Are Apple, Google, Microsoft And Mozilla Helping Governments Carry Out Man-In-The-Middle Attacks?

from the and-what-can-they-do-about-it? dept

Back in September, we reported on the Chinese authorities using man-in-the-middle attacks to spy on citizens who carry out Google searches over encrypted connections. That's done by using a fake security certificate to redirect traffic to a server where the traffic is decrypted, analyzed, and blocked if necessary. A new post on the Greatfire.org Web site points out that this approach can only work if the user's computer trusts the certificate's issuing authority, in this case the China Internet Network Information Center, and that it's curious that browsers from the West do so quite so readily:
Microsoft, Apple and Mozilla among others, trust CNNIC (China Internet Network Information Center) to protect your communications on their platforms by default, regardless of whether or not you are in China. CNNIC has implemented (and tried to mask) internet censorship, produced malware and has very bad security practices. Tech-savvy users in China have been protesting the inclusion of CNNIC as a trusted certificate authority for years. In January 2013, after Github was attacked in China, we publicly called for the the revocation of the trust certificate for CNNIC. In light of the recent spate of man-in-the-middle (MITM) attacks in China, and in an effort to protect user privacy not just in China but everywhere, we again call for revocation of CNNIC Certificate Authority.
Although the logic of revoking CNNIC as a trusted certificate authority might seem inarguable, the consequences of doing so are likely to be serious. For example, the Chinese government might decide to ban the use of any browser that did not include CNNIC. That's hard to police, but the threat alone would be enough to dissuade any software company from removing CNNIC's certificate from its browser.

Perhaps the best solution is simply making users aware of the issue, and explaining how they can remove any certificate authority they have doubts about. And not just for China: these problems can arise in any country where a local trusted certificate authority is under the direct -- or indirect -- control of the government.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: certificate authorities, china, man in the middle attacks, security, trust
Companies: apple, cnnic, google, microsoft, mozilla


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    wereisjessicahyde (profile), 7 Nov 2014 @ 12:58pm

    "Are Apple, Google, Microsoft And Mozilla Helping Governments Carry Out Man-In-The-Middle Attacks?"

    Dunno, is Techdirt turning into The Daily Mail? Is asking questions in a big headline more important than providing the answers?

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 7 Nov 2014 @ 1:01pm

    Firefox:

    Preferences... > Advanced > Certificates > View Certificates

    Authorities > CNNIC Root > Delete or Distrust...

    link to this | view in thread ]

  3. icon
    Inwoods (profile), 7 Nov 2014 @ 1:06pm

    Re:

    This should have been in the article. Would be nice to see it posted for other major browsers.

    link to this | view in thread ]

  4. icon
    orbitalinsertion (profile), 7 Nov 2014 @ 1:14pm

    Perhaps the best solution is simply making users aware of the issue, and explaining how they can remove any certificate authority they have doubts about.


    No CA is trustworthy anyway. Trust (or simply use) at your own risk, regardless of the known particular history of any CA. They may be generally OK, but all have problems.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 7 Nov 2014 @ 1:16pm

    Arab spring

    Those 2 words should inspire Americans to do something similar to their out of control governments instead of just rolling over and accepting it.

    The Arabs were inspired by the American concept of rights and freedoms that the current generations no longer seem to care about. Maybe you guys could get inspired about the rights and freedoms your ancestors fought died over as well

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 7 Nov 2014 @ 1:16pm

    Re: delete certificate

    but doesn't the OS just re-load the deleted certificate shortly after you've deleted it

    link to this | view in thread ]

  7. identicon
    Brig C. McCoy, 7 Nov 2014 @ 1:17pm

    Google Chrome Certificate location...

    Hi...

    Google Chrome:

    Settings > Advanced > HTTPS/SSL > Manage certificates...

    But I don't see CNNIC listed anywhere.

