Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

CNNIC Root Inclusion

1,548 views
Skip to first unread message

Eddy Nigg

unread,
Jan 27, 2010, 9:14:03 AM1/27/10
to
I was made aware of some controversial issues regarding the inclusion of
the CNNIC Root. Please see comments
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item
thereafter.

Even though this is mostly a technical forum, Mozilla might have an
opinion in this respect. Kathleen, could you please follow up at the
appropriate channels regarding the claims made as it might affect the
Mozilla CA policy section 4 and 6, maybe also others.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Eddy Nigg

unread,
Jan 27, 2010, 9:18:30 AM1/27/10
to
On 01/27/2010 04:14 PM, Eddy Nigg:

> I was made aware of some controversial issues regarding the inclusion
> of the CNNIC Root. Please see comments
> https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item
> thereafter.
>
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect the
> Mozilla CA policy section 4 and 6, maybe also others.
>

Unfortunately this is some disturbing evidence regarding some of the claims:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=cnnic.net.cn

http://www.siteadvisor.com/sites/cnnic.net.cn

http://en.wikipedia.org/wiki/China_Internet_Network_Information_Center#Malware_Production_And_Distribution

Akkad

unread,
Jan 27, 2010, 9:55:38 AM1/27/10
to
On Jan 27, 9:18 am, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 01/27/2010 04:14 PM, Eddy Nigg:
>
> > I was made aware of some controversial issues regarding the inclusion
> > of the CNNIC Root. Please see comments
> >https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18and the item

> > thereafter.
>
> > Even though this is mostly a technical forum, Mozilla might have an
> > opinion in this respect. Kathleen, could you please follow up at the
> > appropriate channels regarding the claims made as it might affect the
> > Mozilla CA policy section 4 and 6, maybe also others.
>
> Unfortunately this is some disturbing evidence regarding some of the claims:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client...
>
> http://www.siteadvisor.com/sites/cnnic.net.cn
>
> http://en.wikipedia.org/wiki/China_Internet_Network_Information_Cente...

>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org

Chinese users have started removing CNNIC from root certificates now.
pls see here: https://twitter.com/search?q=CNNIC .This is really a
SECURITY issue. It's for Mozilla's policy #4 $6 #7 #10

I konw what Liu Yan cares. You can except instructions to remove CNNIC
blocked or removed in China very soon.

Nelson Bolyard

unread,
Jan 27, 2010, 12:11:29 PM1/27/10
to
On 2010-01-27 06:18 PST, Eddy Nigg wrote:
> On 01/27/2010 04:14 PM, Eddy Nigg:
>> I was made aware of some controversial issues regarding the inclusion
>> of the CNNIC Root. Please see comments
>> https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18 and the item
>> thereafter.
>>
>> Even though this is mostly a technical forum,

It is?

I've seen MANY rants in past years from people who got infected by signed
malware. They were under the mistaken impression that signed software is
software that has been certified by the CA to be virus-free. Of course,
as we know, that's not what a code signing cert means at all. It merely
provides trustworthy identification of the source of the software, and
does not attest to the quality of the software.

I've also seen a lot of confusion in the past over who is the source if
signed software. A lot of people assume that the certificate issuer,
rather than the certificate subject, is the source of the signed software.

Now, we come to the immediate cases to which Eddy provided links:

I cannot determine, from the information presented on those pages, if CNNIC
was itself the source (the signer) of the signed software, or was merely the
issuer of certificates that were used by other subjects to sign malware.
The middle of those 3 links says that CNNIC had links to another site,
tech.sina.com.cn, which on its face seems to be another organization.
This doesn't seem inconsistent with CNNIC's role as a CA.

I think we need to be very careful to avoid getting caught in the trap of
thinking of certificates as attestations of morality or competence, and
thinking of CAs as judges of morality or competence. If we allow the role
of CAs to become defined as being those judges, they will CERTAINLY FAIL.
So, let's define their role as doing something at which they can succeed,
namely attesting to binding of keys to vetted identities.

Eddy Nigg

unread,
Jan 27, 2010, 12:28:00 PM1/27/10
to
On 01/27/2010 07:11 PM, Nelson Bolyard:

> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
>
>>
>>> Even though this is mostly a technical forum,
>>>
> It is?
>

Technical in the sense of policies and CA practices. It's not a
political forum...

> I've seen MANY rants in past years from people who got infected by signed
> malware. They were under the mistaken impression that signed software is
> software that has been certified by the CA to be virus-free. Of course,
> as we know, that's not what a code signing cert means at all. It merely
> provides trustworthy identification of the source of the software, and
> does not attest to the quality of the software.
>

Sure, I think that the issues mentioned are a bit broader and haven't
much to do with code signing certificates per se. Distribution of
malware usually starts at a web site, and this is what the links below say.

I nowhere seen anything about signed software, this is your (wrong)
assumption.

> I think we need to be very careful to avoid getting caught in the trap of
> thinking of certificates as attestations of morality or competence, and
> thinking of CAs as judges of morality or competence. If we allow the role
> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> So, let's define their role as doing something at which they can succeed,
> namely attesting to binding of keys to vetted identities.
>

That's why I requested to have this handled at the proper channels.
Though I think a discussion specially by the affected parties might be
interesting to have in order to understand more about it. And obviously
there might be members willing to voice their opinion what should be done...

Yuki Sea

unread,
Jan 27, 2010, 2:05:25 PM1/27/10
to
On Jan 28, 1:28 am, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 01/27/2010 07:11 PM, Nelson Bolyard:
>
> > On 2010-01-27 06:18 PST, Eddy Nigg wrote:
>
> >>> Even though this is mostly a technical forum,
>
> > It is?
>
> Technical in the sense of policies and CA practices. It's not a
> political forum...
>
> > I've seen MANY rants in past years from people who got infected by signed
> > malware.  They were under the mistaken impression that signed software is
> > software that has been certified by the CA to be virus-free.  Of course,
> > as we know, that's not what a code signing cert means at all.  It merely
> > provides trustworthy identification of the source of the software, and
> > does not attest to the quality of the software.
>
> Sure, I think that the issues mentioned are a bit broader and haven't
> much to do with code signing certificates per se. Distribution of
> malware usually starts at a web site, and this is what the links below say.
>
> > I cannot determine, from the information presented on those pages, if CNNIC
> > was itself the source (the signer) of the signed software,
>
> I nowhere seen anything about signed software, this is your (wrong)
> assumption.
>
> > I think we need to be very careful to avoid getting caught in the trap of
> > thinking of certificates as attestations of morality or competence, and
> > thinking of CAs as judges of morality or competence.  If we allow the role
> > of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> > So, let's define their role as doing something at which they can succeed,
> > namely attesting to binding of keys to vetted identities.
>
> That's why I requested to have this handled at the proper channels.
> Though I think a discussion specially by the affected parties might be
> interesting to have in order to understand more about it. And obviously
> there might be members willing to voice their opinion what should be done...
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org

If we include this cert, PRC government can hijack any SSL session
WITHOUT any warming to user.
PRC government always monitor online activities of chinese pro-
democracy people.
You know what Google's happening.

We need to protect the user whether this is political or not.

Warren

unread,
Jan 27, 2010, 9:27:03 PM1/27/10
to
On Jan 28, 1:11 am, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
>
> I've also seen a lot of confusion in the past over who is the source if
> signed software.  A lot of people assume that the certificate issuer,
> rather than the certificate subject, is the source of the signed software.
>
> Now, we come to the immediate cases to which Eddy provided links:
>
> I cannot determine, from the information presented on those pages, if CNNIC
> was itself the source (the signer) of the signed software, or was merely the
> issuer of certificates that were used by other subjects to sign malware.
> The middle of those 3 links says that CNNIC had links to another site,
> tech.sina.com.cn, which on its face seems to be another organization.
> This doesn't seem inconsistent with CNNIC's role as a CA.
>
> I think we need to be very careful to avoid getting caught in the trap of
> thinking of certificates as attestations of morality or competence, and
> thinking of CAs as judges of morality or competence.  If we allow the role
> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
> So, let's define their role as doing something at which they can succeed,
> namely attesting to binding of keys to vetted identities.

I agree with Eddy. We are not talking about who signed this software.

I am a Chinese internet user. CNNIC has produced a software called
CNNIC_Zhong_Wen_Shang_Wang which is well-known malware software in
China. Beside, I remembered that this software is signed by Verisign,
need to confirm, because CNNIC is not a trusted root CA at that time.

This software are usually installed by users' mistake activity. After
installed, pop-up windows, ADs, force IE homepage and etc. are all
coming. And it's very difficult to uninstall.

I don't know whether current verison of this software is still
malware. But you can also found some infomation from google by
searching "cnnic malware" (without quotes), or you can found some
Chinese people around you to search "CNNIC 中文上网" (
http://www.google.com/search?hl=en&source=hp&q=CNNIC+%E4%B8%AD%E6%96%87%E4%B8%8A%E7%BD%91&aq=f&aql=&aqi=&oq=
). Almost all results are relative to "How can I uninstall the d*mn
CNNIC_Zhong_Wen_Shang_Wang".

I don't know whether this certificate will be used for phishing SSL
session in future. But I think the worries are reasonable, because of
the internet censorship in China and GFW project.
Given this organization's past behavior, I personally untrust this
certificate.

http://en.wikipedia.org/wiki/Internet_censorship_in_the_People%27s_Republic_of_China

http://en.wikipedia.org/wiki/Golden_Shield_Project (GFW)

Mike Chen

unread,
Jan 28, 2010, 1:24:38 AM1/28/10
to
> Chinese people around you to search "CNNIC 中文上网" (http://www.google.com/search?hl=en&source=hp&q=CNNIC+%E4%B8%AD%E6%96%...

> ). Almost all results are relative to "How can I uninstall the d*mn
> CNNIC_Zhong_Wen_Shang_Wang".
>
> I don't know whether this certificate will be used for phishing SSL
> session in future. But I think the worries are reasonable, because of
> the internet censorship in China and GFW project.
> Given this organization's past behavior, I personally untrust this
> certificate.
>
> http://en.wikipedia.org/wiki/Internet_censorship_in_the_People%27s_Re...
>
> http://en.wikipedia.org/wiki/Golden_Shield_Project   (GFW)

Totally agree.

CAs issues certificates to bring people trust, how can people trust
websites signed by a non-trusted CA issuer?
Some say it's about politic, and yes, it can and eventually will be
used by government for censorship. CNNIC is directly controlled by PRC
government, that's make no sense that CNNIC can issue with justice.

What can be a nightmare is one day I figure out that Gmail's
certificate is issued by CNNIC and my browser trusts it. THAT SHOULD
NEVER EVER HAPPEN.

So please checkout what people are saying about CNNIC on twitter. A
not trusted organization should never be trust by browsers.

Nelson Bolyard

unread,
Jan 28, 2010, 1:40:01 AM1/28/10
to
On 2010-01-27 09:28 PST, Eddy Nigg wrote:
> On 01/27/2010 07:11 PM, Nelson Bolyard:
>> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
> I think that the issues mentioned are a bit broader and haven't
> much to do with code signing certificates per se. Distribution of
> malware usually starts at a web site, and this is what the links below say.
>>> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=cnnic.net.cn
>>>
>>> http://www.siteadvisor.com/sites/cnnic.net.cn
>>>
>>> http://en.wikipedia.org/wiki/China_Internet_Network_Information_Center#Malware_Production_And_Distribution
>>>
>> I cannot determine, from the information presented on those pages, if CNNIC
>> was itself the source (the signer) of the signed software,
>
> I nowhere seen anything about signed software, this is your (wrong)
> assumption.

Well, if that's the case, then the protests being lodged against CNNIC as
an issuer of SSL server certs are all the more absurd. The issuance of
an SSL server cert doesn't attest to the morality or competence of the
business dealings of the operator of the SSL server. It only attests
to the pairing or "binding" of the certified name to the certified public
key.

>> I think we need to be very careful to avoid getting caught in the trap of
>> thinking of certificates as attestations of morality or competence, and
>> thinking of CAs as judges of morality or competence. If we allow the role
>> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
>> So, let's define their role as doing something at which they can succeed,
>> namely attesting to binding of keys to vetted identities.
>>
>
> That's why I requested to have this handled at the proper channels.
> Though I think a discussion specially by the affected parties might be
> interesting to have in order to understand more about it. And obviously
> there might be members willing to voice their opinion what should be done...

But my point is that any arguments that are based on the presence of malware
are irrelevant and should not be considered in whether or not
the CA acted properly as a CA. If the CA's cert properly indicated the
name of the party who should be held responsible for the malware, then
IMO the CA did its job admirably and should not be punished for the job
it did as a CA.

Xuqing Kuang

unread,
Jan 28, 2010, 1:50:15 AM1/28/10
to
Yeah.

I hope the CA certification could be remove from firefox as soon as
possible.

It makes the Chinese people in the insecurity place.

Xuqing


On Jan 27, 10:14 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I was made aware of some controversial issues regarding the inclusion of

> theCNNICRoot. Please see commentshttps://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18and the item


> thereafter.
>
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect the
> Mozilla CA policy section 4 and 6, maybe also others.
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.

> XMPP:    start...@startcom.org

Eddy Nigg

unread,
Jan 28, 2010, 6:43:24 AM1/28/10
to
On 01/28/2010 08:40 AM, Nelson Bolyard:

> Well, if that's the case, then the protests being lodged against CNNIC as
> an issuer of SSL server certs are all the more absurd.
>

Nelson, before commenting I suggest to read the concerns which were
raised at the comments posted at the bugs in order to understand what
they are. Those are starting from:

https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18

and

https://bugzilla.mozilla.org/show_bug.cgi?id=542689

> But my point is that any arguments that are based on the presence of malware
> are irrelevant and should not be considered in whether or not
> the CA acted properly as a CA.

This is not the issue, but it was provided by the concerned parties as
part of their "evidence" to confirm those concerns. The claims are
raised in the bug entries and at other places such as twitter and I
believe Mozilla and the community should at least listen to them and
consider if and how they are relevant regarding the root inclusion here.
Apparently there might be issues with the inclusion of this CA root
which we haven't considered here (because nobody raised any concern at
that time).

If the claims are correct, than this might be a serious cause for
concern and which might affect Mozilla policy requirements directly.
However I asked Kathleen to find the appropriate channels regarding
these claims because it's not something we've ever dealt with here.

doggie

unread,
Jan 28, 2010, 7:05:41 AM1/28/10
to
On Jan 27, 10:14 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I was made aware of some controversial issues regarding the inclusion of
> the CNNIC Root. Please see commentshttps://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18and the item

> thereafter.
>
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect the
> Mozilla CA policy section 4 and 6, maybe also others.
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org

Totally agreed.

I really hate CNNIC. They do evil.

crewlay

unread,
Jan 28, 2010, 7:50:16 AM1/28/10
to Nelson Bolyard, dev-secur...@lists.mozilla.org
On Thu, Jan 28, 2010 at 2:40 PM, Nelson Bolyard <NOnels...@nobolyardspam.me> wrote:
On 2010-01-27 09:28 PST, Eddy Nigg wrote:
> On 01/27/2010 07:11 PM, Nelson Bolyard:
>> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
> I think that the issues mentioned are a bit broader and haven't
> much to do with code signing certificates per se. Distribution of
> malware usually starts at a web site, and this is what the links below say.
>>> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=cnnic.net.cn
>>>
>>> http://www.siteadvisor.com/sites/cnnic.net.cn
>>>
>>> http://en.wikipedia.org/wiki/China_Internet_Network_Information_Center#Malware_Production_And_Distribution
>>>
>> I cannot determine, from the information presented on those pages, if CNNIC
>> was itself the source (the signer) of the signed software,
>
> I nowhere seen anything about signed software, this is your (wrong)
> assumption.

Well, if that's the case, then the protests being lodged against CNNIC as
an issuer of SSL server certs are all the more absurd.  The issuance of
an SSL server cert doesn't attest to the morality or competence of the
business dealings of the operator of the SSL server.  It only attests
to the pairing or "binding" of the certified name to the certified public
key.


Is also very absurd to directly built such a notorious hated certificate into the widely accepted open-source software in prc, almost everyone are looking for method how to remove it after being aware of the bulletin for either potential ssl hijack or consistent disgusted with cnnic, and it's so simple to prove that either protest poll or something similar.
 
>> I think we need to be very careful to avoid getting caught in the trap of
>> thinking of certificates as attestations of morality or competence, and
>> thinking of CAs as judges of morality or competence.  If we allow the role
>> of CAs to become defined as being those judges, they will CERTAINLY FAIL.
>> So, let's define their role as doing something at which they can succeed,
>> namely attesting to binding of keys to vetted identities.
>>
>
> That's why I requested to have this handled at the proper channels.
> Though I think a discussion specially by the affected parties might be
> interesting to have in order to understand more about it. And obviously
> there might be members willing to voice their opinion what should be done...

But my point is that any arguments that are based on the presence of malware
are irrelevant and should not be considered in whether or not
the CA acted properly as a CA.  If the CA's cert properly indicated the
name of the party who should be held responsible for the malware, then
IMO the CA did its job admirably and should not be punished for the job
it did as a CA.

_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Johnathan Nightingale

unread,
Jan 28, 2010, 11:07:09 AM1/28/10
to dev-secur...@lists.mozilla.org
On 27-Jan-10, at 9:14 AM, Eddy Nigg wrote:

> I was made aware of some controversial issues regarding the
> inclusion of the CNNIC Root. Please see comments https://bugzilla.mozilla.org/show_bug.cgi?id=476766
> #c18 and the item thereafter.
>
> Even though this is mostly a technical forum, Mozilla might have an
> opinion in this respect. Kathleen, could you please follow up at the
> appropriate channels regarding the claims made as it might affect
> the Mozilla CA policy section 4 and 6, maybe also others.


So, I have a couple reactions here:

1) We have never claimed as a matter of policy that our PKI decisions
can protect people from malicious governments. It's just not a
plausible promise for us to make.
2) I think, regardless of government ties, we'd carefully review and
might well yank trust for any CA that was complicit in MitM attacks.
3) CNNIC complied with our root addition policy, they are in the
product presently, so this isn't a question of approval, this is a
question of whether we should review.

It feels to me like that makes our next step clear, here. It won't
help to tally up the complainants (there will be many), and it won't
help to demand assurances from CNNIC (since the alleged governmental
pressure would trump those anyhow). It certainly won't help to cite
wikipedia.

If there's truth to the allegation, here, then it should be possible
to produce a cert. It should be possible to produce a certificate,
signed by CNNIC, which impersonates a site known to have some other
issuer. A live MitM attack, a paypal cert issued by CNNIC for example.
If anyone in a position to produce such a thing needs help
understanding the mechanics of doing so, I'm sure this forum will help
them.

SSL makes tampering visible to its victims. The certificate has to
actually make it to my client before I can decide to trust it. By all
means, let's arm people with the knowledge to detect and record such
instances. But I don't see any clear step we can take until then.

Does that seem dismissive? I really hope not. I really don't want us
to trust CAs that we can't actually trust, but I don't want our root
program choosing favourites in political debates either.

J

---
Johnathan Nightingale
Human Shield
joh...@mozilla.com

aasa0001 shadewither

unread,
Jan 28, 2010, 3:07:51 PM1/28/10
to
As a Chinese citizen, let me elaborate two reasons why I do not trust
CNNIC Root.

1. CNNIC do evil.
Because CNNIC did much evil before, including spreading the malware
mentioned above.

It is apparently pointless for to trust CNNIC.

2. CNNIC cannot do their job well.
A few weeks ago, CNNIC announced that .cn suffix (which is under
administration of CNNIC) is not longer available to individuals.
Soon after CNNIC attained a sharp decrease of .cn domain names, and
had to revoke the preposterous decision.

CNNIC so easily scewed up its primary duty, it might fail in other
duties.

So it's a Root CA with an incompetent and (potentially) wicked
organization named CNNIC behind.
Why would we Chinese bother to believe in it?

There is no political points above, right? It's all about common sense/
feelings.
I did not read Mozilla CA policies, however, if it conflicts with what
I addressed, I would suggest that those policies be reviewed.

Paul Wang

unread,
Jan 28, 2010, 4:22:36 PM1/28/10
to
On 1月29日, 上午4时07分, aasa0001 shadewither <shdw...@gmail.com> wrote:
> As a Chinese citizen, let me elaborate two reasons why I do not trust
> CNNIC Root.
>
> 1. CNNIC do evil.
> Because CNNIC did much evil before, including spreading the malware
> mentioned above.
>
> It is apparently pointless for to trust CNNIC.
>
> 2. CNNIC cannot do their job well.
> A few weeks ago, CNNIC announced that .cn suffix (which is under
> administration of CNNIC) is not longer available to individuals.
> Soon after CNNIC attained a sharp decrease of .cndomain names, and

> had to revoke the preposterous decision.
>
> CNNIC so easily scewed up its primary duty, it might fail in other
> duties.
>
> So it's a Root CA with an incompetent and (potentially) wicked
> organization named CNNIC behind.
> Why would we Chinese bother to believe in it?
>
> There is no political points above, right? It's all about common sense/
> feelings.
> I did not read Mozilla CA policies, however, if it conflicts with what
> I addressed, I would suggest that those policies be reviewed.

As you may all know, I or anyone in mainland China uses proxy network,
probably "traveled around the world" to get around the GFW, and
finally get here in the mailing list. So I think the Firefox people
should understand how painful it is for us to live in the shadow of
GFW, and why people are so upset about CNNIC's root cert getting
trusted.

I'm not sure whether it is a smart move to get involve into political
debates as Johnathan said. But I'm sure getting rid of CNNIC's cert
from the trust list is the right thing to do. Millons of Chinese
Firefox users will thank Firefox for its justice. Google stood out, I
thank them! We thank them! We think they are great! If firefox can
remove CNNIC from the trust list, we will thank you too!

Is there anyone who agree with me? Come on, give me some love.

Sincerely,
Wenbo Wang

tophits

unread,
Jan 28, 2010, 4:47:03 PM1/28/10
to lihlii-g
After a second thought, I found that even if Firefox didn't add CNNIC
root certificate as built-in object, CNNIC still can issue a false
gmail.com certificate signed by its CNNIC SSL secondary CA certificate
signed by Entrust.net root CA. The browser will still accept the
forged gmail.com certificate without any warning.

So the inclusion of CNNIC Root CA certificate in Firefox is almost
equivalent to the endorsement by Entrust.net to sign the CNNIC SSL
secondary CA certificate, which CNNIC already acquired years ago.

Thus, it is in fact a serious security design flaw in the way that the
browser handles SSL certificates in the userage scenario. I suggest
the following measures to be taken:

1. Display clear warning message of certificate change, which is
possibly a result of MITM attack with a forged certificate. Firefox
should include the addon Certificate Patrol [1] as a built-in module.

