE
Comment 67 Sheng Jiang 2010-02-03 07:51:17 PST
Come on, it is technical possible to forge any CA, not just CNNIC but every CA. If you want to pull CNNIC for that you may as well delete every CA from your certificate store.

(In reply to comment #61)
> So that's the reason to remove CNNIC. :)
> 
> (In reply to comment #59)
> > Anybody can forge the issuance of certificate, from any CA, given enough
> > computing power.
Comment 68 Jimmy Ma 2010-02-03 08:15:26 PST
CNNIC is fully controlled by Chinese gonvernment.

Now Firefox trusts CNNIC by root CA.It means that a gonvernment can make a SSL MITM attack by make a fake website,sign it,and use DNS hijack inside their network to make everyone trust that it is the original site.

If a enterprise like Verisign does the same thing,we can protect ourselves by law,but in many countries we cannot protect ourselves by law from a gonvernment's attack.To prevent this happens,we should only accept root CAs which their owners can be fully restricted by law in most countries.

And also,CNNIC released many malicious software before,and delete many .CN domain names without informing their owners.So we can hardly trust it again.
Comment 69 Eddy Nigg (StartCom) 2010-02-03 08:17:57 PST
(In reply to comment #67)
> Come on, it is technical possible to forge any CA, not just CNNIC but every CA.
> If you want to pull CNNIC for that you may as well delete every CA from your
> certificate store.

Sorry, you are spreading non-sense here, otherwise all CAs would be already compromised. But if you are so inclined I suggest to start forging one and show us the result.

As for deleting all CAs, that's fairly easy. Just remove libnss3.so|.dll from your Firefox installation.
Comment 70 Sheng Jiang 2010-02-03 09:13:25 PST
I am making an analogy about your reasoning, not mine. Good thing is that you realized that it is nonsense.

Another analogy for your follow-up comments. It is technical possible to put human on the moon. You reasoning looks like "the statement is false because you can't put one there or if it is possible then everyone must be there already".

Going back to technical discussion. CA is just a witness in handshaking. If the CA has interest in either party or is forged, then the trust relationship is broken. Technically any CA can be forged, it is not something that Mozilla or CNNIC can change, so I will put it off. If the CA is not trust worthy, it is still the job of the browser to declare that the web site is certified by the CA, so the user can make an action based on the user's perception of the CA. 

This is not the first time that some CA listed in Mozilla's trusted list - some reportedly even issued certificates for mozilla.com without asking proof of identity (https://bugzilla.mozilla.org/show_bug.cgi?id=470897) - are debated. There are some discussion in mozilla's dev.tech.crypto maillist if you need more technical discussion on CAs.

(In reply to comment #69)
> (In reply to comment #67)
> > Come on, it is technical possible to forge any CA, not just CNNIC but every CA.
> > If you want to pull CNNIC for that you may as well delete every CA from your
> > certificate store.
> 
> Sorry, you are spreading non-sense here, otherwise all CAs would be already
> compromised. But if you are so inclined I suggest to start forging one and show
> us the result.
> 
> As for deleting all CAs, that's fairly easy. Just remove libnss3.so|.dll from
> your Firefox installation.
Comment 71 Eddy Nigg (StartCom) 2010-02-03 11:02:49 PST
(In reply to comment #70)
> Technically any CA can be forged, 

I see, this was just a language problem - yes, a rough CA can forge certificates depending on the authorization thereof.

> This is not the first time that some CA listed in Mozilla's trusted list - some
> reportedly even issued certificates for mozilla.com without asking proof of
> identity (https://bugzilla.mozilla.org/show_bug.cgi?id=470897) - are debated.

Really? :-)

> There are some discussion in mozilla's dev.tech.crypto maillist if you need
> more technical discussion on CAs.

OK, I'll check it out. Thanks!
Comment 72 lihlii 2010-02-03 13:23:00 PST
I agree with Sheng Jiang.

Technically any man can be castrated, so I think he has no difference from a castrated eunuch. :)

(In reply to comment #70)
> broken. Technically any CA can be forged, it is not something that Mozilla or
> CNNIC can change, so I will put it off. If the CA is not trust worthy, it is
Comment 73 lihlii 2010-02-03 13:26:43 PST
Sheng Jiang,

This is correct:

Because: Anybody can forge the issuance of certificate, from any CA.
So: Anybody can forge the issuance of the CNNIC certificate.
So: The CNNIC certificate is rubbish.
So: Let's remove it, why not?

For the other CAs, why should we remove them since they're rubbish? :)

(In reply to comment #67)
> Come on, it is technical possible to forge any CA, not just CNNIC but every CA.
> If you want to pull CNNIC for that you may as well delete every CA from your
> certificate store.
Comment 74 lihlii 2010-02-03 13:28:42 PST
Sheng Jiang,

I agree with you.

If you want to make love with your wife, for that you may as well make love with every women. :)

> If you want to pull CNNIC for that you may as well delete every CA from your
> certificate store.
Comment 75 Gervase Markham [:gerv] 2010-02-03 13:41:27 PST
Look, this is not a discussion board, it is a bug-tracking system. There is an expected code of behaviour:
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

The very first line of the instructions there is "Unless you have something constructive and helpful to say, do not add a comment to a bug."

People continuing to violate these principles will have their accounts disabled. No, this is not a way of avoiding the issue. No, you do not have a human right to spam our bug system.

Gerv
Comment 76 lihlii 2010-02-03 15:22:19 PST
Gerv,

You can use your privilege to threat users, but I don't mind and take your threat as only ****. :)
Comment 77 lihlii 2010-02-03 15:25:14 PST
Gerv and other Mozilla "security" managers,

I've tasted enough of your "policy" and "etiquette" of ****. :)
I don't want to "spam" here any more because it's totally ****.

Those users who tried to voice their ideas can continue and you will see why I choose to quit by being banned. :)

I'll be my honor to be banned by a ****, otherwise I can't distinguish myself from a ****.
Comment 78 Albert.Chen 2010-02-03 15:50:25 PST
@lihlii
It is not the right way to talk about technics things. If you do not even follow the rules here, how could you call for the justice of law in China? I'm really shamed by your behavior.

@Gervase Markham
We are really exciting and, well, *INSULTED* by the inclusion of CNNIC certificate in FF browser. I'm sorry, but that's my true feeling now.

@All
Anyway, for the interests of users, only trustworthy CA certificates could be shipped within the browser.
However, it is the FF's right to decide the good or bad. 
Personally, I think enough evidence and facts are listed here for FF to judge.
So my dear brothers/sisters, let's keep quiet and see what will happen later. Too many pointless arguments will only make the technicians feel unhappy :P
Comment 79 lihlii 2010-02-03 15:51:38 PST
Soon you will understand. :)

(In reply to comment #78)
> @lihlii
> It is not the right way to talk about technics things. If you do not even
> follow the rules here, how could you call for the justice of law in China? I'm
> really shamed by your behavior.
Comment 80 alpha.mm 2010-02-04 05:10:04 PST
Where are these two files? I can't find them. (Firefox 3.6)
And if user must goto installation directory to remove files with strange names, then how can you say it's easy?

(In reply to comment #69)
> As for deleting all CAs, that's fairly easy. Just remove libnss3.so|.dll from
> your Firefox installation.
Comment 81 ggwjgg 2010-02-04 06:11:54 PST
please remove CNNIC CA from firefox; 
I like FireFox ;I hope FireFox "do not be evil" like Google!
Comment 82 Gervase Markham [:gerv] 2010-02-04 06:34:13 PST
(In reply to comment #80)
> Where are these two files? I can't find them. (Firefox 3.6)
> And if user must goto installation directory to remove files with strange
> names, then how can you say it's easy?

This is not a recommended procedure.

The correct method of removing trust from particular CA certificates is to use the certificate manager in the preferences.

Gerv
Comment 83 Eddy Nigg (StartCom) 2010-02-04 06:54:19 PST
(In reply to comment #82)
> (In reply to comment #80)
> > Where are these two files? I can't find them. (Firefox 3.6)
> > And if user must goto installation directory to remove files with strange
> > names, then how can you say it's easy?
> 
> This is not a recommended procedure.
> 
> The correct method of removing trust from particular CA certificates is to use
> the certificate manager in the preferences.

For all CAs? :-)
Comment 84 Knight00931 2010-02-04 08:49:34 PST
Please remove it.Thanks.
Comment 85 Kathleen Wilson 2010-02-04 13:31:17 PST
All,

I apologize for the delay in my response. A lot of input has been provided in the past week.

To summarize the situation, Mozilla has received reports of possible violations of the Mozilla CA Certificate Policy (http://www.mozilla.org/projects/security/certs/policy/) by China Internet Network Information Center (CNNIC). During the past year Mozilla publicly reviewed and accepted the CNNIC root into the Mozilla root store as per the Mozilla CA Certificate Policy and as summarized in https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c14. 

Mozilla thanks our community for raising their concerns to our attention. Community involvement in our CA operations is an important element of the project, and has helped us resolve issues with CA behavior in the past. 

Mozilla takes these concerns very seriously. As is the case for any included or pending root entry, we encourage people to report specific examples of policy violation, either inadvertent or intentional. 

One of the concerns raised is that CNNIC is organizationally part of the Chinese Academy of Sciences, a government research entity. Mozilla has included many root certificates that are operated either by actual government agencies or by organizations that are government sponsored. We do not have a policy against accepting government sponsored CAs into our program. 

There have been other claims and speculations about CNNIC, and Mozilla will seriously investigate all claims with substantiated evidence that CNNIC has not followed the Mozilla CA Certificate Policy.

We ask your continued patience and request that further input remain professional and focused on providing concrete evidence that can be acted on according to the Mozilla CA Certificate Policy. 

Sincerely, 
Kathleen
Comment 86 David E. Ross 2010-02-04 15:21:20 PST
Comment #85 states in part: 
> One of the concerns raised is that CNNIC is organizationally part of the 
> Chinese Academy of Sciences, a government research entity. Mozilla has 
> included many root certificates that are operated either by actual 
> government agencies or by organizations that are government sponsored. 
> We do not have a policy against accepting government sponsored CAs into 
> our program.

I have no concern about a certificate authority (CA) that is a government
agency.  Several other such CAs went through the approval process last year,
and others are currently in process.  The fact that they are agencies of a
national (or even local) government has rarely been a major issue.  

I have two concerns, however with CNNIC.  

First of all, in the initial bug #476766, the requester (Liu Yan, the author of
that bug report and the representative of CNNIC) stated: "CNNIC is not a
Chinese Government organization."  It appears that Liu Yan's assertion might
not be true.  If the assertion is false, it brings into question other
assertions on behalf of CNNIC.  An investigation into whether the assertion is
indeed false should be made.  That investigation should include whether the
problem is merely one of syntax by someone not entirely fluent in English or
whether it was a material misrepresentation.  

