Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores 100
Trailrunner7 writes When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple on Wednesday released major security upgrades for both of its operating systems, and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OS X. The company has not made any public statements on the incident or the continued inclusion of CNNIC's certificates in the trusted stores.
Apples? (Score:1)
Re:Apples? (Score:4, Funny)
It only takes one bad "Apples" to spoil the whole headline.
Re:Apples? (Score:5, Informative)
Well, there's Applejack, Apple Bloom, Big McIntosh, and Granny Smith.
There's a shock... (Score:5, Insightful)
Re: (Score:3)
It's probably a condition in apples contract with the CN govt that they have to ruin all Apple devices for security.
Re:There's a shock... (Score:5, Funny)
Re: (Score:1)
Re: (Score:1)
http://www.netresec.com/?page=Blog&month=2014-10&post=Chinese-MITM-Attack-on-iCloud
Re: (Score:2)
Also, have you seen how lucrative the Chinese market could be?
I hear it's almost as large as the manufacturing plants where they make all of Apple's devices and computers.
Re:There's a shock... (Score:4)
Chinese market (Score:2, Insightful)
Apple is worried that doing the right thing will make them loose market share in China.
Re: (Score:3, Insightful)
I doubt any Apple execs know what the phrase "doing the right thing" even means.
Re: (Score:1)
Re:Are non-China users safe? (Score:5, Informative)
CNNIC was found to have provided fake certs for popular sites, seemingly to aid with spying. So the answer is yes, this does affect people outside of China.
Re:Are non-China users safe? (Score:5, Informative)
No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.
That's right; the Belgian Government can sign for www.yoursite.com and the person who holds the key for that CSR can MITM anyone who visits www.yoursite.com with no certificate warnings raised.
Re:Are non-China users safe? (Score:4, Insightful)
This confirms the absolute uselessness of this whole 'certificate' thing, except for tracking purposes of course.
Re: Are non-China users safe? (Score:1)
Don't forget the profits!
Re: (Score:3)
This confirms the absolute uselessness of this whole 'certificate' thing, except for tracking purposes of course.
It's not useless, but it's only half of the equation.
The cert says, "we trust that this site belongs to this entity". That's one-way.
What needs to happen is that sites need to publish in their DNS(SEC) that they trust the same CA(s). That completes the mutual agreement on trust, which is currently missing. There are a few competing RFC's on the best way to lay this out, but what CNNIC shows is
Re: (Score:2)
Plain DNS is useless, a MITM could fake the results.
DNSSEC just replaces a competitive market of certificate authorities with a different, less competitive system of new CA's called registrars. It's hardly a positive.
A lot of people hear "some company I never heard of can sign for my site" and immediately conclude the whole system is broken. But that's ridiculous. Why should people be locked into one or two CAs based on where they are in the world? I live in Switzerland. There is a local CA called SwissSign
Re: (Score:2)
DNSSEC doesn't tie you to a registrar any more than registering a domain already did. DNSSEC also solves a good chunk of the MITM that can occur with the normal CA system. DNS is a vital part of the internet. The fact that it is so easily spoofed and altered is the root of many security problems.
The argument against DNSSEC is that there is still a root authority, at IANA, that can be corrupted. Which is solvable with DLV (DNSSEC Look-aside Validation) and alternative trust anchors. Even without that, statin
Re: (Score:3)
No. Any root CA (or anyone holding an intermediate CA cert with a trust chain back to a root) can sign a certificate for any domain at all.
Even worse, there is no way to know which certs you need and which you can get rid of. This question has remained open on Super User without a good answer for over half a year:
http://superuser.com/questions... [superuser.com]
Re: (Score:1)
Even worse, there is no way to know which certs you need and which you can get rid of. This question has remained open on Super User without a good answer for over half a year:
http://superuser.com/questions... [superuser.com]
There is a way: start disabling them until stuff starts breaking. Browsers make this maddeningly hard, by failing to load the page but not mentioning the specifics of what failed, but it can be done.