    Windows 7/Chrome Version 38.0.2125.111 m

    ...brig

    link to this | view in thread ]

  8. icon
    Mason Wheeler (profile), 7 Nov 2014 @ 1:22pm

    Re:

    Umm... this article isn't even about Americans. It's about the Chinese.

    link to this | view in thread ]

  9. icon
    blaktron (profile), 7 Nov 2014 @ 1:24pm

    I'm pretty sure that a) Chrome and IE both use the Windows cert store, and b) if CNNIC was included as a trusted root, it would only be trusted for .cn path, because its not in the trust chain for .com or .ca or .gov or whatever.

    Oh, and c) in Windows 8.1 at least there is no sign of CNNIC

    Just sayin'

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 7 Nov 2014 @ 1:28pm

    Deleted the certificate in my browser as I was not aware of this problem. Last time I removed a cert was over the hacked cert from a Dutch issuer that is no longer in the biz.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 7 Nov 2014 @ 1:30pm

    Re:

    I found this in both IE and Firefox. Would this be part of a package? Because I've never surfed to a .cn address, even on a redirect.

    link to this | view in thread ]

  12. This comment has been flagged by the community. Click here to show it
    identicon
    Dudak Dolgusu, 7 Nov 2014 @ 1:31pm

    çin

    Thanks

    link to this | view in thread ]

  13. identicon
    Adam, 7 Nov 2014 @ 1:49pm

    ok...

    "Perhaps the best solution is simply making users aware of the issue, and explaining how they can remove any certificate authority they have doubts about"

    Then why don't you do that!

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 7 Nov 2014 @ 1:55pm

    Was there any MITM attempt using CNNIC?

    As far as I know, the answer is "no". The MITM certificate in question was self-signed.

    The reason it was never used for MITM is that, as soon as it's used for MITM, it will lose its trusted CA status. CNNIC is not one of the "too big to fail" CAs.

    As to the discussion leading to its inclusion by Mozilla, https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/ has links to the discussion for all trusted CAs. For CNNIC, the discussion was at https://bugzilla.mozilla.org/show_bug.cgi?id=476766 and https://bugzilla.mozilla.org/show_bug.cgi?id=607208.

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 7 Nov 2014 @ 1:56pm

    Re: Re: delete certificate

    If that happens, you can try to disable its "trust bits" instead. For each root CA certificate, there are three checkboxes which determine for what it's trusted. Uncheck all three and it's done.

    link to this | view in thread ]

  16. identicon
    PRMan, 7 Nov 2014 @ 1:56pm

    Re:

    Chrome & IE:

    Start > Run certmgr.msc

    Go to Trusted Certificates and find CNNIC Root. Drag it to Untrusted Certificates.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 7 Nov 2014 @ 2:00pm

    You're naive if you don't believe the US government has the keys to every CA on American soil and then some. All CAs at this point are untrustable.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 7 Nov 2014 @ 2:11pm

    Re: Re: Re: delete certificate

    Detailed procedure, as it was on 2010: https://bugzilla.mozilla.org/show_bug.cgi?id=542689#c118

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 7 Nov 2014 @ 3:07pm

    If the NSA doesn't cut their crap soon they are going to bring down our electronic infrastructure and cause the collapse of our economy.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 7 Nov 2014 @ 3:32pm

    Re:

    I think a more general concern maybe that a website may have their certificate forged by a certificate authority the browser trusts despite the fact that this certificate authority is not the correct one that should be authenticating the content on the website being visited.

    I'm not exactly sure how the browser verifies certificates but, presumably (if it were smart) it should give priority to certain (more trusted) authorities before giving priority to less trusted ones and it should check the credentials of a website with the 'more trustworthy' authorities first to see if those authorities have any records of the website. If the more trustworthy authorities have records of the website then the certificates on those websites should be verified with the more trusted CA's without the need to verify them with the less trustworthy ones. Or, alternatively, the browser can check with multiple different CA's and report any CA conflicts. This would ensure that whoever is playing man in the middle would need to work with multiple CA's if the website is to be verified by multiple ones. Hopefully banks have the sense to use more than one CA so that browsers can do this.