Then there is the issue of whether proper public review and discussion occurred
in accord with Mozilla policy regarding the request to approve bug #476766.  It
seems that access to mozilla.dev.security.policy might somehow be blocked for those accessing the Internet within China.  This too needs investigation.  If a
candid discussion of the CNNIC root certificate, its CP and CPS, its audit, and
whether CNNIC fully complies with its documented policies and practices is not
possible by those most likely to rely on that certificate, the approval stated
in bug #476766 should be withdrawn until after a thorough review and discussion can take place with participation by users in China.
Comment 87 Kathleen Wilson 2010-02-04 16:14:16 PST
> First of all, in the initial bug #476766, the requester (Liu Yan, the author 
> of that bug report and the representative of CNNIC) stated: "CNNIC is not a
> Chinese Government organization."  

CNNIC employees are not civil servants, but CNNIC is government sponsored. When I evaluate root inclusion requests, there is often different understandings due to translations and interpretations. Therefore, I sync my information between what is said in the bug, what is in the CP/CPS/audit, and what is on the CAs website. As you can see, my information gathering documents, the included page (the data was transferred directly from the pending page), and also in the public discussion I always stated: "China Internet Network Information Center (CNNIC), the state network information center of China, is a non-profit organization. CNNIC takes orders from the Ministry of Information Industry (MII) to conduct daily business, while it is administratively operated by the Chinese Academy of Sciences (CAS)." This is the information that was considered during the public review process.

> Then there is the issue of whether proper public review and 
> discussion occurred in accord with Mozilla policy regarding the 
> request to approve bug #476766.  It seems that access to 
> mozilla.dev.security.policy might somehow be blocked for
> those accessing the Internet within China.  This too needs investigation.  
> If a candid discussion of the CNNIC root certificate, its CP and CPS, 
> its audit, and whether CNNIC fully complies with its documented policies 
> and practices is not possible by those most likely to rely on that
> certificate, the approval stated in bug #476766 should be withdrawn 
> until after a thorough review and discussion can take place with
> participation by users in China.

Everyone I know who travels or lives in China are aware of the issues with accessing websites from there, and they use proxy servers to access the websites that they desire. Based on my limited exposure, this appears to be common practice. (I'm not saying it's good...)

The information was also posted in the bug which apparently can be accessed -- based on all the comments that have been added after the fact.

As I said previously, Mozilla will seriously investigate all claims with substantiated evidence that CNNIC has not followed the Mozilla CA Certificate Policy. My opinion is that such evidence may be posted here in this bug, and proper due diligence will follow.  I do not see the need to open another discussion topic at this time. Viewers are encouraged to review the information that was considered.

For those who cannot access some of the websites, here is the information that was considered,

Information Gathering Document:
https://bugzilla.mozilla.org/attachment.cgi?id=405902

Policies of the CNNIC Trusted Network Service Center:
http://www.cnnic.cn/html/Dir/2007/04/29/4568.htm

English CPS of the CNNIC Trusted Network Service Center:
http://www.cnnic.cn/uploadfiles/pdf/2009/7/3/163452.pdf

Audit: https://cert.webtrust.org/SealFile?seal=935&file=pdf

Mozilla CA Certificate Policy: 
http://www.mozilla.org/projects/security/certs/policy/
Comment 88 Eddy Nigg (StartCom) 2010-02-04 17:01:18 PST
(In reply to comment #86)
> Then there is the issue of whether proper public review and discussion occurred
> in accord with Mozilla policy regarding the request to approve bug #476766.  It
> seems that access to mozilla.dev.security.policy might somehow be blocked for
> those accessing the Internet within China.  This too needs investigation.

I think this is a disturbing issue and one of my reasons calling for a repeat. I think that the current uproar would justify that, being it only for the reason to provide the platform to let those who object, to voice their opinion (in an organized manner).

At this point I want to state that I have reviewed the application of CNNIC back in October. At that time I've found no major faults, being it with their policies and practice statements, audits or compliance to the Mozilla CA Policy.

I admit that I'm not knowledgeable about the circumstances in China, neither about the local laws nor the practices and controls imposed by the Chinese government. I can however follow the logic of some of the allegations which were made recently, specially since the recent disclosure by Google and some 30 other companies which were affected by a disturbing incident. This lets me believe that there *might* be a valid case to reconsider, or at least review the previously made decision. Evidence of systematic problematic practices by the same bodies controlling CNNIC or affiliations are obviously not favorable under these circumstances.

Eventually it must be (re)evaluated if the inclusion of a particular CA root would cause undue risks to users' security and the inclusion would some service relevant to typical users of our software products (and not disservice) - as per Mozilla CA Policy.
Comment 89 wzl2005 2010-02-04 17:04:40 PST
Sorry for my poor english to reading so long sentence.
how mozilla included the root ca, what about the review process,
it is also another question,but here I just want to know what is the next
action?remove or not remove?
That is the question.
Comment 90 honglei 2010-02-04 18:26:41 PST
(In reply to comment #87)
> Everyone I know who travels or lives in China are aware of the issues with
> accessing websites from there, and they use proxy servers to access the
> websites that they desire. Based on my limited exposure, this appears to be
> common practice. (I'm not saying it's good...)
as i person in china.it's not the truth.it became more and more difficult for peoples in china to access websites freely. here this the evidences:
we can't access twitter,facebook,youtube,blogspot directly.for the existence of
dns hijack,forbidden  ip ,forbid web have keywordes,forbid certain https connect, use malicious Tor nodes.forbid mailes have sensitive keywords, yet fewer and fewer proxy server can help us access internet freely.
i just know CNNIC CA problems only because it already included in firefox and i can fanqian (bypass the GFW).all the web pages talk about CNNIC CA problems will be deleted or forbidden to access in Chinese languages or in China.

i believe in firefox so i believe the CAs that firefox .we don't believe CNNIC only because what it already did (produces malicious software,withdraw your .cn domain name at will without any reason),this is the real commonsense in china.
Comment 91 yuntao.liu@gmail.com 2010-02-05 09:48:56 PST
I DO NOT trust CNNIC.

In China, we are seems in a big LAN instead of internet. And the government guard the gateway. Please, imaging that if you are the network administrator of a LAN that you can do whatever you want, can you cheat the user by SSL?

Rumor has that the government sent spy to Google and steal some code of gmail during the well-known attack. And now, the government have a ROOT CA in browser  and they can also control our DNS in China. So that they can guide me to a fake  server when I visiting www.gmail.com and replace the certificate. How can I know if I am visiting the real gmail or fake one? 

So please remove CNNIC from CA ROOT. 
Adding CNNIC to CA ROOT is not safe to all the internet users in China.
Comment 92 woai 2010-02-05 23:16:03 PST
I am quoting Mozilla CA Certificate Policy (Version 1.2):
http://www.mozilla.org/projects/security/certs/policy/

>  # We will determine which CA certificates are included in software products distributed through mozilla.org, based on the benefits and risks of such inclusion to typical users of those products.

Risks of the typical users (being.. all users of any mozilla product):
A. CNNIC is a state institution (as well as a private organization).
B. As deemed by the Constitution of the People's Republic of China, all individuals and organizations should follow the command of the Chinese Communist Party.
C. The Chinese Communist Party is known to tamper, modify, and spy the communications of nationals and foreigners in Chinese soil and abroad.
D. The majority of users of mozilla products are either Chinese nationals or foreigners in Chinese soil and abroad.
E. If A and B, then the Chinese Communist Party can order CNNIC to issue a rogue certificate.
F. If C and E, then the Chinese Communist Party will be able to use a rogue certificate emitted by CNNIC to tamper, modify, and spy the communications of nationals and foreigners in Chinese soil and abroad.
G. If D and F, then the Chinese Communist Party will be able to tamper, modify, and spy the communications of the majority of users of mozilla products.

So, I am stating that having CNNIC or any CA that is under a government that can force an organization to create a rogue certificate is a threat against the security of the majority of Mozilla users.

In any case, if it can be legally proofed that the Ministry of Information Industry or Public Security Bureau (both directly or indirectly controlled by the Chinese Communist Party), can order CNNIC to issue a rogue certificate, then it would violate the following statement(even without they ever doing so, the fact that they HAVE TO do it UNDER REQUEST of another entity [which authority is restricted to CHINA]):
>  knowingly issue certificates without the knowledge of the entities whose information is referenced in the certificates

Am I right?

If so, the necessary law investigation efforts to proof the above statement (that the Chinese Communist Party can issue rogue certificates via CNNIC) will be started.

DISCLAIMER:
This is a disposable email address, and is being used to protect my identity. In the case another message is sent from this account, please ignore.. as it wont be me. In order to proof my identity I will post a SHA-1 hash that corresponds to a secret passphrase I will reveal in the next message I send under my real account.
Comment 93 woai 2010-02-05 23:18:16 PST
3d812b0ede9f025cc58d766ba3a31985f777e994
Comment 94 Earth Engine 2010-02-06 03:32:50 PST
I think I fully understand what the Chinese people concerning about.

However, we have to think about some troubles if we do remove the CNNIC CA from firefox. 

Some websites within China, may have to use their certificate issued by CNNIC for the WELL-KNOWN reason. I think everyone, especially Chinese, will understand what I am saying. Furthermore, the fact is, nevertheless they "have to" or not, some CNNIC issued certificates is IN USE.

If the CA had removed, the new users may complain about this; if we can't give them a better solution they may refuse to use a browser that CANNOT access the websites they want. Even for the experienced user, they will have to add the CNNIC CA manually and then remove it after accessing those websites. If they forget to do so, any "security" improved by removing CNNIC CA is gone.

As a conclusion, the benefit of removing CNNIC CA is not clear. 

However, I said understand why Chinese people afraid of the CNNIC CA. I believe there should be some better solution for them. Here is my suggestion of firefox improvement:

1. ROOT CA blacklist to be implemented. The end user should be able to move a specific CA into the blacklist. This ensures that even after the user updated the firefox instance, the CAs in blacklist is still in untrusted state. For more user friendly, this blacklist should be able to be exported and imported into the browser.

2. "Allow once" mechanism. If the user is accessing a website that is using untrusted certificate, a page with all certificate detail should shown, and the user should be able to choose "allow once", which means this website should be set to trusted in the current browser session, but should keep untrusted in further sessions.

I believe these two features is a better solution than simply remove the CNNIC CA.
Comment 95 Eddy Nigg (StartCom) 2010-02-06 03:44:54 PST
Regarding #1 you already if this by editing the trust bits of the CA root. However it's not easy to use for the casual user and neither is your idea I'm afraid.

