Chinese Certificate Authority CNNIC Is Dropped From Google Products
eldavojohn writes A couple weeks ago, Google contacted the CNNIC (China's CA) to alert them of a problem regarding the delegated power of issuing fraudulent certificates for domains (in fact this came to light after fraudulent certificates were issued for Google's domains). Following this, Google decided to remove the CNNIC Root and EV CA as trusted CAs in its Chrome browser and all Google products. Today, the CNNIC responded to Google: "1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration. 2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected." Mozilla is waiting to formulate a plan.
Good. +1 for Google. (Score:5, Insightful)
If a CA clearly can't be trusted, then it has absolutely no business being trusted. This is a good thing, and despite the upheaval it will cause for people requiring new certs (if you want Chrome to like the site), it will only improve security by making CAs aware that if they mess about, or don't vet properly, then their business is basically gone.
Of course, the only really secure way is to drop all CAs everywhere, and directly exchange certs with whoever you deal with (banks, etc, etc by going into a branch. Hugely impractical though).
Re:Good. +1 for Google. (Score:5, Interesting)
The fact that ANY root CA can issue Google domain certificate (or whatever domain they want) is bonkers. Nowadays, there are simply too many root CAs to be able to trust them all, if we ever really could. There used to be just a handful. Have you looked at your local CA store? There's hundreds of them nowadays! Did you know the Hong Kong Post Office is a root CA (Hongkong Post Root CA 1)? Doesn't that make you feel warm, fuzzy, and secure, knowing that the fine folks at that establishment could issue a fraudulent certificate for any website in the world?
This system needs to be fixed, or at least seriously updated. It just hasn't scaled well in the reality of today's world. I don't think we need to go to the extreme of exchanging private certs. Let's face it, that will never, ever happen anyhow. But we do need more assurances than we have now.
Re: (Score:2)
>Doesn't that make you feel warm, fuzzy, and secure, knowing that the fine folks at that establishment could issue a fraudulent certificate for any website in the world?
I was under the impression that the CA only gets used for verification *if* the site's cert claims to be from that CA.
Re: (Score:2, Informative)
Re: (Score:3)
>I was under the impression that the CA only gets used for verification *if* the site's cert claims to be from that CA.
How often do you stop and look at which CA signed the certificate for the HTTPS site you're using?
As long as the certificate is signed by a CA certificate the browser has in its CA store, the browser won't show any warnings. Browser makers are also notoriously bad at checking if certificates are on Certificate Revocation Lists (CRLs), of which each CA has (at least?) one.
Re:Good. +1 for Google. (Score:5, Informative)
This is why so many variants of adware that sneak their certs into the root CA list and then create a local loopback proxy are so common -- nobody looks at what key is presented. If the lock icon is green... good enough.
Re: (Score:2)
>>How often do you stop and look at which CA
Every time. There are addons that do exactly that. Use them.
Re: (Score:3)
That any of the "trusted" CAs could issue a cert for any site is why we should all be using the Certificate Patrol or another equivalent plugin that also notifies when ANY certificates change instead of just blindly accepting them. It adds a little admin to browsing the web as I have to accept/reject expired certificates.
In a number of cases it has alerted me when on client sites that they perform SSL inspection so that I can avoid using anything sensitive like banking.
Re: (Score:2)
Great for small sites, but doesn't work for giant sites like the Google properties.
Re: (Score:3)
Certificate Patrol is worthless for anyone who uses Google services, which mints new certificates and expires old ones on a near daily basis. You're notified nearly every time you visit their site, which eliminates the value of the warning in the first place. Google has apparently decided that it's more secure to have rapidly-expiring certificates in lieu of long-term certificates that may have to be revoked, probably partially because they don't have an effective revocation system in place.
More criticall
Re: (Score:2)
The issue is that browsers and OS makers, not being a bunch of unprofessional amateurs, need policies that are more precise than "warm and fuzzy". So the CA system has very clearly written policies, audits, best practices and so on. If you pass them you can be a CA.
I'm not sure what kind of fix you have in mind, but I suspect it boils down to
Re: (Score:2)
Maybe this could someday be a decent p2p application? Self-sign your cert, then throw your public-key into the wild. Instead of trusting just 1 CA, you can have others w/whom you've directly exchanged the key "endorse" you. More endorsements = more trust. It's not absolute, but at least it's some kind of measure that doesn't plunge from 100%->0% after a single security breach. Maybe if such a system handled dns, as well, it may be possible to reduce the ability to launch a MITM attack? (I'm just ty
Re: (Score:2)
It was tried already. It doesn't work. Nobody wants to be a volunteer CA, which is effectively what the web of trust demands of people.
Re: (Score:2)
>It was tried already. It doesn't work. Nobody wants to be a volunteer CA, which is effectively what the web of trust demands of people.
Actually it does work. Just not so well for web sites and servers.
For all their other issues, a CA network works reasonably well for hardware-level communications trust. I can look at the algorithm type selected and trust that math ensures that eavesdropping is hard. I can also have some degree of confidence that the site really is who they say they are... but I also know there is a high risk they may have been hacked or compromised by anyone from government agencies to skript kiddies. There is no need f
Re:Good. +1 for Google. (Score:5, Informative)
WoT doesn't work anywhere. I know it's a popular idea but it doesn't work, period, end of story.
Problem: the PGP web of trust is tiny and has fewer than 4 million keys published to the SKS key pool, EVER. That's pathetic. But of those keys, many are not really connected to the WoT at all. The strong set is only 50k keys. The WoT is a failure, numerically. For comparison: "Yo", an app created as an April fools joke which only lets you send the word "yo" to other users, managed to get 3 million users. The WoT's entire existence has been matched by an April fools.
Problem: the PGP web of trust converts everyone you trust into a CA. Unlike real CAs that protect their keys with hardware security modules, are audited, etc, PGP users routinely do things like carrying their private keys through airports on general purpose laptops onto which they install whatever the latest cool toy is. If any of the users you trust are compromised, the entire WoT can be faked through them and your client will accept it. Sure, if you're some kind of crypto guru you can maybe detect this. But most people aren't.
Problem: the "web of trust" is misleadingly named. The graph edges in it are not indicative of social trust. They are in fact reflecting a trust that is more like, "I trust you to protect your private key and do accurate ID verification" which has nothing to do with the more ordinary, human, everyday use of the word trust. In your post you mix up these very different kinds of trust, and this is a very frequent but fundamental error. Protecting private keys and doing accurate ID verification are difficult, skilled tasks, whereas what being trustworthy usually means simply requires loyalty.
Problem: the primary criticism of the CA system is that CAs could be coerced by governments via legal means. However the same is true for people in the web of trust - any of those people can be served with a court order forcing them to sign the government's key.
Problem: the WoT leaks the entire social graph to the entire public. In this day and age, that's unacceptable.
Problem: the WoT has fake keys uploaded to it and there's nothing anyone can do about it. This isn't theoretical, it has happened and routinely fools large numbers of people [ycombinator.com].
In short, after many years I've come to the conclusion that the web of trust has no redeeming qualities at all. It was a neat sounding idea, it was tried, it has failed. It should be taken out the back and quietly shot, so it can't mislead any more people into thinking it's a good idea.
Re: (Score:2)
>I'm not sure what kind of fix you have in mind, but I suspect it boils down to "America is more trustworthy when it comes to internet surveillance than Hong Kong". Except we know that's not true. So it seems intractable.
Simple, stick the certs in the DNSSEC records. Then only registrars between you and the root can spoof you. If you don't trust the USA, then pick a registrar in a country you do trust, and now the USA can't spoof your records.
If you want convenience you'll always have to trust somebody, but with the DNSSEC proposal only a few companies could spoof any particular website (with the list being different for each website). The Chinese government couldn't spoof nsa.gov, and the NSA couldn't spoof government.c
Re: (Score:2)
>>registrars between you and the root can spoof you.
Not good.
It would be much better to require two (or more) cert chains at the same time that won't cooperate.
For example, take a cert from USA, North Korea, and India. You could only be spoofed if these 3 CAs or their intermediary cooperate.
Re: (Score:2)
>>registrars between you and the root can spoof you.
>Not good.
>It would be much better to require two (or more) cert chains at the same time that won't cooperate.
>For example, take a cert from USA, North Korea, and India. You could only be spoofed if these 3 CAs or their intermediary cooperate.
Sure, but how do you specify which three have to collaborate for any particular domain, and who do you have to trust to have made that certification?
DANE (Score:3)
Until we come up with a better fix for the whole CA system, browser support for DANE [wikipedia.org] would be a huge step in the right direction. Especially, the type 2 (Trust anchor assertion) records would be helpful. So Google could say that only certificates issued by their own CA are legitimate. Or any site owner could publicly restrict trust to the CA that they actually get their certs from (or just specify a particular cert).
Re: (Score:2)
This looks interesting. Thanks.
DANE isn't being promoted, either, because Google's all excited about Certificate Transparency and is pushing it hard. CT is nice, but it (like hardcoded certificate pinning in Chrome) is foremost a solution for Google's specific needs. They solve subtly different problems and shouldn't need to be exclusive.
HPKP is nice, but it takes place in-channel and is very subject to MitM on first contact.
Re: (Score:2)
Missing the point. Of course end users don't care. But if the browsers supported DANE and performed their own DNSSEC lookups if the local resolver can't, then DANE could work.
If the destination site doesn't publish their certs and/or designated CAs in DNS, then the old "trust all built-in CAs" will still apply.
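The DANE check discussed in the comments above (a type 2 "trust anchor assertion" record, with fallback to the built-in CA list when a site publishes nothing), shown as an added example that is not part of any commenter's post: TLSA record matching as defined in RFC 6698, in Python. The certificates are constructed byte strings standing in for DER, the names `Cert`, `dane_check` and the sample chains are assumptions, and DNSSEC validation of the records and signature checking of the chain are assumed to happen elsewhere.

```python
import hashlib
from typing import NamedTuple, Sequence


class Cert(NamedTuple):
    """One element of a presented chain; both fields are raw DER bytes."""
    der: bytes   # the full certificate
    spki: bytes  # its SubjectPublicKeyInfo


class TLSA(NamedTuple):
    usage: int     # 0 = CA constraint, 1 = service cert constraint,
                   # 2 = trust anchor assertion, 3 = domain-issued cert
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA RDATA in presentation format: 'usage selector mtype hex'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError(f"unsupported TLSA parameters: {usage} {selector} {mtype}")
    # The hex field may be split by whitespace in zone files; join it back.
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))


def record_matches(rec: TLSA, cert: Cert) -> bool:
    """Apply the record's selector and matching type to one certificate."""
    blob = cert.der if rec.selector == 0 else cert.spki
    if rec.mtype == 1:
        blob = hashlib.sha256(blob).digest()
    elif rec.mtype == 2:
        blob = hashlib.sha512(blob).digest()
    return blob == rec.data


def dane_check(chain: Sequence[Cert], records: Sequence[TLSA]) -> str:
    """Check a leaf-first chain against a site's DNSSEC-validated TLSA records.

    Returns "no-records" (nothing published: the caller falls back to the
    built-in CA store), "match", or "mismatch" (reject, even if the chain
    ends at a CA the browser trusts). Usages 0 and 1 additionally require
    ordinary PKIX validation, which is outside this example.
    """
    if not records:
        return "no-records"
    for rec in records:
        # Usages 0/2 pin an issuer above the leaf; usages 1/3 pin the leaf.
        candidates = chain[1:] if rec.usage in (0, 2) else chain[:1]
        if any(record_matches(rec, c) for c in candidates):
            return "match"
    return "mismatch"


def make_cert(label: str) -> Cert:
    """Constructed stand-in for a certificate (not real DER)."""
    return Cert(f"constructed-der:{label}".encode(),
                f"constructed-spki:{label}".encode())


# Constructed sample data: the site's own CA, and some other CA that
# happens to be in the browser's root store.
SITE_CA = make_cert("site-own-ca")
OTHER_CA = make_cert("other-root-in-browser-store")
GOOD_CHAIN = [make_cert("leaf-from-site-ca"), SITE_CA]
ROGUE_CHAIN = [make_cert("leaf-from-other-ca"), OTHER_CA]

# What the site owner would publish: usage 2, selector 1 (SPKI), SHA-256.
PUBLISHED = f"2 1 1 {hashlib.sha256(SITE_CA.spki).hexdigest()}"

if __name__ == "__main__":
    rec = parse_tlsa(PUBLISHED)
    print("chain from site's CA:", dane_check(GOOD_CHAIN, [rec]))
    print("chain from other CA: ", dane_check(ROGUE_CHAIN, [rec]))
    print("no TLSA published:   ", dane_check(ROGUE_CHAIN, []))
```

With the record in place, a certificate for the same name issued under any other root is rejected regardless of what the local CA store contains.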
Re:Good. +1 for Google. (Score:4, Insightful)
Even worse is that certificates can't be removed on some devices. For example, if a CA is broken on iOS, there is no way to mark that CA as untrusted until Apple gets around to pushing out a set of new root certs. Android, it is easier, but still onerous going through every unwanted CA and unchecking it.
The CA system is a subset of a WoT system. It was placed originally because CAs used to be meticulous about who they signed certs for. Now, especially after the fiascos a few years back, not so much.
The fix? Part of it would probably say prompt the user on the device to install the relevant CAs for their geographic region. If on mainland China, having a CA for the HK post office makes sense. Not so in the US, unless one travels abroad or has a lot of business with Chinese sites.
The second fix is that OS and Web browser makers will need to enforce with sheer brutality the rules they have on how CAs behave. If the CA screws up, they get their cert pulled, no questions, no appeals.
Re: (Score:2)
>The fix? Part of it would probably say prompt the user on the device to install the relevant CAs for their geographic region. If on mainland China, having a CA for the HK post office makes sense. Not so in the US, unless one travels abroad or has a lot of business with Chinese sites.
That doesn't make a lot of sense. .com domains are issued worldwide, and I am glad to have the choice of CAs to use for my com and org domains. And if I go to a .cn site I would like to know it's trusted.
The rest of your message does make sense. But to my case above: how do I know it's trusted? There's no explicit endorsement.
Re: (Score:3)
SARs exist only by staying in the good graces of the PRC. Hong Kong and Macau could lose their special status tomorrow and would have zero say in the matter.
Of course, China currently enjoys playing both sides of the "capitalism" fence, so that almost certainly wouldn't happen; but if Beijing says "Hey, you like
Re: (Score:2, Interesting)
The whole idea of a 3rd party in a secure communication is ludicrous anyway. Stop the stupid ass warning for self signed certs and let secure communications between the two parties it concerns. Yes it requires that each of the 2 sides know a little bit about what is going on to verify the cert, but there simply is no such thing as a security when a 3rd party is involved whether its the Chinese, the NSA, or the CA themselves.
Re:Good. +1 for Google. (Score:5, Insightful)
So, with the third party out of the equation, how does one know that the security certificate you receive from random-site.com is the one that random-site.com intended you to receive? This is where going to two entity encryption fails, because the web has no inbuilt ability to verify the communication with the website is as secure as intended without going to a third party.
Just allowing self signed certs won't solve anything, because most people who use the web won't bother with any independent verification (which you would have to do offline or on a different internet connection for it to mean anything anyway) - fuck, do you remember how long it took to beat "look for the padlock symbol" into people in the first place? All it will do is what people have been bitching about for similar other approaches for years now - people will get so many pop ups, they will stop caring and just click OK.
The CA system isn't the best solution in the world, but it's better than most suggestions, including allowing self signed certs for general communication.
Re: (Score:2)
I don't buy the whole... "because people can't use it properly" as an excuse for self signed certs. 3rd parties involved in the process give the illusion of security but in fact guarantee its insecurity. If used PROPERLY self signed certs are the best solution. "Because it is hard" isn't an excuse and is the same issue that makes every company make bad security decisions. They want 100% transparent security, if it can't be transparent they don't want it at all. True security will never be transparent.
Re: (Score:2)
Ok, how do you get the general population to "use self signed certs correctly"? Go on, convince me that you can.
If it's hard, people won't do it. That's why email encryption has never caught on while https usage has. So if you want to do away with third party CA usage, then you need to come up with something that is better security wise, but is no harder to use. If it's any harder to use, you are already well on the back foot convincing people to use it.
Sorry, but I completely disagree with your assertion
Re: (Score:2)
That's the point.. Don't give a shit if they can. I'm sorry but I am a bit of a computer elitist. I don't think ISPs should be responsible for blocking ports or making security decisions on the behalf of their users either, but if they start spewing malware all over the place, then they need to be banned. Proper usage and consequences, there is a secure way to do transactions, people just don't like security. In that case don't bitch about the consequences (not you, just people in general aren't willing to d
Re: (Score:2)
>So, with the third party out of the equation, how does one know that the security certificate you receive from random-site.com is the one that random-site.com intended you to receive?
By comparing the fingerprint with the list of valid fingerprints for the site, as published by the site via DANE.
Of course, browsers refuse to implement that...
Re: (Score:2)
So we are back to a third party, only this time involving lists that need updating and collating...
Re: (Score:2)
It's the same third party that lets you have random-site.com rather than an IP, so you're stuck with them anyway.
Re: (Score:2)
>Stop the stupid ass warning for self signed certs and let secure communications between the two parties it concerns.
You don't get those warnings if you have verified and installed and trusted the cert.
This argument that warning about self signed certs is stupid. Look the software has to do something to let you know the connection is insecure, you should assume http is insecure and you know that because the little lock icon is not present. You know http does not contain any other authenticity or integrity controls, you make your choice. https (SSL/TLS) normally is your authentication, integrity, and privacy control suit
Re: (Score:2)
"trusted" root certs are organizations that you are supposed to be able to trust to be proper with the certs that they give out. CNNIC is (properly) being removed from that list. The point isn't to 'punish' their customers. It's to protect the rest of us. If CNNIC manages to convince Google (and others) that they've fixed the problem and won't let it happen aga
Re: (Score:2)
In Firefox, if you know you're talking to the right site, you have to do some nonintuitive clicks to accept the cert and use the site.
BTW, if you're connected to the right site, you still can't trust the cert. It could be a part of a man-in-the-middle attack.
Re: (Score:2)
3rd party certification of cert
Re: (Score:2)
No. They consider that entering or following a link to an 'https:' URL means that you expect a secure connection. In this context, a self-signed certificate that has not been whitelisted is an error.
Re: (Score:2)
What should happen is that CAs should be part of SSL's security, not all of it. There should be some additional options:
1: QR codes a company can print out to validate not just their address, but a key ID and fingerprint.
2: Some form of P2P mechanism, coupled with trust weightings. That way, if Alice says a key to Last National Bank is genuine, it has more weight to Bob than 1000 other people who have no reputation, but are showing different key IDs for the same bank.
3: Some caching to notice if an int
Re: (Score:2)
>This is a good thing, and despite the upheaval it will cause for people requiring new certs
Except that it won't cause much upheaval, which is really the only reason they can do it in the first place.
Google is not the player in China that it is in the west, there is quite a bit of local competition for most Google services there, they really are not even a leader and that has a lot to do with Google actually being "not evil" and refusing to cooperate with the 'Party' on some things.
Chrome isn't Internet Explorer, the people using it across the world are far more likely to understand what a digita
Re: (Score:2)
Google's web services may not be a player in China (irrelevant, so I didn't check), but their browsers (desktop and android) most certainly are: http://www.chinainternetwatch.... [chinainternetwatch.com]
I don't think "lessor" is a word, but if you meant "lesser" then you couldn't be more wrong: http://www.zdnet.com/article/n... [zdnet.com]
I'm quite confident that most of these Google-browser users don't have a clue what digital certificates are.
Verisign, Thawte and GeoTrust would probably be treated the same way, if they failed to act of known
Re: (Score:2)
Lessor is indeed a word. Having to do with Leases. It is incorrect usage in this context.
Karma (Score:2)
be weasels, be labelled sneaky. I have no problems with this. the whole security thing needs a serious re-engineering. too many sneaky Petes hiding under the CA mechanism, and too many holes in our other security software systems.
Re: (Score:2)
>If a CA clearly can't be trusted, then it has absolutely no business being trusted.
The issue is, though, why wait for the CA to go before deciding not to trust it? Why should all users in the world have Chinese, American, Iranian, Russian, and other potentially-rogue CAs trusted by their browser?
This Stack Exchange (SuperUser) question about how to know which certs to leave in and which to remove has gone without a decent answer for months:
http://superuser.com/questions... [superuser.com]
Lawful rights and interests? (Score:3)
Is this just swagger, or are they attempting the theory that CAs have some sort of right to be trusted?
Re:Lawful rights and interests? (Score:5, Insightful)
Ever read any other press releases coming out of China?
They very often miss the point, and just fall back to "this is true because we say it is".
The "rights and interests" of users is to not be spoofed. The users in China don't have a "right" to use a google product which has been hacked, and the CNNIC doesn't have a "right" to issue fake certificates.
Some of it is swagger, but from people who are used to being able to wave their collective dicks around and have that influence reality. Now, they've come up against an entity who says "we simply don't care what you want to claim, this is what's happening".
Re: (Score:2)
Sorry, but the "right" to issue "fake" certificates is pretty much what a CA is about. You are trusting them not to abuse that right. Google has said that they don't trust one particular CA, which happens to be in China. Many others also shouldn't be trusted, but still are. I have a real question as to which CAs actually *do* validate that the folk they issue certificates represent those with an actual right to the name...and my suspicion is that none of them do. If they did you wouldn't get so many "o
Re: (Score:2)
>What 'rights and interests', exactly is CNNIC blathering about? Google has changed absolutely nothing about any certain they have issued, the hierarchy will be precisely as it was, they just decided that 'being untrustworthy' was incompatible with being among the trusted CAs. Is this just swagger, or are they attempting the theory that CAs have some sort of right to be trusted?
If their certificates are not trusted by major browsers, then they are worthless blobs of bits. This will hurt the 'rights and interests' of the customers who paid for them and whose web servers will (as far as the customer can see) stop working. CNNIC is trying to transfer the blame to Google.
Re: (Score:3)
Browser manufacturers have a responsibility towards their own customers (users), not towards the victims of some untrustworthy CA.
Re: (Score:2)
Wait, your username is " ", did Slashdot start supporting Unicode all of a sudden?
Re: (Score:2)
No. Apparently Slashdot did not start supporting Unicode.
Re: (Score:2)
No, it's just because it comes from G+, and they don't filter that.
(Slashdot does support Unicode, they just have a super-long blacklist of things that you can't use)
Re: (Score:2)
So, CNNIC doesn't understand the concept of trust, or is it ALL of China? It's a simple concept that humans have had for Centuries. I guess they're just not used to being on the receiving end of the punishment.
Too bad for CNNIC (Score:5, Insightful)
Re: (Score:3)
1. All that will happen is that CNNIC will disappear and magically pop up again with a new name, different premises, different phone numbers, but with the same slimeballs in charge. The companies will whine, if they find out about it, to the Chinese government. The Chinese government will open an alleged investigation and that will be the last anyone will hear of the investigation. Meanwhile, the companies will again become frustrated, do to the new entity what they did to CNNIC. Go to 1.
Re:Too bad for CNNIC (Score:5, Insightful)
>All that will happen is ...
If that is what happens, then other measures would need to be taken to assure new CAs are trustworthy.
If the same problem continues to recur and nothing is done to prevent it, then the whole web of trust will fail.
Re:Too bad for CNNIC (Score:5, Interesting)
The main thing here is that this also invalidates all of the certificates issued by CNNIC's intermediaries like MCS that are descended from the soon to be invalidated root certificates, and so on all the way down the chain of trust. That's a *lot* of customers and customers of customers that are going to be looking to push at least some of the costs of sorting this out upstream. Ultimately the buck stops at CNNIC, so they are going to have to make a decision about how much of those costs they are going to bear - get it wrong and there are plenty of other root CAs that intermediate level CAs can go to instead of CNNIC.
That sends a pretty strong message to other CAs that might be considering something similar, or to governments looking to strong arm a CA into doing it on their behalf. Break the chain of trust (whether through incompetence, negligence or deliberate intent being immaterial), and you can expect to face very public, and potentially very expensive, consequences. Given that this also has implications for everyone's privacy, absolutely Apple, Microsoft, Mozilla et al. ought to follow suit and take at least some form of punitive action. Following on from DigiNotar I'm actually expecting to see them publishing some form of formalised policies about this in the near future, and hopefully no more exceptions (like TrustWave) are going to be made.
Re: (Score:2, Insightful)
The problem is that, while it sends a message, it also seems like the strong message was only sent because it mostly affects some Chinese that do bad things anyway. Would the same strong message have been sent if it had been Verisign or DigiCert?
Re:Too bad for CNNIC (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
>1. All that will happen is that CNNIC will disappear and magically pop up again with a new name, different premises, different phone numbers, but with the same slimeballs in charge. The companies will whine, if they find out about it, to the Chinese government. The Chinese government will open an alleged investigation and that will be the last anyone will hear of the investigation. Meanwhile, the companies will again become frustrated, do to the new entity what they did to CNNIC. Go to 1.
Ah, but as we see from this story, it is not the Chinese government which gets to decide if they will be allowed to do that, it is the the makers of web browsers and similar software. If popular software is not configured to trust their certificates, they will be useless.
Re: (Score:2)
Meanwhile, Google and the like will get requests to add a new CA, they will research the new CA and find the same slimeballs in charge and never add the new CA to begin with. Nothing hurt but the pockets of some slimeballs.
Re: (Score:2)
>The Chinese government will open an alleged investigation and that will be the last anyone will hear of the investigation.
Sounds an awful lot like the US government these days.
Re: (Score:2)
>It would be best if Mozilla, Microsoft, et al. followed suit.
It would, for the sake of their own customers, but in reality it's not even necessary. TFA calls Chrome the second most popular browser, although I'm pretty sure it's firmly in first place. If those certificates are not trusted in Chrome then, regardless of whether or not they are trusted in IE or Firefox, the website owners are still going to get a new certificate from a different CA. Even with only Google taking these steps, CNNIC is hosed. If Mozilla follows suit it's really only academic at that poi
Firefox response (Score:3)
Judging by the discussions on the Mozilla mailing lists I wouldn't be surprised if Firefox will include a whitelist of current certificates issued by CNNIC and make it so no new certificates issued by CNNIC will be valid.
At least as long as CNNIC doesn't adhere to the proper rules. Maybe CNNIC will even get stricter rules applied to them.
Re:Firefox response (Score:5, Informative)
Here is a link to the latest Mozilla statement on the mailinglist/newsgroup:
https://groups.google.com/d/ms... [google.com]
Re:Firefox response (Score:5, Insightful)
Now that is fascinating. FTFN[ewspost]:
>The current incident falls into this category:
>"Problem: CA mis-issued a small number of intermediate certificates that they can enumerate
Uh, no. No, that is not the problem. The problem is that the CA has been demonstrated to use untrustworthy practices. They are fundamentally untrustworthy, and Google did the Only Right Thing(tm) while Mozilla is failing, and hard.
Mozilla formulating a plan? (Score:3)
Re:Mozilla formulating a plan? (Score:5, Informative)
You know you can do this yourself in Firefox and Thunderbird.
Options -> Advanced -> Certificates -> View Certificates -> Authorities -> Delete or Distrust...
Re: (Score:2)
Re:Mozilla formulating a plan? (Score:4, Informative)
Unless this has changed, deleting the ingrown CAs in chrome & Firefox has little effect as they reappear if you quit & relaunch the application. It's why I installed the Certificate Patrol plugin which at least lets me see when certificates change.
Re: (Score:2)
Important note: this is potentially not permanent (Score:5, Informative)
What this summary neglects to say is that Google is open to the idea of adding them back. Quote (link mine):
>[...] CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency [certificat...arency.org] for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.
Re:Important note: this is potentially not permane (Score:5, Informative)
"Fix your shit once-and-for-all and we might deal with you again."
That's not really an endorsement, any way you look at it.
Lotsa butthurt (Score:2, Interesting)
No excuses (Score:5, Insightful)
This is kind of equivalent to hiring a locksmith, then noticing that he copied one of your keys and it's on his personal keychain.
There is no reason to ever trust this locksmith again. Some institutions, like certificate authorities and locksmiths, are sacred. The whole POINT of their existence is to be an entity you can trust to keep things secure. If they are irresponsible and let this happen, then there's no reason to trust them.
Ever again.
Link to the announcement (Score:5, Informative)
Google announced the decision in an update at the bottom of https://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html [blogspot.com]. I'm happy they did: certification authorities need to understand that there are consequences to gross negligence or worse.
Good move google. Mozilla, we're waiting...???? (Score:2)
Web of trust cannot survive politics (Score:5, Insightful)
tough nuts (Score:2)
"The decision that Google has made is unacceptable and unintelligible"
WELCOME TO AMERICA. We don't put up with that shit.
Re: (Score:2)
Yet. :(
Re: (Score:3)
In this case Google has done something. What has the US or any other government done?
Re: (Score:2)
The market did this, not the feds. So the market does work, if you let it.
Internet Explorer (Score:2)
Re: (Score:2)
No one who cares about security and keeps themselves informed is using Internet Explorer anyway. Microsoft therefore doesn't have any business need to deal with this quickly.
Re:Internet Explorer (Score:5, Informative)
Sounds like they're just trying to be ICANN (Score:2)
Mozilla accepts CNNIC (Score:2)
There was an article in 2010 about this subject and the naysayers were correct.
http://slashdot.org/story/1308... [slashdot.org]
I've personally deleted its authority entry in Firefox.
"Fool me once. Shame on you..." and all that.
Unintelligible? (Score:2)
I can't tell if these people are just blustering and trying to save face, or if they are actually really so stupid and morally bankrupt that they don't see fraud as bad.
Re: (Score:2)
User distrust is bad.
User dissatisfaction is bad.
CA fraud causes the above.
Any questions?
I have no particular problem with this -- but (Score:2)
I have no problem with this, if the CA can't be trusted then they should be de-listed from browser default behavior as soon as possible.
However, I do see the Chinese government reacting in a particular way. They could start requiring that _only_ government-approved CAs are used within China's borders (with the little detail of Google's certs not being accepted / listed).
This is epic but are we learning the wrong lesson? (Score:2)
This is an epic thread.. amusing.. and very sad.. at the same time..
https://bugzilla.mozilla.org/s... [mozilla.org]
However I'm afraid we often are not understanding the bigger picture.
The underlying problem is our own behavior. We are hoisting responsibility for security of everything in the "cyber world" upon CAs and acting surprised when the tidal wave of pressure from all sources to betray that trust washes them away.
Trusted third parties should be used only for initially establishing trust... after that we should be
Firefox also dropping CNNIC (Score:2)
It seems that Mozilla will also be dropping CNNIC [mozilla.org].
Re: (Score:2)
I think we were fools to ever trust China in the first place. Now look at how indebted the US is to China. We are just as weak to China as we are to Iran. No leverage anymore because we have basically sold out in order to obtain goods at a better price and US companies can make bigger profits. Google certainly should be praised for its action, but let's also realize how China is slowly killing off any Western connections.
Um... no. China is a much, much, much bigger threat. Going to war with Iran would be like going to war with Maryland.
http://en.wikipedia.org/wiki/L... [wikipedia.org]
http://en.wikipedia.org/wiki/L... [wikipedia.org]
http://en.wikipedia.org/wiki/A... [wikipedia.org]
http://en.wikipedia.org/wiki/P... [wikipedia.org]
Re:What is trust these days? (Score:4, Funny)
Going to war with Iran would be like going to war with Maryland.
You've never been to Maryland, have you? You'd never win such a war. There's too much paperwork involved in even establishing a war in Maryland. Just the recurring fees and annual compliance filings with the state would be enough to crush the fighting will of any invading army. Not to mention the tax rates on any pillaged loot seized during said invasion, especially in certain Maryland counties, would be enough to make the whole thing completely unprofitable. Just don't bother. Invade nearby Virginia, or maybe Delaware or Pennsylvania, instead. They're much easier to deal with.
Re:What is trust these days? (Score:4, Insightful)
Obtaining actual physical goods for IOUs is a pretty good deal IMHO.
Re: (Score:2)
Yes, exactly. And on top of it all, ultimately dollars are only good for purchasing US goods and services. So at some point - admittedly it could be far in the future - those dollars will presumably help support American jobs.
Re: (Score:2)
Why use the dollars to support foreign (to them) jobs, when they can just use them to purchase resources, companies, etc.? True some minimal number of jobs will be involved in that, but any labor intensive processes can be shipped back home.
So it's not just "jobs in the far future" it's "strip mine the country when convenient".
Re: (Score:2)
Resources == Jobs. Companies are nothing but collections of people. Even real estate is an almost infinite resource in the US. I'm not going to say that running a constant deficit is a good thing, but we could do far worse than to have another country lend us a bunch of our own currency at a rate below inflation.
Re: (Score:2)
If you owe the bank $1,000, you have a problem.
If you owe the bank $1,000,000, the bank has a problem.
Re: (Score:2)
Actually Chunghwa Telecom Co. is in Taiwan. Don't confuse them with the mainland scumbags.