2. Eye-catching display of certificate signing path for HTTPS
connections, e.g. in the address bar or a floating warning bar like
that of an addon installation. Because general non-expert users even
don't know how to check the certificate signing path.

It's a big problem, as you can see the PR China government is actively
involved in cyber attacks against its citizens. Their secret agents
used trojan-horse attacks to intrude gmail and Google services
successfully[2]. They have clear intention to intercept, snoop or
spoof SSL connections. There are successful MITM attack experiments
done on Internet and Tor network, by forging a certificate which the
general public users won't notice at all because the browser silently
accepted it.

It's a real threat to the trust model of PKI. We should have prompt
countermeasures and actions.

References:

[1] Certificate Patrol http://patrol.psyced.org/
https://addons.mozilla.org/en-US/firefox/addon/6415
[2] Kim Zetter: Google Hack Attack Was Ultra Sophisticated, New
Details Show; January 14, 2010, 8:01 pm; http://www.wired.com/threatlevel/2010/01/operation-aurora/

Paul Wang

unread,
Jan 28, 2010, 6:17:11 PM1/28/10
to
> [1] Certificate Patrolhttp://patrol.psyced.org/https://addons.mozilla.org/en-US/firefox/addon/6415

> [2]Kim Zetter: Google Hack Attack Was Ultra Sophisticated, New
> Details Show; January 14, 2010, 8:01 pm;http://www.wired.com/threatlevel/2010/01/operation-aurora/

Thank you Tophits, for supporting us who are under monitor and
severely limited regarding internet freedom.
I maybe risking my personal freedom to discuss with you here.
Freedom is the spirit of Opensource anyway, isn't it?
If even the SSL fail to protect us, then we can lose the only privacy
or freedom we have left.
I guess I can still remove CNNIC and Entrust.net from trust list
mannually anyway. But disasters could happen to general users who
"accidently" said something the government don't like to hear. It's
horrible even thinking about it. People's privacy and freedom of
speech is all I concerned about.
Displaying warning and signing path sounds like a good idea, better
than silently nothing. Thank you again.

Sincerely,
Wenbo Wang

Eddy Nigg

unread,
Jan 28, 2010, 6:29:17 PM1/28/10
to
On 01/28/2010 06:07 PM, Johnathan Nightingale:

Thanks Johnathan for your response and guidance. I believe there isn't
an easy solution unfortunately for those affected and neither for
Mozilla. I think it's correct that we should stick to the technical
requirements and facts, but act upon them swiftly if any evidence is
presented that might infringe on the Mozilla CA policy.

Currently section #4 of the policy come to mind, in particular
"knowingly issue certificates that appear to be intended for fraudulent
use." If CNNIC is directly branded by anti-virus and other safe-guarding
groups as a source for distributing mal-ware, there might be a problem.

Additionally section #6 calls for "provide some service relevant to
typical users of our software products", apparently for some this root
presents for them a disservice. I don't know how to evaluate that or
what to recommend, but I believe it's worth to look at it and listen
carefully to complaints.

More disturbing however is, that apparently this news group can't be
accessed according to
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c28
This makes participation here difficult and I wonder if this happened on
purpose. Such a fact would have made our process and public comments
period void of any value and if the allegations are correct we could
call for annulling the previous decision taken here. The purpose of the
public comments period is to voice amongst others the concerns we are
hearing today. If those rights were withheld for a large group affected
by this root inclusion and/or the proceedings here were not known to
them, it could present a valid reason to reconsider the previously made
decision.

陈少举

unread,
Jan 28, 2010, 8:24:33 PM1/28/10
to
agree

David E. Ross

unread,
Jan 28, 2010, 10:11:06 PM1/28/10
to

On reviewing bug #476766, I see in comment #5 Liu Yan's (the applicant)
assertion: "CNNIC is not a Chinese Government organization."

However, later comments by users in China seem to indicate the contrary.
Comment #18 states: "CNNIC is an infamous organ of the Chinese
Communist government to monitor and control the Internet in China."
Comment #23 states: "...CNNIC is infamous in China and it has a lot of
connections with the government..." Comment #24 states: "It has very
closed tie with Chinese government and CPC (or CCP [Chinese Communist
Party?])."

If any of these comments are true, then the application violates the
second bullet under section 6 of the Mozilla CA Certificate Policy: >
We require that all CAs whose certificates are distributed with our
software products:
>
> * publicly disclose information about their policies and business practices
That is, the relationship between CCNIC and the government or political
structure of China -- a business practices -- has not been publicly
disclosed.

I am further concerned about the fact that individuals inside China are
blocked from participating in this discussion, perhaps by the "great
firewall". If CCNIC indeed operates independently of the government and
political structure of China and is indeed worthy of the trust implied
by having its root certificate in the NSS database, then why would
anyone object to a discussion of this issue?

--

David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997

LionheartZhang

unread,
Jan 29, 2010, 1:04:06 AM1/29/10
to
> [1] Certificate Patrolhttp://patrol.psyced.org/https://addons.mozilla.org/en-US/firefox/addon/6415

> [2] Kim Zetter: Google Hack Attack Was Ultra Sophisticated, New
> Details Show; January 14, 2010, 8:01 pm;http://www.wired.com/threatlevel/2010/01/operation-aurora/

+1,Should use a more compelling way to prompt the user to change any
of the relevant certificate
CNNIC is a puppet for the PRC Government to provide all facilities, we
do not believe CNNIC. I have canceled CNNIC ROOT and the related
certificate of trust option, but not everyone know how to do it. Since
the issuance of certificates for the CNNIC, I have canceled the trust
of Entrust, I would rather give up their certificates and use Entrust
on any website, I do not want this list continues to grow.
I'm just an ordinary Chinese netizens, the main purpose is to obtain
information and knowledge, but the PRC Government do everything
possible to intercept them. The SSL certificate is used to attack no
one will be surprised, there is a certain web-based Chinese netizens
think that this is a matter of course will be happen.

makrober

unread,
Jan 29, 2010, 2:42:33 AM1/29/10
to dev-secur...@lists.mozilla.org, Johnathan Nightingale
Johnathan Nightingale wrote:
> 1) We have never claimed as a matter of policy that our PKI decisions
> can protect people from malicious governments. It's just not a plausible
> promise for us to make.

With due respect, "never have made the promise" just doesn't cut it in
my eyes. To turn it around: never was there any warning to the user base
that there is some "special class" of miscreants that Mozilla would not
protect the users from. This can be explained (but not excused) by the
mindset of those that instituted the process: in their minds, "governments",
by definition, can't be miscreants. I and (as that discussion on bugzilla
demonstrates) many, many, others do not share this mindset.

Perhaps it is time to review the process. It would be smart to take Mozilla
out of the trust business. At the very least, all root certificates that
are included should not be trusted until the user explicitly turns those he
or she knows and trusts (and needs for his or her transactions) on.

MacRober

Justin Dolske

unread,
Jan 29, 2010, 4:39:31 AM1/29/10
to
On 1/28/10 8:07 AM, Johnathan Nightingale wrote:

> If there's truth to the allegation, here, then it should be possible to
> produce a cert. It should be possible to produce a certificate, signed
> by CNNIC, which impersonates a site known to have some other issuer. A
> live MitM attack, a paypal cert issued by CNNIC for example. If anyone
> in a position to produce such a thing needs help understanding the
> mechanics of doing so, I'm sure this forum will help them.

As a related aside...

It would be an interesting experiment to create an addon to crowd-source
checking for such certs. Not as a CNNIC-specific issue, but any case of
valid certs for a site coming from an unexpected CA. It could also be
easily to just store a local record of certs you've encountered, and
warn you when a site's cert has changed.

Justin

Eddy Nigg

unread,
Jan 29, 2010, 7:28:08 AM1/29/10
to
On 01/29/2010 09:42 AM, makrober:

> Johnathan Nightingale wrote:
>> 1) We have never claimed as a matter of policy that our PKI decisions
>> can protect people from malicious governments. It's just not a
>> plausible promise for us to make.
>
> With due respect, "never have made the promise" just doesn't cut it in
> my eyes.


Even though I agree with you that there is an understanding that the
security decisions taken at Mozilla, being it by fixing flaws or here at
this group with admitting CAs, are made to protect and provide
reasonable security to the users, I'm ignoring the rest of your message
as a distraction from the problem at hand. If you feel you would like to
discuss your idea, lets do so under a different thread.

Having said that, most CAs disclose in their policies compliance to
local legislation and law. If those laws allow for MITMs, we obviously
should consider this accordingly. In the meantime some more comments
have been posted at the various bugs, I'd like to highlight one of them
since there is some relevance to the above:

On CNNIC website, it's clearly stated that CNNIC is directly administrated by
both "Ministry of Industry and Information Technology of the PRC" and Chinese
Academy of Sciences (budget controlled by the government).

You are right, CNNIC is not a government, but it's directly managed by the
government and did everything that Chinese government asked it to do.

tophits

unread,
Jan 29, 2010, 12:28:40 PM1/29/10
to lihlii-g
There are several related addons for Firefox for similar purposes. I
hope they will be included as core modules in Firefox soon.

Certificate Patrol [1] warns users with pop-up window whenever the
certificate of a website changes. But it's not updated to be
compatible with the newest 3.6 version of Firefox yet.

Perspectives [2] tries to verify the certificate of a website from
various notary sources. It's a good idea, but I tested and found it
not functional or the notary services are not stable enough yet.

At least I think the user interface of Firefox should be improved to
address such security threats of false certificate MITM attack against
SSL. Many Chinese programmers believe (or suspect) that the PRC
government already started to do such MITM attacks. This is why the
inclusion of CNNIC root certificate caused an Internet protest to
remove it from the browser and OS certificate storage. A simple
google search [3] will tell you what most Chinese programmers think
about this. Most of them are discussing how to remove or disable this
newly added root CA! :)

Technically speaking, even if CNNIC root CA is not included as a
builtin object of Firefox, it CAN still issue false certificates with
their legitimate secondary CA certificate signed by Entrust.net, to
intercept SSL connections with websites like gmail.com while the
browse won't show any warning about this. The surprise and opposition
in the Chinese technical community reflects the security concerns of
the Chinese Internet users and showed what a reputation CNNIC has
accumulated with their actual behaviors over the past years. This
even eroded the user trust on Entrust.net and Firefox, because
Entrust.net issued a secondary CA certificate to CNNIC. Many
programmers suggested to remove the root CA certificates of
Entrust.net together.

I agree with some comments here, that the key issue is: A secure
browser should tell the users clearly what they're trusting, and let
them choose whether to trust or not.

Whether a root CA is trustworthy or not, that's the social judgement,
a part of the trust model that a browser should not and can't
determine. The browser should provide an easy and clear UI for the
users to make the decision.


References:

[1] Certificate Patrol https://addons.mozilla.org/en-US/firefox/addon/6415
[2] Perspectives : Firefox Extension http://www.cs.cmu.edu/~perspectives/firefox.html
[3] Google search: CNNIC 证书 http://www.google.com/search?q=CNNIC+%E8%AF%81%E4%B9%A6

>> 苹果下的FIREFOX如何删除CNNIC的根证书 - Jan 27 - [ Translate this page ]
更正:http://www.cnnic.cn/download/crl/CRL1.crl 这里是CNNIC的根证书的证书吊销列表,我不知道如何
创建自己的不信任列表,谁知道创建证书吊销列表? ...
https://www.zuola.com/weblog/?p=1454

如何阻止不信任的CNNIC 证书<< scavin weblog - [ Translate this page ]
2010年1月27日 ... 是的,CNNIC 这个完全不可信任的有关部门,竟然诱惑微软将其列为根证书发布者,这个消息太可怕了。并且
Firefox 也信任了CNNIC 证书,这是疯狂的事情, ...
blog.lzzxt.com/394

玩聚SR | 如何阻止不信任的CNNIC 证书| 52个推荐者- 热文快照 - [ Translate this page ]
《如何阻止不信任的CNNIC 证书》的热文快照: 是的,CNNIC 这个完全不可信任的有关部门,竟然诱惑微软将其列为根证书发布者,这个消息太可
怕了。
sr.ju690.com/meme/item/59498

阻止不信任的CNNIC 证书.docx - 下载- 共享资料 - [ Translate this page ]
阻止不信任的CNNIC 证书.docx,下载,IT资料,解决方案. ... 说明: CNNIC被微软、FireFox加入根证书,这是非常可怕的
事情,所以我们要删除! ...
ishare.iask.sina.com.cn/f/6665520.html

Nabble - GFans - 如何阻止不信任的CNNIC 证书 - [ Translate this page ]
4 posts - 2 authors - Last post: yesterday
如何阻止不信任的CNNIC 证书. 这是非常非常重要的,一定要做好。这比放病毒和流氓软件更加重要! Sent to you by 夜の猫
via Google Reader: 如何阻止 ...
old.nabble.com/如何阻止不信任的-CNNIC-证书-td27342964.html

Firefox和微软已将CNNIC添加到根证书列表中,如何阻止CNNIC 证书 ... - [ Translate this page ]
2010年1月28日 ... SummerWa 写道Microsoft和Firefox已经将CNNIC作为根证书颁发机构添加到证书列表中:
Microsoft | 有关最新互联网资讯的IT博客.
http://www.pcstar.org.ru/main/2010-01/632-firefox-microsoft-cnnic-root-certificates.html

David E. Ross

unread,
Jan 29, 2010, 10:31:15 AM1/29/10
to

But the applicant (Liu Yan) asserted in comment #5 of bug #476766:


"CNNIC is not a Chinese Government organization."

This is the point of my earlier response in this thread.

tophits

unread,
Jan 29, 2010, 3:40:24 PM1/29/10
to
Liu Yan said [4][5], "obviously CNNIC is not a government", but "just
offers service on technology and research"[4].

1. Is it considered by CNNIC as "service on technology and research"
to spread malware with administrative power to spy on Internet users?

2. Is it considered by CNNIC as "service on technology and research"
to ban personal website registration in the .cn domain space [1][2]
[17]?

3. CNNIC banned the DNS resolving of a lot of independent websites,
such as bulllog.cn [1][2]. Is this considered by CNNIC as your way of
"service" of "registry for Chinese Domain Name"[4]? Is this
considered by CNNIC as "the similar role as VeriSign"[4]?

4. Is CNNIC "qualified with the international criteria"[4] as a
trustworthy certificate authority?

5. Why did Liu Yan try to mask the real face of the PRC governmental
nature of CNNIC [5]? Why did he even tried to hide the application by
setting the bug report to "Restricted Visibility"[6] at first?

6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet
security"[5]. Is it considered by CNNIC as "operation to protect
Internet security" by spreading unremovable malware to spy on users'
Internet activities exploiting security flaws of the browsers, as
CNNIC did [9][18]?

Liu Yan further claimed that "the WebTrust audit for government is
much simpler compared to company"[4].

So do you think CNNIC is a government or not? If CNNIC is controlled
by the PRC government, why don't you dare to clearly admit it, but
misled the readers by posing as a "just offers service on technology
and research" [4]? What's the motivation to hide the real identity of
CNNIC? :)

Liu Yan said: "There is no possible for us to monitor the user's
actions or do some attacks. I think every technical personnel knows
that."[4]

Unfortunately, this is an arrant lie. CNNIC not only DID "monitor the
users' actions" with intentionally spreaded malware [9], but also
cooperated actively with the PRC government to crack down independent
blogs and websites [1][2][17]. It's also highly possible that they
may actively cooperate in MITM attacks with such a government which
attacked [15][16] its citizens, as well as dozens of companies and
many computers of foreign civil organizations and government offices
[10][11].

Further, Is PRC government a decent government?

Should a government put all their citizens in an information jail by
building a GFW (Great Firewall) [7][8][14] to block their access to
Internet?
Should a government enforce news and speech censorship [14] on all the
websites including search engines to block criticism on the crimes
they committed?
Should a government jail journalists and writers for their free speech
[14]?
Should a government kill the college students and citizens with guns,
and roll over the bodies of college students with tanks? [19]
Should a government cheat the world by hiding information about SARS
and melamine contaminated milk[3] which caused repetitive man-made
disasters, and further punish those who told the truth?

Is this PRC government a real government, or is it a maffia group? :)

Liu Yan claimed that the CNNIC is a subordinate of "Chinese Academy of
Sciences". Let's take a look at what kind of "research" the "Chinese
Academy of Sciences" has done before. :)

The Institute of Acoustics, Chinese Academy of Sciences closely
cooperated with the PRC government in Internet censorship. Same as
CNNIC which "takes orders from the Ministry of Information Industry
(MII)" [26], they developed some natural language machine
understanding algorithms for Internet text censorship [25]. The
target of their research is to distinguish speeches of the opponents
of the government from those of the proponents, which general keyword
based filtering can't achieve. Their "research" was already deployed
in the censorware "Green Dam"[22][23], which was orderd by the MII to
be installed on each new PC in manufacturing process. Although this
plan failed, they must have started some other plots to achieve the
same goal.

> 根据“绿坝-花季护航“软件官方网站(http://www.lssw365.net)的介绍:
>
>   2008年7月,在工业和信息化部的直接领导下,两家成交供应商项目负责人和主要项目人员共同组成绿色上网过滤软件项目工作组,全面负责“绿坝·花季护航”绿色软件的研发、推广及相关服务工作。[...]更好的配合第三方监测机构的监测工作,确保绿色上网过滤软件项目的顺利实施。 [20]
>
> According to the official website of "Green Dam - Youth Escort" (http://www.lssw365.net):
> In July of 2008, under the direct administration of the Ministory of Industry and Information, the project managers and major staffs of the two chosen suppliers formed a green Internet filtering software project workgroup which was in full charge of development, deployment and relative services of the "Green Dam - Youth Escort" green software. [...] for better cooperation in monitoring the web with third party monitoring organs (of the government) to ensuresuccessful implementation of the green Internet filtering software project. [20]

> 链接:http://www.ccgp.gov.cn/gzdt/366770.shtml
>
>   2008年5月,工信部发布了一份《“绿色上网过滤软件产品一年使用权及相关服务采购”竞争性谈判结果的公告》:
> 一、采购人:中华人民共和国工业和信息化部
> [...]
> 四、成交供应商:郑州金惠计算机系统工程有限公司、北京大正语言知识处理科技有限公司 [...]
>     北京大正语言知识处理科技有限公司成交19,900,000元整(大写:壹仟玖佰玖拾万元)。[21]
>
> Link: http://www.ccgp.gov.cn/gzdt/366770.shtml
> In May 2008, The Ministry of Industry and Information issued an "Announcement of Competitive Negotiation Results for '[Governmental] Purchase of One Year Usage Licence and Related Services of Green Internet Filtering Software Product'"
>
> A. Purchaser: Ministry of Industry and Information, PRC
> [...]
> D. Chosen Supplier: Jinhui Computer System Engineering Inc., Zhengzhou City. Beijing Dazheng Language and Knowledge Processing Technology Inc. [...]
> Beijing Dazheng Language and Knowledge Processing Tech. Inc. got a project valued 19,900,000 CNY (About 2.9 million USD). [21]

> [...] 与中科院声学所合作注册成立了北京大正语言知识处理研究院 [20][21]
>
> [...] established the Beijing Dazheng Language and Knowledge Processing Tech. Inc. together with the Institute of Acoustics, Chinese Academy of Sciences. [20[21]

> @gonewater: 绿坝软件两开发商之一北京大正的董事长陈小盟,[...]其在中科院声学所主持开发的HNC网络信息过滤器,2003年实现了语义分析与过滤,并被率先运用在反轮子战线上 #greendam [21][24]
>
> @gonewater [a twitter user]: As the chairman of the board of Beijing Dazheng company which is one of the two developers of the "Green Dam" software, he was in charge of the development of HNC Internet Information Filter at the Institute of Acoustics, Chinese Academy of Sciences. The filter achieved semantic analysis and filtering in 2003 and was used primarily in the battle against the Falungong [27]. [21][24]

> 郑州金惠计算机系统工程有限公司和北京大正语言知识处理有限公司,他们是该软件的联合开发者,前者主要负责图像过滤,后者主要负责文字过滤。[21] - 南方周末记者 胡贲 实习生 郭仕鹏 2009-06-10 23:45:12
>
> Zhengzhou Jinhui Computer System Engineering Inc. and Beijing Dazheng Language and Knowledge Processing Tech. Inc. teamed up in the development of the filtering software. The former one was responsible for the image filtering part, while the later one was responsible for the text filtering part. [21] - Report on the newspaper "Southern Weekend" by Ben Hu, 10 June 2009.