If you have #1, you can do always also #2 by removing the "Remember" flag when adding an exception before accessing a particular site.

We discussed and considered other possible scenarios for such nationally aligned CAs in the past by using the naming constraint to limit a CA to particular domain name extensions for example. Unfortunately it doesn't work with the NSS module at the moment and it's not supported.
Comment 96 Earth Engine 2010-02-06 04:43:52 PST
>Regarding #1 you already if this by editing the trust bits of the CA root.
>However it's not easy to use for the casual user and neither is your idea I'm
>afraid.

If firefox only stores the "black" CAs in the same list for the "trusted" CAs with a different flag, I am afraid it would be replaced after an upgrade. In this case, keeping the user's decision is important.

>If you have #1, you can do always also #2 by removing the "Remember" flag when
>adding an exception before accessing a particular site.

I have seen the warning page before; In my feeling one thing to be improved is the detail of certificate or at least a brief description (i.e. the CA's name, DNS name...) should be shown in that page. This allows the user to make their decision quickly in most cases.
Comment 97 Eddy Nigg (StartCom) 2010-02-06 04:49:08 PST
(In reply to comment #96)
> If firefox only stores the "black" CAs in the same list for the "trusted" CAs
> with a different flag, I am afraid it would be replaced after an upgrade. In
> this case, keeping the user's decision is important.

No - if you try to delete a CA root, it will be back after restart. But if you EDIT the trust bits, if will be honored through restarts and upgrades.

> I have seen the warning page before; In my feeling one thing to be improved is
> the detail of certificate or at least a brief description (i.e. the CA's name,
> DNS name...) should be shown in that page. This allows the user to make their
> decision quickly in most cases.

There is the "View" button when adding an exception, but your idea is actually interesting.
Comment 98 alpha.mm 2010-02-06 08:53:11 PST
Yes.
1. Google *might* be spied by Chinese government.
2. And some said on twitter that the Add-on "AutoProxy" website had been DDoSed by unknown source shortly after a post was posted about CNNIC ROOT been added into firefox trusted certs.

Well, I can only say these *might* have sth to do with Chinese gov or CNNIC as I don't have any concrete evidence.

(In reply to comment #91)
Comment 99 alpha.mm 2010-02-06 08:55:15 PST
Good idea.
Cert settings should be improved.

(In reply to comment #94)
> improvement:
> 1. ROOT CA blacklist to be implemented. The end user should be able to move a
> specific CA into the blacklist. This ensures that even after the user updated
> the firefox instance, the CAs in blacklist is still in untrusted state. For
> more user friendly, this blacklist should be able to be exported and imported
> into the browser.
> 2. "Allow once" mechanism. If the user is accessing a website that is using
> untrusted certificate, a page with all certificate detail should shown, and the
> user should be able to choose "allow once", which means this website should be
> set to trusted in the current browser session, but should keep untrusted in
> further sessions.
> I believe these two features is a better solution than simply remove the CNNIC
> CA.
Comment 100 Jack 2010-02-06 19:19:35 PST
Earth Engine:

> I think I fully understand what the Chinese people concerning about.
> 
> However, we have to think about some troubles if we do remove the CNNIC CA from
> firefox. 
> 
> Some websites within China, may have to use their certificate issued by CNNIC
> for the WELL-KNOWN reason. I think everyone, especially Chinese, will
> understand what I am saying. Furthermore, the fact is, nevertheless they "have
> to" or not, some CNNIC issued certificates is IN USE.
> 
> If the CA had removed, the new users may complain about this; if we can't give
> them a better solution they may refuse to use a browser that CANNOT access the
> websites they want. Even for the experienced user, they will have to add the
> CNNIC CA manually and then remove it after accessing those websites. If they
> forget to do so, any "security" improved by removing CNNIC CA is gone.
> 
> As a conclusion, the benefit of removing CNNIC CA is not clear. 
> 
> However, I said understand why Chinese people afraid of the CNNIC CA. I believe
> there should be some better solution for them. Here is my suggestion of firefox
> improvement:
> 
> 1. ROOT CA blacklist to be implemented. The end user should be able to move a
> specific CA into the blacklist. This ensures that even after the user updated
> the firefox instance, the CAs in blacklist is still in untrusted state. For
> more user friendly, this blacklist should be able to be exported and imported
> into the browser.
> 
> 2. "Allow once" mechanism. If the user is accessing a website that is using
> untrusted certificate, a page with all certificate detail should shown, and the
> user should be able to choose "allow once", which means this website should be
> set to trusted in the current browser session, but should keep untrusted in
> further sessions.
> 
> I believe these two features is a better solution than simply remove the CNNIC
> CA.

There are two issues here:

1. removing CNNIC in root CA is "security by default", then users can add certificates for blocked sites whenever they want, as we do right now for self-signed certificates.  Including CNNIC in root CA and asking people to do special things to protect them, while most of these people are even not aware of the danger, is "insecurity by default".

2. including CNNIC in root CA threatens the security of all users in mainland China, as evident from the online polls and voices.  It also affects people living outside mainland China that Chinese Communist government has special interest, such as the google executives and those dozens of high profile companies recently hacked, or the vast amount of victims of GhostNet [1] throughout the world, or the British government [2] and many other governments, among many other different groups of people.  That is, a large number of people.  In comparison, excluding CNNIC by default only affects some Chinese people who have to deal with companies certified by CNNIC, which is a much smaller number.

The main advantage of Firefox over IE, in my opinion, is its security.  That is the main reason I converted many people.  Whenever I see someone's desktop littered by malware, I tell them and their office mates to use Firefox instead and only use IE only for sites that only works with IE (unfortunately some internal websites in large entities was written only for IE).  If Mozilla does not include CNNIC in root CA and prompts people to manually add individual trust to specific website signed by CONNIC, most people will feel safer with Firefox compared to other browsers, and more people will use Firefox.  This is even true for people outside mainland China, since untrusted root CA built into browser coupled with phishing email etc threatens everyone, and the threat is real as mentioned above.

Earth Engine also said above that:
> they will have to add the
> CNNIC CA manually and then remove it after accessing those websites. If they
> forget to do so, any "security" improved by removing CNNIC CA is gone.

I think people do not need to add CONNIC's root certificate, they only need to add that specific certificate signed by CONNIC.  This has added security that CNNIC can not subsequently fake other certificates, which is good risk management.  Also, in most cases, if a user chooses to trust a certificate once, he would prefer to keep that trust for ever, so doesn't have to manually remove afterwards.  And, this improved security doesn't affect anything else.

[1] http://www.nytimes.com/2009/03/29/technology/29spy.html
[2] http://www.infoniac.com/news/chinese-hackers-spotted-british-government-attack.html
Comment 101 Jiaji 2010-02-07 04:37:08 PST
This info may be unrelated but it may help your decision: China is starting to crack up HTTPS connection to Google Docs.
Comment 102 Eddy Nigg (StartCom) 2010-02-07 04:40:06 PST
(In reply to comment #101)
> This info may be unrelated but it may help your decision: China is starting to
> crack up HTTPS connection to Google Docs.

Please don't make baseless allegations without backing it up. Please provide some evidence, everything else is NOT helpful whatsoever!
Comment 103 Li Daobing 2010-02-07 05:11:41 PST
(In reply to comment #102)
> (In reply to comment #101)
> > This info may be unrelated but it may help your decision: China is starting to
> > crack up HTTPS connection to Google Docs.
> 
> Please don't make baseless allegations without backing it up. Please provide
> some evidence, everything else is NOT helpful whatsoever!

China Channel Firefox Add-on can help you verify the informations in this bug report: http://chinachannel.hk/
Comment 104 Jiaji 2010-02-07 07:05:37 PST
(In reply to comment #102)
> (In reply to comment #101)
> > This info may be unrelated but it may help your decision: China is starting to
> > crack up HTTPS connection to Google Docs.
> 
> Please don't make baseless allegations without backing it up. Please provide
> some evidence, everything else is NOT helpful whatsoever!

Well, if I can prove it's China behind it I'd expect some big bright bureau in Google or McAfee, if you need to verify the facts you may need a poll or a walkabout in China.
Comment 105 Adam Borowski 2010-02-07 08:07:05 PST
While no direct evidence for SSL man-in-the-middle attacks has been provided yet, I wouldn't expect it to crop up so soon -- CNNIC's root was included in Internet Explorer very recently and in Firefox just a few days ago.

There is plenty of hard evidence for related attacks, though.  These include such prominent cases as DNS hijacking google.com to redirect it to Baidu.  Take a look at this beautiful screenshot: http://www.techcrunch.com/2007/10/18/baidu-hijacking-google-traffic-in-china/


Certificates signed by CNNIC provide no better security than self-signed certificates and should be treated as such.  And here lies a problem: the current support for certificates not in default roots is abysmal.  The user is scared into thinking these are much worse than plain non-encrypted http.
Thus, my suggestion would be to copy the interface already present in Thunderbird and say:
"This certificate is not signed by a default root.  It is signed by CNNIC.  [Accept once] [Accept permanently] [Reject]". (the current interface doesn't recognize authorities other than trusted ones)
"Accept permanently" would cache the certificate (not URL!), and provide additional (as scary as possible!) warnings if the certificate changes and is not either expired or very close to expiring (say, 7 days before its limit).
Comment 106 Eddy Nigg (StartCom) 2010-02-07 09:02:48 PST
(In reply to comment #105)
> http://www.techcrunch.com/2007/10/18/baidu-hijacking-google-traffic-in-china/

Thanks for this, ignoring the rest. File a different bug or discuss at the mailing lists.
Comment 107 alpha.mm 2010-02-07 09:40:00 PST
In China, Google Docs can only be accessed through HTTP.
Connections to https://docs.google.com will be reset (by GFW).

No one can give concrete evidence of the existence of GFW as long as Chinese government denies it and orders ISPs to deny it. (Indirect evidences like Ping or Tracert results are also not concrete enough.)
But GFW does exist.

So some truths are not provable.

(In reply to comment #102)
> (In reply to comment #101)
> > This info may be unrelated but it may help your decision: China is starting to
> > crack up HTTPS connection to Google Docs.
> 
> Please don't make baseless allegations without backing it up. Please provide
> some evidence, everything else is NOT helpful whatsoever!
Comment 108 Jack 2010-02-07 09:42:05 PST
(In reply to comment #102)
> (In reply to comment #101)
> > This info may be unrelated but it may help your decision: China is starting to
> > crack up HTTPS connection to Google Docs.
> 
> Please don't make baseless allegations without backing it up. Please provide
> some evidence, everything else is NOT helpful whatsoever!

