Closed Bug 836747 Opened 11 years ago Closed 11 years ago

consider removal of CNNIC CA

Categories: NSS :: CA Certificates Code
Type: task
Priority: Not set
Severity: critical
Tracking: Not tracked

RESOLVED DUPLICATE of bug 542689

People: Reporter: calestyo, Unassigned

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1
Build ID: 20130118223732

Steps to reproduce:

To be honest, I think Mozilla's behaviour and policy in case of selecting new CAs and dropping old ones in case they prove to be not trustworthy (TurkTrust and friends cases) is quite questionable, to be diplomatic.

One such case is that CNNIC has ever been accepted as a root CA.


For many years now it is known that "forces" in China are heavily involved in cyber attacks.
Many security experts claim that either the government or the Liberation Army are directly or at least indirectly involved, as the attacks are so sophisticated that it's unlikely they could be done by individuals.

Now Mozilla has added CNNIC to the CA store, which - given how awkwardly broken the whole X.509 system is - makes all people (using Mozilla) worldwide vulnerable in case CNNIC would intentionally issue fraudulent certificates.
Not just Chinese people could be attacked with forged certs but anyone in the world, as it's "easy" to place man in the middle attacks (and the like) with such fraudulent certificates.

Given that you block other CAs like CAcert (which have to some extent also a trust problem) this seems quite outrageous.


Even if CNNIC wasn't some agency directly controlled by Chinese government, one can expect that the government has enough influence to pressure any non-governmental CA in China to help with such attacks.

And the list of cyber-attacks likely originating from China is long:
- The attacks against Google.
- The just revealed attacks against the NY Times.
- The "attacks" against github (https://lwn.net/Articles/535149/).


Of course one can argue that each country could possibly pressure CAs within its borders to help in attacks (e.g. also the US or Germany), but I guess it's a difference when the CA is located in a real democracy, where it would have at least some good chances to go to court and/or make it public.


Especially outside China, CNNIC has likely little to no importance at all and it doesn't seem reasonable that all other people have to pay for China not being a democracy.

For that reason I suggest to completely remove the CNNIC CA certs from Mozilla as soon as possible.
If this seems to be not feasible for technical (or more likely, political) reasons one should at least disable them by default.


I intentionally marked this bug as private, and would prefer it not to be published, even when it is resolved; for obvious reasons.
btw: Obviously one should remove other CAs from countries that have questionable trustworthiness (e.g. Iran, Syria, North Korea) too.
But on a short glance I haven't found such.
Severity: normal → critical
Christoph, normally the Mozilla project discusses policy issues such as this in public. As far I can tell this is not actually a "bug" to be fixed, but a request to consider some other CA policy.

I think we would like to mark this bug INVALID and ask you to start this discussion in the appropriate public forum (mozilla.dev.security.policy) https://lists.mozilla.org/listinfo/dev-security-policy

Is there a particular reason you'd like this bug to remain private?
Phew well... "not a bug"... it at least has some potentially heavy implication on anyone's security.

I think discussing this is kinda ... politics... as from a security POV things should be clear.
But I would rather see such a discussion initiated by some of you guys, than the whole thing being forgotten completely.
As I saw, CNNIC is trying to get an EV root cert in... which would open them completely all doors.


Well I guess it's well known that the Chinese regime isn't all too friendly to its critics; given that they'd probably read along,.. one could possibly risk sanctions from their side.
CNNIC has followed our policy and passed the required audits, beyond that we can't do much without proof they've mis-used their CA status. As much as we might have misgivings about where CNNIC is based, I'm sure residents of many other countries are equally mistrustful of American-based CAs like VeriSign which could theoretically be compromised by US spooks. This points out the weaknesses of today's PKI system, which was invented in the 90s but without the foresight of what happens when the Internet gets to the scale it is today.

In the short term capture a fraudulent cert issued by CNNIC or any other CA and we have grounds to take action. Run an addon like CertPatrol to help detect this kind of potential attack.

In the medium term we're adding support for Cert pinning which will help detect and report on attacks of the kind feared.

In the long term we're in discussions with browser makers and others on fixes to or alternatives to today's PKI regime (for example, Adam Langley's "Certificate Transparency" proposal).
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
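As an added illustration of the CertPatrol-style detection and the pinning mentioned in the comment above (example code, not from Mozilla or the CertPatrol addon): a minimal per-host pin store that records the issuer and SPKI fingerprint on first use and flags a later certificate for the same host that is vouched for by a different issuer. The observations, issuer names and key bytes below are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Observation:
    """One TLS connection as seen by the client (constructed sample data)."""
    host: str
    issuer: str       # issuer DN of the leaf certificate
    spki_der: bytes   # DER-encoded SubjectPublicKeyInfo of the leaf


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the public key, the value pinning schemes compare."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass
class PinStore:
    # host -> (issuer DN, SPKI fingerprint) recorded on first visit
    pins: dict = field(default_factory=dict)

    def check(self, obs: Observation) -> str:
        fp = spki_fingerprint(obs.spki_der)
        known = self.pins.get(obs.host)
        if known is None:
            # Trust on first use: remember who vouched for this host.
            self.pins[obs.host] = (obs.issuer, fp)
            return "NEW"
        pinned_issuer, pinned_fp = known
        if fp == pinned_fp:
            return "OK"
        if obs.issuer == pinned_issuer:
            # Same CA, new key: a plausible renewal, still worth a look.
            return "ROTATED"
        # A different CA now vouches for a host we have a pin for: this is
        # exactly the mis-issuance case the thread worries about.
        return "ALERT"


def run_demo() -> list:
    """Replay a constructed sequence of visits to one host."""
    store = PinStore()
    visits = [
        Observation("bank.example", "CN=Pinned Root CA", b"constructed-key-1"),
        Observation("bank.example", "CN=Pinned Root CA", b"constructed-key-1"),
        Observation("bank.example", "CN=Pinned Root CA", b"constructed-key-2"),
        Observation("bank.example", "CN=Some Other CA", b"constructed-key-3"),
    ]
    return [store.check(v) for v in visits]
```

A real client would pin the SPKI hash of the expected CA or leaf rather than trusting the first connection blindly, but the comparison and the alert condition are the same.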
Well to be honest, Daniel, all this sounds like hiding behind poor excuses.

If CNNIC would be misused to perform attacks, then surely only in a very very limited and selective way so that no one notices.

You're right, and I've said that before, that people may also mistrust US-based CAs (or those from more or less any other country),... but putting the US on the same level as China is ridiculous; of course not everything with respect to privacy, surveillance and security laws goes right in the US, but in no way can this be compared to the suppression in China... and in the US you at least still have independent courts.


I guess it should be clear to everybody, that the current system has failed and is only continued because there is no easy way to abolish it immediately.
It's quite concerning that browser manufacturers keep highly questionable CAs (especially very small ones for which one can easily doubt that they have the means to provide adequate security)...
And keeping CAs like CNNIC is simply naive... sometimes, common sense is a better means than strictly following a policy. And common sense would tell: Don't trust the government controlled CA from a country that everyone knows for suppression and cyber attacks.

And to be further honest: Reading things like "In the short term capture a fraudulent cert issued by CNNIC or any other CA and we have grounds to take action." makes me wonder whether security itself is understood... cause even if one would catch such a case... it would already be too late (for the victim).



Regarding your mentioning of PKI systems...

I'm surprised that Mozilla's security experts think PKI == X.509.
There is a PKI available (of about the same age as X.509) which never had the flawed design of being purely strictly hierarchic.
But AFAIR, Mozilla still blocks OpenPGP's implementation in browsers.
Solving the X.509 problem is "easy"... the only real way is a meshed PKI as OpenPGP provides it.
And users need to personally set up trust relations for their really important stuff (online banking, etc.) and other things need a system of multiple signatures from CAs where a certain number needs to be reached to get trust; just as OpenPGP has done for years.

I use CertPatrol,.. but it provides only very very limited help,... even for advanced users.


Just my 2ct.
btw: Even if you say you cannot remove them for political reasons, because they fit the policy.

Just add a requirement to the policy which is only met by CAs from free/democratic countries.