Unauthorized Google TLS Certificates and the Aftermath - MCS / CNNIC

emg Veteran

MCS Holdings, an Egypt-based intermediate certificate authority operating under China Internet Network Information Center (root CA), issued certificates for various Google domains such as *.google.com, www.gmail.com, and others:

http://arstechnica.com/security/2015/03/google-warns-of-unauthorized-tls-certificates-trusted-by-almost-all-oses/

As soon as I saw that report a week ago, I disabled the two root CA certificates for CNNIC on my personal computers. I figured that I have no dealings with anyone whose certificates chain back to those Chinese roots. At the very least, I want to see pop-up warnings in my browser so I can review the certificates first. (Disabling the CNNIC root certificates may not be a viable solution for people who live in China and connect to many websites that chain back to CNNIC, for example.)

Today there is a new report that Chrome (and probably others) will soon remove CNNIC as an authorized root CA:

http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust/

I have often been tempted to disable root certificates on my personal computers for root CAs that come from "hostile" countries (whatever that means) or where the chances are very low that I might visit a website that authenticates back to them. There are a few problems with this solution:

  • I suspect that OS updates would re-enable the root CA certificates that I disabled.
  • OS updates add root CA authorities that I might not want, and periodic reviews would be necessary.
  • I have a lot of computers running many different OSs. It would be a pain to do them all. The truth is that I rely on only two computers for truly secure HTTPS connections - my desktop and my laptop.

This isn't a perfect solution. Some root CAs must be retained, but they can still be a problem. Comodo comes to mind. I connect to real websites that chain back to Comodo, but bogus certificates have been issued in the past from hacked intermediate CAs that chain back to Comodo, too.

I am opening this discussion as food for thought. Does anyone have a script that disables "hostile" root CAs after an OS update? What do you do?
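One way to script what the opening post asks for on Debian/Ubuntu, added here as an example (not code from this thread or from the RevokeChinaCerts project): it keeps a local "untrust" list and marks those CAs as deselected in /etc/ca-certificates.conf, the same file dpkg-reconfigure ca-certificates edits, so the list can be re-applied after every ca-certificates package update. The two certificate file names are assumed to be Debian's names for the CNNIC roots; adjust them to your own list.

```shell
#!/bin/sh
# Added example (not from the thread or RevokeChinaCerts): keep a local
# "untrust" list for Debian/Ubuntu and re-apply it after ca-certificates
# package updates. /etc/ca-certificates.conf lists files under
# /usr/share/ca-certificates; a line starting with "!" is deselected and
# update-ca-certificates then leaves that CA out of /etc/ssl/certs.

# Assumed Debian file names for the two CNNIC roots mentioned above.
UNTRUST_LIST='mozilla/CNNIC_ROOT.crt
mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt'

# untrust_cas CONF NAME...: mark each NAME as deselected in CONF.
# Idempotent; a NAME not yet listed is appended as deselected so a
# later package update that ships it does not become trusted silently.
untrust_cas() {
    conf="$1"; shift
    for name in "$@"; do
        if grep -qxF "$name" "$conf"; then
            tmp=$(mktemp)
            awk -v n="$name" '$0 == n { print "!" n; next } { print }' \
                "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
        elif ! grep -qxF "!$name" "$conf"; then
            printf '!%s\n' "$name" >> "$conf"
        fi
    done
}

# check_untrusted CONF NAME...: return 0 only if every NAME is deselected.
check_untrusted() {
    conf="$1"; shift
    for name in "$@"; do
        grep -qxF "!$name" "$conf" || return 1
    done
    return 0
}

# Apply to the live system (needs root), e.g. from a cron job or an
# apt hook:  ./untrust-cas.sh --apply
if [ "${1-}" = "--apply" ]; then
    untrust_cas /etc/ca-certificates.conf $UNTRUST_LIST
    update-ca-certificates --fresh
    check_untrusted /etc/ca-certificates.conf $UNTRUST_LIST \
        && echo "untrust list applied"
fi
```

Re-running the script after each package update is what answers the "OS updates re-enable them" concern; newly shipped CAs still need a periodic review of /usr/share/ca-certificates.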

Comments

  • jarjar Patron Provider, Top Host, Veteran

    Thanks for the heads up!

    Thanked by: netomx
  • telephone Member
    edited April 2015

    emg said: Does anyone have a script that disables "hostile" root CAs

    I've used: https://github.com/chengr28/RevokeChinaCerts

    Edit: It has scripts for Android, Linux, Mac, and Windows.

    Thanked by: emg, netomx, nullnull
  • rm_ IPv6 Advocate, Veteran
    edited April 2015

    This also revokes our darling WoSign, absolutely unjustified move and also may lead to more noticeable issues, as free WoSign certs will now be increasingly popular.

    No need for SSL racism, WoSign (and other CN CAs) haven't done anything bad, no need to make them suffer from CNNIC's incompetence or negligence.

    P.S. In fact I am switching all my websites to WoSign right now, to make the issues you will face a little bit more evident, and to support them, and the notion that what you're doing is not the right approach.

    Thanked by: NeoXiD, alexvolk
  • emg Veteran
    edited April 2015

    @rm_ said:
    > This also revokes our darling WoSign, absolutely unjustified move and also may lead to more noticeable issues, as free WoSign certs will now be increasingly popular.
    >
    > No need for SSL racism, WoSign (and other CN CAs) haven't done anything bad, no need to make them suffer from CNNIC's incompetence or negligence.
    >
    > P.S. In fact I am switching all my websites to WoSign right now, to make the issues you will face a little bit more evident, and to support them, and the notion that what you're doing is not the right approach.

    I agree that the certificates in the list need to be edited by individual users as appropriate. The scripts may be useful, however. The name "RevokeChinaCerts" is unfortunate, because the scripts have general applicability.

    No "SSL racism" should be construed from any of my posts. I simply want to disable root CAs that I do not need or use. For me, I do no business with China (or Kazakhstan or Paraguay, for example). Obviously, people in China may not be able to revoke (or untrust, in my case) the CNNIC root CA certificates without incurring problems.

  • rm_ IPv6 Advocate, Veteran

    emg said: I do no business with China

    These (https://www.ohling.org/blog/2015/02/wosign-free-2y-ssl-certificate.html) will be used by people from all over the world, and not just from China.

  • Simple - consider all SSL traffic as probably sniff-able. Obviously, not insecure in the sense that some kid will MitM you, but in the sense that someone a tad more resourceful can do it on a larger scale. Then ask yourself the question - how much do you care if agent X can see your traffic to Google?

  • emg Veteran

    @rm_ said:
    will be used by people from all over the world, and not just from China.

    I hope I made it clear that I might use the scripts, but if I do use them, I would edit the certificate lists according to my specific needs. In my opinion everyone else would be better served by doing the same thing.

    You have made it abundantly clear that you want to enable the WoSign root CA. Great! Delete it from the list before you run the script.

    If you continue to find fault with RevokeChinaCerts code, take it up with them or submit your own changes - I have nothing to do with them.


    Somewhat off topic:

    I am not sure how I feel about "free" certificates - that seems like an avenue for potential attackers. Some people (not you!) might be happier if they left WoSign "untrusted" and add/trust individual website certificates one-by-one as needed. It depends on the individual, of course.

  • rm_ IPv6 Advocate, Veteran
    edited April 2015

    emg said: I hope I made it clear that I might use the scripts, but if I do use them

    I don't really care about you personally, I care about people en masse who will use this project.

    emg said: I would edit the certificate lists according to my specific needs.

    Nobody else will bother. E.g. I wonder if @telephone used the script as offered, or only banned CNNIC through it. In any case, "China bad, ban all China" and "oh how convenient, there's even now a project on GitHub to ban all China". It's a mindset seen way too often; many people often ask here how to block all Chinese networks in iptables, in mail servers, etc.

    emg said: In my opinion everyone else would be better served by doing the same thing.

    They could already do so via the likes of "dpkg-reconfigure ca-certificates". But you really need to have nothing better to do than to cater to your paranoia, if you personally review hundreds of OS-shipped CA certs to decide if you trust each of those. With the system where any CA can certify any domain (and any domain owner may choose to buy certs from arbitrary CAs, even from those you wouldn't expect them to) this is pretty much pointless and prone to issues anyway.

    emg said: how I feel about "free" certificates - that seems like an avenue for potential attackers

    They have robust domain ownership verification in place. No worse than if you'd pay for a lowest tier domain-validation certificate from them or from any other CA. Same as StartSSL who have been providing free certificates for a long long time. Not to mention the free certs that Cloudflare now automatically offers.

    Thanked by: asf
  • telephone Member
    edited April 2015

    rm_ said: E.g. I wonder if @telephone used the script as offered, or only banned CNNIC through it.

    You are correct. Using the "extended" option, which is suggested in all the readmes, only blocks a certain set and leaves WoSign alone.

    ^ Don't jump to conclusions, just because OSS people suck at naming their projects :D

    rm_ said: P.S. In fact I am switching all my websites to WoSign right now, to make the issues you will face a little bit more evident, and to support them, and the notion that what you're doing is not the right approach.

    Feel free to change all your sites to WoSign, as it won't affect me :P

  • rm_ IPv6 Advocate, Veteran
    edited April 2015

    telephone said: Feel free to change all your sites to WoSign, as it won't affect me :P

    I will from now on proceed to make more interesting and useful websites with the widest possible public appeal, to make sure next time it does affect you. Mwahahaha. :D

    Oh wait so you didn't ban WoSign, I guess no need for that then.

  • godong

    @rm_ said:
    Oh wait so you didn't ban WoSign, I guess no need for that then.

    Why are you so defensive of WoSign?

  • rm_ IPv6 Advocate, Veteran

    godong said: Why are you so defensive of WoSign?

    They provide a unique and very nice service to the community -- free 100-domain certs for 3 years -- and even put in effort to make it quick and easy to use, added that single-page English ordering form, added SHA2 intermediate certs, replying to support requests helping install the cert, even to someone who is not a paying customer.
    Whereas other CAs only conspire on how to milk you for as much money as possible. Want multi-domain? That'll be double the price for each additional domain. Want wildcard? That'll be 10x the price outright. Oh, and forget 3-year validity, it's 1 year only... etc. etc.

  • Maounique Host Rep, Veteran

    Much better, untrust everything and enable on a case-by-case basis. You will be able to make interesting reading about what your bank uses, for example.
    I choose to generate my own. Who does not trust my sites, their loss, who cares.