"Domain names that have not registered will not be resolved or transferred," Ministry of Industry and Information Technology (which directs CNNIC) ordered. 

http://www.reuters.com/article/idUSTRE5BL19620091222

Actually Chinese Communist regime's control is everywhere you look.  Every politically sensitive website is blocked, plus some neutral websites such as CNN [1] . 

And here is how they monitor Chinese users through skype [2] .  It's through Skype's partner at Chinese - Tom-Skype, however in China http://skype.com is redirected to http://skype.tom.com .

[1] http://cyber.law.harvard.edu/filtering/china/block-kw-detail.html
[2] http://www.nytimes.com/2008/10/02/technology/internet/02skype.html
Comment 109 Eddy Nigg (StartCom) 2010-02-07 10:33:20 PST
Those testimonials and reports are helpful. The question is, if HTTPS is blocked anyway, would the CNNIC root inclusion make things worse...Overall the situation is less than clear and quite troubling, one of the reasons for my request to review this CNNIC inclusion.

This would give all parties the chance to comment - including CNNIC - and allow to to assess everything.
Comment 110 Jack 2010-02-07 11:38:05 PST
As far as I know they selectively block websites, and gmail/yahoo/hotmail are not blocked at this time.  google docs is not used by too many Chinese anyway.

Furthermore, weaving CNNIC into Firefox threatens a large number of people outside mainland China as well, as explained in Comment #100 above.  Before a https connection to a trusted website is suffice to guarantee the connection.  If phished, browser will warn of mismatched or self-signed certificate.  Now that protection is gone.
Comment 111 Hou Xiang 2010-02-07 18:29:52 PST
(In reply to comment #109)
> Those testimonials and reports are helpful. The question is, if HTTPS is
> blocked anyway, would the CNNIC root inclusion make things worse...


Yes, It will make things worse!!!

They blocked the https for Google Docs, because they can not crack SSL connection. So, they blocked the https protocol and forced the people in china using the http, Which is not encrypted, Can be viewed by GFW.

But, if they have a fake certificate issued with a domain name of “google.com” from CNNIC. Everybody here can know what can be happened.

Not only for Google Docs, also for Gmail, the most concern by Chinese.

PS: Https for Gmail is working in China, because a lot of Chinese is using it. But put the CNNIC ROOT Certificate is danger for HTTPS users.
Comment 112 zengbl 2010-02-07 19:01:25 PST
Please.
Thanks.
Comment 113 zengbl 2010-02-07 19:10:13 PST
Before the CNNIC SSL root certificate is removed from the official Firefox, I deleted it from my firefox. 
I do it following the steps in http://autoproxy.org/zh-CN/node/66 .
Comment 114 Hou Xiang 2010-02-07 20:32:14 PST
As the DNS hijack has already widely implement in china,  We do not want the SSL hijack do it again !
Comment 115 Carter Wang 2010-02-08 04:24:18 PST
Yes, this is very critical issue. I don't know how mozila accept CNNIC's validity? What assurance do we users have? But apparently this whole process is not satisfactory.
Comment 116 iwantit 2010-02-10 01:14:52 PST
(In reply to comment #5)
> Bugzilla isn't a place for advocacy, this discussion belongs in the
> mozilla.dev.security.policy newsgroup, as Eddy mentions.
> 
> Having said that - I am very sensitive to the concern here.  In my latest
> posting to that newsgroup, I said, in part:
> 
> 1) We have never claimed as a matter of policy that our PKI decisions can
> protect people from malicious governments. It's just not a plausible promise
> for us to make.
> 2) I think, regardless of government ties, we'd carefully review and might well
> yank trust for any CA that was complicit in MitM attacks.
> 3) CNNIC complied with our root addition policy, they are in the product
> presently, so this isn't a question of approval, this is a question of whether
> we should review.
> 
> It feels to me like that makes our next step clear, here. It won't help to
> tally up the complainants (there will be many), and it won't help to demand
> assurances from CNNIC (since the alleged governmental pressure would trump
> those anyhow). It certainly won't help to cite wikipedia.
> 
> If there's truth to the allegation, here, then it should be possible to produce
> a cert. It should be possible to produce a certificate, signed by CNNIC, which
> impersonates a site known to have some other issuer. A live MitM attack, a
> paypal cert issued by CNNIC for example. If anyone in a position to produce
> such a thing needs help understanding the mechanics of doing so, I'm sure this
> forum will help them.
> 
> SSL makes tampering visible to its victims. The certificate has to actually
> make it to my client before I can decide to trust it. By all means, let's arm
> people with the knowledge to detect and record such instances. But I don't see
> any clear step we can take until then.

你们不了解中国互联网的状况,让大家到google group里面去讨论,可是你们知不知道在中国境内是无法访问google group的?另一方面,在这个问题上,你们是否应该倾听一下中国技术人员的意见,而不要自作主张做他们的上帝?

You know less of the Internet situation in China. Lots of people in China can not access google group at all. 
For this problem, shouldn't you listen to the technical people from China? Do not simply accept CNNIC CA, and be the GOD of Chinese people.

no cnnic project hosted on google code.
http://code.google.com/p/nocnnic/

CNNIC topic on twitter
https://twitter.com/search?q=CNNIC
https://twitter.com/search?q=CNNIC#search?q=CNNIC%20CA
Comment 117 Chan Tsz Kin 2010-02-11 10:31:45 PST
Mozilla is stupid... only 3 guys voted 
Then, the bug fixed...
However, this kind of report does not get fixed...
Comment 118 Kathleen Wilson 2010-02-11 12:11:18 PST
Here follows the recommended approach for users to change the settings of root certificate authorities in Mozilla products. This is the best way to disable a root certificate authority in your installation of Firefox, Thunderbird, and SeaMonkey.

Root certificates that are included by default have their "trust bits" set for various purposes, so that the software in question can use the CA certificates to verify certificates for SSL servers, S/MIME email users, and digitally-signed code objects without having to ask users for further permission or information. 

Caution: If you turn off the websites trust bit of a commonly used root certificate, you may get an "Untrusted Connection" error when you navigate to a website that you regularly use. Therefore, it is strongly recommended that you note which root certificate you modify, so that you can turn the trust bit back on if the change negatively impacts your browsing experience.

Important: This change will be permanent, such that it can only be changed again by you. This change will not be affected by upgrading to newer versions of Mozilla software.

Firefox
1. Open the Options/Preferences window:
   * On Windows: Pull down the Tools menu and select Options…
   * On Mac: Pull down the Firefox menu and select Preferences...
   * On Linux: Pull down the Edit menu and select Preferences 
2. Select Advanced
3. Select Encryption
4. Click on View Certificates to open the Certificate Manager
5. Select Authorities
   * Note: The root certificates with "Builtin Object Token" as the 
     Security Device are the root certificates that are included by 
     default in Mozilla products. 
6. Select the Root Certificate that you want to change
7. Click on Edit...
8. Unselect the check-boxes indicating the trust bits, then click on OK
9. Click on OK in the Certificate Manager
10. Close the Options/Preferences window
11. Close and restart Firefox 

Thunderbird
1. Open the Options/Preferences window:
   * On Windows: Pull down the Tools menu and select Options…
   * On Mac: Pull down the Thunderbird menu and select Preferences...
   * On Linux: Pull down the Edit menu and select Preferences 
2. Select Advanced
3. Select Certificates
4. Click on View Certificates to open the Certificate Manager
5. Select Authorities
   * Note: The root certificates with "Builtin Object Token" as the 
     Security Device are the root certificates that are included by 
     default in Mozilla products. 
6. Select the Root Certificate that you want to change
7. Click on Edit...
8. Unselect the check-boxes indicating the trust bits, then click on OK
9. Click on OK in the Certificate Manager
10. Close the Options/Preferences window
11. Close and restart Thunderbird 

SeaMonkey
1. Open the Preferences window:
   * On Windows: Pull down the Edit menu and select Preferences
   * On Mac: Pull down the SeaMonkey menu and select Preferences...
   * On Linux: Pull down the Edit menu and select Preferences 
2. Select Privacy & Security
3. Select Certificates
4. Click on Manage Certificates to open the Certificate Manager
5. Select Authorities
   * Note: The root certificates with "Builtin Object Token" as the 
     Security Device are the root certificates that are included by 
     default in Mozilla products. 
6. Select the Root Certificate that you want to change
7. Click on Edit...
8. Unselect the check-boxes indicating the trust bits, then click on OK
9. Click on OK in the Certificate Manager
10. Close the Preferences window
11. Close and restart SeaMonkey 

Further details are available here: https://wiki.mozilla.org/CA:UserCertDB
Comment 119 lee chun lok 2010-02-18 08:39:56 PST
I won't delete the cert until Mozilla proved that this is not another nasty politic move after Google. 

By deleting the cert, you effectively untrust all the chinese websites signed by the cert, making first time visitors susceptible to man-in-the-middle attack.

BTW, how did the reporter find the "bug" at the first place? for a ssl sniffing as you propose, no evidence can be collected from the client side, so i think it is safe to say, this is JUST A GUESS, at best; a conspiracy at worst.
Comment 120 Erwann Abalea 2010-02-18 10:05:57 PST
Deleting the CNNIC certificate will revert you to the same exact situation you were in before its inclusion in Mozilla.
All this bargain is about the inclusion of this root, which shouldn't have been permitted (from a lot of chinese comments). Now it's included, you don't want to delete it, because this would make all "CNNIC-signed" servers untrusted?

As to the potential conspiracy between Mozilla and the PRC, what world are you living in?
Comment 121 lee chun lok 2010-02-18 11:17:08 PST
Please don't bend the meaning of my original post. 
I was saying:
1. I don't delete the cert because I don't trust Mozilla. It's not the most moral company I have seen.
2. Removal of the cert won't fix anything, it only creates more problems, putting more people at risk.
3. If Mozilla is trying to start anything, they should support it with evidence instead of vain words by some random people.

No one really know how many Chinese like/dislike the inclusion of the cert. Please do not land on the premature conclusion right after you find the comment writers use some Chinese names. People can use any name on internet, including the reporter of this bug and first ten comment posters who set the tone of this discussion. You never know whether they are the different people or who they work for in real life.

As to where i live, I don't hold a USA nor China passport. You can safely assume I am quite neutral in this topic.
Comment 122 lee chun lok 2010-02-18 11:22:21 PST
Mozilla  doesn't even give us any details about what's wrong with the cert, they just call us to remove it. I think it is sensible to find out what is really happening before I do anything.
Comment 123 Albert.Chen 2010-02-18 17:18:13 PST
[reply] [-] Comment 121 lee chun lok 

Oh, please, please do not play your pitty logic tricks here.