I've disabled all certificates and only enable certificates when sites break. This will be very region-specific, but after two years I'm up to ten root certs enabled. Of course, I don't trust those ten certificate authorities, but there are ten that I need to do my internet business. Reduced attack surface area
Re: (Score:2)
Re: (Score:2)
I don't know what certificates he settled on, but if you aren't doing a whole lot of international browsing, you can safely disable any foreign CAs (especially foreign government CAs or anything you can't read). In Firefox, you can get the country of origin by viewing the certificate and looking at Issuer, under the Details tab. "C = " will list the country code. Most of the big CAs are in the US, but there are a few big ones that aren't: Comodo, StartCom, Thawte, AddTrust.
In Firefox, you can disable without deleting, by clicking "Edit Trust...". Even if you delete a root CA, it will show back up on restart with all of its trust disabled. You can't delete them permanently from the UI.
Thanks. I did notice that a deleted CA returned on restart, but I didn't notice that it still had all of its trust disabled.
Fix the headline (Score:3)
For fuck's sake is it really that hard to at least proofread the headline? "Apples Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores"
Apple is exposed to China operations (Score:5, Insightful)
Remember that unlike Google, Apple has deep manufacturing and retail ties into the Chinese market, which is seen as a key strategic part of cost management and future market/revenue expansion.
Even though CNNIC is very cozy with the Chinese MSS and the variety of PLA workforces associated with externally focused compromise, it is an organ of the Chinese government, which works differently from many others. If you were to offend the quasi-governmental agencies that deal IPs and such things in the US, you might not get "favorable" treatment, but the US FTC and others aren't exactly likely to swoop in and close you down either.
China has shown with Google and Twitter and others that if you aren't willing to play ball with their government, they have enough control over everything that they can effectively disadvantage you in the market. They can arbitrarily sieze assets, justice is somewhat malleable, and the Great Firewall means no matter how big you are, entire segments of you traffic base can be reduced because the average person isn't going to work hard to get around the censors.
The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world. But its also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process, etc, etc.
Re: (Score:3, Insightful)
And we have a winner!
Sorry, I have no Mod points for you.
Re: (Score:3, Insightful)
The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world.
In other words, Apple has sold out its customers, but hey! They want to make money, so who can blame them for this betrayal.
But its also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process,
Re:Apple is exposed to China operations (Score:5, Insightful)
Clearly, then, the only choice is for all non-China users to consider Apple to be no longer trusted.
Re: (Score:2)
Or just use Chrome. It does its own revocation stuff on top of the OS root stores. This only really affects users of Safari and Mail.app.
Re: (Score:2)
Re: (Score:2)
I'm not talking about no longer being able to trust Apple for yourself, I'm talking about no longer being able to trust Apple on behalf of everyone else. For example, I used to insist that my mostly-computer-illiterate parents use a Mac, because that would keep them safe. Now it will not. (And no, they're not competent to disable the cert themselves.)
Similarly, it is now flat-out unethical to recommend using an Apple computer to anyone, because it is proven that Apple prioritizes the well-being of Chinese h
Re: (Score:2)
Follow the money (Score:5, Insightful)
Re: (Score:3, Informative)
And, it only takes 3 clicks in Keychain Access to revoke trust in the key. The cost for users is pretty low, if users knew enough to make a difference.
...and here I was, about to buy an Apple laptop... (Score:3, Insightful)
We are talking apple users here, not Linux users. All three Apple users who know these steps have probably already done so. The other several hundred million are fucked, and Apple has now publicly taken a stance that they plan to hang those millions out to dry.
Ironically, I was going to buy an apple laptop for sheer convenience (and to run more recent versions of scrivener), but now I most certainly won't. Time to research good Linux laptop alternatives instead (ideally with high-end graphics capabilities t
Re: (Score:2)
If Apple's recent stream of security failures has not convinced you to switch to Linux or BSD, you are basically hopeless.
Oh, I've been running Linux for years and years. I was going to dual-boot an apple laptop with osx+linux, but now I have no interest in having osx any more than I do windows. I'll take a look at the new dell.