> 中国科学院声学研究所HNC研究团队集多年从事自然语言理解处理的核心技术,成功研发出具有语义理解特点的“网络不良信息检测系统”,将为净化网络世界的内容做出贡献。目前这一系统主要针对网络上出现的色情、反动、低俗等不良信息,根据指定的网站自动进行内容下载、检测并给检测报告。不同于以往的基于关键字词的检测系统,能够区分出不良信息和批判不良信息的网页内容,对不能做出判断的内容还能提出警告,供人工判别。[25]
>
> The HNC research team of the Institute of Acoustics, Chinese Academy of Sciences combined the core techniques they acquired through many years of research they did on natural language understanding and processing and successfully developed a "Internet Bad Information Detection System" featuring semantic understanding capabilities. It will contribute to the clean-up of the content in the Internet world. Currently this system is primarily targeted at erotic, counter-revolutionary and vulgar information appeared on the Internet. It can download content automatically from specified websites, detect and present reports. Deferent from previous keyword based detection systems, it can distinguish web pages of bad information from criticisms against bad information. For those pages that it fails to judge, it can raise a warning message for human judgement. [25]


References:

[1] Bullog.cn http://en.wikipedia.org/wiki/Bullog.cn
[2] 牛博网 http://zh.wikipedia.org/wiki/%E7%89%9B%E5%8D%9A%E7%BD%91
[3] 2008 Chinese milk scandal / Censorship
http://en.wikipedia.org/wiki/2008_Chinese_milk_scandal#Censorship
[4] Liu Yan: Every technical personnel knows that; 2010-01-28 17:40:47
PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c29
[5] Liu Yan: CNNIC is not a Chinese Government organization;
2009-02-15 23:01:59 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c5
[6] Kathleen Wilson: This bug is set for Restricted Visibility;
2009-02-11 11:43:10 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c4
[7] Golden Shield Project http://en.wikipedia.org/wiki/Golden_Shield_Project
[8] 金盾工程 http://zh.wikipedia.org/wiki/%E9%87%91%E7%9B%BE%E5%B7%A5%E7%A8%8B
[9] China Internet Network Information Center; / Malware Production
And Distribution; http://en.wikipedia.org/wiki/CNNIC#Malware_Production_And_Distribution
[10] GhostNet; http://en.wikipedia.org/wiki/Ghostnet
[11] 幽灵网; http://zh.wikipedia.org/wiki/%E5%B9%BD%E7%81%B5%E7%BD%91
[12] David Drummond, SVP, Corporate Development and Chief Legal
Officer: A new approach to China; http://www.webcitation.org/5n92WuwKT
= http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
[13] 中华人民共和国网络审查;
http://zh.wikipedia.org/zh-cn/%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E7%BD%91%E7%BB%9C%E5%AE%A1%E6%9F%A5
[14] Internet censorship in the People's Republic of China;
http://en.wikipedia.org/wiki/Internet_censorship_in_the_People's_Republic_of_China
[15] 极光行动; http://zh.wikipedia.org/wiki/%E6%9E%81%E5%85%89%E8%A1%8C%E5%8A%A8
[16] Operation Aurora; http://en.wikipedia.org/wiki/Operation_Aurora
[17] CNNIC Halts Website Domain Name Registration For Individuals In
China;
December 15, 2009;
http://www.chinatechnews.com/2009/12/15/11208-cnnic-halts-website-domain-name-registration-for-individuals-in-china
[18] 中国互联网络信息中心;
http://zh.wikipedia.org/wiki/%E4%B8%AD%E5%9C%8B%E4%BA%92%E8%81%AF%E7%B6%B2%E7%B5%A1%E4%BF%A1%E6%81%AF%E4%B8%AD%E5%BF%83#.E7.88.AD.E8.AD.B0
[19] Tiananmen Square protests of 1989; http://en.wikipedia.org/wiki/Tiananmen_Square_protests_of_1989
[20] Reports about Green Dam; https://groups.google.com/group/lihlii/msg/cff76953d4508ad7
[21] Analysis of the Green Dam Censorware System;
https://groups.google.com/group/lihlii/msg/64b28befc01f8394
[22] Green Dam Youth Escort; http://en.wikipedia.org/wiki/Green_Dam
[23] 绿坝·花季护航; http://zh.wikipedia.org/zh-cn/%E7%B6%A0%E5%A3%A9%C2%B7%E8%8A%B1%E5%AD%A3%E8%AD%B7%E8%88%AA
[24] 中科院声学所主持开发的HNC网络信息过滤器,2003年实现了语义分析与过滤,并被率先运用在反轮子战线上;
http://twitter.com/rmack/statuses/2090288450
[25] jiangzuyu: 中科院声学所成功研发网络不良信息检测系统; 网脉e代社区论坛; 2009-2-12 10:43;
http://www.webcitation.org/5n9L4Z4mq = http://community.wm360.cn/space/index.php/viewthread-67157.html
[26] CNNIC takes orders from the Ministry of Information Industry
(MII) to conduct daily business; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c14
[27] Falun Gong / Continued protests and statewide suppression;
http://en.wikipedia.org/wiki/Falun_Gong#Continued_protests_and_statewide_suppression

tophits

unread,
Jan 29, 2010, 4:06:05 PM1/29/10
to
Some corrections:

> 6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet security"[5]. Is it considered by CNNIC as "operation to protect Internet security" by spreading unremovable malware to spy on users' Internet activities exploiting security flaws of the browsers, as CNNIC did [9][18]?

by spreading unremovable malware exploiting security flaws of the
browsers to spy on users' Internet activities

> So do you think CNNIC is a government or not? If CNNIC is controlled by the PRC government, why don't you dare to clearly admit it, but misled the readers by posing as a "just offers service on technology and research" [4]? What's the motivation to hide the real identity of CNNIC? :)

by posing as an organization which "just offers service on technology
and research"

> @gonewater [a twitter user]: As the chairman of the board of Beijing Dazheng company which is one of the two developers of the "Green Dam" software,

Xiaomeng Chen, as the chairman of the board of Beijing Dazheng company


which is one of the two developers of the "Green Dam" software,

> developed a "Internet Bad Information Detection System" featuring semantic understanding capabilities. It will contribute to the clean-up of the content in the Internet world.

developed an "Internet Bad Information Detection System" featuring


semantic understanding capabilities. It will contribute to the

purification of contents in the Internet world.

> Currently this system is primarily targeted at erotic, counter-revolutionary and vulgar information appeared on the Internet.

Currently this system is primarily targeted at erotic, reactionist
[means anti Communist Party of China] and vulgar information appeared
on the Internet.

Wenbo Wang

unread,
Jan 29, 2010, 5:29:33 PM1/29/10
to
On 1月30日, 上午1时28分, tophits <wan...@gmail.com> wrote:
> I agree with some comments here, that the key issue is: A secure
> browser should tell the users clearly what they're trusting, and let
> them choose whether to trust or not.
>
> Whether a root CA is trustworthy or not, that's the social judgement,
> a part of the trust model that a browser should not and can't
> determine. The browser should provide an easy and clear UI for the
> users to make the decision.

Good point! You've made it so clear to me. *Applaud*

BRs
Wenbo Wang

tophits

unread,
Jan 29, 2010, 5:47:14 PM1/29/10
to lihlii-g
Dear Johnathan,

Do you think certificates from liars should be included in Firefox? :)

> Jonathan: might well yank trust for any CA that was complicit in MitM attacks.

Does the word "was" mean that until the MitM attack happened, any
organizations
can put their root CA certificates in Firefox provided that they can
buy
endorsement "services" from accountant companies like Ernst&Young [1]
to
acquire "trust" from webtrust.org?

The real concern of many Chinese programmers is not about "was", but
"may", as
CNNIC already "DID" quite some dirty things before! Now it's a new
capability
that the inclusion of root certificate of CNNIC will grant to the PRC
government.

Anyway, since they already got secondary CA certificate issued by
Entrust.net,
adding CNNIC as root CA is not introducing more problems. But this
discussion
is an alert on the trust model of PKI when we face a rogue government
and their
minion organizations.

We should improve the browser to ask for permissions from the end
users to
grant trust to each root CA when it's used in each session (not only
at the
first time), clearly display the certificate signing path, and warn
them of any
change in certificates (to be alert of a MitM attack). This seems
paranoiac
but it's because we're facing real threats of attacks from a powerful
rogue
government, from which even big companies like Google and well
equipped
government offices suffered.

The security model of SSL was practically in danger because of the
design flaws
of the browser to place blind trust on root CAs without consent from
the
users. Since the CA certificates of rogue government agencies were
added, we
should consider Firefox as a rogue government controlled browser in
the default
configuration.

[1] https://cert.webtrust.org/SealFile?seal=935&file=pdf

tophits

unread,
Jan 29, 2010, 6:21:30 PM1/29/10
to lihlii-g
Dear Eddy,

Please notice the fact that there is no such thing as "law" in PRC.
All that exist are "rules".
Those companies who do evil things in China always say that they need
to comply with local "laws". That's not true.

There is no LAW in PR China, but only RULES determined completely by
the 9-person "Standing Committee of Central Political Bureau" of the
Chinese Communist Party (CCP). There is no legal legislation, but all
rules are determined by the CCP. The "People's Delegation Congress"
is only a "rubber seal" to pretend to pass the "rules" made by the
CCP.

--- Comment #37 from Eddy Nigg (StartCom) <eddy...@startcom.org>
2010-01-29 15:12:13 PST ---
(In reply to comment #36)


> > Jonathan: might well yank trust for any CA that was complicit in MitM attacks.
> >

> > lihlii:


> > Does the word "was" mean that until the MitM attack happened, any organizations
> > can put their root CA certificates in Firefox provided that they can buy
> > endorsement "services" from accountant companies like Ernst&Young [1] to
> > acquire "trust" from webtrust.org?

Again, Bugzilla should not be used for advocacy! Nevertheless a short
reply. I
know Ernst & Young and have performed audits with them myself. Hence
I'm
trusting their attestation.

However it's common for CAs to comply to local laws and there might be
a
problem if the law would allow MITM attacks on its citizens. This
would be
counter to the Mozilla CA policy, even if a notable auditor audited
the CA and
the CA has disclosed its adherence to the local laws correctly.

tophits

unread,
Jan 29, 2010, 8:17:06 PM1/29/10
to lihlii-g, 网络安全
J:

we'd carefully review and might well yank trust for any CA that was
complicit in MitM attacks.

L:
The problem is that, CNNIC might have already aided some MitM attacks
with their secondary CA certificate signed by Entrust.net root CA
before CNNIC was added as root CA. Because the MitM attack is
difficult to be carried out on a large scale, the PRC government
mainly targeted at specific users (such as highly sensitive political
dissidents) who often lack of knowledge to check the server
certificate to determine whether it's real.

All we're worried about is "trust". Can we put a CA certificate that
many Chinese programmers don't trust at all into the release package?
What will be the consequences?

The repetitive hijacking of gmail accounts of dissidents by the PRC
government secret agents (Political Defend Police like Starsi of
former East Germany) might be achieved with SSL hijacking, besides
trojan-horse phishing email.

I think it's a detriment to the user trust on Firefox to add CNNIC
(notorious in Chinese programmers community, while powerful enough to
buy whatever certificates they need) root CA. Yet it's not safe by
simply removing it. There should be a way to return the ability and
authority of judging whether to trust a CA to the users, not
unconditionally decided by the browser as it's implemented now.
Currently an experienced user can inspect the certificate signing
chain to check whether the root CA is trustworthy; while layman users
need more help from an improved UI to alert them of possible
vulnerabilities and guide them through steps to check the certificate
chain of the HTTPS session.

Furthermore, some Chinese programmers observed [3] that the
certificates of google.com was modified several times after 18 Nov.
2009.
Three abnormal changes of certificates were observed [2]:

CN: mail.google.com
18 Nov. 2009 from: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
to: Google Internet Authority, valid from 2009/11/12
to 2010/11/12

18 Nov. 2009 from: Google Internet Authority, valid from 2009/11/12
to 2010/11/12
to: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25

28 Dec. 2009 from: Thawte SGC CA, valid from 2009/3/25 to 2010/3/25
to: Thawte SGC CA, valid from 2009/12/18 to
2011/12/18

CN: *.google.com
19 Jan. 2010 from: Google Internet Authority, valid from 2009/11/12
to 2010/11/12
to: Google Internet Authority, valid from 2009/12/22
to 2010/12/22

Google's announcement[1] declared that "in mid-December [2009], we
detected a highly sophisticated and targeted attack on our corporate
infrastructure originating from China that resulted in the theft of
intellectual property from Google". Taking these strange certificate
changes into consideration together with the Google announcement, we
suspect that the "intellectual property" might include private keys to
sign the google certificates. This might be the answer to why google
changed certificates in an abnormal frequency.

This also alert us of possible cyber attacks making use of CA
certificates and exploiting the inadequate certificate validation in
current browser user interaction. Although the inclusion of an
untrustworthy CNNIC root CA won't make the situation worse, it really
alert us to review the pyramid trust model of PKI and design flaws of
unconditional trust of root CAs in browsers.

The trust model is unreasonable, in that the trust propagates in a
forced, involuntary way: Ernst & Young trusts CNNIC because it trusts
those special paper sheets marked with "In God We Trust" ;P,
webtrust.org trusts CNNIC because it trusts Ernst & Young; Mozilla
Firefox project or Microsoft trust CNNIC because they trust
webtrust.org; the browser users trust CNNIC because the they trust the
browser. But the users in fact don't trust CNNIC at all! The result
is: the users were forced to trust CNNIC silently. Experienced users
take the trouble to remove or disable the CNNIC certificates, while
the majority of non-technical users just don't know they're trusting
CNNIC because of their browser!


References:

[1] David Drummond, SVP, Corporate Development and Chief Legal

[2] zuola: 关于GMAIL安全证书的疑问 https://groups.google.com/group/lihlii/browse_frm/thread/92be93b6648af29/
[3] Google 的证书更新了 可能是因为数字证书密钥被窃 警惕假冒数字证书
https://groups.google.com/group/lihlii/browse_frm/thread/5f9dbff575fa9579/

Nelson Bolyard

unread,
Jan 30, 2010, 2:05:06 PM1/30/10
to
On 2010-01-28 19:11 PST, David E. Ross wrote:

> On reviewing bug #476766, I see in comment #5 Liu Yan's (the applicant)
> assertion: "CNNIC is not a Chinese Government organization."
>
> However, later comments by users in China seem to indicate the contrary.
> Comment #18 states: "CNNIC is an infamous organ of the Chinese
> Communist government to monitor and control the Internet in China."
> Comment #23 states: "...CNNIC is infamous in China and it has a lot of
> connections with the government..." Comment #24 states: "It has very
> closed tie with Chinese government and CPC (or CCP [Chinese Communist
> Party?])."

First, those statements are accusatory in nature. They lack proof.
Second, even if true, it's not clear that those statements disqualify
CNNIC. Other CAs that Mozilla has admitted to the root list also have
government ties with their respective governments, IINM, and we have not
disqualified them.

So, I conclude that the writers of the above comments are people who dislike
the Chinese government. But like or dislike of the Chinese government is
not a basis of acceptance nor rejection of CAs under Mozilla policy, is it?

Let's be very careful not to allow this discussion group to become a forum
for discussion of Chinese government policies. Whether you or I like it or
hate it, the Chinese government's great firewall is no basis for acceptance
or rejection of any Chinese CA, IMO. If Mozilla decides that it IS, then
IMO, Mozilla should reject all Chinese CAs, and not consider them one by
one, because the issue is the action of the government.

> If any of these comments are true, then the application violates the
> second bullet under section 6 of the Mozilla CA Certificate Policy:

I'm not so sure.

> We require that all CAs whose certificates are distributed with our

> software products publicly disclose information about their policies and
> business practices

Let's imagine, just for the sake of discussion, that CNNIC is wholly owned
by the Chinese government. Is that a policy? Is that a business practice?

> That is, the relationship between CCNIC and the government or political
> structure of China -- a business practices -- has not been publicly
> disclosed.

I disagree that it is necessarily a policy or practice.

Further, in the PRC, ALL business is done at the pleasure of the government.
The larger the business, the more far reaching it is in scope, the more
that government will watch over it to ensure that it doesn't step over the
unwritten unspoken line. This is known to every citizen in China. It is
not written as a business policy anywhere, anymore than it is written that
all employees must breathe.

> I am further concerned about the fact that individuals inside China are
> blocked from participating in this discussion, perhaps by the "great
> firewall". If CCNIC indeed operates independently of the government and
> political structure of China and is indeed worthy of the trust implied
> by having its root certificate in the NSS database, then why would
> anyone object to a discussion of this issue?

Why are those things related?

Why is ANYTHING other than a CAs honesty regarding certification of bindings
of names to public keys, and its scope being wide enough to be of value to a
significant part of Mozilla's user base, at issue in determining it
acceptability?

This newsgroup is NOT the place for discussion of international politics.
Discussion of a government's positions on human rights, great firewalls,
etc. have no place here, IMO. because they are not relevant, IMO, to the
operation and acceptability of a CA.

Eddy Nigg

unread,
Jan 30, 2010, 3:42:17 PM1/30/10
to
On 01/30/2010 09:05 PM, Nelson Bolyard:

> This newsgroup is NOT the place for discussion of international politics.
>

Correct.

> Discussion of a government's positions on human rights, great firewalls,
> etc. have no place here, IMO. because they are not relevant, IMO, to the
> operation and acceptability of a CA.
>

The relevance starts, when as a matter of local legislation and law, CAs
could and would assist to or perform themselves MITM attacks or would
assist to what we could consider fraudulent and harmful intent and
knowingly wrongful issuance of certificates. This would be in fact
clearly against the Mozilla CA policy.

What some reporters try to say is, that the known politics and alleged
behavior of the Chinese government and associated organizations and
tools are used for various purposes which could fall under the above
mentioned. I can understand that facts are hard to come by, specially
because of the nature of government.

The Chinese Firewall are a matter of local legislation, it's not against
their laws. However it's still a problematic practice in the view of the
Western hemisphere. The recent incidents with Google and many other
American companies might be testimonial and supportive evidence of other
very disturbing practices. Now, if this same establishment and its
legislation runs a CA (by proxy and/or third party), the same local laws
which allows for the former, might allow for MITM attacks and other
fraudulent issuance (in our eyes). This might be a problem directly
affecting the users of Mozilla products and against what the Mozilla
policy calls for (and is intended).

The close relationship between the CA and the political structure in
China could be viewed in itself as problematic! If this is a fact, than
this fact was perhaps not sufficiently disclosed here at the public
discussion and any such relationship was even denied.

(It must be clear that some CAs are more independent from governments
and might have different locations of operations, whereas some are
tightly associated or even operated by governments. For my taste I have
a huge dislike of any association with governments at all. I made that
clear previously at other occasions. But the Mozilla CA policy doesn't
care about this, hence it remains my personal point of view.)

Wenbo Wang

unread,
Jan 30, 2010, 4:40:28 PM1/30/10
to
On 1月31日, 上午3时05分, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

> Let's be very careful not to allow this discussion group to become a forum
> for discussion of Chinese government policies.   Whether you or I like it or
> hate it, the Chinese government's great firewall is no basis for acceptance
> or rejection of any Chinese CA, IMO.  If Mozilla decides that it IS, then
> IMO, Mozilla should reject all Chinese CAs, and not consider them one by
> one, because the issue is the action of the government.
>

Who cares if all Chinese CAs get rejected. We just hope firefox to be
safer for Chinese users.

>
> Further, in the PRC, ALL business is done at the pleasure of the government.
> The larger the business, the more far reaching it is in scope, the more
> that government will watch over it to ensure that it doesn't step over the
> unwritten unspoken line.  This is known to every citizen in China.  It is
> not written as a business policy anywhere, anymore than it is written that
> all employees must breathe.
>

If the above is true, then how could anyone but the government itself
know where the line is? Can you smell it? Is it a round shape or a
square shape? No offence, but I mean it could be anything the
government want, whenever they want, however they want. How could
anybody trust anything like that?

Maybe I'm not so familiar with Mozilla's CA acceptance policy, but I
know such kind of CA cannot be trust, and I know it in a tragic
"unwritten unspoken way".
And you know a lot about China, BTW. :)

BRs
Wenbo Wang

anonymous chineseguy

unread,
Jan 31, 2010, 12:40:24 AM1/31/10
to
While we talking about those, please keep in mind: even Google groups
has been walled( a Chinese internet terminology, means the a website
is blocked by GFW ), and that's why the topic is beginning in
bugzilla. We're all talking behind proxies. Though that protects us
from being jailed with the name of defaming government - and there
has been many case.
CNNIC said it isn't a government organization, it is a completely
lying. In China, NGOs is never clearly allowed to be exist. All of
them either has to be pretend to be a for-profit corporation, either
has to find a government allowed organization and beg to affiliate
under it, so the government can control it, either by give a tax which
cannot afford( you can google "Xu zhi yong" ), or directly order its
superior to close it.
Let's look at a sample. Dec 2009, when china government decide to
"clear sex information on internet" ( and of course, in the same time
ten of thousands of normal BBS & websites is closed. YOU KNOW WHY),
CNNIC quickly make a statement ".cn domain NEVER allowed personal
registration", while Chinese people has registered hundreds of
thousands of personal dot-cn domains? And after a main while they make
another decision of white-list name resolving?
If that's not government dominated organization, that definition can
be eliminated, I think.

Anonymously,
A Chinese guy

tophits

unread,
Jan 31, 2010, 3:49:31 AM1/31/10
to lihlii-g, 网络安全
On Jan 30, 8:05 pm, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

> First, those statements are accusatory in nature.  They lack proof.

Lack proof? Or you simply close your eyes and refuse to see the
proves? :)

> CNNIC.  Other CAs that Mozilla has admitted to the root list also have
> government ties with their respective governments, IINM, and we have not
> disqualified them.

Other CAs are tied with governments, but CNNIC is tied with a mafia
group, NOT a government. :)

> So, I conclude that the writers of the above comments are people who dislike
> the Chinese government.  But like or dislike of the Chinese government is
> not a basis of acceptance nor rejection of CAs under Mozilla policy, is it?

Google also doesn't like the "Chinese government", do they? So they
don't have "basis" of this announcement [1].

> Let's be very careful not to allow this discussion group to become a forum
> for discussion of Chinese government policies.   Whether you or I like it or

It IS about policy, trust and security of the whole framework of PKI!
It will not only breach the web security of Chinese users, but also
users worldwide! Be alert of the consequences.

> hate it, the Chinese government's great firewall is no basis for acceptance
> or rejection of any Chinese CA, IMO.  If Mozilla decides that it IS, then

The fact is that the acceptance is not based on adequate publicity and
discussion. The information behind is not fully revealed. The end
users especially the Chinese programmers are in effect excluded from
the discussion because only lately they discovered the new certificate
from Microsoft and Firefox updates. This is why we raised this
question against the trust in CNNIC.

> IMO, Mozilla should reject all Chinese CAs, and not consider them one by
> one, because the issue is the action of the government.

In fact we should reject any CA that has bad credit records. Just as
a credit card company won't issue a credit to a person who often
cheats.

> Let's imagine, just for the sake of discussion, that CNNIC is wholly owned
> by the Chinese government.  Is that a policy?  Is that a business practice?

The Chinese Communist Party government is not qualified as a root CA
administration, because it is building the biggest information jail to
intercept and cheat in DNS resolving, attack citizens all over the
world by trojan-horse phishing email and intrude companies and
governmental computers illegally. It's a criminal group.

> Further, in the PRC, ALL business is done at the pleasure of the government.
> The larger the business, the more far reaching it is in scope, the more
> that government will watch over it to ensure that it doesn't step over the
> unwritten unspoken line.  This is known to every citizen in China.  It is

CA doesn't need to be a "large business", but a trustworthy business.
That's it. We Chinese know better the Chinese government and CNNIC,
and how the business should be in China. :)

> Why is ANYTHING other than a CAs honesty regarding certification of bindings
> of names to public keys, and its scope being wide enough to be of value to a

CNNIC can't be linked with the word "honest" in the loosest sense.

> This newsgroup is NOT the place for discussion of international politics.
> Discussion of a government's positions on human rights, great firewalls,
> etc. have no place here, IMO. because they are not relevant, IMO, to the
> operation and acceptability of a CA.

They're closely related. It's not only about GFW, but about hijacking
Internet communication, cheating, phishing, trojan-horse attack and
intrusion. These were all done by the CCP government and CNNIC DID
intentionally spread malware that spied on users!

tophits

unread,
Jan 31, 2010, 3:58:45 AM1/31/10
to lihlii-g
On Jan 30, 9:42 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> The relevance starts, when as a matter of local legislation and law, CAs
> could and would assist to or perform themselves MITM attacks or would
> assist to what we could consider fraudulent and harmful intent and
> knowingly wrongful issuance of certificates. This would be in fact
> clearly against the Mozilla CA policy.