1. You don't trust Mozilla, so you use all its certificates? You don't trust mozilla, then you accept CNNIC as a CA as mozilla did? What's wrong with you?

2,3. Human beings, in general, could well understand what is *potential risk*. Think of what punishment will be imposed on Versign, if it should ever cheat its user, while what will happen when CNNIC reveal our information to a third party (NOTHING.). 

4. How many Chinese like/dislike uh? You have just said that mozilla should rely on evidence, right? Even there is no individual in China dislike CNNIC, if the certificate does cause potential risk to FF users, it should be definitely removed.

You are neutral? No, you are crazy.
Comment 124 :Gavin Sharp [email: gavin@gavinsharp.com] 2010-02-18 18:30:53 PST
(In reply to comment #122)
> Mozilla  doesn't even give us any details about what's wrong with the cert,
> they just call us to remove it.

"Mozilla" is *NOT* asking or encouraging anyone to remove the root cert.

Some people have decided that they want to remove it, and Kathleen has provided instructions on the best way to do that (e.g. so that it persists across updates).
Comment 125 nfjinjing 2010-02-22 08:45:08 PST
(In reply to comment #121)
> Please don't bend the meaning of my original post. 
> I was saying:
> 1. I don't delete the cert because I don't trust Mozilla. It's not the most
> moral company I have seen.

You use a browser, the maker of which you don't trust? Why are you here?

楼主五毛?

50c?

For those who are not familiar with this term, 50c, short for 50 cent, (a direct translation of 五毛) is a way to identify government employed agents who "guide" public opinions on the internet. It is rumored that 五毛 are payed 50c per every online discussion. Since by giving an easily identifiable (filterable) term of this kind of scenario usually leads to a ban of that particular term on the chinese internet, chinese net citizens had to be creative and critical, which leads to the term 50c.

More information can be found by searching the keyword: 五毛 .

> 2. Removal of the cert won't fix anything, it only creates more problems,
> putting more people at risk.

Typical 50c style.

Why it won't fix anything, why it creates more problems, why it puts more people at risk?

> 3. If Mozilla is trying to start anything, they should support it with evidence

I happen to agree. 

A search of : 
---------------------------

#### cnnic malware 

* [CNNIC Tries to Justify Its Software](http://www.spamfighter.com/News-6573-CNNIC-Tries-to-Justify-Its-Software.htm)
* [BrowserModifier.CNNIC Description](http://www.enigmasoftware.com/browsermodifiercnnic-removal/)

and  252,000 more results

#### cnnic 禁止 个人 (translated to cnnic forbid individual)

leads to 1 million results

BTW, registration of domain names from individuals has been banned starting from Dec 14, 2009, it's reopened since Jan 18, 2010, with a restriction that personal identity needs to be revealed.

reference: * [CNNIC称实名制是向个人注册域名开放基础](http://tech.sina.com.cn/i/2010-01-18/01043778967.shtml)

articles
--------

* [CNNIC收回奥运冠军域名 部分原持有者不服](http://www.cnbeta.com/articles/62209.htm)
* [Translated: CNNIC took away domain name with the same name of olympic champion, original owner dissatisfied](http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://www.cnbeta.com/articles/62209.htm&sl=zh-CN&tl=en)

Please note, that this is a link to a server hosted in China, it's very likely that this page will be taken down after this post, which is quite common. To reproduce the same article, just search the "CNNIC收回奥运冠军域名" keyword, which yields to 9450 results on Google, as of today.

current public opinions
-----------------------

#### twitter search on: cnnic (Jan 22, 2009)

* <http://twitter.com/#search?q=cnnic>

for those who can't read chinese, more the half of the discussions are about how to remove CNNIC root certificate.


conclude
--------

The fact that cnnic has ever made a malware is enough for it to be excluded from the trusted domain.


> instead of vain words by some random people.
> 
> No one really know how many Chinese like/dislike the inclusion of the cert.
> Please do not land on the premature conclusion right after you find the comment
> writers use some Chinese names. People can use any name on internet, including
> the reporter of this bug and first ten comment posters who set the tone of this
> discussion. You never know whether they are the different people or who they
> work for in real life.
> 
> As to where i live, I don't hold a USA nor China passport. You can safely
> assume I am quite neutral in this topic.

Typical, "I'm neutral".
Comment 126 ryenus 2010-02-22 17:15:57 PST
As pointed out by David E. Ross in Comment 9, the Chinese (mainland) people cannot access the mozilla.dev.security.policy mailing list because of the GFW.

So,

1. Chinese people are not aware of the approval process to accept CNNIC, was there a vote or poll, we don't/didn't know. This effectively invalidated the acceptance of CNNIC. 

2. Please stop asking people to turn from bugzilla to the mailing list, it has been blocked by GFW for quite a while.

3. Because of item 1 above, given that the CNNIC acceptance was decided not in a fair condition, and people have provided evidence that in the past CNNIC has done evil things including DNS-hijacking google, creating virus-like IE add-in, both of which have been evidenced by normal non-tech people. it should be clear that the CNNIC should not be a trusted ROOT CA and why people have been arguring and *shouting* here.

Thanks
Comment 127 Rex Tsai 2010-02-22 21:53:15 PST
For people who are concerned about risk of CNNIC Root certifications. There are two addons available for help you manage the risks.

* CA Untrustworthy, Delete or disable CA certificates owned by CNNIC
https://addons.mozilla.org/en-US/firefox/addon/83152
* Cert Alert, Notify the user if download any content from CNNIC SSL sites.
https://addons.mozilla.org/en-US/firefox/addon/83154

https://addons.mozilla.org/en-US/firefox/tag/CNNIC
Comment 128 wangjl 2010-02-23 08:40:41 PST
i cannot believe firefox trust cnnic as root ca.it's the most famous evil site in china,and they developed the eariliest rascal software and forced to install in every chinese computer and even developed this a industrial.now ,with ca right ,they will persecute all good people all over the world and not only chinese.
Comment 129 Harly.He 2010-02-23 21:11:49 PST
**** the CNNIC. All the cn people wants butcher them. ****!
Comment 130 Jack 2010-02-26 15:57:00 PST
I'd like to point out that, some posts above are not by normal Chinese users, but by the so-called "50 Cent Party" [1] .  For example, someone who appeared to fiercely attacked CNNIC but quickly converted and made dirty comments about "your wife", and other dirty comments above.  Their purpose is just to incite hatred against normal Chinese users and turn around public opinion.  You can conclude these are a couple of their typical tricks, if you classify the remaining posts (by the "50 Cent Party") survived after huge number of normal posts are quickly deleted on Chinese bbs'.

[1] http://en.wikipedia.org/wiki/50_Cent_Party
Comment 131 Jiaji 2010-03-22 23:47:12 PDT
People who comment here are not asking for themselves, I believe most people who see this very page and understand what it says have already had the cert removed.

We are asking for those who use Firefox and don't know all these root and cert things, and _MAYBE_ someday, they opened a mail or a document online with a connection that they considered safe and trusted, and the very next day they were brought away by some Chinese Gestapo and had no idea why. Technical details are not suitable for this problem.

(In reply to comment #118)
> Here follows the recommended approach for users to change the settings of root
> certificate authorities in Mozilla products. This is the best way to disable a
> root certificate authority in your installation of Firefox, Thunderbird, and
> SeaMonkey.
> 
> Root certificates that are included by default have their "trust bits" set for
> various purposes, so that the software in question can use the CA certificates
> to verify certificates for SSL servers, S/MIME email users, and
> digitally-signed code objects without having to ask users for further
> permission or information. 
> 
> Caution: If you turn off the websites trust bit of a commonly used root
> certificate, you may get an "Untrusted Connection" error when you navigate to a
> website that you regularly use. Therefore, it is strongly recommended that you
> note which root certificate you modify, so that you can turn the trust bit back
> on if the change negatively impacts your browsing experience.
> 
> Important: This change will be permanent, such that it can only be changed
> again by you. This change will not be affected by upgrading to newer versions
> of Mozilla software.
> 
> Firefox
> 1. Open the Options/Preferences window:
>    * On Windows: Pull down the Tools menu and select Options…
>    * On Mac: Pull down the Firefox menu and select Preferences...
>    * On Linux: Pull down the Edit menu and select Preferences 
> 2. Select Advanced
> 3. Select Encryption
> 4. Click on View Certificates to open the Certificate Manager
> 5. Select Authorities
>    * Note: The root certificates with "Builtin Object Token" as the 
>      Security Device are the root certificates that are included by 
>      default in Mozilla products. 
> 6. Select the Root Certificate that you want to change
> 7. Click on Edit...
> 8. Unselect the check-boxes indicating the trust bits, then click on OK
> 9. Click on OK in the Certificate Manager
> 10. Close the Options/Preferences window
> 11. Close and restart Firefox 
> 
> Thunderbird
> 1. Open the Options/Preferences window:
>    * On Windows: Pull down the Tools menu and select Options…
>    * On Mac: Pull down the Thunderbird menu and select Preferences...
>    * On Linux: Pull down the Edit menu and select Preferences 
> 2. Select Advanced
> 3. Select Certificates
> 4. Click on View Certificates to open the Certificate Manager
> 5. Select Authorities
>    * Note: The root certificates with "Builtin Object Token" as the 
>      Security Device are the root certificates that are included by 
>      default in Mozilla products. 
> 6. Select the Root Certificate that you want to change
> 7. Click on Edit...
> 8. Unselect the check-boxes indicating the trust bits, then click on OK
> 9. Click on OK in the Certificate Manager
> 10. Close the Options/Preferences window
> 11. Close and restart Thunderbird 
> 
> SeaMonkey
> 1. Open the Preferences window:
>    * On Windows: Pull down the Edit menu and select Preferences
>    * On Mac: Pull down the SeaMonkey menu and select Preferences...
>    * On Linux: Pull down the Edit menu and select Preferences 
> 2. Select Privacy & Security
> 3. Select Certificates
> 4. Click on Manage Certificates to open the Certificate Manager
> 5. Select Authorities
>    * Note: The root certificates with "Builtin Object Token" as the 
>      Security Device are the root certificates that are included by 
>      default in Mozilla products. 
> 6. Select the Root Certificate that you want to change
> 7. Click on Edit...
> 8. Unselect the check-boxes indicating the trust bits, then click on OK
> 9. Click on OK in the Certificate Manager
> 10. Close the Preferences window
> 11. Close and restart SeaMonkey 
> 
> Further details are available here: https://wiki.mozilla.org/CA:UserCertDB
Comment 132 menuvb 2010-03-24 23:50:16 PDT
i can't trust CNNIC,support this suggest that remove it from NSS.
Comment 133 Qian Qian 2010-03-27 12:47:31 PDT
How much money does Mozilla get from CNNIC ? 
I can't believe you guys insisting on putting CNNIC into FF as root CA while so many Chinese users showed their lack-of-trust to this rouge "CA"
Comment 134 lincoln_yeoh 2010-03-31 07:15:14 PDT
The real problem is the following bug is not fixed, and has not been fixed even after 5 years:

https://bugzilla.mozilla.org/show_bug.cgi?id=286107

Quote:
Ian Grigg      2005-03-15 12:14:26 PST

#4.  I'd agree with that. 
 
