When the Core Mechanism of Internet Security Meets a Rogue Government
I did not want to discuss any internet topic, but this incident (the CNNIC root certificate) directly threatens every one of us, and we should not stay silent. "The road to North Korea is paved by every silent Chinese person." (a fellow Twitter user)

The digital certificate mechanism, built on asymmetric cryptography, is the core barrier of internet security; every industry-standard security technology, including HTTPS, S/MIME and FTPS, rests on it. Because of this barrier, when we browse Gmail over HTTPS, when we use Google Reader over HTTPS, when we use online SSL proxies, we have reason to believe that our privacy and our communications cannot be seen by a certain dictatorial government, its party, or their censorship agencies. Now CNNIC, under the control of a certain rogue government, is trying to plant a giant nuclear bomb beneath this barrier.

In fact, in this rogue country SSL stopped being absolutely secure long ago. When you use online banking, Alipay and similar services, the bank's website has already installed a root certificate on your computer, and this rogue country's government, its party, and every domestic company, institution and organization it can control are all untrustworthy. Nobody can be sure that one day this dictatorial regime will not use a root certificate it controls to carry out a man-in-the-middle attack against an ordinary citizen or a "dissident".

Beyond that, the dictatorial regime has other means: it can impersonate someone and apply to a foreign CA for an SSL certificate for a domain. Most CAs offer a kind of "Rapid SSL" certificate whose application only requires validating an email sent to the domain administrator, and the whole process takes only a few minutes. Stealing an email is far easier than stealing a private key, especially for this most shameless, most thuggish regime in human history and its enormous apparatus of rule.

Even so, if CNNIC becomes a trusted CA built into operating systems and browsers, it will still have an unimaginably large impact on our network security.

I. It reduces the cost for the GFW and the government to eavesdrop on SSL to zero, and the attack works against computers running almost any operating system and browser.

II. Although this kind of man-in-the-middle attack is easy to detect, that is no problem for a rogue regime. One day the rogue regime may legislate that "the state uses CNNIC as its official CA and lawfully inspects and manages all SSL communications", making man-in-the-middle attacks legal and universal, just like corporate gateway firewalls that inspect SSL. Don't think this is a fantasy; we already live inside a LAN.

III. In addition, the MIIT, CNNIC and other ministries may jointly issue regulations requiring that "all HTTPS websites operating in mainland China must use SSL certificates issued by CNNIC or another domestic CA", impose a whitelist system on the SSL certificates of foreign websites, and block every one that has not registered, just like the domain-name whitelist system they currently want to adopt. (This one is quite likely to happen; one day CCAV may well report that "obscene and illegal websites are using encryption technology to evade crackdowns; network experts say the SSL certificate field urgently needs effective regulation.")


More than once I have felt how fortunate it is that nothing about the internet was invented in China. Although the OSI model and the TCP/IP protocols were designed without security in mind, which makes them easy for a rogue government to censor and block, they still built an open, distributed Internet that no person, institution or country can truly shut off; although the DNS protocol is the weakest link in today's internet security, and although China already has many mirrors of the root DNS servers, the cornerstone of the whole internet, the 13 root DNS servers, is still located entirely abroad; although the SSL/TLS protocol has many shortcomings, it remains the best security technology, and all the root CAs built into browsers are foreign. Now my last consolation may be about to be shattered: an agency under the rogue government is threatening the core security mechanism of the entire internet.


However, we need not despair. We believe in the power of the people, and we believe that freedom cannot be stopped. Every censorship measure adopted by a certain rogue regime will perish together with it. When that day finally comes (and it will come), Chinese netizens will be gratified that for decades they were almost always on the front line of the struggle between freedom and dictatorship.

Now, what you must do (if you have not done so already) is remove and disable the CNNIC root certificate from every operating system and browser on your computers.

Attached below is an impassioned statement by a fellow named lihlii from the Bugzilla@Mozilla discussion "Add CNNIC CA Root Certificate". It voices the feelings of all Chinese netizens, all Chinese people, and indeed all freedom-loving people around the world.

(More voices from the Chinese public can be found here)
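One way to check what the post asks for, as an added example that is not part of the original post: a stdlib-only Python script that loads the same CA bundle Python's ssl module trusts and lists every trust anchor whose subject organization or common name matches a pattern. The search pattern CNNIC is the organization named in the post; the exact subject string in any given store, the constructed sample records and the function names are assumptions. Firefox keeps its own NSS certificate store, so this covers only what the operating system and OpenSSL trust.

```python
import re
import ssl

# Records use the nested-tuple layout Python's ssl module returns from
# SSLContext.get_ca_certs() and SSLSocket.getpeercert():
#   {'subject': ((('countryName', 'XX'),), (('organizationName', '...'),), ...),
#    'issuer': (... same layout ...), 'notAfter': 'Jan  1 00:00:00 2035 GMT'}


def name_to_dict(rdns):
    """Flatten an ssl-module distinguished name into {attribute: value}."""
    out = {}
    for rdn in rdns:
        for attr, value in rdn:
            out[attr] = value
    return out


def find_roots(ca_certs, pattern):
    """Return every CA record whose subject organization or common name
    matches the regular expression `pattern` (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for cert in ca_certs:
        subj = name_to_dict(cert.get("subject", ()))
        text = " ".join(subj.get(k, "") for k in ("organizationName", "commonName"))
        if rx.search(text):
            hits.append(cert)
    return hits


def describe(cert):
    """One-line summary: CN, O, whether it is a self-signed anchor, expiry."""
    subj = name_to_dict(cert.get("subject", ()))
    issuer = name_to_dict(cert.get("issuer", ()))
    kind = ("self-signed root" if subj == issuer
            else "issued by " + issuer.get("commonName", "?"))
    return (f"{subj.get('commonName', '?')} (O={subj.get('organizationName', '?')}), "
            f"{kind}, expires {cert.get('notAfter', '?')}")


def audit_default_store(pattern):
    """Load the platform CA bundle the way Python's ssl does and report each
    trust anchor matching `pattern`. Any anchor listed here can vouch for a
    certificate on any domain: the chain validator never asks which CA you
    expected for a given site, which is exactly the post's concern."""
    ctx = ssl.create_default_context()
    return [describe(c) for c in find_roots(ctx.get_ca_certs(), pattern)]


# Constructed sample records (not real certificates) so the functions can be
# exercised without touching the system store.
def _rec(cn, org, country, expires):
    name = ((("countryName", country),), (("organizationName", org),), (("commonName", cn),))
    return {"subject": name, "issuer": name, "notAfter": expires}


SAMPLE_STORE = [
    _rec("Example Global Root", "Example Trust Services", "XX", "Jan  1 00:00:00 2035 GMT"),
    _rec("Hypothetical NIC Root", "Hypothetical National NIC", "YY", "Jan  1 00:00:00 2030 GMT"),
]

if __name__ == "__main__":
    # Sample data first, then the real store (pattern taken from the post).
    for c in find_roots(SAMPLE_STORE, r"hypothetical"):
        print("sample:", describe(c))
    for line in audit_default_store(r"CNNIC"):
        print("TRUSTED ANCHOR:", line)
```

Run it once per machine; an empty result for the real store means the OS bundle that Python sees does not contain a matching anchor, not that every browser profile is clean.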

1. Is it considered by CNNIC as "service on technology and research" to spread
malware with administrative power to spy on Internet users?

2. Is it considered by CNNIC as "service on technology and research" to ban
personal website registration in the .cn domain space [1][2][17]?

3. CNNIC banned the DNS resolving of a lot of independent websites, such as
bulllog.cn [1][2].  Is this considered by CNNIC as your way of "service" of
"registry for Chinese Domain Name"[4]?  Is this considered by CNNIC as "the
similar role as VeriSign"[4]?

4. Is CNNIC "qualified with the international criteria"[4] as a trustworthy
certificate authority?

5. Why did Liu Yan try to mask the real face of the PRC governmental nature of
CNNIC [5]?  Why did he even try to hide the application by setting the bug
report to "Restricted Visibility"[6] at first?

6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet
security"[5].  Is it considered by CNNIC as "operation to protect Internet
security" by spreading unremovable malware to spy on users' Internet activities
exploiting security flaws of the browsers, as CNNIC did [9][18]?

Liu Yan further claimed that "the WebTrust audit for government is much simpler
compared to company"[4].

So do you think CNNIC is a government or not?  If CNNIC is controlled by the
PRC government, why don't you dare to clearly admit it, but instead mislead the
readers by posing as a "just offers service on technology and research" [4]?
What's the motivation to hide the real identity of CNNIC? :)

Liu Yan (note: the CNNIC employee posting in the Mozilla community) said: "There is no possible for us to monitor the user's actions or do
some attacks. I think every technical personnel knows that."[4]

Unfortunately, this is an arrant lie.  CNNIC not only DID "monitor the users'
actions" with intentionally spread malware [9], but also cooperated actively
with the PRC government to crack down independent blogs and websites
[1][2][17].  It's also highly possible that they may actively cooperate in MITM
attacks with such a government which attacked [15][16] its citizens, as well as
dozens of companies and many computers of foreign civil organizations and
government offices [10][11].

Further, is the PRC government a decent government?

Should a government put all their citizens in an information jail by building a
GFW (Great Firewall) [7][8][14] to block their access to Internet?
Should a government enforce news and speech censorship [14] on all the websites
including search engines to block criticism on the crimes they committed?
Should a government jail journalists and writers for their free speech [14]?
Should a government kill the college students and citizens with guns, and roll
over the bodies of college students with tanks? [19]
Should a government cheat the world by hiding information about SARS and
melamine contaminated milk[3] which caused repetitive man-made disasters, and
further punish those who told the truth?

Is this PRC government a real government, or is it a mafia group? :)

Liu Yan claimed that the CNNIC is a subordinate of "Chinese Academy of
Sciences".  Let's take a look at what kind of "research" the "Chinese Academy
of Sciences" has done before. :)

The Institute of Acoustics, Chinese Academy of Sciences closely cooperated with
the PRC government in Internet censorship.  Same as CNNIC which "takes orders
from the Ministry of Information Industry (MII)" [26], they developed some
natural language machine understanding algorithms for Internet text censorship
[25].  The target of their research is to distinguish speeches of the opponents
of the government from those of the proponents, which general keyword based
filtering can't achieve.  Their "research" was already deployed in the
censorware "Green Dam"[22][23], which was ordered by the MII to be installed on
each new PC in manufacturing process.  Although this plan failed, they must
have started some other plots to achieve the same goal.

Jonathan: might well yank trust for any CA that was complicit in MitM attacks.

Does the word "was" mean that until the MitM attack happened, any organization
can put their root CA certificates in Firefox provided that they can buy
endorsement "services" from accountant companies like Ernst&Young [1] to
acquire "trust" from webtrust.org?

The real concern of many Chinese programmers is not about "was", but "may", as
CNNIC already "DID" quite some dirty things before!  Now it's a new capability
that the inclusion of root certificate of CNNIC will grant to the PRC

Anyway, since they already got secondary CA certificate issued by Entrust.net,
adding CNNIC as root CA is not introducing more problems.  But this discussion
is an alert on the trust model of PKI when we face a rogue government and their
minion organizations.

We should improve the browser to ask for permissions from the end users to
grant trust to each root CA when it's used in each session (not only at the
first time), clearly display the certificate signing path, and warn them of any
change in certificates (to be alert of a MitM attack).  This seems paranoiac
but it's because we're facing real threats of attacks from a powerful rogue
government, from which even big companies like Google and well equipped
government offices suffered.

The security model of SSL was practically in danger because of the design flaws
of the browser to place blind trust on root CAs without consent from the
users.  Since the CA certificates of rogue government agencies were added, we
should consider Firefox as a rogue government controlled browser in the default
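
The session-by-session checks lihlii asks for above (display the signing path, warn when a site's certificate changes) can be prototyped outside the browser. The following is an added example, not code from the bug discussion, from lihlii or from Mozilla: a trust-on-first-use pin store that records the SHA-256 fingerprint of the certificate first seen for a host and flags any later session that presents a different one, plus a helper that renders the signing path from leaf to root. The host name, the byte strings standing in for DER certificates and the sample chain are constructed.

```python
import hashlib
import json
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex
    in the form browsers show in their certificate viewer."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


class PinStore:
    """Trust-on-first-use store: remember the certificate fingerprint seen for
    each host and report when a later session presents a different one."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None   # None keeps pins in memory
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def observe(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "NEW"        # first sight: nothing to compare against yet
        if known == fp:
            return "MATCH"
        return "CHANGED"        # substitution or legitimate rotation: ask the user

    def accept_change(self, host: str, der: bytes) -> None:
        """Called only after the user has confirmed the new certificate."""
        self.pins[host] = fingerprint(der)
        self._save()

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=1))


def signing_path(chain):
    """Render leaf -> ... -> root from (subject CN, issuer CN) pairs, marking
    the self-signed anchor, so the user can see who vouched for whom."""
    steps = []
    for subject, issuer in chain:
        if subject == issuer:
            steps.append(f"{subject} (self-signed root)")
        else:
            steps.append(f"{subject} <- signed by {issuer}")
    return "\n".join(steps)


# Constructed sample inputs (not real certificates): opaque byte strings in
# place of DER encodings, and a three-step chain for display.
CERT_V1 = b"constructed-der-bytes-for-mail.example-v1"
CERT_V2 = b"constructed-der-bytes-for-mail.example-v2"
SAMPLE_CHAIN = [
    ("mail.example", "Example Intermediate CA"),
    ("Example Intermediate CA", "Example Global Root"),
    ("Example Global Root", "Example Global Root"),
]


def demo():
    """Three sessions against the same host: first sight, same cert, new cert."""
    store = PinStore()
    return [store.observe("mail.example", CERT_V1),
            store.observe("mail.example", CERT_V1),
            store.observe("mail.example", CERT_V2)]


if __name__ == "__main__":
    print(signing_path(SAMPLE_CHAIN))
    print(demo())   # ['NEW', 'MATCH', 'CHANGED']
```

Reporting "CHANGED" rather than blocking outright is deliberate: a legitimate certificate rotation and a substitution by a rogue CA look identical on the wire, and only an out-of-band check (a second network path, a published fingerprint) can tell them apart, which is why the user must be asked rather than the chain silently accepted.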


I can't help getting angry when I see this kind of post. This author Xiaoye wrote an article of wild abuse without any basis, and the people who repost his article are even more brainless, people who don't know how to think.

What do you mean by "rogue government" and "rogue regime"? On what grounds do you accuse an internationally recognized state regime like this? Is there any evidence? Almost every country in the world recognizes the legitimacy of the current Chinese government; who are you, a little commoner, to say it is illegitimate? Did the United Nations say the Chinese Communist Party is illegitimate? Even the Western countries whose relations with China run hot and cold, do they dare call the Chinese government a "rogue government"? I suggest that before talking such groundless big talk, you first go ask your American masters; if the American people consider the Chinese government a "rogue government", then everyone can say so.

CNNIC acting as a root certificate is entirely in line with normal practice for the development and construction of the internet, and the internet is international. China is a major internet country that has contributed a great deal to the development of the world's internet. China's CNNIC is the administrator of China's top-level domain, so of course it has the authority to issue root certificates! Most root certificates are currently in the United States; why doesn't everyone condemn American hegemony for swallowing up most of the internet's resources? China takes just one root certificate and gets unreasonably accused? Such accusations are utterly absurd and laughable; take them to any country in the world and ask any citizen of that country, and they will all think accusing China is ridiculous. SSL certificates are an encryption mechanism that guarantees normal network communications, but this encryption mechanism cannot be free from the constraints of national laws and regulations. For example, if someone uses SSL encryption to evade inspection and engage in terrorist activities, then do you think the relevant national authorities should or should not crack and decrypt it? When it comes to inspecting citizens' communications, the United States is the most serious country of all! Because the US faces a great deal of terrorist activity from abroad and threats from international terrorist organizations, US national security agencies inevitably have to step up their inspection of network communications; so why doesn't everyone criticize the US government, but instead accuse the Chinese government?

For network encryption mechanisms like SSL and TLS, the US is the grandfather. You think the US won't inspect and crack them; in reality you just don't feel it. Since it could invent the encryption mechanism, it also invented the corresponding decryption mechanism; it simply doesn't tell you, for certain reasons. Because American computer technology is very advanced, while China is still catching up in this area, some experts may be not much better than ordinary people, so when this area is touched, ordinary people easily sense it and start shouting: you broke into my mailbox! You read my mail! You issued a fake certificate to my computer! Actually this is a universal international problem: in any country, say you think the US is unsafe, so you go to the UK, you will be monitored by the UK just the same. Doesn't everyone like to use Google's mailbox? Google is an American company; your mail sits on American servers, and they have long since inspected it thoroughly. If your mail contains some content, they could even turn it into keywords and add them to the search engine, and when someone else searches on Google, your private letters would be displayed online; this is no joke. It's just that Google has a principle of protecting the privacy of private communications, so it doesn't do this. But think about it: does Google lack the technology? Do you think it lacks the guts to do it?

Think of it this way: suppose you are one of bin Laden's men and routinely use Google to communicate with al-Qaeda members, using SSL-encrypted communications; then think about what would happen next. Very soon you would be caught by the US military. Because Google and the US government are one family; you see, whenever Google complains about something to do with China, the US president has to come out and grunt a couple of times, so you would not even be able to make your case

So bin Laden and his people are very smart: they never use Google. For safety.
So you overseas democracy activists hating the domestic root certificate, the 163 mailbox, QQ and so on is the same thing as bin Laden hating Google; it's the same principle.

But I still have to say one thing: accusing others requires a factual basis; blind abuse shows no level at all and only lowers your own standing. If China is a rogue government, then how come over a billion Chinese people stand by this rogue government and support it; wouldn't those billion-plus people all be rogues? You tell everyone not to use this and not to use that, as if everything China produces were garbage; then what would everyone eat and wear? Scared like this by one root certificate, and you call it the voice of all the Chinese people; what nonsense. As the saying goes: if there is no ghost in your heart, what are you afraid of?

So China should indeed set up its own root certificate; the internet within China's borders should be subject to China's jurisdiction, a principle that holds in every country. China should not only set up a root certificate but also set up



Note, this ray.bode is a "net dog" (pro-government online troll).

2010/2/3 Igood <ray....@gmail.com>
I can't help getting angry when I see this kind of post. This author Xiaoye wrote an article of wild abuse without any basis, and the people who repost his article are even more brainless, people who don't know how to think.
Sign the Universal Declaration of Human Rights in your individual capacity as a citizen: http://j.mp/udhr-ss . If the signature page cannot be opened, send a blank email to udhr19...@gmail.com; you will receive an automatic reply with the signature form, which you fill out and send back to udhr...@gmail.com. Please spread this widely.


Look at Zhao Lianhai and Guo Yongfeng: weren't they deprived of their freedom by the CCP and the party-state?  Apart from flattery and bootlicking, what sense of security do the little people have left?


