Unauthorized Google TLS Certificates and the Aftermath - MCS / CNNIC
MCS Holdings, an Egypt-based intermediate certificate authority operating under China Internet Network Information Center (root CA), issued certificates for various Google domains such as *.google.com, www.gmail.com, and others:
As soon as I saw that report a week ago, I disabled the two root CA certificates for CNNIC on my personal computers. I figured that I have no dealings with anyone whose certificates chain back to those Chinese roots. At the very least, I want to see pop-up warnings in my browser so I can review the certificates first. (Disabling the CNNIC root certificates may not be a viable solution for people who live in China and connect to many websites that chain back to CNNIC, for example.)
Today there is a new report that Chrome (and probably others) will soon remove CNNIC as an authorized root CA:
I have often been tempted to disable root certificates on my personal computers for root CAs that come from "hostile" countries (whatever that means) or where the chances are very low that I might visit a website that authenticates back to them. There are a few problems with this solution:
- I suspect that OS updates would reenable the root CA certificates that I disabled.
- OS updates add root CA authorities that I might not want, and periodic reviews would be necessary.
- I have a lot of computers running many different OSs. It would be a pain to do them all. The truth is that I rely on only two computers for truly secure HTTPS connections - my desktop and my laptop.
This isn't a perfect solution. Some root CAs must be retained, but they can still be a problem. Comodo comes to mind. I connect to real websites that chain back to Comodo, but bogus certificates have been issued in the past from hacked intermediate CAs that chain back to Comodo, too.
I am opening this discussion as food for thought. Does anyone have a script that disables "hostile" root CAs after an OS update? What do you do?
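One way to catch the two problems listed above on a Debian-style system, as an added example that is not part of the original post or of any project mentioned in the thread. It assumes the `/etc/ca-certificates.conf` format that `dpkg-reconfigure ca-certificates` maintains (`!` marks a deselected certificate, `#` a comment); the sample file contents, certificate file names, baseline and pattern list are constructed for illustration.

```python
from fnmatch import fnmatch

# Constructed sample of /etc/ca-certificates.conf after a package update.
# "!" marks a deselected certificate, "#" a comment; file names are illustrative.
AFTER_UPDATE = """\
# constructed sample
mozilla/Example_Root_A.crt
mozilla/CNNIC_ROOT.crt
!mozilla/Example_Root_B.crt
mozilla/Example_New_Root.crt
"""
# Entries seen at the last manual review (assumption: saved by the user).
BASELINE = {"mozilla/Example_Root_A.crt", "mozilla/CNNIC_ROOT.crt",
            "mozilla/Example_Root_B.crt"}
# Personal list of roots that must stay deselected; edit to your own needs.
UNTRUSTED = ["mozilla/CNNIC_*", "mozilla/Example_Root_B.crt"]

def parse_conf(text):
    """Return (enabled, disabled) sets of certificate paths."""
    enabled, disabled = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            disabled.add(line[1:].strip())
        else:
            enabled.add(line)
    return enabled, disabled

def is_untrusted(path, patterns):
    """True if the path matches any glob pattern on the personal list."""
    return any(fnmatch(path, p) for p in patterns)

def audit(text, patterns, baseline):
    """Report untrusted roots that are enabled and entries not yet reviewed."""
    enabled, disabled = parse_conf(text)
    return {
        "reenabled": sorted(c for c in enabled if is_untrusted(c, patterns)),
        "unreviewed": sorted((enabled | disabled) - set(baseline)),
    }

def enforce(text, patterns):
    """Return conf text with every untrusted, enabled entry prefixed by '!'."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        active = line and not line.startswith(("#", "!"))
        out.append("!" + line if active and is_untrusted(line, patterns) else raw)
    return "\n".join(out) + "\n"
```

After writing the `enforce` output back to the configuration file, `update-ca-certificates` rebuilds `/etc/ssl/certs` from it. Applications that ship their own trust store are not covered by this file.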
Comments
Thanks for the heads up!
I've used: https://github.com/chengr28/RevokeChinaCerts
Edit: It has scripts for Android, Linux, Mac, and Windows.
This also revokes our darling WoSign, an absolutely unjustified move that may also lead to more noticeable issues, as free WoSign certs will now be increasingly popular.
No need for SSL racism, WoSign (and other CN CAs) haven't done anything bad, no need to make them suffer from CNNIC's incompetence or negligence.
P.S. In fact I am switching all my websites to WoSign right now, to make the issues you will face a little bit more evident, and to support them, and the notion that what you're doing is not the right approach.
I agree that the certificates in the list need to be edited by individual users as appropriate. The scripts may be useful, however. The name "RevokeChinaCerts" is unfortunate, because the scripts have general applicability.
No "SSL racism" should be construed from any of my posts. I simply want to disable root CAs that I do not need or use. For me, I do no business with China (or Kazakhstan or Paraguay, for example). Obviously, people in China may not be able to revoke (or untrust, in my case) the CNNIC root CA certificates without incurring problems.
These https://www.ohling.org/blog/2015/02/wosign-free-2y-ssl-certificate.html will be used by people from all over the world, and not just from China.
Simple - consider all SSL traffic as probably sniff-able. Obviously, not insecure in the sense that some kid will MitM you, but in the sense that someone a tad more resourceful can do it on a larger scale. Then ask yourself the question - how much do you care if agent X can see your traffic to Google?
I hope I made it clear that I might use the scripts, but if I do use them, I would edit the certificate lists according to my specific needs. In my opinion everyone else would be better served by doing the same thing.
You have made it abundantly clear that you want to enable the WoSign root CA. Great! Delete it from the list before you run the script.
If you continue to find fault with RevokeChinaCerts code, take it up with them or submit your own changes - I have nothing to do with them.
Somewhat off topic:
I am not sure how I feel about "free" certificates - that seems like an avenue for potential attackers. Some people (not you!) might be happier if they left WoSign "untrusted" and add/trust individual website certificates one-by-one as needed. It depends on the individual, of course.
I don't really care about you personally, I care about people en masse who will use this project.
Nobody else will bother. E.g. I wonder if @telephone used the script as offered, or only banned CNNIC through it. In any case, "China bad, ban all China" and "oh how convenient there's even now a project on GitHub to ban all China". It's a mindset seen way too often; many often ask here how to block all Chinese networks in iptables, in mail servers, etc.
They could already do so via the likes of "dpkg-reconfigure ca-certificates". But you really need to have nothing better to do than to cater to your paranoia, if you personally review hundreds of OS-shipped CA certs to decide if you trust each of those. With the system where any CA can certify any domain (and any domain owner may choose to buy certs from arbitrary CAs, even from those you wouldn't expect them to) this is pretty much pointless and prone to issues anyway.
They have robust domain ownership verification in place. No worse than if you'd pay for a lowest tier domain-validation certificate from them or from any other CA. Same as StartSSL who have been providing free certificates for a long long time. Not to mention the free certs that Cloudflare now automatically offers.
You are correct. Using the "extended" option, which is suggested in all the readmes, only blocks a certain set and leaves WoSign alone.
^ Don't jump to conclusions, just because OSS people suck at naming their projects
Feel free to change all your sites to WoSign, as it won't affect me :P
I will from now on proceed to make more interesting and useful websites with the widest possible public appeal, to make sure next time it does affect you. Mwahahaha.
Oh wait so you didn't ban WoSign, I guess no need for that then.
Why are you so defensive of WoSign?
They provide a unique and very nice service to the community -- free 100-domain certs for 3 years -- and even put in effort to make it quick and easy to use, added that single-page English ordering form, added SHA2 intermediate certs, replying to support requests helping install the cert, even to someone who is not a paying customer.
Whereas other CAs only conspire on how to milk you for as much money as possible. Want multi-domain, that'll be double the price per each additional domain, want wildcard, that'll be 10x the price outright, oh and forget 3 year validity it's 1 year only... etc etc.
Much better, untrust everything and enable on a case-by-case basis. You will be able to make interesting reading about what your bank uses, for example.
I choose to generate my own. Who does not trust my sites, their loss, who cares.