I agree mostly with Eddy. But I must point out that there is no "law"
in PR China. Everything that is called a "law" is in fact "rules"
determined by the CCP officials at their own will and can be broken or
changed at any time they like.

Any statement that talks about "law" in China is in fact based on a
false premise.

> The Chinese Firewall are a matter of local legislation, it's not against
> their laws. However it's still a problematic practice in the view of the

The GFW itself in fact is even NEVER compliant to any Chinese "laws"
made by the CCP government itself! This is why the CCP government
never admitted that its existence! :) Please, please don't say that
GFW is based on "local legislation", it's even against the "rules"
made by the CCP government itself!

The official declaration of the PRC government is: The Internet in
China is completely free. There is no censorship. full stop.

If you can trust such a "government", good luck to you! :)

Jack

unread,
Feb 1, 2010, 2:40:12 AM2/1/10
to
As many have pointed out above, the trust of root certificate is
immediately jeopardized when MITM attack is waged. - Unfortunately
MITM attack is already widely deployed in China. The Harvard study
"Empirical Analysis of Internet Filtering in China" repeated
documented this:

"the authors prepared screenshots documenting the September 2002
redirection of requests for google.com to other search engines."
"some newer forms of Chinese filtering -- namely, redirection of a
request for a sensitive web site to another web site"
"DNS Filtering/Redirection and Its Implications"
"For some 1,043 of sites tested, we confirmed that DNS servers in
China report a web server other than the official web sever actually
designated via each site's authoritative name servers."
http://cyber.law.harvard.edu/filtering/china/
http://cyber.law.harvard.edu/filtering/china/appendix-tech.html#dns

Some "50 cent party" (to save your google trip: it's the thousands of
people Chinese Communist Party pays to defend itself on the internet)
may claim CNNIC is not the same institute who launched these MITM
attacks. But I trust the Mozilla developers are not so naive to
believe CNNIC can violate the Party's order, or the billion-dollar
Great Firewall involving numerous technical institutes were
accomplished by those institutes voluntarily - and most those
institutes look just like CNNIC.
In fact, the very DNS servers doing MITM attack as documented by the
Harvard study above are either closely related to CNNIC or another
innocent-looking "non-government" institute, because in China all
shiny hats are worn by the same Party.

So, if this root certificate crisis is not properly addressed, it's
very likely that in a couple years, the relatives of some Tibetan or
Falun Gong, or home church followers would sue Microsoft and Mozilla
in U.S. for assisting the Chinese Communist regime to steal their
email passwords using faked websites and certificates so could login
to their real accounts later leading to their imprisonment, just like
someone did against yahoo (http://www.rsf.org/Yahoo-settles-lawsuit-by-
families.html).

Gervase Markham

unread,
Feb 1, 2010, 5:48:02 AM2/1/10
to
On 29/01/10 09:39, Justin Dolske wrote:
> It would be an interesting experiment to create an addon to crowd-source
> checking for such certs. Not as a CNNIC-specific issue, but any case of
> valid certs for a site coming from an unexpected CA.

It would certainly be interesting to know if a particular site had a
cert from a different issuer depending on where in the world you were.

However, I strongly suspect that any government which was putting
pressure on a CA to issue certs for surveillance purposes would use
those certs only in very limited circumstances - for precisely the
reason Johnath outlines. You have to send the cert to the browser, and
someone is eventually going to notice.

> It could also be
> easily to just store a local record of certs you've encountered, and
> warn you when a site's cert has changed.

It would be easy. See the "Connection Repeatability" section of this
article:
http://www.gerv.net/security/self-signed-certs/
for my explanation of why it's not a good idea for Firefox to do this by
default.

Gerv

Gervase Markham

unread,
Feb 1, 2010, 5:50:59 AM2/1/10
to
On 29/01/10 07:42, makrober wrote:
> Johnathan Nightingale wrote:
>> 1) We have never claimed as a matter of policy that our PKI decisions
>> can protect people from malicious governments. It's just not a
>> plausible promise for us to make.
>
> With due respect, "never have made the promise" just doesn't cut it in
> my eyes. To turn it around: never was there any warning to the user base
> that there is some "special class" of miscreants that Mozilla would not
> protect the users from. This can be explained (but not excused) by the
> mindset of those that instituted the process: in their minds,
> "governments",
> by definition, can't be miscreants. I and (as that discussion on
> bugzilla demonstrates) many, many, others do not share this mindset.

Anyone who is concerned about government surveillance of their
activities needs to take rather more care about the security of their
software than the average person. The default configuration of any
mass-market security software is unlikely to be suitable for their
needs. Given that, I don't think it's unreasonable to expect them to
deactivate certs from entities they don't trust. (And this will be a
different set of certs for different people.)

> Perhaps it is time to review the process. It would be smart to take Mozilla
> out of the trust business. At the very least, all root certificates that
> are included should not be trusted until the user explicitly turns those he
> or she knows and trusts (and needs for his or her transactions) on.

That is an utterly impractical suggestion, and would be
counter-productive - faced with a barrage of "please approve me"
requests, users would either a) click "Yes", "Yes", "Yes" or b) abandon
Firefox for a browser which didn't irritate them nearly so much.

Gerv

Gervase Markham

unread,
Feb 1, 2010, 5:56:34 AM2/1/10
to
On 28/01/10 12:50, crewlay wrote:
> Is also very absurd to directly built such a notorious hated certificate
> into the widely accepted open-source software in prc, almost everyone
> are looking for method how to remove it after being aware of the
> bulletin for either potential ssl hijack or consistent disgusted with
> cnnic, and it's so simple to prove that either protest poll or something
> similar.

If you wish to create and publicise a web page which details how to
disable roots in Firefox in general, and CNNIC's root in particular,
then you have every freedom to do that.

Without evidence of wrongdoing, there is nothing to provoke us to
action. I'm sure you'd want a similar standard of proof to be applied if
you were accused of something.

Also, I think "notorious hated certificate" is hyperbole. The latest
NetCraft statistics show CNNIC has signed the certs of 30 websites - a
tiny fraction. Of course, NetCraft's coverage may be incomplete.

Gerv

makrober

unread,
Feb 1, 2010, 8:29:34 AM2/1/10
to dev-secur...@lists.mozilla.org
Gervase Markham wrote:

> Anyone who is concerned about government surveillance of their
> activities needs to take rather more care about the security of
> their software than the average person.

For those defining and implementing technical infrastructure of
protection and security, it is worth giving a bit of thought to
the following issues:

1) what defines a "government"?

2) why should such participants be, by definition, exempt from the
the list of potential miscreants?

3) If we allow a certain class of miscreants to be exempt from
the security our software offers, how do we make sure that the
user base understands that there are such exemptions?

MacRober

tophits

unread,
Feb 1, 2010, 8:49:22 AM2/1/10
to lihlii-g
Dear Gervase,

There are many evidences that CNNIC is not trustable. It's not a
"hyperbole".
Please do some investigation before you conclude.

There can be a lot of websites signed by CNNIC CA. This says nothing
about whether it's trustable or not.
There are more websites that you can count that carries certain
malware. Is the number a proof that the malware is trustable?

tophits

unread,
Feb 1, 2010, 8:51:44 AM2/1/10
to
On Feb 1, 11:48 am, Gervase Markham <g...@mozilla.org> wrote:
> However, I strongly suspect that any government which was putting
> pressure on a CA to issue certs for surveillance purposes would use
> those certs only in very limited circumstances - for precisely the

Gerv, you're missing the case when a rogue government is trying to
intercept public websites like gmail.
Then the users in China might get a different fake certficate of
mail.google.com!

tophits

unread,
Feb 1, 2010, 8:54:36 AM2/1/10
to
Do you mean this by the Mozilla policy? It's really irresponsible to
talk about user's security like this.

tophits

unread,
Feb 1, 2010, 9:03:39 AM2/1/10
to lihlii-g, 网络安全
Now I conclude that it's a waste of time to convince the Mozilla guys
of the level of danger that the inclusion of a rogue CA will cause to
the users. Let them ruin the reputation of Firefox. Let them pretend
that it's not a problem. :)

It's more efficient to start trying to make Certificate Patrol or
something alike into a better addon for the defective certificate
manager of Firefox. At least we can help those prudent people who
treasure their privacy and security.

The new addon should help the users to remove rogue CAs and immune the
browser from accepting them in the future.
Surely the immunity list should be editable by the user. Let's bring
full control of trust back to the users.

tophits

unread,
Feb 1, 2010, 9:06:17 AM2/1/10
to
Dear Gervase,

Do you think "average person" can live with malware that is
unremovable from their system once installed, and spy on their web
activities?

If your answer is "yes", then you go with CNNIC. :)

On Feb 1, 11:50 am, Gervase Markham <g...@mozilla.org> wrote:

Test Test

unread,
Feb 1, 2010, 9:54:24 AM2/1/10
to
CNNIC is absolutely an evil.
If firefox trusts CNNIC, then I think the words "We believe that the
internet should be public, open and accessible." should be removed
from mozilla home page.

tophits

unread,
Feb 1, 2010, 10:24:31 AM2/1/10
to lihlii-g
Chinese users started a vote page here to remove CNNIC CA from default
installations:
https://spreadsheets.google.com/viewform?formkey=dGctTVY0Y3VxX3lrXzZoeG90WDFBVXc6MA

And here is the vote result:
https://spreadsheets.google.com/pub?key=tg-MV4cuq_yk_6hxotX1AUw&output=html

Currently,
376 users don't trust CNNIC.
4 users don't know whether to trust CNNIC.
3 users trust CNNIC.

If you can read Chinese and do a simple google search of "CNNIC 根证书
(root certificate in Chinese)" and you will see how the Chinese users
react to this new addition. If you can't read Chinese, Google
translate can help to understand more or less the content.

Please read this machine translation of some Chinese blogs to evaluate
the possible consequences of adding CNNIC as root CA:

When network security mechanisms encountered in the core of rogue
government
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://oogami.name/799/&sl=zh-CN&tl=en

CNNIC CA: far the most the most serious safety warning!
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://autoproxy.org/zh-CN/node/66&sl=zh-CN&tl=en

CNNIC, I do not trust you! - Drive CNNIC out of "trusted root
certificate"
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://felixcat.net/2010/01/throw-out-cnnic/&sl=zh-CN&tl=en

fire alarm, theft prevention, anti-CNNIC, remove the root certificate
CNNIC way!
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://www.google.com/search%3Frlz%3D1C1GPCK_en___NL364%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%25E9%2598%25B2%25E7%2581%25AB%25E9%2598%25B2%25E7%259B%2597%25E9%2598%25B2%25E7%259B%2591%25E6%258E%25A7%25E9%2598%25B2CNNIC,%25E5%2588%25A0%25E9%2599%25A4CNNIC%25E6%25A0%25B9%25E8%25AF%2581%25E4%25B9%25A6%25E7%259A%2584%25E6%2596%25B9%25E6%25B3%2595%25EF%25BC%2581

Chinese netizens launched action against the root certificate CNNIC
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://www.rfa.org/mandarin/yataibaodao/CNNIC-01292010114844.html

Why Internet users do not trust the root certificate of CNNIC
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://allinfa.com/cnnic-root-certification.html

how to remove the root certificate of CNNIC under FIREFOX Apple
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://www.zuola.com/weblog/%3Fp%3D1454

Treated the same as the Green Dam [1], the CNNIC root certificate from
your computer to expel
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://hi.baidu.com/litiejun/blog/item/8c6d38d8409a3f3e32fa1c73.html
[1] Green Dam Youth Escort http://en.wikipedia.org/wiki/Green_Dam_Youth_Escort

How to prevent a CNNIC not trusted certificate
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://blog.lzzxt.com/394

On Feb 1, 11:50 am, Gervase Markham <g...@mozilla.org> wrote:

Simon

unread,
Feb 1, 2010, 11:06:16 AM2/1/10
to
Hi Gerv,
I am from China. I just don't trust CNNIC. But I agree with what
you said.We indeed could not find any evidence to prove it.But I
reserve that rights to reject it. People outside China just can not
understand things happening in China. It is the coldest winter days
from 2009 till now. I dont want to argue about the politics.We just
want Firefox listen to users from China ,that CNNIC may not do
anything bad in CA problem by now (but it did lots of other bad
things),but as it is under GOV control, no one knows what it would do
when GOV asks it to. You said "CNNIC is innocent until proven guilty
- an important cornerstone of justice",it is right for the criminal
judge, but not for CNNIC CA. It is too late when it does something
wrong ,maybe,no one even notice what it has done because Firefox
trusts it. So for that situation,how am I supposed to provide any
evidence?

Best wishes,
Simon.

PS. It take me 15 minutes to post my reply here. The proxy is so slow.
I can not access google group directly due to the GFW.

Johnathan Nightingale

unread,
Feb 1, 2010, 12:44:43 PM2/1/10
to makrober, dev-secur...@lists.mozilla.org
On 1-Feb-10, at 8:29 AM, makrober wrote:

> Gervase Markham wrote:
>
>> Anyone who is concerned about government surveillance of their
>> activities needs to take rather more care about the security of
>> their software than the average person.
>

> For those defining and implementing technical infrastructure of
> protection and security, it is worth giving a bit of thought to
> the following issues:
>
> 1) what defines a "government"?
>
> 2) why should such participants be, by definition, exempt from the
> the list of potential miscreants?
>
> 3) If we allow a certain class of miscreants to be exempt from
> the security our software offers, how do we make sure that the
> user base understands that there are such exemptions?


These are are a heady mix of non-sequitur and strawman, and I sort of
think you know they are.

I am certainly not proposing to give government CAs carte blanche, nor
(I'm quite sure) are others on this thread. No one but you is talking
about exempting anyone. What we have said is that, on the one hand,
the reality is that a motivated government is a sufficiently
formidable opponent that technological measures are unlikely to be
sufficient on their own, and, on the other hand, that our CA program
is governed by a set of policies which don't particularly care about a
CA's affiliations, they care about a CAs behaviour.

Show us that the CA is mis-issuing, or otherwise contravening our CA
policy. Discussions about their wikipedia page or opinions about the
communist party or (heaven help us) the definition of government are
profoundly off topic for this newsgroup, much less this thread.

J

---
Johnathan Nightingale
Human Shield
joh...@mozilla.com


Eddy Nigg

unread,
Feb 1, 2010, 12:48:02 PM2/1/10
to
I left a similar comment at the bug
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c56

As a member of the team that reviews regularly CA inclusion requests, I
believe that if the allegations and concerns would have been raised
during the public discussion, the request to include this CA root would
have been looked at more into depth and might have been put on ice for a
while in order to learn more about it and its implications.

Now that we are after the fact of the inclusion, removal of a root
requires some specific evidence. Additionally it appears that this root
is also cross-signed by another notable CA, removal of the root wouldn't
produce the desired result.

I suggest to walk the extra mile and raise the claims and allegations
made with the CA which cross-signed this root for a better
understanding. This understanding might help to evaluate and perhaps
also refute the claims and concerns made for the benefit of all
parties. Maybe also a statement from that CA would perhaps help to
understand which controls are in place to prevent actual misuse on part
of CNNIC.

Special note to Kathleen: I'm a bit surprised to learn that some CA
roots which are requested to be included are already cross-signed by
another already trusted CA. I would like to suggest and request to have
such facts disclosed properly during the information gathering phase.
Could you make this part of the information you gather before the
discussion here?

tophits

unread,
Feb 1, 2010, 12:56:49 PM2/1/10
to lih...@googlegroups.com, 网络安全
On Feb 1, 6:44 pm, Johnathan Nightingale <john...@mozilla.com> wrote:
> is governed by a set of policies which don't particularly care about a
> CA's affiliations, they care about a CAs behaviour.

Dear Johnathan,

1. Do the "policies" include consideration of the previous behaviours
of an application of a CA?

2. Do the "policies" exclude organizations who intentionally spread
unremovable malware, who actively aided to crack down freedom of
speech making use of their control over DNS registration as qualified
root CA?

3. Considering the behaviours that CNNIC did, why do you think they're
qualified but many Chinese users don't think CNNIC is a qualified CA?
What's wrong with the Chinese people [1]?

[1] Chinese users started a vote page here to remove CNNIC CA from
default
installations https://groups.google.com/group/mozilla.dev.security.policy/msg/6fd806b92d1e5eb1

tophits

unread,
Feb 1, 2010, 12:40:56 PM2/1/10
to
People who were blocked from access to usenet newsgroups or mozilla security discussion group [1] can try to subscribe to the mailing list [2], so you can receive and post messages to the same group.

You can also try to access the mozilla.dev.security.policy group through the usenet news server news.mozilla.org.  You can configure your news client (Thunderbird, Outlook Express, Windows Live Mail, MS Office Outlook, etc.) to access usenet newsgroups.  But seems messages posted through the googlegroups is not synchronized to news.mozilla.org yet.

For completeness of the discussion thread, I copy mine and related messages from the Mozilla Bugzilla page [4].

References:

[1] https://groups.google.com/group/mozilla.dev.security.policy/
[2] https://lists.mozilla.org/listinfo/dev-security-policy
[3] http://www.mozilla.org/community/developer-forums.html
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=476766


lihlii 2010-01-27 05:32:14 PST
Please remove this root CA!  We Chinese users don't trust CNNIC.

Liu Yan said: 2)CNNIC is not a Chinese Government organization.

He is cheating!  CNNIC is an infamous organ of the Chinese Communist government
to monitor and control the Internet in China.  For secrete reasons they even
distributed spyware by making advantage of their administration privilege:

http://en.wikipedia.org/wiki/China_Internet_Network_Information_Center#Malware_Production_And_Distribution

They're one of the tools used by the CCP government to censor the Internet
users.  If CNNIC root certificate is added by default as Builtin Object, they
can forge verified gmail certificates to cheat the Chinese users by using MITM
attack against the SSL protocol.

Please be alert of CCP government agents.

We object the adding of such untrusty CA to the Firefox Project!  Please see
the reaction of the users:

https://twitter.com/#search?q=CNNIC
superjet 2010-01-27 06:08:28 PST
From McAfee siteadvisor about cnnic.net.cn:
...
When we tested this site we found links to tech.sina.com.cn, which we found to
be a distributor of downloads some people consider adware, spyware or other
potentially unwanted programs.
...

http://www.siteadvisor.com/sites/cnnic.net.cn
[reply] [-]Comment 20Eddy Nigg (StartCom) 2010-01-27 06:16:24 PST
I've posted a message to the mozilla.dev.security.policy mailing list under the
title CNNIC Root Inclusion. Please join and add your comments there.

Unfortunately you are bit late - a public discussion was held at that mailing
list according to the processes of CA root inclusions of Mozilla. Your concerns
could have been heard at that time and addressed accordingly.
[reply] [-]Comment 21Yuki Sea 2010-01-27 11:03:25 PST
If we include this cert, PRC government can hijack any SSL session WITHOUT any
warming to user.
PRC government always monitor online activities of chinese pro-democracy
people.
You know what's Google happening.

We need to protect the user whether it is political or not.
[reply] [-]Comment 22T4 2010-01-28 04:28:55 PST
I DO NOT trust CNNIC. 
Most of the Chinese INTRANET(behind GFW) users know that CNNIC is full of
UNREMOVABLE IE toolbars and lies.
[reply] [-]Comment 23Roger Ye 2010-01-28 06:06:19 PST
As a Shanghai resident, I totally agree with lihlii in Comment 18 and Yuki Sea
in Comment 21, CNNIC is infamous in China and it has a lot of connections with
the government and GFW, I think there's no need to provide more evidence as we
all know what GFW is, and the recent incident happened to Google China says its
all.

Seriously, please take CNNIC out of the trusted Root CA list.

This bug should be reopen as rejected and the changes should be rollback.

Thanks
[reply] [-]Comment 24Bing Xie 2010-01-28 06:29:27 PST
Mozilla should really reconsider the decision or most Chinese users will no
longer use Mozilla products.

Being a former Chinese resident, I still remembered years ago CNNIC
automatically installed their UNREMOVABLE system drivers to our systems by
using IE 6 bugs. CNNIC is really a gangster.

It has very closed tie with Chinese government and CPC (or CCP).

I'm seriously worried that CNNIC will use this to help Chinese government to
hijack SSL seesions to monitor user activities.
[reply] [-]Comment 25Ruogu Ding 2010-01-28 14:38:51 PST
It is incredible that CNNIC is taken as "authority". I just cannot trust in an
organization who spreads unwanted adwares. Who can guarantee CNNIC  . Almost
everyone I know who concerns computer network and security is against this
update.
[reply] [-]Comment 26Ruogu Ding 2010-01-28 14:47:10 PST
Excuse me, I meant, who can guarantee CNNIC would not certificate gmaiI.com as
gmail.com and phish my gmail password?

Also, please be reminded that discussion is going on here, though I cannot
access in the GFW:
http://www.mozilla.org/community/developer-forums.html#dev-security-policy
[reply] [-]Comment 27Eddy Nigg (StartCom) 2010-01-28 14:49:43 PST
You can use Google Groups at
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/17be3bd7e0b33e8c#
(doesn't this work for you?)
[reply] [-]Comment 28Ruogu Ding 2010-01-28 14:59:05 PST
It doesn't work, while other groups work.
Bing Xie 2010-01-28 21:41:13 PST
Liu Yan, are you kidding?

On CNNIC website, it's clearly stated that CNNIC is directly administrated by
both "Ministry of Industry and Information Technology of the PRC" and Chinese
Academy of Sciences (budget controlled by the government).

You are right, CNNIC is not a government, but it's directly managed by the
government and did everything that Chinese government asked it to do.

We don't care whether CNNIC is going to hijack SSL sessions directly for the
agents or not. The problem is when government order CNNIC to issue dodgy
certificates to play the MITM games, CNNIC simply can't say no.
Eddy Nigg (StartCom) 2010-01-29 06:05:03 PST
Johnath, there appears to be a problem accessing the mailing list. Can somebody
look into this?
[reply] [-]Comment 33lihlii 2010-01-29 12:41:57 PST
http://groups.google.com/group/mozilla.dev.security.policy/msg/c8b17194941a744d

Liu Yan said [4][5], "obviously CNNIC is not a government", but "just offers
service on technology and research"[4].

1. Is it considered by CNNIC as "service on technology and research" to spread
malware with administrative power to spy on Internet users?

2. Is it considered by CNNIC as "service on technology and research" to ban
personal website registration in the .cn domain space [1][2][17]?

3. CNNIC banned the DNS resolving of a lot of independent websites, such as
bulllog.cn [1][2].  Is this considered by CNNIC as your way of "service" of
"registry for Chinese Domain Name"[4]?  Is this considered by CNNIC as "the
similar role as VeriSign"[4]?