The critical change is when a new cert comes in signed by a *different* CA.  In 
the event that this is a bad situation, both CAs can disclaim by pointing the 
finger at each other.  The bad CA just shrugs and says "I followed my 
established and audited procedures...."  In practice, even a little finger 
pointing will break any semblance of CAs backing up their words. 
--

The issues brought up in the rest of the discussion in that Bug report can easily be solved by allowing the browser to keep track of more than one cert or CA per site, and also allow the option of stuff like "allow any by this CA cert for this site".
Comment 135 Jiaji 2010-04-05 01:02:46 PDT
(In reply to comment #133)
> How much money does Mozilla get from CNNIC ? 
> I can't believe you guys insisting on putting CNNIC into FF as root CA while so
> many Chinese users showed their lack-of-trust to this rouge "CA"

In fact the PR dep't of CNNIC is at work now, most prominent Chinese IT websites and forums got the order to block the mention of deleting their root, I hope Mozilla is not as easily corruptible.
Comment 136 snovian 2010-04-16 00:15:51 PDT
China has a continuing history for DNS phishing and hijacking and CNNIC is an
official department of China government. CNNIC has a hisotry of malware
distribution. I am very surprised Mozilla will include CNNIC root certificate
in a browser product whose safety is a big concern for its large user base.
Please consider removing this certificate before a potentially MitM attack on a
large scale could occur in foreseeable future.

================================
As a Chinese, I experienced the CNNIC's Trojan attacks. We have developed a number of tools to remove all CNNIC implanted Trojan which in our computer.
Today, if Mozilla think that CNNIC trustworthy, then the large number of Chinese people will back into danger of being attacked.
As a responsible company, Mozilla should remove the CNNIC root certificate from  Firefox and other products.
Comment 137 Louie Wong 2010-05-19 23:52:20 PDT
I swear to God the following is true:

I ever brought a domain name from CNNIC,someday the CNNIC stop all the DNS resolve to make investigate.Everybody own a CN domain name knows this story.There are too much such stories.The CNNIC change the DNS record of twitter,youtube,a lot of sites.

> twitter.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    twitter.com
Address:  46.82.174.68

> twitter.com
Server:  ns.bta.net.cn(It's a dns server under CNNIC control)
Address:  202.96.0.133

Non-authoritative answer:
Name:    twitter.com
Address:  243.185.187.39

You can google "cnnic crack" OR "cnnic fake" for further information.

We can prove the pass but we can't prove the future.We can't prove CNNNIC use the root CA to do dirty things and we are not computer scientist.But if the weather is going to rain,everybody has the right to take an umbrella,even they can't prove it,even they are not meteorologists.

If you have sex with a hooker,you must take condoms,right?We are not trying to hurt anybody,We just protect ourselves.

Mozilla company,I sincerely beg,if you refuse to remove it,please give us an umbrella or condom instead.
Comment 138 scy 2010-05-20 01:32:01 PDT
I signed up simply to say CNNIC is responsible for the Great Firewall of China
and WE WILL NEVER TRUST CNNIC, NEVER!!! I am not a rude person but I would say
**** YOU CNNIC, **** YOU! You have ruined my computer with your malwares, and
you are now censoring the whole internet in China. In my eyes, you and the
goverment are the same **** thing. Damn all of you in CNNIC. For those
people who doubt what I said, google it. Talk to anybody who is in China and
find out the correct answer.**** CNNIC or it will **** you dadly one day.
Comment 139 iwantit 2010-05-24 22:06:47 PDT
Mozilla violates the rules first.

https://wiki.mozilla.org/CA:How_to_apply

The CA inclusion process requests public discussion.
However, the CNNIC Root Inclusion Request discussed by only a few people, and without any Chinese. see

http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/10239cabe69283f4/f7284db193f299af?lnk=gst&q=CNNIC+Root+Inclusion+Request#f7284db193f299af

I think PUBLIC DISCUSSION means public involved, not discussion in the public place, i.e. google groups.

Mozilla voilates the process in the first place. The inclusion process is illegal. And now, so many people have shown their options, removing CNNIC root CA. The mozilla guys should remove the CNNIC root CA.
Comment 140 zealic 2010-06-01 00:05:35 PDT
I do not trust CNNIC CA, please remove it; otherwise, I would switch to Chrome.

CNNIC is a government organization, chinese people not trust it.

I'm afraid of MITM!
Comment 141 Gervase Markham [:gerv] 2010-06-01 09:34:40 PDT
Chrome also trusts CNNIC on all platforms.

Gerv
Comment 142 Dan 2010-06-01 15:11:38 PDT
Actually last I checked, Chrome uses IE settings* when applicable (proxy, certificates, root authorities, etc) so it's more accurate to say Chrome trusts IE, which trusts CNNIC.  Following instructions on the 'net for blocking CNNIC from IE should also block it in Chrome.

* - These are technically supposed to be Windows system-wide settings, but few apps honor them in my experience.
Comment 143 Daniel Veditz [:dveditz] 2010-06-04 09:46:30 PDT
(In reply to comment #120)
> Deleting the CNNIC certificate will revert you to the same exact situation you
> were in before its inclusion in Mozilla.

If you mark it untrusted (see comment 118) you are actually in better shape than before. CNNIC certs _already_ worked because they chained to the trusted Entrust root. Now that CNNIC's root is in the browser you can easily untrust it rather than having to choose between untrusting all of Entrust or allowing CNNIC certs.
Comment 144 lee chun lok 2010-08-30 01:26:37 PDT
It seems that some of the guys here are full of preconception.
I thought Americans honor tolerance and understanding, but it seems that I was wrong.

>I do not trust CNNIC CA, please remove it; otherwise, I would switch to Chrome.
>CNNIC is a government organization, chinese people not trust it.
>I'm afraid of MITM!

Nice work, I beg you work for Li Hongzhi.
I hope you are paid well.
Comment 145 alpha.mm 2010-09-05 23:17:28 PDT
Well, you've deviated from this topic.
Because 
(1) CNNIC is wholly supervised by MIIT (as its self-intro says), and MIIT is a department of Chinese Gov, and Chinese Gov has been reported to try to monitor privacy by forcing software-creator to leave backdoor for them; And
(2) CNNIC once release a malicious software that is painstaking to uninstall;
Then it is reasonable to question the qualification of CNNIC as root cert.
It is not "full of preconception", but only a little early afraid.

And it is you that is "full of preconception" by suggesting that people above are working for Li xxxxxxx.
In the same absurd logic, can I beg you work for Chinese Gov and hope you are paid well?

(In reply to comment #144)
> It seems that some of the guys here are full of preconception.
> I thought Americans honor tolerance and understanding, but it seems that I was
> wrong.
> 
> >I do not trust CNNIC CA, please remove it; otherwise, I would switch to Chrome.
> >CNNIC is a government organization, chinese people not trust it.
> >I'm afraid of MITM!
> 
> Nice work, I beg you work for Li Hongzhi.
> I hope you are paid well.
Comment 146 lee chun lok 2010-09-06 02:49:03 PDT
(In reply to comment #145)
> Well, you've deviated from this topic.
> Because 
> (1) CNNIC is wholly supervised by MIIT (as its self-intro says), and MIIT is a
> department of Chinese Gov, and Chinese Gov has been reported to try to monitor
> privacy by forcing software-creator to leave backdoor for them; And
> (2) CNNIC once release a malicious software that is painstaking to uninstall;
> Then it is reasonable to question the qualification of CNNIC as root cert.
> It is not "full of preconception", but only a little early afraid.
> 
> And it is you that is "full of preconception" by suggesting that people above
> are working for Li xxxxxxx.
> In the same absurd logic, can I beg you work for Chinese Gov and hope you are
> paid well?
> 
> (In reply to comment #144)
> > It seems that some of the guys here are full of preconception.
> > I thought Americans honor tolerance and understanding, but it seems that I was
> > wrong.
> > 
> > >I do not trust CNNIC CA, please remove it; otherwise, I would switch to Chrome.
> > >CNNIC is a government organization, chinese people not trust it.
> > >I'm afraid of MITM!
> > 
> > Nice work, I beg you work for Li Hongzhi.
> > I hope you are paid well.

One of the guys above barked at me, saying I work for the Chinese government for 5 cents, so I was using his "logic".  

I really don't understand why any Chinese would like to harm their own government's reputation while they can always resolve their problems at home. 
That looks very strange to me.
Comment 147 Albert.Chen 2010-09-06 03:15:00 PDT
(In reply to comment #146)
> (In reply to comment #145)
> > Well, you've deviated from this topic.
> > Because 
> > (1) CNNIC is wholly supervised by MIIT (as its self-intro says), and MIIT is a
> > department of Chinese Gov, and Chinese Gov has been reported to try to monitor
> > privacy by forcing software-creator to leave backdoor for them; And
> > (2) CNNIC once release a malicious software that is painstaking to uninstall;
> > Then it is reasonable to question the qualification of CNNIC as root cert.
> > It is not "full of preconception", but only a little early afraid.
> > 
> > And it is you that is "full of preconception" by suggesting that people above
> > are working for Li xxxxxxx.
> > In the same absurd logic, can I beg you work for Chinese Gov and hope you are
> > paid well?
> > 
> > (In reply to comment #144)
> > > It seems that some of the guys here are full of preconception.
> > > I thought Americans honor tolerance and understanding, but it seems that I was
> > > wrong.
> > > 
> > > >I do not trust CNNIC CA, please remove it; otherwise, I would switch to Chrome.
> > > >CNNIC is a government organization, chinese people not trust it.
> > > >I'm afraid of MITM!
> > > 
> > > Nice work, I beg you work for Li Hongzhi.
> > > I hope you are paid well.
> 
> One of the guys above barked at me, saying I work for the Chinese government
> for 5 cents, so I was using his "logic".  
> 
> I really don't understand why any Chinese would like to harm their own
> government's reputation while they can always resolve their problems at home. 
> That looks very strange to me.

Please just face the questions.

