Thursday, February 04, 2010

Concern over using https in China

Last October, Mozilla accepted the China Internet Network Information Center [CNNIC] as a trusted CA root. This affects Firefox, Thunderbird, and other products built on Mozilla technologies. The standard period for discussion passed without comment, and Mozilla accepted CNNIC based on the results of a formal audit. Some in the Internet community have raised concerns and claimed that the Chinese government controls CNNIC. Claims have also surfaced of malware production and distribution, and of previous man-in-the-middle attacks in China via CNNIC's secondary CA root from Entrust. All rather complicated stuff. But the blogosphere and Twittersphere are alive with comments as to what the handing out of security certificates really means, and whether it really does pose a threat to online security.

A CA, or Certificate Authority, is a trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.

But the apparent close relationship of the CNNIC with the MIIT [Ministry of Industry & Information Technology] has raised questions over how the Chinese government might abuse the system.

Forums have debated the issue for several weeks. A user on one forum writes, "It has long been worried that GFW [Great Firewall] could intercept SSL [Secure Sockets Layer] sessions. Later it's proved that GFW can interrupt SSL sessions based on its Certificates, which makes people worried more and more. Someone even related the SSL cert signing date change to Google's Infiltration event. GFW seems to be seeking MITM solutions."
Another contributor urges action. "If you have business in China and have valuable data to protect, join us and import CNNIC cert into Windows Untrusted CA list. Remove CNNIC root CA from Firefox's trusted CA list. Write to MS, WebTrust, Entrust.net and express your dissatisfaction against signing/adding untrustworthy certs/authorities."
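What the CA model described above actually decides, and what the "Untrusted CA list" step urged in the quote changes, as an added Go example that is not from the post or the forums it quotes: a constructed root signs a certificate for a host it has no relationship with, and Accept first builds the chain the way a browser does, then refuses it when the root's fingerprint is on a distrust list. All names, keys and certificates are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for name signed by parent; a nil parent yields a self-signed root.
// All keys and certificates are constructed for this demo; none is real CA material.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail on supported platforms
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return cert, key
}

// Fingerprint is the SHA-256 of the DER encoding, the usual identifier when pinning or distrusting a root.
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }
// Accept does the normal chain build for host, then refuses any chain whose root is in the
// distrusted set. A nil set reproduces what an unmodified trust store does.
func Accept(leaf *x509.Certificate, roots *x509.CertPool, distrusted map[[32]byte]bool, host string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if root := chain[len(chain)-1]; distrusted[Fingerprint(root)] {
			return fmt.Errorf("%s: chain ends in distrusted root %q", host, root.Subject.CommonName)
		}
	}
	return nil
}
```

With the root in the pool and no distrust list, a certificate the root issued for any hostname is accepted; the only things that change that outcome are removing the root from the pool or listing its fingerprint.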

Comments on other forums also raise questions. Writing on a Slashdot forum, one person argues that the "whole CA concept is flawed". Maybe so, but at present it is the best system available to identify whether sites are bona fide. However, abuse of such a system needs to be monitored and eradicated.

The issue is reported in a post on TechEye and on LWN, and while much of the data discussed is speculative, recent accusations that the Chinese government may have been behind attacks on Google and other western interests do raise serious concerns. In China the issue is particularly worrying as authorities tighten restrictions on what can be done on the Internet. In December the CNNIC rolled out its initiative to register all .cn domains and barred individuals from registering websites [Chinatech News]. If allegations of CNNIC collusion with the MIIT and government to facilitate malware distribution and intrusion attempts turn out to be true, it will become very uncomfortable not only for so-called Chinese netizens, but also for expats and foreign business interests based in China.

tvnewswatch, Beijing, China