4. Is CNNIC "qualified with the international criteria"[4] as a trustworthy
certificate authority?

5. Why did Liu Yan try to mask the real face of the PRC governmental nature of
CNNIC [5]?  Why did he even tried to hide the application by setting the bug
report to "Restricted Visibility"[6] at first?

6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet
security"[5].  Is it considered by CNNIC as "operation to protect Internet
security" by spreading unremovable malware to spy on users' Internet activities
exploiting security flaws of the browsers, as CNNIC did [9][18]?

Liu Yan further claimed that "the WebTrust audit for government is much simpler
compared to company"[4].

So do you think CNNIC is a government or not?  If CNNIC is controlled by the
PRC government, why don't you dare to clearly admit it, but misled the readers
by posing as a "just offers service on technology and research" [4]?  What's
the motivation to hide the real identity of CNNIC? :)

Liu Yan said: "There is no possible for us to monitor the user's actions or do
some attacks. I think every technical personnel knows that."[4]

Unfortunately, this is an arrant lie.  CNNIC not only DID "monitor the users'
actions" with intentionally spreaded malware [9], but also cooperated actively
with the PRC government to crack down independent blogs and websites
[1][2][17].  It's also highly possible that they may actively cooperate in MITM
attacks with such a government which attacked [15][16] its citizens, as well as
dozens of companies and many computers of foreign civil organizations and
government offices [10][11].

Further, Is PRC government a decent government?

Should a government put all their citizens in an information jail by building a
GFW (Great Firewall) [7][8][14] to block their access to Internet?
Should a government enforce news and speech censorship [14] on all the websites
including search engines to block criticism on the crimes they committed?
Should a government jail journalists and writers for their free speech [14]?
Should a government kill the college students and citizens with guns, and roll
over the bodies of college students with tanks? [19]
Should a government cheat the world by hiding information about SARS and
melamine contaminated milk[3] which caused repetitive man-made disasters, and
further punish those who told the truth?

Is this PRC government a real government, or is it a maffia group? :)

Liu Yan claimed that the CNNIC is a subordinate of "Chinese Academy of
Sciences".  Let's take a look at what kind of "research" the "Chinese Academy
of Sciences" has done before. :)

The Institute of Acoustics, Chinese Academy of Sciences closely cooperated with
the PRC government in Internet censorship.  Same as CNNIC which "takes orders
from the Ministry of Information Industry (MII)" [26], they developed some
natural language machine understanding algorithms for Internet text censorship
[25].  The target of their research is to distinguish speeches of the opponents
of the government from those of the proponents, which general keyword based
filtering can't achieve.  Their "research" was already deployed in the
censorware "Green Dam"[22][23], which was orderd by the MII to be installed on
each new PC in manufacturing process.  Although this plan failed, they must
have started some other plots to achieve the same goal.

> 根据“绿坝-花季护航“软件官方网站(http://www.lssw365.net)的介绍
>
>   2008年7月,在工业和信息化部的直接领导下,两家成交供应商项目负责人和主要项目人员共同组成绿色上网过滤软件项目工作组,全面负责“绿坝·花季护航”绿色软件的研发、推广及相关服务工作。[...]更好的配合第三方监测机构的监测工作,确保绿色上网过滤软件项目的顺利实施。 [20]
>
> According to the official website of "Green Dam - Youth Escort" (http://www.lssw365.net):
> In July of 2008, under the direct administration of the Ministory of Industry and Information, the project managers and major staffs of the two chosen suppliers formed a green Internet filtering software project workgroup which was in full charge of development, deployment and relative services of the "Green Dam - Youth Escort" green software. [...] for better cooperation in monitoring the web with third party monitoring organs (of the government) to ensuresuccessful implementation of the green Internet filtering software project. [20]

> 链接:http://www.ccgp.gov.cn/gzdt/366770.shtml
>   
>   2008年5月,工信部发布了一份《“绿色上网过滤软件产品一年使用权及相关服务采购”竞争性谈判结果的公告》:
> 一、采购人:中华人民共和国工业和信息化部
> [...]
> 四、成交供应商:郑州金惠计算机系统工程有限公司、北京大正语言知识处理科技有限公司 [...]
>     北京大正语言知识处理科技有限公司成交19,900,000元整(大写:壹仟玖佰玖拾万元)。[21]
>
> Link: http://www.ccgp.gov.cn/gzdt/366770.shtml
> In May 2008, The Ministry of Industry and Information issued an "Announcement of Competitive Negotiation Results for '[Governmental] Purchase of One Year Usage Licence and Related Services of Green Internet Filtering Software Product'"
>
> A. Purchaser: Ministry of Industry and Information, PRC
> [...]
> D. Chosen Supplier: Jinhui Computer System Engineering Inc., Zhengzhou City. Beijing Dazheng Language and Knowledge Processing Technology Inc. [...]
> Beijing Dazheng Language and Knowledge Processing Tech. Inc. got a project valued 19,900,000 CNY (About 2.9 million USD). [21]

> [...] 与中科院声学所合作注册成立了北京大正语言知识处理研究院 [20][21]
>
> [...] established the Beijing Dazheng Language and Knowledge Processing Tech. Inc. together with the Institute of Acoustics, Chinese Academy of Sciences. [20[21] 

> @gonewater: 绿坝软件两开发商之一北京大正的董事长陈小盟,[...]其在中科院声学所主持开发的HNC网络信息过滤器,2003年实现了语义分析与过滤,并被率先运用在反轮子战线上 #greendam [21][24]
>
> @gonewater [a twitter user]: As the chairman of the board of Beijing Dazheng company which is one of the two developers of the "Green Dam" software, he was in charge of the development of HNC Internet Information Filter at the Institute of Acoustics, Chinese Academy of Sciences.  The filter achieved semantic analysis and filtering in 2003 and was used primarily in the battle against the Falungong [27]. [21][24] 

> 郑州金惠计算机系统工程有限公司和北京大正语言知识处理有限公司,他们是该软件的联合开发者,前者主要负责图像过滤,后者主要负责文字过滤。[21] - 南方周末记者 胡贲 实习生 郭仕鹏 2009-06-10 23:45:12
>
> Zhengzhou Jinhui Computer System Engineering Inc. and Beijing Dazheng Language and Knowledge Processing Tech. Inc. teamed up in the development of the filtering software.  The former one was responsible for the image filtering part, while the later one was responsible for the text filtering part. [21] - Report on the newspaper "Southern Weekend" by Ben Hu, 10 June 2009. 

> 中国科学院声学研究所HNC研究团队集多年从事自然语言理解处理的核心技术,成功研发出具有语义理解特点的“网络不良信息检测系统”,将为净化网络世界的内容做出贡献。目前这一系统主要针对网络上出现的色情、反动、低俗等不良信息,根据指定的网站自动进行内容下载、检测并给检测报告。不同于以往的基于关键字词的检测系统,能够区分出不良信息和批判不良信息的网页内容,对不能做出判断的内容还能提出警告,供人工判别。[25]
>
> The HNC research team of the Institute of Acoustics, Chinese Academy of Sciences combined the core techniques they acquired through many years of research they did on natural language understanding and processing and successfully developed a "Internet Bad Information Detection System" featuring semantic understanding capabilities.  It will contribute to the clean-up of the content in the Internet world.  Currently this system is primarily targeted at erotic, counter-revolutionary and vulgar information appeared on the Internet.  It can download content automatically from specified websites, detect and present reports.  Deferent from previous keyword based detection systems, it can distinguish web pages of bad information from criticisms against bad information.  For those pages that it fails to judge, it can raise a warning message for human judgement. [25] 


References:

[1] Bullog.cn http://en.wikipedia.org/wiki/Bullog.cn
[2] 牛博网 http://zh.wikipedia.org/wiki/%E7%89%9B%E5%8D%9A%E7%BD%91
[3] 2008 Chinese milk scandal / Censorship
http://en.wikipedia.org/wiki/2008_Chinese_milk_scandal#Censorship
[4] Liu Yan: Every technical personnel knows that; 2010-01-28 17:40:47 PST;
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c29
[5] Liu Yan: CNNIC is not a Chinese Government organization; 2009-02-15
23:01:59 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c5
[6] Kathleen Wilson: This bug is set for Restricted Visibility; 2009-02-11
11:43:10 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c4
[7] Golden Shield Project http://en.wikipedia.org/wiki/Golden_Shield_Project
[8] 金盾工程 http://zh.wikipedia.org/wiki/%E9%87%91%E7%9B%BE%E5%B7%A5%E7%A8%8B
[9] China Internet Network Information Center; / Malware Production And
Distribution; 
http://en.wikipedia.org/wiki/CNNIC#Malware_Production_And_Distribution
[10] GhostNet; http://en.wikipedia.org/wiki/Ghostnet
[11] 幽灵网; http://zh.wikipedia.org/wiki/%E5%B9%BD%E7%81%B5%E7%BD%91
[12] David Drummond, SVP, Corporate Development and Chief Legal Officer: A new
approach to China; http://www.webcitation.org/5n92WuwKT =    
http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
[13] 中华人民共和国网络审查;
http://zh.wikipedia.org/zh-cn/%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E7%BD%91%E7%BB%9C%E5%AE%A1%E6%9F%A5
[14] Internet censorship in the People's Republic of China;
http://en.wikipedia.org/wiki/Internet_censorship_in_the_People's_Republic_of_China
[15] 极光行动; http://zh.wikipedia.org/wiki/%E6%9E%81%E5%85%89%E8%A1%8C%E5%8A%A8
[16] Operation Aurora; http://en.wikipedia.org/wiki/Operation_Aurora
[17] CNNIC Halts Website Domain Name Registration For Individuals In China;
December 15, 2009;
http://www.chinatechnews.com/2009/12/15/11208-cnnic-halts-website-domain-name-registration-for-individuals-in-china
[18] 中国互联网络信息中心;
http://zh.wikipedia.org/wiki/%E4%B8%AD%E5%9C%8B%E4%BA%92%E8%81%AF%E7%B6%B2%E7%B5%A1%E4%BF%A1%E6%81%AF%E4%B8%AD%E5%BF%83#.E7.88.AD.E8.AD.B0
[19] Tiananmen Square protests of 1989;
http://en.wikipedia.org/wiki/Tiananmen_Square_protests_of_1989
[20] Reports about Green Dam;
https://groups.google.com/group/lihlii/msg/cff76953d4508ad7
[21] Analysis of the Green Dam Censorware System;
https://groups.google.com/group/lihlii/msg/64b28befc01f8394
[22] Green Dam Youth Escort; http://en.wikipedia.org/wiki/Green_Dam
[23] 绿坝·花季护航;
http://zh.wikipedia.org/zh-cn/%E7%B6%A0%E5%A3%A9%C2%B7%E8%8A%B1%E5%AD%A3%E8%AD%B7%E8%88%AA
[24] 中科院声学所主持开发的HNC网络信息过滤器,2003年实现了语义分析与过滤,并被率先运用在反轮子战线上;
http://twitter.com/rmack/statuses/2090288450
[25] jiangzuyu: 中科院声学所成功研发网络不良信息检测系统; 网脉e代社区论坛; 2009-2-12 10:43;
http://www.webcitation.org/5n9L4Z4mq =
http://community.wm360.cn/space/index.php/viewthread-67157.html
[26] CNNIC takes orders from the Ministry of Information Industry (MII) to
conduct daily business; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c14
[27] Falun Gong / Continued protests and statewide suppression;
http://en.wikipedia.org/wiki/Falun_Gong#Continued_protests_and_statewide_suppression
lihlii 2010-01-29 13:57:49 PST
Dear Johnathan,

Do you think certificates from liars should be included in Firefox? :)
[reply] [-]Comment 36lihlii 2010-01-29 14:43:18 PST
Jonathan: might well yank trust for any CA that was complicit in MitM attacks.

lihlii:
Does the word "was" mean that until the MitM attack happened, any organizations
can put their root CA certificates in Firefox provided that they can buy
endorsement "services" from accountant companies like Ernst&Young [1] to
acquire "trust" from webtrust.org
?

The real concern of many Chinese programmers is not about "was", but "may", as
CNNIC already "DID" quite some dirty things before!  Now it's a new capability
that the inclusion of root certificate of CNNIC will grant to the PRC
government.

Anyway, since they already got secondary CA certificate issued by Entrust.net,
adding CNNIC as root CA is not introducing more problems.  But this discussion
is an alert on the trust model of PKI when we face a rogue government and their
minion organizations.

We should improve the browser to ask for permissions from the end users to
grant trust to each root CA when it's used in each session (not only at the
first time), clearly display the certificate signing path, and warn them of any
change in certificates (to be alert of a MitM attack).  This seems paranoiac
but it's because we're facing real threats of attacks from a powerful rogue
government, from which even big companies like Google and well equipped
government offices suffered.

The security model of SSL was practically in danger because of the design flaws
 of the browser to place blind trust on root CAs without consent from the
users.  Since the CA certificates of rogue government agencies were added, we
should consider Firefox as a rogue government controlled browser in the default
configuration.

[1] https://cert.webtrust.org/SealFile?seal=935&file=pdf
Eddy Nigg (StartCom) 2010-01-29 15:12:13 PST
(In reply to comment #36)
> Jonathan: might well yank trust for any CA that was complicit in MitM attacks.
> 
> lihlii:
> Does the word "was" mean that until the MitM attack happened, any organizations
> can put their root CA certificates in Firefox provided that they can buy
> endorsement "services" from accountant companies like Ernst&Young [1] to
> acquire "trust" from webtrust.org?

Again, Bugzilla should not be used for advocacy! Nevertheless a short reply. I
know Ernst & Young and have performed audits with them myself. Hence I'm
trusting their attestation.

However it's common for CAs to comply to local laws and there might be a
problem if the law would allow MITM attacks on its citizens. This would be
counter to the Mozilla CA policy, even if a notable auditor audited the CA and
the CA has disclosed its adherence to the local laws correctly.

> 
> The real concern of many Chinese programmers is not about "was", but "may", as
> CNNIC already "DID" quite some dirty things before!  Now it's a new capability
> that the inclusion of root certificate of CNNIC will grant to the PRC
> government.

I think Johnathan made it clear that Mozilla is sensible to this concern. 

> Anyway, since they already got secondary CA certificate issued by Entrust.net,
> adding CNNIC as root CA is not introducing more problems.

Thanks for notifying on that. In this case there is indeed not much more to do
here - on the other hand, there is another entity responsible in case anything
bad should happen in the future and as long their CA is cross-signed by another
CA.

> The security model of SSL was practically in danger because of the design flaws
>  of the browser to place blind trust on root CAs without consent from the
> users.

This has nothing to do with what you reported and discussions on this should be
held elsewhere. For me this is a non-starter and a distraction from the
original concern. Please keep advocacy for new ideas out of this bug.
[reply] [-]Comment 38Eddy Nigg (StartCom) 2010-01-29 15:40:45 PST
(In reply to comment #29)
> In addition, CNNIC only offers server certificate now. The technology and
> authentication of issuing certificates is qualified with the international
> criteria. There is no possible for us to monitor the user's actions or do some
> attacks. I think every technical personnel knows that.

I'm sorry, but that's nonsense. Probably not every employee at the CA is able
to create certificates for attacking a certain target, depending on the
controls in place. But with the necessary authority, CAs indeed could issue
certificates wrongfully which could be used for MITM attacks. Not admitting
this fact shows either a lack of knowledge or just blunt denial. Neither helps
your cause either.

As such, the concerns which were raised are regarding web server certificates
and interception of traffic.
[reply] [-]Comment 39lihlii 2010-01-29 17:14:39 PST
J:
we'd carefully review and might well yank trust for any CA that was complicit
in MitM attacks.

L:
The problem is that, CNNIC might have already aided some MitM attacks with
their secondary CA certificate signed by Entrust.net root CA before CNNIC was
added as root CA.  Because the MitM attack is difficult to be carried out on a
large scale, the PRC government mainly targeted at specific users (such as
highly sensitive political dissidents) who often lack of knowledge to check the
server certificate to determine whether it's real.

All we're worried about is "trust".  Can we put a CA certificate that many
Chinese programmers don't trust at all into the release package?  What will be
the consequences?

The repetitive hijacking of gmail accounts of dissidents by the PRC government
secret agents (Political Defend Police like Starsi of former East Germany)
might be achieved with SSL hijacking, besides trojan-horse phishing email.

I think it's a detriment to the user trust on Firefox to add CNNIC (notorious
in Chinese programmers community, while powerful enough to buy whatever
certificates they need) root CA.  Yet it's not safe by simply removing it. 
There should be a way to return the ability and authority of judging whether to
trust a CA to the users, not unconditionally decided by the browser as it's
implemented now.  Currently an experienced user can inspect the certificate
signing chain to check whether the root CA is trustworthy; while layman users
need more help from an improved UI to alert them of possible vulnerabilities
and guide them through steps to check the certificate chain of the HTTPS
session.

Furthermore, some Chinese programmers observed [3] that the certificates of
; the browser users trust CNNIC because
the they trust the browser.  But the users in fact don't trust CNNIC at all! 
The result is: the users were forced to trust CNNIC silently.  Experienced
users take the trouble to remove or disable the CNNIC certificates, while the
majority of non-technical users just don't know they're trusting CNNIC because
of their browser!


References:

[1] David Drummond, SVP, Corporate Development and Chief Legal Officer: A new
approach to China; http://www.webcitation.org/5n92WuwKT =    
http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
[2] zuola: 关于GMAIL安全证书的疑问
https://groups.google.com/group/lihlii/browse_frm/thread/92be93b6648af29/
[3] Google 的证书更新了 可能是因为数字证书密钥被窃 警惕假冒数字证书

[reply] [-]Comment 40Cheng Renquan 2010-01-31 16:50:32 PST
please remove (CNNIC) CA Root Certificate

firefox Users from Singapore,
[reply] [-]Comment 41Jack 2010-02-01 00:04:38 PST
About the extend of MITM attacks already widely deployed in China, one can
refer to the Harvard study "Empirical Analysis of Internet Filtering in China" 
that repeated documented this:

"the authors prepared screenshots documenting the September 2002 redirection of
requests for google.com to other search engines."
"some newer forms of Chinese filtering -- namely, redirection of a request for
a sensitive web site to another web site"
"DNS Filtering/Redirection and Its Implications"
"For some 1,043 of sites tested, we confirmed that DNS servers in China report
a web server other than the official web sever actually designated via each
site's authoritative name servers."
http://cyber.law.harvard.edu/filtering/china/
http://cyber.law.harvard.edu/filtering/china/appendix-tech.html#dns

As mentioned in Comment #30, CNNIC is directly administrated by
"Ministry of Industry and Information Technology of the PRC" (budget controlled
by the government).  So when the government orders CNNIC to issue fake
certificates to perfect its MITM attacks, CNNIC simply can't say no.

So, if this root certificate crisis is not properly addressed, it's very likely
that in a couple years, the relatives of some Tibetan or Falun Gong, or home
church followers would sue Microsoft and Mozilla in U.S. for assisting the
Chinese Communist regime to steal their email passwords using faked websites
and certificates so could login to their real accounts later leading to their
imprisonment, just like someone did against yahoo
(http://www.rsf.org/Yahoo-settles-lawsuit-by-families.html).
lihlii 2010-02-01 03:38:17 PST
Gerv:
> If and when evidence, rather than allegations, is produced of bad certificate
> issuance, we will swiftly consider it.

Please consider it seriously.  General non-programmer users don't even know
there is such a root CA security problem.  They don't know their browser
trusted a notorious CA.  If they knew, they would have reacted by removing it.

Most people even don't know there is a Certificate Patrol addon.  Please
consider make it a built-in function.  The web is in danger of a mafia group
attacking the people who're not equipped with enough knowledge of protecting
themselves.  If Firefox will be a safe browser, it should take security
considerations serious.

Hijacking is done in a national wide scale by the rogue government in PR China.
 Please never wait until the foreseeable crime happens and some innocent people
already harmed by careless decisions of software developers.  Then it's too
late to react.
Jack 2010-02-01 06:56:18 PST
Gerv, is MITMing 1,043 sites already "on a nationwide scale"?  The widely
quoted Harvard study already proved that, see
http://cyber.law.harvard.edu/filtering/china/appendix-tech.html#dns .  If this
happened in UK/US the criminal is already rounded up.  But no, this is in
China, so the criminal is still "innocent" looking just like you and me, or
worse, that criminal now also controls root certificate, ready to complete
deadly attack any second.  We can wait until word spread that certain cert is
faked by CNNIC, but very likely at that time some victims are already tortured
and jailed and their relatives filed lawsuit against Mozilla just like in the
yahoo case (http://www.rsf.org/Yahoo-settles-lawsuit-by-families.html).

Many people do not know how much the never-elected Chinese Communist
"government" can do to average citizens.  See New York Times report
http://www.nytimes.com/2010/01/16/world/asia/16china.html
on how they treated Zhisheng Gao, a Christian lawyer, by "more than a month of
torture that included jabs with an electric baton and the piercing of his
genitals with toothpicks. At the time, he said, his torturers told him he would
be killed if he spoke publicly about his treatment in detention."  And his
"crime"?  He "represented members of underground Christian churches and farmers
whose land had been appropriated by powerful officials. At one point, he
orchestrated a hunger strike by practitioners of Falun Gong."

Now armed with full control of MITM and root certificate, the Party just got a
more powerful weapon to persecute more people like Gao.
lihlii 2010-02-01 07:59:01 PST
It'll be too late when we present the "evidence" of bad certificate hijacking
to you.  At that time, there is no need for you to "swiftly consider" any more,
because it's too "swift". :)

You're denying the facts that countless evidences have been accumulated.  Some
are already presented as above, but you keep ignoring them.  So there is no
good talking with you like this.  We can do better things with our precious
one-time lives.

CNNIC is proven guilty countless times.  But for those people who refuse to
see, it's always innocent.
[reply] [-]Comment 48lihlii 2010-02-01 08:05:55 PST
Gerv:

Even if other organizations or governments convict
people for no crime, we do not. Provide evidence of abuse of the CNNIC root.

lihlii:

Gerv mixed the concept of a criminal law principle of "innocent before
convicted" with security guarding and trust.

Do you lock your doors until you lost your property?  Please think it over.

If Firefox excluded CNNIC Root cert, does it mean that Mozilla Foundation
convicted CNNIC as guilty?

It's all about trust!

But further than that, CNNIC was convicted by the Chinese users as guilty 
with plenty of evidences, but you refused to see.

CNNIC did too many dirty things that it doesn't have the least credit to be a
qualified CA.
[reply] [-]Comment 49lihlii 2010-02-01 08:09:38 PST
With security guarding and trust, it's the reverse principle than the criminal
law: It's about proof of goodness.  If you can't prove you're good, we can't
trust you.  If you can't proof you're secured enough, we can't be safe.