    "That's done by using a fake security certificate to redirect traffic to a server where the traffic is decrypted, analyzed, and blocked if necessary."

    So if a trusted certificate authority presents a fake certificate it can then instruct the browser to redirect its inquiry to another site? Doesn't make much sense (at least not if you have a properly functioning browser). This type of attack seems somewhat difficult because it would require both a MITM attack (the ability for someone to get in between the user and the desired website to trick the browser into thinking it's receiving information from a site it's not) and it would require that someone to be working with the certificate authority. I suppose it's possible (and the OP is talking about a potential MITM attack) but it's important to be aware of what would be required and the difficulty.

    Another potential general solution to the general problem above, at least in firefox, is to click on the little lock next to the URL, click more information, and see who the certificate is being verified by and whether or not it makes sense that this authority is the correct authority for the website being visited.

    Another potential problem could be when downloading files. When running them as admin usually you'll get a yes or no popup asking you if you want to continue and there maybe a line on the popup saying 'verified publisher' and who the verified publisher is. If there is a 'verified publisher' it would be nice if the operating system also told the user who's the CA that verified the publisher (though you can usually right click on the program, click properties, and view that info from there).

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 7 Nov 2014 @ 3:38pm

    Re: Re:

    (well, after thinking about it, it's more complicated than that. If someone is in the middle they can strip the website of any references to other certificate authorities and include signatures from certificate authorities of their choice. Perhaps a solution is for the browser to be able to directly ask popular/trustworthy certificate authorities, through encrypted connections of course, whether or not it certifies a specific website and notify the user if the answer is yes and the site doesn't have reference to that authority. Another possible solution, as stated above, is to click on the little lock button and see that the certificate authority is the correct one and not some Chinese certificate authority when visiting an American Bank of America website).

    link to this | view in thread ]

  22. icon
    That One Guy (profile), 7 Nov 2014 @ 3:58pm

    Re:

    And they would care why again?

    Government agencies, especially spy agencies, would not be on the budget cutting block until things got really bad, if ever, as no politician has the guts to defund the spy agencies in case something goes wrong and they get blamed for it.

    link to this | view in thread ]

  23. identicon
    Any one ominous, 7 Nov 2014 @ 5:22pm

    Re: Google Chrome Certificate location...

    I can find it, but Chrome won't let me delete it.

    link to this | view in thread ]

  24. identicon
    Anonymous Coward, 7 Nov 2014 @ 5:51pm

    Re:

    I tend to read questions like this in the headline as clickbait, mostly because they're asking a question, not stating facts.

    That, and I'm reminded of Betteridges Law of Headlines: "Any headline which ends in a question mark can be answered by the word no."

    link to this | view in thread ]

  25. icon
    McCrea (profile), 7 Nov 2014 @ 6:00pm

    Re: ok...

    Exact.

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 7 Nov 2014 @ 6:26pm

    Re:

    "Oh, and c) in Windows 8.1 at least there is no sign of CNNIC"

    Then what did I just delete from firefox on 8.1? Tools > Options > Advanced > Certificates > View Certificates
    Authorities > CNNIC Root > Delete or Distrust

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 7 Nov 2014 @ 6:30pm

    Re: Re:

    FF 33.0.2

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 7 Nov 2014 @ 6:35pm

    Re: Re: Re:

    Updated to 33.0.3 and needed to delete again as it was back.

    link to this | view in thread ]

  29. identicon
    Anonymous Coward, 7 Nov 2014 @ 6:36pm

    Re: Re: Re: Re:

    Maybe someone else can verify this as I didn't verify it was gone before updating.

    link to this | view in thread ]

  30. identicon
    555-1212, 7 Nov 2014 @ 7:18pm

    Re: Re: Re: Re:

    Bookmarked this page and made a note to keep deleting.

    link to this | view in thread ]

  31. icon
    tqk (profile), 7 Nov 2014 @ 7:27pm

    Re: Re:

    If the NSA doesn't cut their crap soon they are going to bring down our electronic infrastructure and cause the collapse of our economy.
    And they would care why again?

