Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 303273 - CNNIC-free Firefox
Summary: CNNIC-free Firefox
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal
Assignee: Mozilla Gentoo Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-02-02 21:52 UTC by Luke-Jr
Modified: 2010-09-13 00:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Luke-Jr 2010-02-02 21:52:44 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=525008 is not clear whether this cert is added only on Windows, or all platforms (does Firefox use the system CA root, or have its own?). A USE flag to revert this CA would probably be a good idea on the relevant package(s), or alternatively at least providing the last unaffected release (3.5.4 was the last released before the Mozilla Bugzilla date, but I don't know when/if the change merged into the branches)
Comment 1 Ingmar Vanhassel 2010-02-03 21:59:05 UTC
Why do you want to disable this particular CA?
Comment 2 Luke-Jr 2010-02-03 23:26:11 UTC
There are some very well-written posts on the Mozilla bug. To summarise, CNNIC has a history of active participation in man-in-the-middle attacks, and including their root certificate enables them to do so even with SSL websites. So this is a security vulnerability by design. It's like giving a burglar a back door key to every safe.
Comment 3 Jory A. Pratt gentoo-dev 2010-02-07 19:02:27 UTC
This was not even commited until 1.9.1.8, I do not see where you are getting your info about a security flaw, I would suggest you be more specific. This is a cert 99% of all users would never use. Please provide your security info and reopen if you wish.
Comment 4 Luke-Jr 2010-02-07 22:14:31 UTC
For the most part, users automatically "use" the CAs included with Firefox.

1. China sets up infrastructure to intercept communications to a website they want to sniff.
2. China issues themselves (as CNNIC) a dummy certificate for this website's domain.
3. Firefox users visit this website completely unaware that China is intercepting and monitoring their traffic.

This defeats the purpose of SSL/TLS which is to be certain nobody is listening in. CNNIC/China have a history of man-in-the-middle attacks with regular HTTP (eg, non-SSL), so it's not unlikely they would abuse their newly given power to expand it to HTTPS.
Comment 5 Doktor Notor 2010-02-17 04:13:58 UTC
(In reply to comment #4)
> This defeats the purpose of SSL/TLS which is to be certain nobody is listening
> in.

Wrong. The only thing you can be sure with SSL/TLS wrt browsers is that your communication is encrypted. End of story. And, if you are going to "fix" this, then I demand to have cacert.org certs to be included by default. IOW, take this upstream to get resolved.

Comment 6 Luke-Jr 2010-02-17 06:37:28 UTC
The only purpose of (this form of) encryption is to ensure nobody is listening in. "Your communication is encrypted" means NOTHING if you don't know *who* it's encrypted to. If it's encrypted to a middle-man who simply logs it then re-encrypts it to your real destination, it might as well not be encrypted in the first place.

What does this 'cacert.org' have anything to do with Firefox and CNNIC?
Comment 7 Doktor Notor 2010-02-17 07:46:47 UTC
(In reply to comment #6)
> The only purpose of (this form of) encryption is to ensure nobody is listening
> in. "Your communication is encrypted" means NOTHING if you don't know *who*
> it's encrypted to. If it's encrypted to a middle-man who simply logs it then
> re-encrypts it to your real destination, it might as well not be encrypted in
> the first place.

You are just imagining this. There have been screw-ups for many major CAs who mis-issued certificates. 
 
> What does this 'cacert.org' have anything to do with Firefox and CNNIC?

You want a CA removed, I want a CA added. :P See https://bugzilla.mozilla.org/show_bug.cgi?id=215243 for the cacert.org discussion. I guess mozilla is getting money from commercial CAs no not include stuff like this. :P

As for the inclusion of CNNIC question: https://bugzilla.mozilla.org/show_bug.cgi?id=476766 and https://bugzilla.mozilla.org/show_bug.cgi?id=525008). Regarding the removal, this has an upstream bug - https://bugzilla.mozilla.org/show_bug.cgi?id=542689 with 118 comments consisting mostly of political bullshit and leading nowhere.   Won't be any different here. Oooh the evil China, remove remove remove. All this stems from a wrong assumption that a certificate makes you sure you are talking to the party they claim to be. Don't make such assumption and you are just fine. Delete any CA you don't trust yourself, you are perfectly able to do it yourself - see Comment #118 on the upstream bug for instructions.
Comment 8 Luke-Jr 2010-02-17 16:53:14 UTC
If encryption doesn't guarantee you're not being eavesdropped on, then *what purpose does it serve at all*? (Hint: NONE, that is its only purpose)

CNNIC has a history of actively engaging in man-in-the-middle attacks, it's not at all like an accidental CA error.
Comment 9 Doktor Notor 2010-02-17 17:14:44 UTC
(In reply to comment #8)
> If encryption doesn't guarantee you're not being eavesdropped on, then *what
> purpose does it serve at all*? (Hint: NONE, that is its only purpose)

Eh, I guess I really am unable to get my point through. You are blindly trusting a third party (CA) when relying on these certs. They give a *FALSE* sense of security. Funny bit - self-signed certificates are safer here than the stuff signed by some CA, yet browsers make a hellish user experience when using them (stuff produced by Mozilla really "excells" here). Oooooh, it's not verified, end of the world, lets nag users to oblivion and scare them off the site. But you regularly see phishing sites with certificates signed by some well-known CA and people happily filling in their banking info on those. Oh, the irony. 
Comment 10 Luke-Jr 2010-02-17 19:15:20 UTC
Yes, you are "blindly" trusting a CA; which is why default CAs should only be relatively trustworthy organizations. Why do you think trusting a CA somehow less secure than trusting absolutely anyone (self-signed certs)?
Comment 11 Luke-Jr 2010-03-11 16:24:13 UTC
Please re-add Firefox 3.5.6 and associated xulrunner/etc until this bug can be fixed. Its removal is forcing my system to downgrade to 2.0 in the meantime :(
Comment 12 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-03-11 16:31:25 UTC
(In reply to comment #11)
> Please re-add Firefox 3.5.6 and associated xulrunner/etc until this bug can be
> fixed. Its removal is forcing my system to downgrade to 2.0 in the meantime :(
> 

While upstream decides on this issue, why don't you manually mark this CA as untrusted?
Comment 13 Doktor Notor 2010-03-11 16:31:45 UTC
(In reply to comment #11)
> Please re-add Firefox 3.5.6 and associated xulrunner/etc until this bug can be
> fixed. Its removal is forcing my system to downgrade to 2.0 in the meantime :(

Uh... If you don't want the certificate enabled, do this:
https://bugzilla.mozilla.org/show_bug.cgi?id=542689#c118

Noone's going to readd multivulnerable versions because you dislike a certificate.
Comment 14 Jory A. Pratt gentoo-dev 2010-09-13 00:27:20 UTC
This is something upstream will deal with, gentoo will not deal with it. We will ship the ca certs that are provided until a better solution is presented.