Those who defend a notorious CA using criminal law principles are neither
qualified as a criminal law expert, nor a security expert.
[reply] [-]Comment 50Jack 2010-02-01 08:37:53 PST
Gerv: 
> the Harvard study you reference says nothing about CNNIC or certificates.
> As a Christian myself, I am well aware of the persecutions that Christians and
> others undergo in China, including the case of Zhisheng Gao.

Jack: 

In China in terms of persecutin people there is no distinction between CNNIC,
the great firewall, the Communist Party, or the "government", or the "law". 
Since the Constitution of China said all should follow the leadership of the
Chinese Communist Party.

Take the Gao's case for example, was it the court who sentenced Gao?  No, they
couldn't because Gao didn't violate any law.  Was it the police who tortured
Gao?  Yes, although they have no status power on that without sentencing.  Did
the court sued or sentenced the police who illegally tortured Gao?  No, the
police are proudly taking interviews.  How could all these illegal acts happen,
and without consequence?  There must be one supreme power at China that
supersedes all law or individual institutions, which obviously including the
small cake CNNIC.
lihlii 2010-02-01 08:55:25 PST
Does an organization who intentionally spread malware qualify? :)

lihlii: We have a set of criteria all CAs must meet before being included:
http://www.mozilla.org/projects/security/certs/policy/
[reply] [-]Comment 53lihlii 2010-02-01 08:58:58 PST
Does an organization who intentionally spread malware qualify? :)

gerv:
> lihlii: We have a set of criteria all CAs must meet before being included:
> http://www.mozilla.org/projects/security/certs/policy/

> The evidence you cite in comment 39 of "strange certificate changes"

It's not direct evidence that CNNIC did that. It's a suspicion that the PR
China government stole the private keys of Google so they were forced to change
certificates in an abnormal frequency.  Please, please read my messages
carefully before you reply.

There are already plenty of evidences that you refuse to read!!  How can I say
more about these rubbish?

It's not about "protection from a government", but avoid harm from rogues!  Why
should you add a rogue in a browser and force the users to accept?!

tophits

unread,
Feb 1, 2010, 1:06:18 PM2/1/10
to
I agree mostly with Eddy.

Now removal of the CNNIC Root CA won't solve the problem, but,
practically, it helps to improve sort of security.

The imaginary scene is like this:
Now CNNIC has a secondary CA (CNNIC SSL) issued by Entrust.net, which
is included as root CA in every browser.
If one day CNNIC used its secondary CA to help an MITM attack, by luck
the victim found out, and by luck he kept an evidence successfully,
which for most of the victims attacked by the PR China government it's
impossible, because they're mostly political dissidents, human right
activists who are not computer experts.

If it's not Google that was attacked recently, the public won't know
the range and depth that the PRC government had involved in cyber
attacks against its citizens and international bodies. Though there
are already plenty of reports before the Google announcement, most
people just don't care because they pretend they're safe from the
attacks which were targeted at certain groups of people, just like the
Jews in Nazi Germany. Here Gerv also have the similar attitude:

On Feb 1, 6:48 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I left a similar comment at the bughttps://bugzilla.mozilla.org/show_bug.cgi?id=476766#c56

tophits

unread,
Feb 1, 2010, 1:35:38 PM2/1/10
to lihlii-g, 网络安全
I agree mostly with Eddy. I have more to add:

Now removal of the CNNIC Root CA won't solve the problem, but,

practically, it's about security in the future.

The imaginary crime scene is like this:

Now CNNIC has a secondary CA (CNNIC SSL) issued by Entrust.net, which
is included as root CA in every browser.

If one day CNNIC used its secondary CA to help in a MITM attack, by


luck the victim found out, and by luck he kept an evidence
successfully, which for most of the victims attacked by the PR China
government it's impossible, because they're mostly political

dissidents and human right activists who are not computer experts.
They just see the lock icon on the browser and trust it as "secure
http".

If the victims submit a report to Entrust.net, it might revoke the
secondary CA of CNNIC SSL. Well, it's none of the business of
Firefox, so they're not "provoked" [1] to act either. :)

Then the point comes to explain why CNNIC needs a root CA. They tried
to trick all the browsers to install their root CA. When the PRC
government decided it's the right time to start a new attack on gmail,
they can order CNNIC to forge a gmail certificate with their root CA,
thus unnoticed by most of the users who are not computer experts.

If by luck the victim found out, and by luck he kept an evidence
successfully, he might report to Mozilla project. If the evidence
consists of too many paragraphs, the Mozilla project security managers
might refuse to read such "spams" and the victims will be shamefully
"*losing* supporters" [2]. :) So it's none of the business of
Firefox, thus they're not "provoked" [1] to act again. :)

If the victims gathered the appropriate, precisely the suitable amount
of evidences of attacks CNNIC already DID, and for which we "can act
on"[2], then most of the time the victims already suffered big loss,
even lives. Until then, the security group of Firefox will be
"provoked" to act. :)

If it's not Google that was attacked recently, the public won't know

the range and depth that the PRC government had been involved in cyber


attacks against its citizens and international bodies. Though there
are already plenty of reports before the Google announcement, most
people just don't care because they pretend they're safe from the

attacks which were targeted at certain groups of people like the Jews
in Nazi Germany. Here Gerv also have the similar attitude: these are
not "average person". :)


References:

[1] Gervase Markham: Without evidence of wrongdoing, there is nothing
to provoke us to
action; https://groups.google.com/group/mozilla.dev.security.policy/msg/53f6e132eba7ee1f

[2] Johnathan Nightingale: We don't need 8 paragraph missives, and we
don't need copious linkage to
tangentially related news stories; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c54

On Feb 1, 6:48 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:

> I left a similar comment at the bughttps://bugzilla.mozilla.org/show_bug.cgi?id=476766#c56

makrober

unread,
Feb 1, 2010, 2:07:20 PM2/1/10
to dev-secur...@lists.mozilla.org
Johnathan Nightingale wrote:
>
> These are are a heady mix of non-sequitur and strawman, and I sort of
> think you know they are.
>

Careful review of the thread will show that I was not the first
to suggest that there is a class of certificate issuers that
should be viewed as "special", and that the product is not
really well equipped to protect its users from miscreants that
belong to that class.

I am not suggesting Mozilla does what it's publishers believe
they can not do. I am only suggesting that users deserve
information and facilities that would make it easier for them
to protect themselves. "Opting in" for all certificates would
be my choice. An installation-time option that would ask users
simply: [do you want to accept all "trusted authorities" that
we trust and have included (default) - or will you approve them
yourself as and when they are invoked] is not a bad second choice.

MacRober

Kyle Hamilton

unread,
Feb 1, 2010, 2:28:21 PM2/1/10
to Eddy Nigg, dev-secur...@lists.mozilla.org
> (It must be clear that some CAs are more independent from governments and
> might have different locations of operations, whereas some are tightly
> associated or even operated by governments. For my taste I have a huge
> dislike of any association with governments at all. I made that clear
> previously at other occasions. But the Mozilla CA policy doesn't care about
> this, hence it remains my personal point of view.)

This is probably going to not help the discussion at hand, but...

I find it ironic that some CAs that are more independent from
governments, which criticize other CAs that are more dependent on
governments, still utilize the X.509/X.500 Directory "Distinguished
Name" concept and cryptographic identity binding certificate format
that was created by the technical arm of the United Nations, which by
definition is made up of governments.

This discussion is and was inevitable, unfortunately, considering that
the only real fix for this -- which is not "remove the trust from the
root" -- is something which has repeatedly been shot down: CA branding
in the browser.

The problem is this: Mozilla reviews CAs for parallels between
Mozilla's policy and the CA's policy, as attested to by a third-party
auditor. These parallels do much to protect the users -- but it means
that any violation of this policy cannot be effectively identified at
the time of violation by any given user who is being attacked. This
means that every action performed by Mozilla is performed *after* the
violation, and then only if the user reports the violation to Mozilla.
(If Mozilla has such a huge marketshare, why are there fewer than one
million bugzilla incidents?) Eddy reported the mis-issued Mozilla
certificate to Mozilla, in late 2008. If he hadn't, would we have
known?

At the core, this turns Mozilla's root-approval team into a police
authority (role of 'investigating incidents'), with no real power to
do anything when violations occur. (How many times in history have
roots been removed from Mozilla because they were shown to have done
something which caused harm to at least one of Mozilla's users? I am
having trouble getting to bugzilla right now, the name that
bugzilla.mozilla.org CNAMEs to can't be found. I saw references to
only 3 bugs at the end of bug 542689, when I was able to get to it
earlier today.)

My thought: If Chinese people (who have managed to learn enough
English to make themselves known, and get past the Great Firewall) are
willing to use as much of their probably-illegally-gained access as it
takes to submit to bugzilla, then given the Chinese government's
record on human-rights abuses the bar has been passed to believe that
there's enough smoke visible to assume a fire -- a fire that (given
that Chinese people can't get access to this newsgroup on Google) we
can't see because our attention is being deflected from it as much as
the government can manage.

But regardless: Because Mozilla's root-approval process is global, and
because different organizations globally have wildly different ideas
as to what they are allowed to do (some by law or legal requirement,
others by reading loopholes into their CPSes, still others by
negligence), I believe that Mozilla's unwillingness to brand the CA in
the browser's chrome has now been shown to be completely counter to
the users' interests.

(Eddy: You might remember that other people accused your CA of being
in cahoots with the Israeli government. Your response was pretty much
exactly what the CNNIC's contact's response was. The only difference
I can see is that you have stated that your business isn't primarily
funded by your government, whereas it's a very big stretch to think
that China's equivalent to the US's National Institute of Science and
Technology isn't funded by its government.)

So. CNNIC's website has been witnessed, outside of China, as having
linked at least once to at least one website which would exploit bugs
in the browser to install malware. This in itself doesn't suggest
anything, unless the malware which was there was in fact signed with a
CNNIC-signed certificate. This is what we don't know, and possibly
can't know.

I don't know if removing the CNNIC would be for or against Mozilla's
users' interests. I do know that letting it stay with the same
(invisible) status as other roots in Mozilla's software lends to it an
incredible weight of power which, I think, it would not be in
Mozilla's users' interests to let them have. This suggests that *it*
being the signer of anything in specific is something worth exposing
to the user.

Since I hate special-casing anything, instead of simply exposing the
fact that it's the CNNIC that signed the certificate thus signed, I
believe that it would be in everyone's (and every CA's, except
possibly for CAs that do things that Mozilla has stated in CA Policy 4
it will not tolerate) best interests to expose branding for the CA
which signed the site's or publisher's or email user's certificate.

I also believe that this is something which is outside of the scope of
any technical standard, and thus is territory within which Mozilla can
and should be the leader among browsers. (In my opinion, Mozilla
needs to make up for the how-many-clicks-again? exception process for
site certificates -- which doesn't even reliably tell which CA signed
the certificate presented.)

Now, I'm going to present the other side of the coin: why I believe
that government-backed CAs are good things.

CAs, in X.509, are all about 'identity'. State governments are the
arbiters of 'identity' -- in essence, they are the ones who keep the
records about whether any given person is under its protection.
Multi-state governmental organizations (such as the United States
Federal government) can be put together to pool certain privileges,
rights, immunities, collective bargaining powers, and
citizenship/identity verification processes, among others. This means
that, as far as CAs go, government CAs (if and only if tied to the
citizenship/identity verification process) are inherently more
authoritative than commercial CAs. (Commercial CAs ask governments
whether someone is who he says he is, via government-issued identity
paperwork and the use of governmental postal services. Governmental
CAs have only to ask another arm of the same government, and could
quite probably have more access to those records than any private CA
is allowed to have.)

And where's the user in all this identity and cryptography talk?
Nowhere. Nowhere in this continuing dialogue is any discussion of the
user's experience. It seems that nobody cares what the user's desired
use-case is, and nobody cares about anything or anyone outside the
ivory tower that is Public Key Infrastructure[tm].

One would think that CAs would be *all for* the branding. Aside from
Eddy, though, I've not seen any CA representative who wants their CA
branded in the chrome. I do not understand this, and my paranoid
nature causes me to think that many more CAs are abusing their status
as "among the elite who are allowed to say who someone is" than are
ever reported here.

Other people have made crowdsourcing and petnaming suggestions. The
only way that these can work is if there is some notion of "identity"
that the user can manipulate, and in order for that to be possible and
workable there needs to be some notion of "identity assurance source"
that the user can manipulate, and the only way that that's useful (in
any kind of cryptographic identity manner) is the presentation of the
CA's identity in the standard chrome of the window.

-Kyle H

tophits

unread,
Feb 1, 2010, 3:07:19 PM2/1/10
to lihlii-g, 网络安全
> Gervase Markham: We can't make the Great Firewall go away by removing CNNIC's root from Firefox. [1]

Inclusion of untrustworthy CNNIC root CA certificate will enhance the
power of the GFW. Then in effect you're the co-builder of the GFW.

Before adding the root CA in each browser, it's difficult for the PR
China government to ban all HTTPS sites that uses international root
CAs.
After adding the CNNIC root CA, one day they can order all websites in
China to use certificates issued by CNNIC root CA, while white list
selected HTTPS websites outside of the GFW. Thus there is less chance
for the Chinese people to penetrate the GFW without notice, just like
what many companies are doing to audit, monitor or ban HTTPS
connections outward.

Now SSL encrypted proxy is the major tool that the Chinese people
depend to penetrate the GFW and join this rubbish spam discussion
after their security was already endangered by the inclusion of a
rogue CA! After the CNNIC root CA is universally deployed, there will
be no voice from real Chinese users to be heard here any more, so you
won't get "spams", and there will never be any "evidences" to reach
your honorable eyes that CNNIC violated the CA policy.
Congratulations!

> Gervase Markham: If you don't trust CNNIC, that's your choice. Switch the root off.

Experienced users take the trouble to remove or disable the CNNIC
certificates, while the majority of non-technical users just don't
know they're trusting CNNIC because of their browser!

What's more, it's especially those who lack of knowledge to remove the
certificates are most susceptible to the MITM attacks from the maffia
group dominating China. If anything bad happened and somebody harmed,
Mozilla Firefox may be a complicity. Be warned.

Why don't you say this? "If you trust CNNIC, that's your choice.
Install their root CA"

In fact, for the previous years, CNNIC distributed malware trying to
control all the Internet users in China. In this malware, it silently
installed their root certificate. You can search on google [3]-[14]
if you know Chinese and see how angrily the users are against CNNIC
for these malware. But it's designed to be hooked in OS kernel
drivers and very difficult to be removed!

Do you think a qualified legal root CA could have tried to deploy
their software using spyware techniques [8] like this?! Are you going
to help them toward success in another way of cheating the users by
hiding their root certificates in a "creditable" opensource browser?

Now I know why CNNIC applied secondary CA certificate from
Entrust.net. It's because Entrust opened local business in China
[15]. Now I think Entrust.net root CA is not trustworthy and I will
also disable it.

References:

[1] Gervase Markham; 2010-02-01 07:09:45 PST;
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c46
[2] Gervase Markham; 2010-02-01 08:54:09 PST;
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c51
[3] How do I remove the plug-ins are rogue cnnic-CNNIC;
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://zhidao.baidu.com/question/29128426.html%3Ffr%3Dqrl%26cid%3D92%26index%3D3%26fr2%3Dquery&sl=zh-CN&tl=en
[4] CNNIC plug-in that the top of a very rogue! Hate it!
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/q%3Fword%3D%25C8%25E7%25BA%25CE%25C9%25BE%25B3%25FDcnnic%25A3%25ADCNNIC%25B2%25E5%25BC%25FE%25BA%25DC%25C1%25F7%25C3%25A5%26ct%3D17%26pn%3D0%26tn%3Dikaslist%26rn%3D10%26fr%3Dqrl%26cid%3D87
[5] How can I completely remove the cnnic Chinese Internet rogue
software
http://translate.googleusercontent.com/translate_c?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/130296199.html%3Fsi%3D7&rurl=translate.google.com&twu=1&usg=ALkJrhgwq_gB9_lYKakl1qlmlw4M4YBfag
[6] Why is the Chinese Internet is a very authoritative CNNIC
published was considered rogue software?
http://translate.googleusercontent.com/translate_c?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/11828487.html%3Fsi%3D9&rurl=translate.google.com&twu=1&usg=ALkJrhgoco6ZpApeNpmdjViZmm4n48xBCA
[7] CNNIC General website - in Chinese Internet plug-in of the most
rogue of the most shameless plug-in
http://translate.googleusercontent.com/translate_c?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/6835631.html%3Fsi%3D8&rurl=translate.google.com&twu=1&usg=ALkJrhjSYNXXqjQVmlocwlVLsMQ2622vaw
[8] How do I delete CNNIC Chinese Internet Software
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/29003437.html%3Ffr%3Dqrl%26cid%3D92%26index%3D4%26fr2%3Dquery

> FSD INLINE HOOK technology, which is a dangerous and powerful hook technology. It is strong because it has a very strong data interception capabilities and hidden the extraordinary ability to make non-specialists find it difficult to existence, and can strongly protect the specified file. The reason is dangerous because of its dependence and complexity of the system are very high, the stability depends entirely on the developer's understanding of the windows operating system kernel, any part of the slightest change can cause a system crash. Because Microsoft did not announce any of the technology interface documentation, and clearly inform the developers to use the regular programming interface, therefore, FSD INLINE HOOK rarely been used in commercial software, is not yet any one of commercial software using this technology. Using this technology, most of them viruses, Trojans, Rootkit programs and other malicious software, such as M...@Rootkit.Drop.gy, I-W...@MM.Trojan.Downloader.zp such as "CNNIC Chinese language Internet" use was mainly FSD INLINE HOOK In order to protect "CNNIC Chinese Internet" will not be unloaded, this low-level, non-public use of technology resulted in an extremely unstable computer users and frequent blue screens, crashes, allowing normal users can not uninstall "CNNIC Chinese Internet" plug-in,

[9] Cnnic (China Internet Network Information Center), Chinese
Internet plug-in is a rogue software? Why are often not carefully
installed, how to prevent it
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/15465565.html%3Ffr%3Dqrl%26cid%3D87%26index%3D2

> Driven by economic interests of hooliganism, they sell rubbish in the name of the country's flag.

[10] My machine did not know what they are loaded with the software
installed CNNIC every time
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://zhidao.baidu.com/question/13089112.html%3Ffr%3Dqrl%26cid%3D87%26index%3D4

[11] CNNIC! Out of my way!
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://reizhi.cn/2010/01/cnnic-out-of-my-way/

[12] No matter how much trust do Microsoft, firefox, apple, Google
have on CNNIC, I dare not trust, and now what I have to do is to
completely remove CNNIC from trusted root certificate of my computer.
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://blog.zdnet.com.cn/index.php%3Fuid/313976/action/viewspace/itemid/2887306/php/1

[13] User reaction was, "CNNIC Chinese Internet" promulgated software
which has many features in line with the definition of malicious
software by Internet Society of China;
http://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http://article.pchome.net/content-157081.html

[14] CNNIC(中国互联网络信息中心)强制推广中文.cn域名插件 http://www.esuzhou.com/ShowInfoDetail.asp?id=328

> CNNIC chanted against rogue software, while the launch of its rogue software "Chinese domain names, plug-ins." In fact the plug-in by the CNNIC launched the domestic domain plug-in, and among the China's top ten out of the rogue software. The plug-in has a mandatory install (no prompts before installation, the installation process without selection), can not be completely uninstalled after installation characteristics. And has slow down the system speed, rape and user address stopped (forced move of its own search page), automatic plug-in shielding another domain name, forced to modify the system default domain name suffix functions.
[15] http://www.entrust.com.cn/

tophits

unread,
Feb 1, 2010, 3:10:50 PM2/1/10
to lihlii-g, 网络安全
On Feb 1, 6:44 pm, Johnathan Nightingale <john...@mozilla.com> wrote:
> the reality is that a motivated government is a sufficiently  
> formidable opponent that technological measures are unlikely to be  
> sufficient on their own, and, on the other hand, that our CA program  

Is this the technical problem that you must bundle a rogue CA that so
many end users don't trust in your program? :)

tophits

unread,
Feb 1, 2010, 3:19:59 PM2/1/10
to lihlii-g, 网络安全, ge...@mozilla.org
> Gervase Markham [:gerv] 2010-02-01 10:46:23 PST
> [This mid-aired a few hours ago and I only just noticed.]
>
> All new participants here should take note of the fact that there are some
> behaviours expected of Bugzilla commenters:
> https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
> Failure to respect these could result in your account being disabled.

You threat with privilege means nothing to me. I even don't mind the
mighty PRC government, how should I fear your threats to remove my
account? :)

> (In reply to comment #53)


> > Does an organization who intentionally spread malware qualify? :)
>

> As Nelson has said in the newsgroup, a code-signing certificate is not an
> indication of the "goodness" of the code, it is a way to determine who the
> creator of the code is. CAs do not, and never have, done code reviews of all
> code they sign.

Please check the fact carefully! Don't speak blindly! It's not that
CNNIC signed some malware,
but they developed and distributed malware for themselves!!

Why don't you read those pages that I included English translation?
Though they're written in Chinese, the google translate does help you
to understand what it's mainly about.

If you can't read Chinese, why don't you listen to what the Chinese
users' judgement?!

> Do remember that I can't read Chinese, so your references were mostly opaque to
> me.

Why don't you read those pages that I included English translation?
Though they're written in Chinese, the google translate does help you
to understand what it's mainly about.

> You say yourself that "the inclusion of an untrustworthy CNNIC root CA won't
> make the situation worse". So I fail to see how this evidence is relevant to
> their inclusion or not.
That's because itt's already the worst. :) But removing CNNIC root CA
can avoid future bigger disaster.

> I've commented on at least two bits of the evidence you have quoted in this
> bug, and I have set out in detail what evidence we would accept for your

The "evidence" you understood is not what I meant. You never read the
evidence carefully! I feel so tired talking with you like this!

tophits

unread,
Feb 1, 2010, 3:23:58 PM2/1/10
to lihlii-g, 网络安全
> In this malware, it silently installed their root certificate.

Correction: I remember once read about this, but can't confirm it with
evidences. So remove this sentence.

tophits

unread,
Feb 1, 2010, 3:43:18 PM2/1/10
to lihlii-g, 网络安全
I decided not to be continue with these rubbish discussion any more.

It's totally a waste of time to talk with those who ignore "evidences"
that you presented, but keeps speaking in their own imagination, such
as "code signing certificate" bullshit.

I think if Firefox is not going to improve, people can improve it.
It's not easy to maintain a trunk code, but it's easy to maintain and
improve some good addons for security, such as Certificate Patrol.