If your so called 'logic' is just something like 'I beg you work for Li Hongzhi', then shut up.
Comment 148 lee chun lok 2010-09-07 05:22:52 PDT
I answered the question already. I hope you can read.
Comment 149 lee chun lok 2010-09-07 05:24:40 PDT
I am just a nobody. If you think being rude to me can archive anything, then you can continue.
Comment 150 lee chun lok 2010-09-07 05:25:49 PDT
and BTW why do you think I should be treated like that?
Comment 151 Albert.Chen 2010-09-07 06:06:27 PDT
3 consecutive posts...So excited huh? 

Your answer just made me laugh...And I hope you can read...

It's a difficult period in the economic crisis, and thank you, deeply, for your joke XD
Comment 152 lee chun lok 2010-09-07 08:44:08 PDT
That explains your attitude.
Comment 153 Johnathan Nightingale [:johnath] 2010-09-07 08:45:09 PDT
Bugzilla is not a discussion forum. Take it elsewhere.
Comment 154 Moses 2010-09-07 09:00:44 PDT
The discussion here is helpless and useless, this bug should be closed now.
Comment 155 Julian Mehnle 2010-09-07 09:37:42 PDT
lee chun lok just cleared this bug report's entire CC list.  Can someone please stop this vandal?
Comment 156 Gervase Markham [:gerv] 2010-09-07 09:42:58 PDT
Account disabled. However, no-one needs to be CCed on this bug because it is
now RESOLVED INCOMPLETE - that is, if further specific information of
wrongdoing is produced, as explained in comment #5 and other comments, it can
be reopened. Otherwise, it is closed. 

Gerv
Comment 157 Eddy Nigg (StartCom) 2010-09-07 12:39:52 PDT
I just wonder how somebody with no permission can remove others that are CC'd. Gerv, perhaps some thought for improvement?
Comment 158 Gervase Markham [:gerv] 2010-09-08 07:38:15 PDT
Eddy: people with no permissions can change the CC list, and add comments. That's all. This is the first time I've seen someone clear the entire thing, and the person concerned tells me by email it was accidental (he is unfamiliar with Bugzilla), not malicious. So I don't think it's worth changing the software.

Gerv
Comment 159 vliu.mtl.qc 2010-09-12 10:27:11 PDT
Hi everyone,

I roughly glanced through your comments on this web page, as well as those on another page presenting on the topic of bug 476766--https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18. I agree with all those who advocate for the complete removal of CNNIC CA Root from Firefox--I was suddenly "shot dead" while I was accessing my PayPal personal page via FF the other day--my newly-purchased laptop suddenly shut down itself while I was still online. I suppose that I was MITM-attacked from CNNIC. I tried to delete the CNNIC root from the certificate list, but it resurrected itself while I opened another FF web page. So could anyone tell me how to delete it in a permanent way, pls.?

Thanking you in advance.

Vincent LIU
Comment 160 Kathleen Wilson 2010-09-13 10:56:28 PDT
Dear Vincent LIU,

Would you please do the following?
1) Go back to the web page (eg PayPal personal page where you experienced the problem) via Firefox.
2) Click on the lock icon at the bottom right corner of the FF window.
3) Click on “View Certificate”
4) Click on “Export…”
5) Save the file, then attach it to this bug. If you can’t attach it to the bug, please send it to me via email.

Also, please see Comment #118 for instructions to disable the root in your Firefox browser.

Kathleen
Comment 161 W. Jiang 2010-09-21 05:09:03 PDT
I just left my comments on bug 476766 to support my fellow Chinese FF users to remove CNNIC ROOT CA immediately. CNNIC was not, is not and will not be trustworthy at all for Chinese people. Please consider such action seriously because it could be too late if someone would have been persecuted because of the inclusion of CNNIC ROOT CA. I am also disappointed for FF team not to re-consider the decision of bug 476766 again even after so many Chinese users have argued against that. Because of GFW-Great Firewall-imposed by Chinese government through CNNIC and ISPs, Chinese users-who FF should have relied on-had not chance to make their voice before that decision. We can only notice it after the wrong thing has been done. You FF developers were wrong for once, but please, never be wrong for twice. Remove CNNIC ROOT CA immediately as requested by my fellow Chinese users. We are truly concerning our own safety in mainland China and it is urgent issue for all of us. Even as I am not in China at present, I am still afraid of internet censorship and persecution from Chinese government if I would return. So please understand our concerns and ACT NOW!

As well said by some comments above, most of us who are able to post comments here are of good knowledge of computers too. But those who know few about computer cannot understand what we are talking here and don't know how to deal with the issue. What those guys know is that FF will tells them certain websites are authenticated. With the inclusion of CNNIC ROOT CA, those Chinese Internet uses will involuntarily expose their privacy to government agency and they even are unaware of such leak.  We here are voicing for all those Chinese users. So please, listen to us because it is a REAL and SERIOUS issue for Chinese people.

Thank you
Comment 162 dareblaze 2010-09-25 03:14:22 PDT Comment hidden (advocacy)
Comment 163 beta 2010-12-18 08:17:58 PST Comment hidden (advocacy)
Comment 164 David E. Ross 2010-12-18 11:38:11 PST
I had been tracking this bug report (despite it being closed) because I agree the CNNIC root should indeed be removed from NSS.  However, the hysterical tone of some comments and the crude language of others means that I will no longer care about this.  

For my own use, I have turned off all trust bits for this root.
Comment 165 anton.bugs@gmail.com 2011-03-24 22:05:35 PDT
There is a new evidence that china do run MITMA:
http://www.theregister.co.uk/2011/03/23/facebook_traffic_china_telecom/
"Tuesday's diversion appeared to affect only traffic traveling between AT&T users and Facebook"

As you can see, Chinese are not only one who can be compromised using that bogus CA.
Comment 166 duyang.seu 2011-08-16 09:18:05 PDT Comment hidden (advocacy)
Comment 167 Shuai MU 2012-02-20 04:06:44 PST Comment hidden (advocacy)
Comment 168 ZHANG Le 2013-01-31 11:56:32 PST
In case you are not aware of:
http://news.ycombinator.com/item?id=5124784

BTW, just FYI, I think part of the reason why this bug has become quiet is that many Chinese users don't care about this anymore, they have switched to Chrome.
Comment 169 Erwann Abalea 2013-01-31 12:12:17 PST
(In reply to ZHANG Le from comment #168)
> In case you are not aware of:
> http://news.ycombinator.com/item?id=5124784

This has nothing to do with CNNIC as a CA.

> BTW, just FYI, I think part of the reason why this bug has become quiet is
> that many Chinese users don't care about this anymore, they have switched to
> Chrome.

Chrome uses the OS' trust store if available, or Firefox' one under Linux. So there's no change here.
Firefox also respects HSTS, just like Chrome does, it only doesn't "pre-pin" HSTS parameters.

You're free to disallow CNNIC on your installation, it's way better than delete the CA. So far, CNNIC hasn't behaved badly as a CA, if it ever does it will be untrusted.
Comment 170 ZHANG Le 2013-01-31 12:19:29 PST
FWIW, someone said Entrust had unsigned CNNIC CA.
http://www.chromechina.com/news/24415.html (Sorry this is in Chinese)
IMHO it makes sense to remove it, if that's the case.
Comment 171 Albert.Chen 2013-01-31 13:18:32 PST
@ZHANG Le 

Do not agree BTW part. FF is still very popular and so far no other browser can compete FF in extensibility.

I would say the high risk now came from the already identified man-in-the-middle attack to github.com in last 1 or 2 weeks.
Comment 172 Daniel Veditz [:dveditz] 2013-01-31 14:02:48 PST
*** Bug 836747 has been marked as a duplicate of this bug. ***
Comment 173 :Gavin Sharp [email: gavin@gavinsharp.com] 2013-07-25 16:21:58 PDT
*** Bug 897907 has been marked as a duplicate of this bug. ***
Comment 174 Allen Drinkwater 2013-08-27 19:28:27 PDT
(In reply to Johnathan Nightingale [:johnath] from comment #5)
> Bugzilla isn't a place for advocacy, this discussion belongs in the
> mozilla.dev.security.policy newsgroup, as Eddy mentions.
> 
> Having said that - I am very sensitive to the concern here.  In my latest
> posting to that newsgroup, I said, in part:
> 
> 1) We have never claimed as a matter of policy that our PKI decisions can
> protect people from malicious governments. It's just not a plausible promise
> for us to make.
> 2) I think, regardless of government ties, we'd carefully review and might
> well yank trust for any CA that was complicit in MitM attacks.
> 3) CNNIC complied with our root addition policy, they are in the product
> presently, so this isn't a question of approval, this is a question of
> whether we should review.
> 
> It feels to me like that makes our next step clear, here. It won't help to
> tally up the complainants (there will be many), and it won't help to demand
> assurances from CNNIC (since the alleged governmental pressure would trump
> those anyhow). It certainly won't help to cite wikipedia.
> 
> If there's truth to the allegation, here, then it should be possible to
> produce a cert. It should be possible to produce a certificate, signed by
> CNNIC, which impersonates a site known to have some other issuer. A live
> MitM attack, a paypal cert issued by CNNIC for example. If anyone in a
> position to produce such a thing needs help understanding the mechanics of
> doing so, I'm sure this forum will help them.
> 
> SSL makes tampering visible to its victims. The certificate has to actually
> make it to my client before I can decide to trust it. By all means, let's
> arm people with the knowledge to detect and record such instances. But I
> don't see any clear step we can take until then.

Stating something will not help will certainly not help.
Trying to make a bug here and kick everyone out somewhere else, in name of bugzilla does not care the title, will certainly not help.
I see you've got somewhat insane trust chain, you trust a everyone-say-it-is malware publisher. And in my browsing experience that 'everyone' is right. Review your decisions rather than repeating the bugzilla is not the right place for advocacy. That's how i love(d) mozilla.
Till now. best regards.
Comment 175 Adam Borowski 2013-08-28 06:22:46 PDT
Yes, everyone says CNNIC is a malware publisher.  It is, it also takes part of a massive MitM campaign within the Golden Shield project.  It has never been caught issuing false SSL certificates, but because of how hard it is to spot such cases, I'd say you can be quite certain they did it so in at least some targetted cases.

Same applies to Etisalat.

But hey, we recently learned (as opposed to merely suspecting) that the NSA forces US-based companies to do the same.  I would be really surprised if Russia did not do the same, and every two-bit dictatorship out there.  As for "civilised" countries, I'd say they're only "likely" to be in this business.

Thus, singling out CNNIC sadly isn't that good an idea anymore.

We need, urgently, to distrust the whole CA cartel infrastructure, moving to some alternative like DNSSEC+DANE[1] which already is strictly more secure than CAs, but that's not within the scope of this bug.