    Who said anything about caring? Never ascribe to malice what can be explained by incompetence or stupidity.

    They're well on the way (if they haven't already) to destroying any confidence foreigners had in US based "cloud" infrastructure. They backdoored RSA. They tee'd ISPs, then Congress pardoned the latter retroactively. DHS/ICE hijacks domains without even bothering to verify that they should.

    What else can't we trust about USA based infrastructure?

    link to this | view in thread ]

  32. icon
    leichter (profile), 7 Nov 2014 @ 7:56pm

    Safari

    On MacOS, certificates are managed through the Keychain Access application, rather than in the browser itself. Open Keychain - it's in Applications > Utilities. On the left of the window, you'll see either one pane labeled "Category", or two panes, "Keychains" and "Category". If you only see one pane, select View > Show Keychains. Then in the "Keychains" pane select "System Roots". A list of all root certificates will appear on the right. You can click on a column header like "Name" to sort on that column.

    Find the certificate you want to remove - CNNIC ROOT is right there - and double-click on it. Details about the certificate will appear. Click the arrow next to "Trust" to open the trust details. Change "When using this certificate" from "Use System Defaults" to "Never Trust".

    It's not possible to delete one of the built-in certificates, at least not using the Keychain Access application. (There is a command line utility that can do it, but even then the removal isn't permanent, and the cert may reappear - though it will be marked "Never Trust".)

    -- Jerry

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 8 Nov 2014 @ 2:12am

    Re: Re:

    Doesn't help Mac users.

    link to this | view in thread ]

  34. identicon
    Anonymous Coward, 8 Nov 2014 @ 2:21am

    Re: Safari

    Thanks. I also marked China Internet Network Information Center as untrusted too.

    link to this | view in thread ]

  35. identicon
    Anonymous Coward, 8 Nov 2014 @ 3:45am

    Re: Re: Re: Re:

    Verified.
    Windows 8.1, 7 and my Linux box all had it on FF. Updated and they had it again. Win7 was still at version 24 and had it as well.

    Fanbois make people less secure.
    Just sayin'

    link to this | view in thread ]

  36. icon
    Cerberus (profile), 8 Nov 2014 @ 5:17am

    Re: Re: Re:

    Yes, but it would make the most sense if all certificate authorities published lists of which domains were allowed to use which certificates. (Presumably, few domains would need to use more than one certificate.) So, if the domain Bank.com suddenly required not its usual certificate from Verisign, but a certificate from Chinesegovernment, the browser should say, nah-uh, that authority is not in my list for this domain. Similarly, the browser would not accept a certificate normally used for a website of the American government to authenticate a website of the Chinese government.

    link to this | view in thread ]

  37. identicon
    David, 8 Nov 2014 @ 7:36am

    Re:

    No, this is a real problem. The whole point of SSL is the idea of Trust. Without that, you might as well just use self-signed certificates. I've always wondered if the government is doing MiTM attacks by leveraging fake certificates provided by some friendly CA. Well, looks like China got caught with it first.

    Since "Trust" isn't absolute, all browsers now need to check the certificate against the last known certificate they used. If the certificate changes unexpectedly, alert the user, and we can spread the word.

    Worst case, is the CA authorities need to be 'opt in', meaning when you are presented with a certificate signed by "Big Name CA", you have to acknowledge you trust that CA now before accepting certs by them as "trusted".

    link to this | view in thread ]

  38. identicon
    David, 8 Nov 2014 @ 7:42am

    Re:

    Google Chrome:

    Settings - scroll down to "Show Advanced Settings"
    Click on "Manage Certificates" in HTTP/SSL section
    Click on "Authorities" tab
    Scroll down to CNNIC, click on "CNNIC Root", then click on "Edit"
    Uncheck the "Trust this certificate for identifying websites." box
    Click on "Ok"
    Restart Chrome

    link to this | view in thread ]

  39. icon
    John Fenderson (profile), 8 Nov 2014 @ 8:25am

    Re: Re:

    That's Firefox. Windows has its own collection of certs that are used when applications use the Windows API for these sorts of things. But applications don't have to use the Windows API. Applications that don't (and it sounds like Firefox is one of these) maintain their own separate collection of root certs.

    link to this | view in thread ]

  40. identicon
    Anonymous Coward, 8 Nov 2014 @ 12:05pm

    Re: Re: Re: Re:

    "it would make the most sense if all certificate authorities published lists of which domains were allowed to use which certificates."