I think my time is more valuable to contribute to improve the code of
Certificate Patrol than talking in vain. :)

tophits

unread,
Feb 1, 2010, 3:53:01 PM2/1/10
to

Eddy Nigg

unread,
Feb 1, 2010, 5:24:14 PM2/1/10
to
On 02/01/2010 09:28 PM, Kyle Hamilton:

> This is probably going to not help the discussion at hand, but...
>

Probably not...

> I find it ironic that some CAs that are more independent from
> governments, which criticize other CAs that are more dependent on
> governments, still utilize the X.509/X.500 Directory "Distinguished
> Name" concept and cryptographic identity binding certificate format
> that was created by the technical arm of the United Nations, which by
> definition is made up of governments.
>

Huuu, Ahhh, and what has that to do with it?

> This discussion is and was inevitable, unfortunately, considering that
> the only real fix for this -- which is not "remove the trust from the
> root" -- is something which has repeatedly been shot down: CA branding
> in the browser.
>

And how big and intrusive has that branding to be in order for the user
to pay attention? And what would it help really? Does it contain any
background information the user perhaps would need in order to consider
a decision? But there is branding in the UI, it's not intrusive
though....and probably doesn't help a lot either.

> Eddy reported the mis-issued Mozilla
> certificate to Mozilla, in late 2008. If he hadn't, would we have
> known?
>

We know about some incidents, we probably don't know about some
others...overall, there might be few after all.

> (Eddy: You might remember that other people accused your CA of being
> in cahoots with the Israeli government.

The never-ending Mossad conspiracy, yes. :-)

> Your response was pretty much exactly what the CNNIC's contact's response was.

Probably not - StartCom doesn't participate with the Israeli Signature
law (another CA admitted to Mozilla does however) and has no ties
whatsoever to either a political, governmental or any other body in
Israel. Zero, Nada, except the tax authority as being an established
business of course... :-)

Also, as part of its business continuity and disaster recovery, StartCom
has two alternative locations in two different countries which are in
two different continents than its current and it's readily available.
StartCom has a very low following in Israel and doesn't focus on a
particular market, but its independence is hugely important because of
that as a global CA.

Anyway thanks for bringing StartCom into the mix here....

> The only difference I can see ...
>

Think again! StartCom was never accused to spread mal-ware or being a
national TLD or being behind a firewall except its own :-)

> CAs, in X.509, are all about 'identity'.

Is this Kyle writing this mail? Since when does an MITM require
"identities"? What has that to do with web sites and intercepting
traffic thereof? You know what you can do with a faked "identity" if a
particular organ (by state and authority) wants that to happen?

> One would think that CAs would be *all for* the branding. Aside from
> Eddy, though, I've not seen any CA representative who wants their CA
> branded in the chrome. I do not understand this
>

Me either, but I suspect that Verisign would want that too perhaps.

refactor

unread,
Feb 2, 2010, 12:08:46 AM2/2/10
to
CNNIC is not an independent organization, it is controlled by CCP. it
has did some evil thing on Chinese people, I DO NOT trust it.
firefox, please remove it, or I'll remove it by myself.

est

unread,
Feb 2, 2010, 1:40:11 AM2/2/10
to
CNNIC is infamous for its CNNIC Toolbar, it hijacks BHO, with some
very malicious FSD Inline Hook to prevent itself from being
uninstalled. You are lucky to get rid of it without BSOD your system.

李二嫂的猪

unread,
Feb 2, 2010, 2:20:04 AM2/2/10
to

I don't trust CNNIC.

tophits

unread,
Feb 2, 2010, 4:44:21 AM2/2/10
to lihlii-g, 网络安全
Current results of the poll: Do you trust CNNIC as a Root CA:

Trust: 17
Unknow: 26
Don't trust: 1573

On Feb 1, 4:24 pm, tophits <wan...@gmail.com> wrote:
> Chinese users started a vote page here to remove CNNIC CA from default

> installations:https://spreadsheets.google.com/viewform?formkey=dGctTVY0Y3VxX3lrXzZo...
>
> And here is the vote result:https://spreadsheets.google.com/pub?key=tg-MV4cuq_yk_6hxotX1AUw&outpu...

red

unread,
Feb 2, 2010, 5:01:50 AM2/2/10
to
On Jan 29, 11:28 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 01/29/2010 09:42 AM, makrober:
>
> > Johnathan Nightingale wrote:
> >> 1) We have never claimed as a matter of policy that our PKI decisions
> >> can protect people from malicious governments. It's just not a
> >> plausible promise for us to make.
>
> > With due respect, "never have made the promise" just doesn't cut it in
> > my eyes.
>
> Even though I agree with you that there is an understanding that the
> security decisions taken at Mozilla, being it by fixing flaws or here at
> this group with admitting CAs, are made to protect and provide
> reasonable security to the users, I'm ignoring the rest of your message
> as a distraction from the problem at hand. If you feel you would like to
> discuss your idea, lets do so under a different thread.
>
> Having said that, most CAs disclose in their policies compliance to
> local legislation and law. If those laws allow for MITMs, we obviously
> should consider this accordingly. In the meantime some more comments
> have been posted at the various bugs, I'd like to highlight one of them
> since there is some relevance to the above:
>
Hi,
I'm a Chinese and I absolutely don't trust CNNIC.

But I understand that it's a complex political issue for mozilla.

Mozilla can not disable the CNNIC simply because it's an organization
controlled by CPP (Yes, it is).

Here is my 5 cents.

Do NOT disable CNNIC by default. But add some UI to make disabling
CNNIC very easy. For example, add one menu item "Disable root
certificate I don't trust".

Or just release some API documentation on how to search and disable/
enable certificates. I think some smart Chinese programmers will
release their own addon to simplify the disable action.

Regards,
Chen Bin


> On CNNIC website, it's clearly stated that CNNIC is directly administrated by
> both "Ministry of Industry and Information Technology of the PRC" and Chinese
> Academy of Sciences (budget controlled by the government).
>
> You are right, CNNIC is not a government, but it's directly managed by the
> government and did everything that Chinese government asked it to do.
>

> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.

> XMPP:    start...@startcom.org

tophits

unread,
Feb 2, 2010, 5:05:26 AM2/2/10
to lihlii-g, 网络安全
Some Chinese programmers wrote an article advocating removal of CNNIC
Root CA certificate. After this blog post got some publicity, their
server suffered DDoS attack and was forced offline.

One popular Chinese blog writer and Internet technology critic William
Long commented on this event: CNNIC begins to
play with the black hands.

These programmers are authors of a Firefox addon Autoproxy which helps
the Chinese users “clime over the Great Firewall of PR China, an
information Berlin Wall.

http://twitter.com/williamlong/status/8530905676
RT @WCM: 同学们,AutoProxy 官网因为 CNNIC 一文被 DDOS 服务器下线,以下是存档: http://tinyurl.com/y8gy3d7
放弃版权,欢迎传播。 //CNNIC开始玩黑的了!
about 5 hours ago from Echofon

tophits

unread,
Feb 2, 2010, 5:13:52 AM2/2/10
to lihlii-g, 网络安全
Another related issue: Please Remove "CNNIC ROOT" root certificate
from NSS
https://bugzilla.mozilla.org/show_bug.cgi?id=542689

https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c60

Jack 2010-02-01 20:28:11 PST
Fact #1: Chinese Communist government has been MITMing at least 1,043
websites.
[1]
Fact #2: Chinese Communist government has tortured and imposed ten-
year
imprisonment to netizens for peaceful online speech [2]
Fact #3: Chinese Communist government is the boss of CNNIC [Comment
#30]

The Mozilla CA Certificate Policy (Version 1.2) [3] states that CA
certificate
can be revoked if "we believe that including a CA certificate (or
setting its
"trust bits" in a particular way) would cause undue risks to users'
security".

Now, if Chinese Communist government want to have root certificate
itself, the
above Mozilla policy will directly apply, since Chinese Communist
government
does massive MITM and tortures and jails people for peaceful online
speech.
Now the question is whether that Mozilla policy applies to CNNIC, an
agency
that Chinese Communist government directly directs and fully controls.

[1] http://cyber.law.harvard.edu/filtering/china/appendix-tech.html#dns
[2] http://www.rsf.org/Yahoo-settles-lawsuit-by-families.html
[3] http://www.mozilla.org/projects/security/certs/policy/

red

unread,
Feb 2, 2010, 5:35:28 AM2/2/10
to
I think the fact is obvious and it's you who don't get others' point.

Most Chinese IT people don't trust CNNIC. To challenge this fact, you
need google or just ask some Chinese IT friend to help you.

So the key point is how Firefox can protect average users when some
root certificate can not be trusted (OK, by some part of average
users)?

I think at least firefox MUST provide some UI to help the AVERAGE user
remove that untrusted certificate very *easily*.

The current UI is absurd, too many mouse clicks to remove some
suspicious certificate.

For me, if the firefox can ban the CNNIC, the sooner, the better.

firefox should at least give average users

Best Regards,
Chen Bin

On Jan 31, 6:05 am, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:
> On 2010-01-28 19:11 PST, David E. Ross wrote:
>
> > On reviewing bug #476766, I see in comment #5 Liu Yan's (the applicant)
> > assertion: "CNNIC is not a Chinese Government organization."
>
> > However, later comments by users in China seem to indicate the contrary.
> >  Comment #18 states: "CNNIC is an infamous organ of the Chinese


> > Communist government to monitor and control the Internet in China."

> > Comment #23 states: "...CNNIC is infamous in China and it has a lot of
> > connections with the government..."  Comment #24 states: "It has very
> > closed tie with Chinese government and CPC (or CCP [Chinese Communist
> > Party?])."
>
> First, those statements are accusatory in nature.  They lack proof.
> Second, even if true, it's not clear that those statements disqualify
> CNNIC.  Other CAs that Mozilla has admitted to the root list also have
> government ties with their respective governments, IINM, and we have not
> disqualified them.
>
> So, I conclude that the writers of the above comments are people who dislike
> the Chinese government.  But like or dislike of the Chinese government is
> not a basis of acceptance nor rejection of CAs under Mozilla policy, is it?
>
> Let's be very careful not to allow this discussion group to become a forum
> for discussion of Chinese government policies.   Whether you or I like it or
> hate it, the Chinese government's great firewall is no basis for acceptance
> or rejection of any Chinese CA, IMO.  If Mozilla decides that it IS, then
> IMO, Mozilla should reject all Chinese CAs, and not consider them one by
> one, because the issue is the action of the government.
>
> > If any of these comments are true, then the application violates the
> > second bullet under section 6 of the Mozilla CA Certificate Policy:
>
> I'm not so sure.
>
> > We require that all CAs whose certificates are distributed with our
> > software products publicly disclose information about their policies and
> > business practices
>
> Let's imagine, just for the sake of discussion, that CNNIC is wholly owned
> by the Chinese government.  Is that a policy?  Is that a business practice?
>
> > That is, the relationship between CCNIC and the government or political
> > structure of China -- a business practices -- has not been publicly
> > disclosed.
>
> I disagree that it is necessarily a policy or practice.
>
> Further, in the PRC, ALL business is done at the pleasure of the government.
> The larger the business, the more far reaching it is in scope, the more
> that government will watch over it to ensure that it doesn't step over the
> unwritten unspoken line.  This is known to every citizen in China.  It is
> not written as a business policy anywhere, anymore than it is written that
> all employees must breathe.
>
> > I am further concerned about the fact that individuals inside China are
> > blocked from participating in this discussion, perhaps by the "great
> > firewall".  If CCNIC indeed operates independently of the government and
> > political structure of China and is indeed worthy of the trust implied
> > by having its root certificate in the NSS database, then why would
> > anyone object to a discussion of this issue?
>
> Why are those things related?
>
> Why is ANYTHING other than a CAs honesty regarding certification of bindings
> of names to public keys, and its scope being wide enough to be of value to a
> significant part of Mozilla's user base, at issue in determining it
> acceptability?
>
> This newsgroup is NOT the place for discussion of international politics.
> Discussion of a government's positions on human rights, great firewalls,
> etc. have no place here, IMO. because they are not relevant, IMO, to the
> operation and acceptability of a CA.

爬在墙头等红杏

unread,
Feb 2, 2010, 6:26:11 AM2/2/10
to
On Jan 29, 8:28 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 01/29/2010 09:42 AM, makrober:
>
> > Johnathan Nightingale wrote:
> >> 1) We have never claimed as a matter of policy that our PKI decisions
> >> can protect people from malicious governments. It's just not a
> >> plausible promise for us to make.
>
> > With due respect, "never have made the promise" just doesn't cut it in
> > my eyes.
>
> Even though I agree with you that there is an understanding that the
> security decisions taken at Mozilla, being it by fixing flaws or here at
> this group with admitting CAs, are made to protect and provide
> reasonable security to the users, I'm ignoring the rest of your message
> as a distraction from the problem at hand. If you feel you would like to
> discuss your idea, lets do so under a different thread.
>
> Having said that, most CAs disclose in their policies compliance to
> local legislation and law. If those laws allow for MITMs, we obviously
> should consider this accordingly. In the meantime some more comments
> have been posted at the various bugs, I'd like to highlight one of them
> since there is some relevance to the above:
>
> On CNNIC website, it's clearly stated that CNNIC is directly administrated by
> both "Ministry of Industry and Information Technology of the PRC" and Chinese
> Academy of Sciences (budget controlled by the government).
>
> You are right, CNNIC is not a government, but it's directly managed by the
> government and did everything that Chinese government asked it to do.
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org
> Blog:    http://blog.startcom.org/
> Twitter:http://twitter.com/eddy_nigg

Please remove CNNIC from CA ROOT!

doordie

unread,
Feb 2, 2010, 9:05:10 AM2/2/10
to

I am from China too, but I do not think removing CNNIC from CA root is
a good idea.Yes I believe China gov will use this to have MITM
attack,but I too believe CIA will use the same method to hijack
someone's email(for example: people form Al Qaeda). So my suggestion
is to add some default feature to protect firefox users from MITM
attack,like the SSLGuard(https://addons.mozilla.org/zh-CN/firefox/
addon/14916), or show strong warning when SSL Cert has changed.

if do nothing,who can know he has suffered a MITM attack,and then how
to provide the evidence?

wander

unread,
Feb 2, 2010, 9:09:17 AM2/2/10
to
On 1月29日, 上午11时11分, "David E. Ross" <nob...@nowhere.invalid> wrote:
> On 1/28/2010 3:29 PM, Eddy Nigg wrote:
>
>
>
> > On 01/28/2010 06:07 PM, Johnathan Nightingale:

>
> >> 1) We have never claimed as a matter of policy that our PKI decisions
> >> can protect people from malicious governments. It's just not a
> >> plausible promise for us to make.
> >> 2) I think, regardless of government ties, we'd carefully review and

> >> might well yank trust for any CA that was complicit in MitM attacks.
> >> 3) CNNIC complied with our root addition policy, they are in the
> >> product presently, so this isn't a question of approval, this is a
> >> question of whether we should review.
>
> >> It feels to me like that makes our next step clear, here. It won't
> >> help to tally up the complainants (there will be many), and it won't
> >> help to demand assurances from CNNIC (since the alleged governmental
> >> pressure would trump those anyhow). It certainly won't help to cite
> >> wikipedia.
>
> >> If there's truth to the allegation, here, then it should be possible
> >> to produce a cert. It should be possible to produce a certificate,
> >> signed by CNNIC, which impersonates a site known to have some other
> >> issuer. A live MitM attack, a paypal cert issued by CNNIC for example.
> >> If anyone in a position to produce such a thing needs help
> >> understanding the mechanics of doing so, I'm sure this forum will help
> >> them.
>
> >> SSL makes tampering visible to its victims. The certificate has to
> >> actually make it to my client before I can decide to trust it. By all
> >> means, let's arm people with the knowledge to detect and record such
> >> instances. But I don't see any clear step we can take until then.
>
> >> Does that seem dismissive? I really hope not. I really don't want us
> >> to trust CAs that we can't actually trust, but I don't want our root
> >> program choosing favourites in political debates either.
>
> > Thanks Johnathan for your response and guidance. I believe there isn't
> > an easy solution unfortunately for those affected and neither for
> > Mozilla. I think it's correct that we should stick to the technical
> > requirements and facts, but act upon them swiftly if any evidence is
> > presented that might infringe on the Mozilla CA policy.
>
> > Currently section #4 of the policy come to mind, in particular
> > "knowingly issue certificates that appear to be intended for fraudulent
> > use." If CNNIC is directly branded by anti-virus and other safe-guarding
> > groups as a source for distributing mal-ware, there might be a problem.
>
> > Additionally section #6 calls for "provide some service relevant to
> > typical users of our software products", apparently for some this root
> > presents for them a disservice. I don't know how to evaluate that or
> > what to recommend, but I believe it's worth to look at it and listen
> > carefully to complaints.
>
> > More disturbing however is, that apparently this news group can't be
> > accessed according to
> >https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c28
> > This makes participation here difficult and I wonder if this happened on
> > purpose. Such a fact would have made our process and public comments
> > period void of any value and if the allegations are correct we could
> > call for annulling  the previous decision taken here. The purpose of the
> > public comments period is to voice amongst others the concerns we are
> > hearing today. If those rights were withheld for a large group affected
> > by this root inclusion and/or the proceedings here were not known to
> > them, it could  present a valid reason to reconsider the previously made
> > decision.

>
> On reviewing bug #476766, I see in comment #5 Liu Yan's (the applicant)
> assertion: "CNNIC is not a Chinese Government organization."
>
> However, later comments by users in China seem to indicate the contrary.
>  Comment #18 states: "CNNIC is an infamous organ of the Chinese
> Communist government to monitor and control the Internet in China."
> Comment #23 states: "...CNNIC is infamous in China and it has a lot of
> connections with the government..."  Comment #24 states: "It has very
> closed tie with Chinese government and CPC (or CCP [Chinese Communist
> Party?])."
>
> If any of these comments are true, then the application violates the
> second bullet under section 6 of the Mozilla CA Certificate Policy:  >
> We require that all CAs whose certificates are distributed with our
> software products:
>
> >     * publicly disclose information about their policies and business practices

>
> That is, the relationship between CCNIC and the government or political
> structure of China -- a business practices -- has not been publicly
> disclosed.
Actually. They act like a gov department, running like a gov
department,
takes every order from gov and ordinary people in China won't agree
that
they are individual community.

>
> I am further concerned about the fact that individuals inside China are
> blocked from participating in this discussion, perhaps by the "great
> firewall".  If CCNIC indeed operates independently of the government and
> political structure of China and is indeed worthy of the trust implied
> by having its root certificate in the NSS database, then why would
> anyone object to a discussion of this issue?
Normal HTTP connection will be reset by GFW, SSL works.
>
> --
>
> David E. Ross
> <http://www.rossde.com/>.
>
> Anyone who thinks government owns a monopoly on inefficient, obstructive
> bureaucracy has obviously never worked for a large corporation. © 1997

wander

unread,
Feb 2, 2010, 9:23:36 AM2/2/10
to
On 2月1日, 下午11时24分, tophits <wan...@gmail.com> wrote:
> Chinese users started a vote page here to remove CNNIC CA from default
> installations:https://spreadsheets.google.com/viewform?formkey=dGctTVY0Y3VxX3lrXzZo...
>
> And here is the vote result:https://spreadsheets.google.com/pub?key=tg-MV4cuq_yk_6hxotX1AUw&outpu...
And I can't access both address now, even using SSL.

wander

unread,
Feb 2, 2010, 10:09:10 AM2/2/10
to
On 1月28日, 上午1时11分, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:
> On 2010-01-27 06:18 PST, Eddy Nigg wrote:
>
> > On 01/27/2010 04:14 PM, Eddy Nigg:
> >> I was made aware of some controversial issues regarding the inclusion
> >> of the CNNIC Root. Please see comments
> >>https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18and the item
> >> thereafter.
>
> >> Even though this is mostly a technical forum,
> Now, we come to the immediate cases to which Eddy provided links:
>
> >http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client...
>
> >http://www.siteadvisor.com/sites/cnnic.net.cn
>
> >http://en.wikipedia.org/wiki/China_Internet_Network_Information_Cente...
>
> I cannot determine, from the information presented on those pages, if CNNIC
> was itself the source (the signer) of the signed software, or was merely the
> issuer of certificates that were used by other subjects to sign malware.
> The middle of those 3 links says that CNNIC had links to another site,
> tech.sina.com.cn, which on its face seems to be another organization.
> This doesn't seem inconsistent with CNNIC's role as a CA.

Well, the tech.sina.com.cn is just a download address, totally
commercial, the code is distribute by
CNNIC. Also, the malware's name contains 'CNNIC' in it.

Raymond

unread,
Feb 2, 2010, 10:29:25 AM2/2/10
to

It's a resonable concern, especially for Chinese people. If the CNNIC
is a good will to show to Beijing, which is understandable. At least
it should only be included in Simplified Chinese edition. And it
should not be installed as default.

Gervase Markham

unread,
Feb 2, 2010, 12:17:51 PM2/2/10
to
On 01/02/10 19:28, Kyle Hamilton wrote:
> This discussion is and was inevitable, unfortunately, considering that
> the only real fix for this -- which is not "remove the trust from the
> root" -- is something which has repeatedly been shot down: CA branding
> in the browser.

And your message doesn't really answer any of the objections which have
shot it down in the past. :-|

Anyone who thinks this is a good idea should go off and write an
extension which does it, as a proof of concept.

If any Chinese person wants to install that extension, they could.

Gerv

Gervase Markham

unread,
Feb 2, 2010, 12:21:40 PM2/2/10
to
On 01/02/10 19:07, makrober wrote:
> I am not suggesting Mozilla does what it's publishers believe
> they can not do. I am only suggesting that users deserve
> information and facilities that would make it easier for them
> to protect themselves. "Opting in" for all certificates would
> be my choice. An installation-time option that would ask users
> simply: [do you want to accept all "trusted authorities" that
> we trust and have included (default) - or will you approve them
> yourself as and when they are invoked] is not a bad second choice.

An important user interface principle is only to ask users to make
decisions that they are capable of making. The decision of whether or
not to trust a particular CA is a decision 99.999% of Firefox users have
no data on which to make. Therefore, we would want all those users to
choose option 1. If you have software where 99.999% of users want it one
way, you don't ask them a question about it. You just make it that way,
and let the 0.001% who care about the problem reconfigure it. By, for
example, removing roots they don't trust.

Gerv

Florian Weimer

unread,
Feb 2, 2010, 12:43:05 PM2/2/10
to Eddy Nigg, dev-secur...@lists.mozilla.org
* Eddy Nigg:

> Currently section #4 of the policy come to mind, in particular
> "knowingly issue certificates that appear to be intended for
> fraudulent use." If CNNIC is directly branded by anti-virus and other
> safe-guarding groups as a source for distributing mal-ware, there
> might be a problem.