Re: (Score:2)
When I was looking at trying to get back into creative writing, I looked at Scrivener. It's a nice app, but I already had online services I liked for notes and research, mainly Evernote and Trello, and it didn't seem to have good options for integrating with them.
Turns out, Emacs does all that stuff. All it costs is your sanity an assload of time to learn.
Also, Optimus is kinda-sorta okay. There's a utility called Bumblebee that handles turning the Nvidia chip on and off, and you basically end up running a
Re: (Score:2)
Nice, thanks for the info. Nvidia would be nice, as I want to run blender. Is there a good comparison site for various laptops with high-end graphics and CPUs you know of? I've been poking around online for a while, but determining what the best supported higher-end laptops are for Linux is far from easy.
Re: (Score:2)
Re: (Score:2)
Yeah. Because it's SOOO hard to use Firefox, or Chrome, instead of Safari.
That's really how you do it - if it means that much to you, then you can always use browsers that do not use the OS X security store.
Like Chrome and Firefox. They run great on OS X.
Of course, a big problem is that Apple sells
Re: (Score:1)
Google also, if they had more business in China, the CNNIC's root certificate authority would remain. Nobody gets that big on 'principle'.
Re: (Score:2)
Pretty much what I said a week ago and got modded into oblivion for it. Google already has/had an somewhat antagonistic relationship with parts of the Chinese government and they don't get the revenue from there they get elsewhere and are unlikely to do so in the near future.
Which is the problems with the CA system, To Big to Fail CAs now exist. What if this was Verisign/GeoTrust/Thawte etc caught doing something like this. Think any of the major browser or OS vendors would even consider revocation of th
Re: (Score:1)
The entire CA system is a fraud, snake oil, provides a false sense of security, etc, driven and manipulated by big money.
You are right. There is no remedy, aside from user awareness. In the meantime my 'remedy' is to image a clean system for restoration purposes. As far as the spying aspect is concerned, there's little that can be done while we are hooked up to the company wire. With the internet there can be no trust. It just can't happen
can I remove it myself? (Score:1)
Anyone know if I can remove the CA myself?
Re: (Score:2)
Yes, you should remove the CNNIC CA cert (and many others) if you have admin/root over the devices you control. If not, choose a browser that maintains it's own CAs.
"Unusually harsh" (Score:2, Interesting)
TFA calls it "an unusually severe punishment by both Google and Mozilla." Presumably there are many, many people relying on perfectly valid CNNIC certificates and typically the actions of one rogue intermediate CA doesn't require burning things to the ground (of course if it happens again, then you can no longer call it a mistake). TFA also notes in the very last line Microsoft didn't pull CNNIC either, but the headline and 99% of the article makes no mention of that.
Re: (Score:1)
The CA infrastructure is based on trust. This trust is broken for/by the particular CA. The currect CA implementations in browser is a an all or nothing implementation, keeping it makes all SSL connection suspected.
BTW All CAs should be removed and replaces with something else as soon as DNSSEC is going places (eg DANE: http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)
Re: (Score:2)
The fact that they use the word "punishment" shows lack of understanding about what happened and is happening.
If you lie to me and get caught, and then I punch you in the nose, that's a punishment. But if you lie to me and get caught, and then after that I don't believe you whenever you tell me things, that's not punishment.
If Google and Mozilla are being "harsh" then the only ways one can honestly describe it, is that they have a "harsh opinion" or a "harsh estimate" of CNNIC's trustworthiness.
It's amus
It's not too late! (Score:3)
My Grandmother (she is 85) has an Intel based Core Duo Macbook and Apple has stopped providing security updates [...] When we bought the machine (new) I thought the macbook would be more usable for her than a Linux laptop. While it has been a good machine, being orphaned on security updates is bad form by Apple.