    This is exactly what I was trying to explain but you explained it better.

    But here is the thing. Even if all certificate authorities published a list of which domains were covered if Chinesegovernment is in your browser all the Chinesegovernment CA has to do is lie and tell your browser that this domain is covered by it. This is why cross referencing across different CA's is needed as a somewhat better, though still not perfect (at least not for all situations), solution. That way the browser can check with another CA if that website is (also) covered by that CA and, if it is, the browser can then ensure the website includes the certificate from that other authority as well (or else alert the user).

    link to this | view in thread ]

  41. identicon
    Anonymous Coward, 8 Nov 2014 @ 12:56pm

    Re: Re: Re: Re: Re:

    So long as you have the public key of the intended recipient and you acquired that key from a secure channel (that's the hard part), from that point on MITM attacks are easy to thwart.

    The browser has its own (perhaps temporary) public key. The browser makes a request to an alternative CA asking it if it also covers the given website. The request is signed by the browser. The browser already knows, ahead of time, the public key of the CA.

    Now the CA responds with

    A: the request being made (is www. ... .com included in your list).

    B: the date and time of the request
    C: The response to the request (yes or no)
    D: The public key of the requester (this is key to prevent a man in the middle attack)
    E: A signature of all of the above information (that is a signed hashsum including all the above information).

    When the browser receives its response it knows

    A: The sender is the requested CA
    B: The public key being responded to is the public key the browser used (and not some spoofed public key of someone in the middle) because the response itself includes the public key making the request (and the response is signed).

    link to this | view in thread ]

  42. icon
    tqk (profile), 8 Nov 2014 @ 1:18pm

    Re: Re:

    No, this is a real problem.

    Yes it is, and CAs backing the security of SSL is and always was simply a scam. Something like SSL ought to be backed up by something like DNSSEC, not some obscure "thanks for the cash, you get the job" arrangement.

    Diginotar wasn't an exception. They just failed far more visibly.

    link to this | view in thread ]

  43. identicon
    Anonymous Coward, 8 Nov 2014 @ 1:32pm

    Surprised this works in chrome

    After all, google have found several fake certificates for google properties due to the fact that Chrome has cert pinning for google certs baked in....

    link to this | view in thread ]

  44. identicon
    chillinfart, 8 Nov 2014 @ 11:00pm

    O RLY?

    Inside peru, or local ISP are even more curious than chineses.

    However, they are not the government and here the "private investment" is "sacred", so no one is facing them.

    link to this | view in thread ]

  45. identicon
    Anonymous Coward, 9 Nov 2014 @ 1:51am

    Re: Re: Re: Re:

    It is worse than that. Every time Firefox is opened, certificate needs to be deleted.

    link to this | view in thread ]

  46. identicon
    Anonymous Coward, 9 Nov 2014 @ 1:54am

    Re: Re:

    Were all part of the same planet

    link to this | view in thread ]

  47. identicon
    Anonymous Coward, 9 Nov 2014 @ 2:04am

    This seems like a major internet security hole. And no real discussions on it, in the techworld, i mean enough discussion so that MOST people are aware of this possible, vulnrability

    Seems to me its in a desperate need of an overhaul, or enough discussions, for now, on which ones can be relatively trusted......i.e. a handfull, instead of ALL that come preinstalled

    By the way, for android
    Settings
    Security
    Trusted credentials
    Its there!
    Disable

    link to this | view in thread ]

  48. identicon
    Hediyelik Kolonya, 25 Feb 2015 @ 2:01am

    thanks you admin nice post

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.