Presumably, they'd do this with full government approval (if they do
it at all), so it doesn't fit the "fraudulent" requirement.

Florian Weimer

unread,
Feb 2, 2010, 12:47:22 PM2/2/10
to Justin Dolske, dev-secur...@lists.mozilla.org
* Justin Dolske:

> It would be an interesting experiment to create an addon to
> crowd-source checking for such certs.

In general, certification authoritaties do not publish the
certificates they issue. I still hope that this changes at some point
(perhaps due to a Mozilla policy change).

Florian Weimer

unread,
Feb 2, 2010, 12:50:34 PM2/2/10
to dev-secur...@lists.mozilla.org
* David E. Ross:

> But the applicant (Liu Yan) asserted in comment #5 of bug #476766:


> "CNNIC is not a Chinese Government organization."

There might be some sort of language issue here, given this quote from
<http://www.cnnic.net.cn/en/index/0Q/index.htm>:

| China Internet Network Information Center (CNNIC), the state network
| information center of China, was founded as a non-profit organization
| on Jun. 3rd 1997.
|
| CNNIC takes orders from the Ministry of Information Industry (MII) to
| conduct daily business, while it was administratively operated by
| Chinese Academy of Sciences (CAS). Computer Network Information Center
| of Chinese Academy of Sciences takes the responsibility of running and
| administrating CNNIC. CNNIC Steering Committee, a working group
| composed of well-known experts and commercial representatives in
| domestic Internet community supervises and evaluates the structure,
| operation and administration of CNNIC.

So CNNIC's status is highly ambiguous (much like that of ICANN, by the
way).

Jack

unread,
Feb 2, 2010, 2:29:49 PM2/2/10
to
Gerv:

> An important user interface principle is only to ask users to make
> decisions that they are capable of making. The decision of whether or
> not to trust a particular CA is a decision 99.999% of Firefox users have
> no data on which to make. Therefore, we would want all those users to
> choose option 1. If you have software where 99.999% of users want it one
> way, you don't ask them a question about it. You just make it that way,
> and let the 0.001% who care about the problem reconfigure it. By, for
> example, removing roots they don't trust.

The online poll shows essentially all Chinese users don't trust
CNNIC. And Chinese users should constitutes more than 99.999% online
users.
Besides, this does not only affects mainland Chinese users, but also
affects Chinese users in western countries when combined with phishing
email etc. Further, it even affect westerners and anyone that Chinese
government does not like or has special intrest when combined with
phishing email etc, since they can now fake ANY certificate such as
gmail, bank etc without triggering Firefox warning. Don't believe
this is exaggerating, although google didn't disclose the details of
the recent attack from Chinese Communist government, it's clear
advanced techniques were employed, and root certificate will give the
Chinese Communist government one more weapon.

Florian Weimer


> So CNNIC's status is highly ambiguous (much like that of ICANN, by the way).

Some westerner don't know the difference between the non-elected
Chinese Communist government and democratic western countries, so can
easily be fooled by the "50 cent party" [1] . True, US or UK are not
heaven at all, but there is fundamental difference of Chinese
Communist government that westerners need to know:

1. Chinese Communist government supersedes any law, instead they
dictates and rule with law. For example, they threw Zhisheng Gao, a
lawyer himself, to "more than a month of torture that included jabs
with an electric baton and the piercing of his genitals with
toothpicks" for "represented members of underground Christian churches
and farmers whose land had been appropriated by powerful officials."
Gao was never trialed and is now missing. [2] These are millions more
similar cases if you wants to listen to.

2. there is no public election in China (if not counting drawing
ballots for posts out of equal number of pre-selected "candidates"),
even villagers can not choose their own representative. And if they
do? the Chinese Communist government answers with machine guns. [3]

3. ICANN enjoys high autonomy, as long as it doesn't violate laws.
It's never ordered by U.S. government to do MITM attack to websites,
and if that happens, it has the freedom of suing the U.S. government,
as even U.S. president can be disbarred, ordered to court, and fined
[4] . In China, the relationship of Chinese Communist government to
CNNIC is a concept that westerners do not have, because CNNIC can only
do exactly whatever Chinese Communist government orders it to do,
there is no second choice, because Chinese Communist government
dictates and supersedes all law, as explained in 1.

4. In fact, in China it's meaningless to discuss whether an agency is
a government branch, or a research institute, or a "non-government
organization" blabla. because they all have to exactly obey Chinese
Communist government's order, since explained in 1, it supersedes all
law and dictates the law. Any agency that's not persecuted is a
machinary of Chinese Communist government. Otherwise, even if you are
a lawyer yourself and violates no law, you will be batoned, as in
Gao's case.

[1] http://en.wikipedia.org/wiki/50_Cent_Party
[2] http://www.nytimes.com/2010/01/16/world/asia/16china.html
[3] http://www.nytimes.com/2005/12/10/international/asia/10china.html?scp=1&sq=shanwei&st=nyt
[4] http://en.wikipedia.org/wiki/Clinton_v._Jones

xtoaster

unread,
Feb 2, 2010, 3:10:12 PM2/2/10
to
On Feb 1, 6:50 pm, Gervase Markham <g...@mozilla.org> wrote:
>
Hello, Gervase and Everyone:

Why not know sth about cnnic's history first and see why us Chinese
users are so paranoid and eager to get rid of it.

Cnnic started cnnic Chinese domain service plug-in since 2003 and this
little piece of crap evolved into kernel driver protected rouge ware
in 2005-2006 and spread worldwide during 2006-2007. It hides itself as
root-kit and conflict with system drivers causing BSOD and browser
crash. Chinese netizens fought nearly 4 years against this little crap
ware. And thank god it finally RIP. You can take it as a nationwide
war. And also many foreign computers were infected. In 2005, getting
rid of a root-kit is completely a different experience from today's
click and reboot when nearly all AVs are integrated with root-kit
detection .

Worst of all, this creepy little monster is shipped by many program
installers. It could return and turn one's pc experience in to
nightmare at any time. Today, cnnic's root certificate just reminded
many people their horrible experience fighting cnnic root-kit during
those 4 years.

> Anyone who is concerned about government surveillance of their
> activities needs to take rather more care about the security of their
> software than the average person. The default configuration of any
> mass-market security software is unlikely to be suitable for their
> needs. Given that, I don't think it's unreasonable to expect them to
> deactivate certs from entities they don't trust. (And this will be a
> different set of certs for different people.)
> That is an utterly impractical suggestion, and would be
> counter-productive - faced with a barrage of "please approve me"
> requests, users would either a) click "Yes", "Yes", "Yes" or b) abandon

I didn't see anything seriously wrong with your idea. but I have some
question and points to offer:

1. Security is one of the most important reason that people pick
Firefox.
At beginning, Firefox doesn't have much speed advantage, so it used to
promote that the browser is safer than IE. Many IE user didn't realize
how important browser security is for online surfing. And few of
really care about switching to Firefox. But in a few years Firefox's
secured experience overwhelm many users. With Firefox their pcs are
not infected by virus that often.

2. Back doors could be used by CIA to monitor US citizen so should
applications all leave back doors, if not forced to do so? Is back
door thus legitimated? The same question applies to cnnic's case in
china.

3. Is the severity of a vulnerability defined by its sophistication or
the scale of the attack ?
GFW is firewall with tens of millions of people living behind it. It
could affect any/all of these people together with visitors from the
outside. Meanwhile, the million-dollar GFW is the world's most
sophisticated and advanced massive firewall.

4. Which users should be more protected?
"Anyone", "them" may refer to millions of potential users and most of
the existing Chinese users (Chinese Firefox users tends to know more
than CN IE users and they tends to care more about privacy and wall
busting. They feel proud that their browser can protect them even in a
hostile environment.)
There maybe thousand of people who might be affected by cnnic ca
removal but we don't even have any idea how many of them use Firefox.

5. Should a successful open source project be more user-driven or
developer-oriented? No exception for any rules?

> Firefox for a browser which didn't irritate them nearly so much.
>
> Gerv

Your statements sound more persuasive, if Firefox can offer a
permanent easy-to-manage CA blacklist, which will NOT be affected by
program update. So that people will not worry that the cert come back
some day after certain update. But this would only be a secondary
choice.


Actually, we have bigger concerns about this root cert, which make us
more eager to get rid of the root ca.
After the spread of this root CA, the authorities might monopolize the
CA s in domestic network with new regulations forcing people to use it
to achieve certain purpose. You read stories about green damn and blue
shield before? They are not fictions and this could be another scary
version. If we don't take actions and it finally come true, we are all
part of this conspiracy, as there used to be a chance to stop it. but
we skipped willingly.

Taking it out for the majority's benefit or implementing a intuitive
permanent black list is at the code manager's choice, but please do a
favor to show support for your tens of thousands of Chinese users.

Regards

toaster

Eddy Nigg

unread,
Feb 2, 2010, 4:47:07 PM2/2/10
to
On 02/01/2010 07:48 PM, Eddy Nigg:
> I suggest to walk the extra mile and raise the claims and allegations
> made with the CA which cross-signed this root for a better
> understanding. This understanding might help to evaluate and perhaps
> also refute the claims and concerns made for the benefit of all
> parties. Maybe also a statement from that CA would perhaps help to
> understand which controls are in place to prevent actual misuse on
> part of CNNIC.

In continuation and a day later, I've come to the following conclusion
and suggestion:

Kathleen, as per my comment
https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c69 today I would
like to request an official review and repeated comments period
regarding the CNNIC root inclusion.

It's my believe, that if the same allegations and concerns which are
raised today would have been known to us during the comments and review
discussion a couple of month ago, the results might have been a
different one. As a member who regularly participates and reviews CA
root inclusions, I believe that not all facts have been know to us at
that time. This discussion happened fairly recently and I believe it's
our due diligence to follow up on the claims made and review and discuss
them properly.

At this stage it would be good to acknowledge that there is apparently a
problem and that this community is committed to recheck and review the
inclusion of this root - by respecting all parties involved and in an
organized manner. I also believe that the Mozilla CA policy is sensitive
enough that it doesn't require hard and explicit evidence of MITM
attacks and forged certificates to prevent the inclusion of a CA root -
something which is in any case hard to come by. Therefore I'm not
supporting the argument that Mozilla needs a forged certificate issued
by a CA in order to take action (the opposite might be correct, that
mistakenly issued certificates have surfaced and no such actions were
considered, and in the same token, we don't need hard evidence to
consider another action if this would be the correct decision to take).

Therefore I'm supporting redoing part of the inclusion process of the
CNNIC CA root. Probably some of the major points, allegations and
concerns may be gathered in a document and provided towards this discussion.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.

XMPP: star...@startcom.org

tophits

unread,
Feb 2, 2010, 5:24:18 PM2/2/10
to lihlii-g, 网络安全, Johnathan Nightingale
On Feb 2, 10:47 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> organized manner. I also believe that the Mozilla CA policy is sensitive
> enough that it doesn't require hard and explicit evidence of MITM
> attacks and forged certificates to prevent the inclusion of a CA root -
> something which is in any case hard to come by. Therefore I'm not

I agree with Eddy on this point. All we were debating by repeated
nonsenses (of me) are focused on this point.

Dear Johnathan,

In your 2008 conference speech [1], you stated:

> The single most important thing
> you can do is find ways to
> capture expensive knowledge so
> that you never pay for the same
> lesson twice

It's well said. The mozilla users worldwide can't risk their security
with a rogue organization of a rogue government which had very bad
history and ultimately no credit. We paid heavy price before. We
can't afford to repeat these lessons.

But in your message [2], you said:

> I don't need news articles about the Chinese government. I don't need long
> essays talking about CNNICs involvement with the government (we have several
> government-based CAs in the product). I *certainly* don't need 500 more "me
> too" comments.
Why don't you say, "I don't need talking about what CNNIC did and is
continuing to do by spreading malware to spy on users, crack down
independent blog websites to suppress free speech on Internet"?

Why don't say that "I don't need talking about the DNS hijacking that
the PR China government is doing on a routine base and CNNIC stated
that it 'takes orders from' such a rogue 'government'"?

Why do you intentionally omit these key evidences which proved that
CNNIC is not trustworthy and not qualified to be a root CA? Do you
know how difficult the Chinese people are trying to be heard in this
discussion because of heavy censorship and state terror to crack down
free speech? Do they feel their anger against the threat of the rogue
government and its minion organs like CNNIC?

As pointed by Jack [3]:

> The Mozilla CA Certificate Policy (Version 1.2) [3] states that CA certificate
> can be revoked if "we believe that including a CA certificate (or setting its
> "trust bits" in a particular way) would cause undue risks to users' security".

Why do you repeatedly insist that there must be an evidence of forged
certificate for Mozilla to decide to take actions?
What's your understanding of the phrase "would cause undue risk"?
Should the policy be changed by you into "have caused undue problem
and captured on scene with evidences of a forged certificate"?


Reference:

[1] Johnathan Nightingale: The Most Important Thing - How Mozilla Does
Security and What You Can Steal; http://www.first.org/conference/2008/papers/nightingale-johnathan-slides.pdf
from http://www.first.org/conference/2008/program/speakers.html#Johnathan_Nightingale

[2] Johnathan Nightingale: We need evidence, not advocacy; 2010-02-02
10:56:24 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c68

[3] Jack: Now the question is whether that Mozilla policy applies to
CNNIC; 2010-02-01 20:28:11 PST; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c60

tophits

unread,
Feb 2, 2010, 5:48:43 PM2/2/10
to
On Feb 2, 6:17 pm, Gervase Markham <g...@mozilla.org> wrote:
> If any Chinese person wants to install that extension, they could.
> Gerv

This is in-responsible attitude to security. You can leave Firefox
buggy and say:

Let somebody make some bug fix patches. If the "Chinese person wants
to install that patch, they could".

tophits

unread,
Feb 2, 2010, 5:54:49 PM2/2/10
to lihlii-g, 网络安全
On Feb 2, 4:29 pm, Raymond <raymondchen...@gmail.com> wrote:
> is a good will to show to Beijing, which is understandable. At least
> it should only be included in Simplified Chinese edition. And it
> should not be installed as default.

Raymond, it's very dangerous to suggest this! If the CNNIC root CA is
only included in the Chinese version, then only the Chinese users are
in danger, thus they will be more easily ignored by the other parts of
the world.

It will be welcomed by the PR China mafia group which is misnamed as
"a government". :P

tophits

unread,
Feb 2, 2010, 5:56:29 PM2/2/10
to
On Feb 2, 3:09 pm, wander <wanderhu...@gmail.com> wrote:
> Normal HTTP connection will be reset by GFW, SSL works.

Last time my friend reported that even HTTPS to this group is blocked.

tophits

unread,
Feb 2, 2010, 5:57:32 PM2/2/10
to

It's still fraudulent even approved by a rogue government.

tophits

unread,
Feb 2, 2010, 6:21:21 PM2/2/10
to doordie, lihlii-g, 网络安全

I second to your later point that Firefox should aid the users to be
alert of MITM attacks.
But, still it's important to remove CNNIC root CA certificate.

Because the PRC government planned to roll out the CNNIC root CA to
all mainstream browsers and OS, thus they can carry out the further
steps to force all domestic websites to use certificates from this
root CA, thus they can easily revoke the HTTPS certificates of any
websites that is not obedient, just as how they managed the
registration of .cn domain as a weapon to threat the website owners.

Next, because all browsers have the CNNIC root CA, they have reached
the condition to force Chinese websites to switch to CNNIC root CA,
and block all SSL connections without certificates signed by CNNIC
root CA that cross the GFW, except those listed in their whitelist.
This will in effect enable the PRC government to censor all HTTPS
communications and selectively block most of the anti-censorship
software, like Tor. Many users have made such prediction. [1]

Those who can't read Chinese can use translate.google.com to
understand more or less the content of the Chinese references. I
found for most of the time, the English machine translation of google
is good enough to be comprehensible. Google translate is not too bad
compared with mine. :)

[1] 小野大神: 当网络安全核心机制遇到流氓政府; January 30, 2010; http://oogami.name/799/

tophits

unread,
Feb 2, 2010, 6:22:54 PM2/2/10
to
Current result:
Trust: 17
Unknow: 31
Don't trust: 2006

tophits

unread,
Feb 2, 2010, 7:06:32 PM2/2/10
to
On Feb 2, 6:17 pm, Gervase Markham <g...@mozilla.org> wrote:

> If any Chinese person wants to install that extension, they could.
> Gerv

This is irresponsible attitude to security.  You can put some bugs
into Firefox code and say:

tophits

unread,
Feb 2, 2010, 7:36:52 PM2/2/10
to
I agree mostly with Eddy. I have more to add:

Now removal of the CNNIC Root CA won't solve the problem, but,
practically, it's about security in the future.

The imaginary crime scene is like this:

Now CNNIC has a secondary CA (CNNIC SSL) issued by Entrust.net, which
is included as root CA in every browser.

If one day CNNIC used its secondary CA to help in a MITM attack, by
luck the victim found out, and by luck he kept an evidence
successfully, which for most of the victims attacked by the PR China
government it's impossible, because they're mostly political
dissidents and human right activists who are not computer experts.
They just see the lock icon on the browser and trust it as "secure
http".

If the victims submit a report to Entrust.net, it might revoke the
secondary CA of CNNIC SSL. Well, it's none of the business of
Firefox, so they're not "provoked" [1] to act either. :)

Then the point comes to explain why CNNIC needs a root CA. They tried
to trick all the browsers to install their root CA. When the PRC
government decided it's the right time to start a new attack on gmail,
they can order CNNIC to forge a gmail certificate with their root CA,
thus unnoticed by most of the users who are not computer experts.

If by luck the victim found out, and by luck he kept an evidence
successfully, he might report to Mozilla project. If the evidence
consists of too many paragraphs, the Mozilla project security managers
might refuse to read such "spams" and the victims will be shamefully
"*losing* supporters" [2]. :) So it's none of the business of
Firefox, thus they're not "provoked" [1] to act again. :)

If the victims gathered the appropriate, precisely the suitable amount
of evidences of attacks CNNIC already DID, and for which we "can act
on"[2], then most of the time the victims already suffered big loss,
even lives. Until then, the security group of Firefox will be
"provoked" to act. :)

If it's not Google that was attacked recently, the public won't know
the range and depth that the PRC government had been involved in cyber
attacks against its citizens and international bodies. Though there
are already plenty of reports before the Google announcement, most
people just don't care because they pretend they're safe from the
attacks which were targeted at certain groups of people like the Jews
in Nazi Germany. Here Gerv also have the similar attitude: these are
not "average person". :)


References:

[1] Gervase Markham: Without evidence of wrongdoing, there is nothing
to provoke us to
action; https://groups.google.com/group/mozilla.dev.security.policy/msg/53f6e132eba7ee1f

[2] Johnathan Nightingale: We don't need 8 paragraph missives, and we
don't need copious linkage to
tangentially related news stories; https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c54

On Feb 1, 6:48 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I left a similar comment at the bughttps://bugzilla.mozilla.org/show_bug.cgi?id=476766#c56
>
> As a member of the team that reviews regularly CA inclusion requests, I
> believe that if the allegations and concerns would have been raised
> during the public discussion, the request to include this CA root would
> have been looked at more into depth and might have been put on ice for a
> while in order to learn more about it and its implications.
>
> Now that we are after the fact of the inclusion, removal of a root
> requires some specific evidence. Additionally it appears that this root
> is also cross-signed by another notable CA, removal of the root wouldn't
> produce the desired result.


>
> I suggest to walk the extra mile and raise the claims and allegations
> made with the CA which cross-signed this root for a better
> understanding. This understanding might help to evaluate and perhaps
> also refute the claims and concerns made for the benefit of all
> parties. Maybe also a statement from that CA would perhaps help to
> understand which controls are in place to prevent actual misuse on part
> of CNNIC.
>

> Special note to Kathleen: I'm a bit surprised to learn that some CA
> roots which are requested to be included are already cross-signed by
> another already trusted CA. I would like to suggest and request to have
> such facts disclosed properly during the information gathering phase.
> Could you make this part of the information you gather before the
> discussion here?

tophits

unread,
Feb 2, 2010, 7:44:40 PM2/2/10
to lihlii-g, 网络安全
I found one evidence of a user complaint [1] in 2003 that CNNIC tried
to force users to install their certificate using malicious code on
their website and embedded code slips on countless websites in China
to force the users to install their unremovable malware exploiting
vulnerability of browsers.

[1] 类似于禁止3721的方法,怎么禁止不了cnnic安装证书呢? http://www.webcitation.org/5n9u5hWzP
machine translation:
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http://bbs.blueidea.com/thread-1202502-1-1.html&sl=zh-CN&tl=en

On Feb 1, 9:23 pm, tophits <wan...@gmail.com> wrote:
> > In this malware, it silently installed theirrootcertificate.
>
> Correction: I remember once read about this, but can't confirm it with
> evidences. So remove this sentence.

BeeOnRope

unread,
Feb 2, 2010, 9:03:27 PM2/2/10
to

Granted, but there is often a tension between security principles and
good user experience principles (c.f., Windows Vista). Since the
decision has been made by Mozilla that the vast majority of users are
not capable of determining which root certificates to trust (I agree),
and so Mozilla will include a default set of trusted certificates - a
very important responsibility has been transferred to the Mozilla
developers: that of selecting this default list of trusted root CAs.

Since the security of all SSL protected sites (which practically
speaking means all secure sites) depends on this root CA list, the
policy for admission to this list should be very stringent. The idea
that an arbitrary CA should be "innocent until proven guilty via
presentation of a forged certificate, etc" is absurd. Innocent until
proven guilty makes sense when discussing moving from a neutral
position (e.g., a free person) to one with severe negative
consequences (e.g., an imprisoned or executed person) which cannot
easily be undone. This is why this principal is applied to criminal
prosecution in some countries.

The principle does not make sense, however, when considering elevating
some entity to a privileged position or similar. For example, if I
wanted to become an employee of an intelligence agency, access the
White House, see privileged patient records or whatever, I would be
subject to heavy scrutiny and the burden of proof would be on me to
show that my actions and behaviors were consistent with the role I
wanted to play.

I'm also surprised at the suggestions above that only the "CA related
behaviors" should be evaluated as part of the application. The
implication is that if I am a notorious hacker, who has committed a
variety of hacking related transgressions, DNS spoofing, virus
distribution, whatever, I could still easily be allowed to have my
root certificate trusted by Firefox, if none of my attacks
specifically involved SSL certs? Frankly, that seems absurd. You
don't let someone work at a bank because they've only been involved in
robbing armored cars (but not banks) in the past. I wouldn't expect
Firefox to include the root CA of an institution which had previously
been involved in installation of malware (as alleged above) or other
internet related attacks.

It is loading more messages.
0 new messages