It's not too late:
http://www.odi.ch/prog/macbook... [www.odi.ch]
http://www.codingepiphany.com/... [codingepiphany.com]
Re: (Score:2)
Meantime, I can run a supported version of Windows on PCs, even laptops, that are 10+ years old. (If I need to, I mean. Linux would be my first choice for performance reasons.)
But if you're rich enough to buy a Mac in the first place, you should be able to afford to replace it every few years, IMO.
Re: (Score:3)
Except, the way SSL works, you have to remove the CA until the CA revokes the Intermediate CA's authority, or people are open to MITM attacks. Google did absolutely the correct thing, and MS and Apple are failing at security. There is no other right thing here. Once the intermediate is blocked, then you can say Google is in the wrong if they don't reinstate the CA's cert.
Apple doesn't want to piss off the Chinese (Score:1)
So. (Score:2, Interesting)
How do I remove this CA from my macbook?
Removing the CNNIC ROOT on OSX (Score:1, Informative)
sudo security find-certificate -a -Z -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA-1 /System/Library/Keychains/SystemRootCertificates.keychain
sudo security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
Re: (Score:3)
They apparently *really* don't want me to get rid of it:
+ grep SHA-1 /System/Library/Keychains/SystemRootCertificates.keychain /System/Library/Keychains/SystemRootCertificates.keychain /System/Library/Key
+ security find-certificate -a -Z -c 'CNNIC ROOT'
SHA-1 hash: 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
+ security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
security: SecTrustSettingsRemoveTrustSettings (user): No Trust Settings were found.
+ security delete-certificate -t -c 'CNNIC ROOT'
Re: (Score:1)
sudo security find-certificate -a -Z -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA-1 /System/Library/Keychains/SystemRootCertificates.keychain
sudo security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
Until Apple work out a way of avoiding the command line like this, they won't be ready for the masses.
Re: (Score:2)
Or from Windows, for that matter.
(At least Firefox makes it easy to remove. Unfortunately, it comes right back with the next update)
Re: (Score:2)
How do I remove this CA from my macbook?
You can remove the Macbook from California, but you can never remove the California from the Macbook.
Removing this CA from your macbook (Score:5, Informative)
Open Keychain Access, find the System Roots keychain (left side), look for "China Internet Network Information Centre EV Certificates Root" on the right side, double-click on that. In the window this opens, expand the "Trust" arrow and change "When using this certificate" to "Never Trust".
Do the same for the "CNNIC Root" certificate.
Re: (Score:2)
Why does Apple get to decide what certs are trusted or untrusted? They should send out a security notice advising customers about the situation and then let individuals deal with it from there. Also, all certs should be shipped as "untrusted" so that the user can selectively enable what he wants to be trusted.
Have you looked at the root CA list in any of the major browsers/OSs? Why are we required to implicitly trust every [mozilla.org] single [chromium.org] one [microsoft.com] of these [apple.com] entities to sign anything they want? If those lists illustrate how broken the CA system is, I don't know what will.
Re: (Score:3)
Are you sure? Have you performed a double blind study to determine that is performs better than placebo, and how much better to determine that it is the best?
Not for long... new exploit is out (Score:3)
Apple will surely be updating shortly to close the loophole that has people installing PopcornTime on their iPhones...
Link [torrentfreak.com]
I'm surprised this isn't bigger news.
Contract details? (Score:2)
IIRC, when Google announced that they were removing the certificate, they referred to specific terms in CNNIC's contract with them that had been violated. Not sure about Mozilla.
Does CNNIC have similar contracts with Apple and Microsoft? Do they have similar terms? It occurs to me that they might not be as rigorous, because they might have been drafted several years earlier than Google's one - seeing as Chrome is a relative newcomer.
Forcing Apple users to distrust google (Score:1)
... evil as possible. There are fake certs for Google, and Apple refuses to protect their users against them. That's pretty much the internet company version of sending machetes to ISIS.
Microsoft kept the root, but blocked the known (Score:2)
fake certs from them. Did Apple do even that?
Can I remove them from Safari (Score:2)
Is there a way for individual users to remove certs from these browsers without waiting for vendors to do so?