[1]. DNSSEC suffers from two problems: last mile -- easily solvable by doing validation in the local OS and/or browser, and its reliance on ICANN -- far harder to exploit than CAs, but still giving control to the NSA -- solvable by shipping per-TLD keys.
Comment 176 Yongzhi Pan 2015-03-23 22:40:59 PDT
An incident concerning CNNIC: Revoking Trust in one CNNIC Intermediate Certificate: https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/
Comment 177 Christoph Anton Mitterer 2015-03-24 06:17:36 PDT
<sarcasm>What a surprise... really no one could have seen that coming</sarcasm>

Oh wait, actually every decent security person could have seen that coming, and Mozilla was even warned.

Now of course I'm a 100% sure that this was just an "accident" - honi soit qui mal y pense!
Or was it not? Does anyone know anything about that intermediate CA? Was it perhaps just created as a straw-man, to draw off attention/responsibility from the root CA?

Well, well, well... I guess that happens when an original open source organisation has just eyes for money and market share - it buys out the security and freedom (e.g. all the ads stuff the finds now it way into mozilla or proprietary codecs) of their users.

Apparently it needs just enough money any literally everyone from every totalitarian country can have it's own CA in Mozilla :)


And is anything going to happen now? No. Just as nothing has happened before to the CAs that forged certificates (e.g. turktrust, IIRC)
Comment 178 qsj 2015-03-24 09:10:01 PDT Comment hidden (abusive)
Comment 179 alex.iroul.chen 2015-03-24 11:46:25 PDT Comment hidden (advocacy)
Comment 180 virushuo 2015-03-25 00:44:16 PDT Comment hidden (advocacy)
Comment 181 cnbeining 2015-04-01 19:27:14 PDT
For developers who does not aware of this, Google and CNNIC "have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products." (http://googleonlinesecurity.blogspot.co.nz/2015/03/maintaining-digital-certificate-security.html)

In this incident, when CNNIC's CAs are intentionally abused(never shall a responsive, or,trained system administrator use a trusted CA to conduct MITM attack to "surveillance" its staffs: it is common sense that a self-signed certificate should be used and manually installed on every device), CNNIC had not shown its professional nor responsive a Root CA should have to solve this error. I would be hard pressed to say that CNNIC is eligible to perform as a responsive CA that should stay in the NSS.

Please consider remove this CA at least temporary, to give the community enough time to review its behaviour and, for CNNIC, to conduct internal examine and review.
Comment 182 TianYi ZHU 2015-04-01 19:34:13 PDT
hmm, "I told you so."(In reply to TianYi ZHU from comment #11)

> i regiested an account only to show my support.
> remove it. i don't trust CNNIC.
Comment 183 Kathleen Wilson 2015-04-01 22:18:47 PDT
As we said in our security blog...
https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/

We have been discussing this in mozilla.dev.security.policy. 

We expect to wrap up our discussion in mozilla.dev.security.policy soon and then post another security blog about it,  in the meantime you can see the plan we are currently discussing here:

https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/cOdohhBrBTgJ
which is:
> * Reject certificates chaining to CNNIC with a notBefore date after a
> threshold date
> *  Request that CNNIC provide a list of currently valid certificates, and
> publish that list so that the community can recognize any back-dated certs
> * Allow CNNIC to re-apply for full inclusion, with some additional
> requirements (to be discussed on this list)
> * If CNNIC's re-application is unsuccessful, then their root certificates
> will be removed

and further information here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/sj0p6qvYcUMJ

Please follow up in the discussion in mozilla.dev.security.policy, and not in this bug.

Thanks,
Kathleen
Comment 184 Christoph Anton Mitterer 2015-04-02 08:10:44 PDT
Far too little, far too late.

That Mozilla is discussing this now (just because Google did the move), even though many security experts told you here better 5 years ago, is simply outrageous.


Your "plan" sounds like a bad joke either, it reads like "not really doing anything... and possibly removing their certificates if the reapplication should fail".
Since the re-application doesn't really mean much more than doing a big money order[0] this is probably moot.

[0] Or how else is it explained that CAs from totalitarian dictatorships are included which are notoriously known to hack and spy people.
Comment 185 Daniel Veditz [:dveditz] 2015-04-02 10:55:27 PDT
(In reply to Christoph Anton Mitterer from comment #184)
> That Mozilla is discussing this now (just because Google did the move)

Our discussions started long before Google's April 1 announcement as can be seen in the newsgroups links Kathleen provided. If you read Google's announcement carefully they, too, are not going to break existing CNNIC-issued certs right away, and have left open the possibility for CNNIC's re-inclusion. In the end I expect Firefox and Chrome to behave similarly.
Comment 186 Christoph Anton Mitterer 2015-04-02 11:20:35 PDT
It doesn't really change anything whether or not you've started that discussion before.
This bug is now open since more than 5 years, and while you discuss, certificates are probably continued to be forged.
I wonder how many people silently disappeared in some Chinese prisons because the trusted to communicate safely but could be easily attacked.

And, of course, Google's announcement is also extremely weak.
Untrustworthy CAs, or such for which it's extremely likely that they're untrustworthy should be generally removed immediately.
This especially applies to any CAs from totalitarian countries and/or close-to autocracies.

Haven't we had the same case with turktrust? Nothing happened.


And there's e.g. bug #1078764, new certs are silently injected into users configuration.
Comment 187 him 2015-04-02 11:37:23 PDT
> This bug is now open since more than 5 years

This bug was closed five years ago. 

Mozilla cannot be expected to act on unsubstantiated claims. They are now acting on material evidence. Evidence that does not show CNNIC conspired to MiTM users. 

Do I think CNNIC should be removed from the trust store? Yes. Do I think CNNIC has bad reasons to want a trusted root? Most likely. But I don't think we should expect Mozilla to act on speculation.
Comment 188 Julian Mehnle 2015-04-02 11:48:14 PDT
I really have no stake in this, but having followed this issue for years, I've heard this argument too many times now: "Don't expect Mozilla to act on speculation."

Mozilla is not a court of law, and presumption of innocence does not apply. Firefox is being developed for its users, not for CAs. What really *should* apply when it comes to including CAs in the root store is the *precautionary principle*.

http://en.wikipedia.org/wiki/Precautionary_principle

It's a basic security concept.
Comment 189 wisicn 2015-04-02 20:59:59 PDT
(In reply to Kathleen Wilson from comment #183)
> As we said in our security blog...
> https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-
> intermediate-certificate/
> 
> We have been discussing this in mozilla.dev.security.policy. 
> 
> We expect to wrap up our discussion in mozilla.dev.security.policy soon and
> then post another security blog about it,  in the meantime you can see the
> plan we are currently discussing here:
> 
> https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/
> cOdohhBrBTgJ
> which is:
> > * Reject certificates chaining to CNNIC with a notBefore date after a
> > threshold date
> > *  Request that CNNIC provide a list of currently valid certificates, and
> > publish that list so that the community can recognize any back-dated certs
> > * Allow CNNIC to re-apply for full inclusion, with some additional
> > requirements (to be discussed on this list)
> > * If CNNIC's re-application is unsuccessful, then their root certificates
> > will be removed
> 
the CNNIC's root CA on how to issue an intermediate certificate process obviously lack of transparency and responsibility, while you still ask the community members to provide you the so called professional  evidence: "We ask your continued patience and request that further input remain professional and focused on providing concrete evidence that can be acted on according to the Mozilla CA Certificate Policy"  
is this sound like a joke?  is this unauthorized digital certificates for several Google domains are professional enough?
And still you give CNNIC a chance to re-apply, without any detailed requirement on the transparency (yes, you said you will discuss this later, but you allowed CNNIC to re-apply already),  meanwhile you chose to only revoke one CNNIC Intermediate Certificate not the root CA, it is fully not acceptable by me and it still hurt the security of the Mozilla products user.
and for your  Request that CNNIC provide a list of balabla,  I will be very very glad to see you will get a buggy English response/Statement from CNNIC like this later:
http://www1.cnnic.cn/AU/MediaC/Announcement/201504/t20150402_52049.htm

at that time, I hope it is not another 5 or 6 years later, I will personally ask you a question, is it hurt to be slapped on the face again and again?
Comment 190 Lu Wei 2015-04-02 22:40:32 PDT
What about another CA named "China Internet Network Information Center EV Certificates Root"? (
4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E) Is this a variant of CNNIC?
Comment 191 Christoph Anton Mitterer 2015-04-02 22:47:17 PDT
@Lu Wei, this is just the EV version of the forgery CA.
And WoSign is likely the backup CA :=)
Anyway, if these two'd get kicked out, I'm sure the people's liberation army could just by any required certs from many other CAs included in the Mozilla bundle


Honi soit qui mal y pense!
Comment 192 Adam Borowski 2015-04-03 00:08:12 PDT
(In reply to him from comment #187)
> Mozilla cannot be expected to act on unsubstantiated claims. They are now
> acting on material evidence. Evidence that does not show CNNIC conspired to
> MiTM users. 

Except that there's plenty of evidence, just not for SSL.  They partake in massive MitM of non-SSL traffic, as part of the Golden Shield project.  As for SSL, they have been cautious to not get caught -- as the consequences of doing so may mean losing CA inclusion.  Using fraudulent certs against high-value targets is moderately safe: the chances someone spots that the CA changed and connects that to a MitM attempt are really minor.  So, it took until now that such a fraudulent cert has been revealed.
Comment 193 Christoph Anton Mitterer 2015-05-28 18:11:46 PDT
JFTR, with CFCA, another CA controlled by a totalitarian country and it's governmental organisation has been silently injected with FF38.

Requested removal in #1169490.
Comment 194 him 2015-05-28 19:29:28 PDT
(In reply to Christoph Anton Mitterer from comment #193)
> JFTR, with CFCA, another CA controlled by a totalitarian country and it's
> governmental organisation has been silently injected with FF38.
> 
> Requested removal in #1169490.

Yes, silently injected with the application visible only for two years. 

Look, China's bad but don't spread misinformation - Mozilla doesn't 'sneak in' CAs.
Comment 195 Christoph Anton Mitterer 2015-05-28 21:03:38 PDT
(In reply to him from comment #194)
> Look, China's bad but don't spread misinformation - Mozilla doesn't 'sneak
> in' CAs.
It does, cause the proper behaviour would be to ask users whether they want to enable/trust new certificates when they got added.

Right now, one has to manually check either the changelog or the whole list of CAs.
Both annoying and basically not practicable - especially for end-users.

So effectively, it is silent injection.

Note You need to log in before you can comment on or make changes to this bug.