Bug 303273 - CNNIC-free Firefox
Summary: CNNIC-free Firefox
Status: RESOLVED INVALID
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Mozilla Gentoo Team
Reported: 2010-02-02 21:52 UTC by Luke-Jr
Modified: 2010-09-13 00:27 UTC
Description Luke-Jr 2010-02-02 21:52:44 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=525008 is not clear whether this cert is added only on Windows, or all platforms (does Firefox use the system CA root, or have its own?). A USE flag to revert this CA would probably be a good idea on the relevant package(s), or alternatively at least providing the last unaffected release (3.5.4 was the last released before the Mozilla Bugzilla date, but I don't know when/if the change merged into the branches).
Comment 1 Ingmar Vanhassel 2010-02-03 21:59:05 UTC
Why do you want to disable this particular CA?
Comment 2 Luke-Jr 2010-02-03 23:26:11 UTC
There are some very well-written posts on the Mozilla bug. To summarise, CNNIC has a history of active participation in man-in-the-middle attacks, and including their root certificate enables them to do so even with SSL websites. So this is a security vulnerability by design. It's like giving a burglar a back door key to every safe.
Comment 3 Jory A. Pratt gentoo-dev 2010-02-07 19:02:27 UTC
This was not even committed until 1.9.1.8. I do not see where you are getting your info about a security flaw; I would suggest you be more specific. This is a cert 99% of all users would never use. Please provide your security info and reopen if you wish.
Comment 4 Luke-Jr 2010-02-07 22:14:31 UTC
For the most part, users automatically "use" the CAs included with Firefox.

1. China sets up infrastructure to intercept communications to a website they want to sniff.
2. China issues themselves (as CNNIC) a dummy certificate for this website's domain.
3. Firefox users visit this website completely unaware that China is intercepting and monitoring their traffic.

This defeats the purpose of SSL/TLS, which is to be certain nobody is listening in. CNNIC/China have a history of man-in-the-middle attacks with regular HTTP (e.g., non-SSL), so it's not unlikely they would abuse their newly given power to expand it to HTTPS.
Comment 5 Doktor Notor 2010-02-17 04:13:58 UTC
(In reply to comment #4)
> This defeats the purpose of SSL/TLS which is to be certain nobody is listening
> in.

Wrong. The only thing you can be sure of with SSL/TLS wrt browsers is that your communication is encrypted. End of story. And, if you are going to "fix" this, then I demand to have cacert.org certs included by default. IOW, take this upstream to get resolved.

Comment 6 Luke-Jr 2010-02-17 06:37:28 UTC
The only purpose of (this form of) encryption is to ensure nobody is listening in. "Your communication is encrypted" means NOTHING if you don't know *who* it's encrypted to. If it's encrypted to a middle-man who simply logs it then re-encrypts it to your real destination, it might as well not be encrypted in the first place.

What does this 'cacert.org' have to do with Firefox and CNNIC?
Comment 7 Doktor Notor 2010-02-17 07:46:47 UTC
(In reply to comment #6)
> The only purpose of (this form of) encryption is to ensure nobody is listening
> in. "Your communication is encrypted" means NOTHING if you don't know *who*
> it's encrypted to. If it's encrypted to a middle-man who simply logs it then
> re-encrypts it to your real destination, it might as well not be encrypted in
> the first place.

You are just imagining this. There have been screw-ups for many major CAs who mis-issued certificates.

> What does this 'cacert.org' have anything to do with Firefox and CNNIC?

You want a CA removed, I want a CA added. :P See https://bugzilla.mozilla.org/show_bug.cgi?id=215243 for the cacert.org discussion. I guess Mozilla is getting money from commercial CAs to not include stuff like this. :P

As for the inclusion of CNNIC question: https://bugzilla.mozilla.org/show_bug.cgi?id=476766 and https://bugzilla.mozilla.org/show_bug.cgi?id=525008. Regarding the removal, this has an upstream bug - https://bugzilla.mozilla.org/show_bug.cgi?id=542689 with 118 comments consisting mostly of political bullshit and leading nowhere. Won't be any different here. Oooh the evil China, remove remove remove. All this stems from a wrong assumption that a certificate makes you sure you are talking to the party they claim to be. Don't make such an assumption and you are just fine. Delete any CA you don't trust yourself, you are perfectly able to do it yourself - see Comment #118 on the upstream bug for instructions.
Comment 8 Luke-Jr 2010-02-17 16:53:14 UTC
If encryption doesn't guarantee you're not being eavesdropped on, then *what purpose does it serve at all*? (Hint: NONE, that is its only purpose)

CNNIC has a history of actively engaging in man-in-the-middle attacks; it's not at all like an accidental CA error.
Comment 9 Doktor Notor 2010-02-17 17:14:44 UTC
(In reply to comment #8)
> If encryption doesn't guarantee you're not being eavesdropped on, then *what
> purpose does it serve at all*? (Hint: NONE, that is its only purpose)

Eh, I guess I really am unable to get my point through. You are blindly trusting a third party (CA) when relying on these certs. They give a *FALSE* sense of security. Funny bit - self-signed certificates are safer here than the stuff signed by some CA, yet browsers make a hellish user experience when using them (stuff produced by Mozilla really "excels" here). Oooooh, it's not verified, end of the world, let's nag users to oblivion and scare them off the site. But you regularly see phishing sites with certificates signed by some well-known CA and people happily filling in their banking info on those. Oh, the irony.
Comment 10 Luke-Jr 2010-02-17 19:15:20 UTC
Yes, you are "blindly" trusting a CA; which is why default CAs should only be relatively trustworthy organizations. Why do you think trusting a CA is somehow less secure than trusting absolutely anyone (self-signed certs)?
Comment 11 Luke-Jr 2010-03-11 16:24:13 UTC
Please re-add Firefox 3.5.6 and associated xulrunner/etc until this bug can be fixed. Its removal is forcing my system to downgrade to 2.0 in the meantime :(
Comment 12 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-03-11 16:31:25 UTC
(In reply to comment #11)
> Please re-add Firefox 3.5.6 and associated xulrunner/etc until this bug can be
> fixed. Its removal is forcing my system to downgrade to 2.0 in the meantime :(
> 

While upstream decides on this issue, why don't you manually mark this CA as untrusted?
Comment 13 Doktor Notor 2010-03-11 16:31:45 UTC
(In reply to comment #11)
> Please re-add Firefox 3.5.6 and associated xulrunner/etc until this bug can be
> fixed. Its removal is forcing my system to downgrade to 2.0 in the meantime :(

Uh... If you don't want the certificate enabled, do this:
https://bugzilla.mozilla.org/show_bug.cgi?id=542689#c118

No one's going to re-add multi-vulnerable versions because you dislike a certificate.
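The manual distrust that comments 12 and 13 point to can be scripted with NSS's own certutil(1) instead of clicking through the certificate manager. The script below is an added example and is not code from this bug thread, from Gentoo or from Mozilla. It assumes certutil is installed (on Gentoo, dev-libs/nss built with the utils USE flag), that the Firefox profile uses the cert9.db "sql:" backend, and that the root's nickname is passed exactly as "certutil -L" prints it; the listing it audits at the bottom is constructed for illustration, and the "CNNIC ROOT" nickname and trust flags in it are assumed rather than copied from a real profile.

```shell
#!/bin/sh
# Added example (not from the bug thread, Gentoo or Mozilla): audit which
# roots in a Firefox/NSS certificate database are trusted to issue TLS
# server certificates, then explicitly distrust one of them.
#
# Assumptions: certutil(1) from NSS is on PATH, the profile uses the
# cert9.db "sql:" backend, "-h all" makes certutil list builtin-token roots
# as well as the profile's own entries, and nicknames are given exactly as
# "certutil -L" prints them.

# Reads "certutil -L" output on stdin and prints "nickname<TAB>flags" for
# every entry whose SSL trust field contains C (trusted CA for server certs).
audit_ssl_roots() {
    awk '
        # data lines end in three comma-separated NSS trust fields,
        # e.g. "C,C,C" (trusted CA) or ",," (no trust recorded)
        NF > 1 && $NF ~ /^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$/ {
            flags = $NF
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trailing flags column
            split(flags, f, ",")
            if (f[1] ~ /C/) printf "%s\t%s\n", nick, flags
        }'
}

# List every token in a profile (builtin roots included) and run the audit.
# Usage: list_trusted_server_roots ~/.mozilla/firefox/<profile>
list_trusted_server_roots() {
    certutil -L -h all -d "sql:$1" | audit_ssl_roots
}

# NSS trust string meaning "explicitly distrusted" (p = prohibited) for
# SSL, S/MIME and code signing respectively.
DISTRUST_FLAGS="p,p,p"

# Record a trust override for one root in the profile database; this is the
# command-line equivalent of unticking "This certificate can identify
# websites" in Firefox's certificate manager.
# Usage: nss_distrust_root <profile-dir> <nickname>
nss_distrust_root() {
    profile=$1
    nick=$2
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found; install the NSS utilities" >&2
        return 2
    fi
    certutil -M -d "sql:$profile" -n "$nick" -t "$DISTRUST_FLAGS" &&
    certutil -L -h all -d "sql:$profile" | grep -F -- "$nick"
}

# Constructed sample of "certutil -L" output (not real profile contents);
# the nicknames and flags are assumed for the demo.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:CNNIC ROOT                              C,C,C
my-self-signed-server                                        P,,
Builtin Object Token:Some Other CA                           ,,
Untrusted Example Root                                       p,p,p'

# Runs the audit over the constructed listing so the script works offline.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_ssl_roots
}

audit_sample
```

Against the constructed listing only the CNNIC entry is reported, because "P,," marks a trusted peer certificate rather than a CA, ",," records no trust at all, and "p,p,p" is already a distrust override. To apply the override to a real profile, run nss_distrust_root with the profile directory and the full nickname from the audit output, then re-run list_trusted_server_roots to confirm the root no longer appears.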
Comment 14 Jory A. Pratt gentoo-dev 2010-09-13 00:27:20 UTC
This is something upstream will deal with; Gentoo will not deal with it. We will ship the CA certs that are provided until a better solution is presented.