Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security China IOS OS X Apple IT

Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores 100

Trailrunner7 writes When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple on Wednesday released major security upgrades for both of its operating systems, and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OS X. The company has not made any public statements on the incident or the continued inclusion of CNNIC's certificates in the trusted stores.
This discussion has been archived. No new comments can be posted.

Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores

Comments Filter:
  • How many Apples are there?
  • There's a shock... (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Thursday April 09, 2015 @10:36AM (#49438877) Journal
    Hey, they weren't spying on our SSLed services today, so we still totally trust them! Also, have you seen how lucrative the Chinese market could be?
    • It's probably a condition in apples contract with the CN govt that they have to ruin all Apple devices for security.

    • the chinese market is very lucrative. i steal lots of their data and sell it on the black market. i guess i'm evil, but i don't care.
    • by Anonymous Coward

      http://www.netresec.com/?page=Blog&month=2014-10&post=Chinese-MITM-Attack-on-iCloud

    • Also, have you seen how lucrative the Chinese market could be?

      I hear it's almost as large as the manufacturing plants where they make all of Apple's devices and computers.

    • by mitcheli ( 894743 ) on Thursday April 09, 2015 @02:10PM (#49441189)
      It somehow doesn't surprise me that Apple is still hosting the exploited CA cert. They released patches to a number of openssl (which OSX does use) that supposedly fix the high level vulnerabilities of late (Security Update 2015-3?) But at the same time, the version that's running is 1.0.1g ... and there have been several high level vulnerabilities such as the down channel exportable encryption bug that still haven't been addressed. Thinking Apple needs to step up their game!
  • Chinese market (Score:2, Insightful)

    by Anonymous Coward

    Apple is worried that doing the right thing will make them loose market share in China.

  • by rbanzai ( 596355 ) on Thursday April 09, 2015 @10:42AM (#49438949)

    For fuck's sake is it really that hard to at least proofread the headline? "Apples Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores"

  • by Sandbox-Six-Actual ( 1028450 ) on Thursday April 09, 2015 @10:47AM (#49439001)

    Remember that unlike Google, Apple has deep manufacturing and retail ties into the Chinese market, which is seen as a key strategic part of cost management and future market/revenue expansion.

    Even though CNNIC is very cozy with the Chinese MSS and the variety of PLA workforces associated with externally focused compromise, it is an organ of the Chinese government, which works differently from many others. If you were to offend the quasi-governmental agencies that deal IPs and such things in the US, you might not get "favorable" treatment, but the US FTC and others aren't exactly likely to swoop in and close you down either.

    China has shown with Google and Twitter and others that if you aren't willing to play ball with their government, they have enough control over everything that they can effectively disadvantage you in the market. They can arbitrarily sieze assets, justice is somewhat malleable, and the Great Firewall means no matter how big you are, entire segments of you traffic base can be reduced because the average person isn't going to work hard to get around the censors.

    The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world. But its also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process, etc, etc.

    • Re: (Score:3, Insightful)

      And we have a winner!

      Sorry, I have no Mod points for you.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The last thing Apple needs right now is to create another "front" to wrestle with a government on in such a strategic market. Even if the truth is that CNNIC probably isn't really the most trustworthy "root" in the world.

      In other words, Apple has sold out its customers, but hey! They want to make money, so who can blame them for this betrayal.

      But its also hard to blame them when the Snowden revelations have revealed that certain types of exported hardware devices could be diverted in the shipping process,

    • by mrchaotica ( 681592 ) * on Thursday April 09, 2015 @10:59AM (#49439137)

      Clearly, then, the only choice is for all non-China users to consider Apple to be no longer trusted.

      • Or just use Chrome. It does its own revocation stuff on top of the OS root stores. This only really affects users of Safari and Mail.app.

      • Or you could just stop trusting that cert. It's pretty easy, there's even a GUI.
        • I'm not talking about no longer being able to trust Apple for yourself, I'm talking about no longer being able to trust Apple on behalf of everyone else. For example, I used to insist that my mostly-computer-illiterate parents use a Mac, because that would keep them safe. Now it will not. (And no, they're not competent to disable the cert themselves.)

          Similarly, it is now flat-out unethical to recommend using an Apple computer to anyone, because it is proven that Apple prioritizes the well-being of Chinese h

    • Comment removed based on user account deletion
  • Follow the money (Score:5, Insightful)

    by JoeyRox ( 2711699 ) on Thursday April 09, 2015 @10:53AM (#49439059)
    China's vociferous response to Google removing CNNIC's root certificate authority is the reason Apple is not taking action. Apple is a very principled company until those principles start costing them money.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      And, it only takes 3 clicks in Keychain Access to revoke trust in the key. The cost for users is pretty low, if users knew enough to make a difference.

      • We are talking apple users here, not Linux users. All three Apple users who know these steps have probably already done so. The other several hundred million are fucked, and Apple has now publicly taken a stance that they plan to hang those millions out to dry.

        Ironically, I was going to buy an apple laptop for sheer convenience (and to run more recent versions of scrivener), but now I most certainly won't. Time to research good Linux laptop alternatives instead (ideally with high-end graphics capabilities t

        • by Pliny ( 12671 )

          When I was looking at trying to get back into creative writing, I looked at Scrivener. It's a nice app, but I already had online services I liked for notes and research, mainly Evernote and Trello, and it didn't seem to have good options for integrating with them.

          Turns out, Emacs does all that stuff. All it costs is your sanity an assload of time to learn.

          Also, Optimus is kinda-sorta okay. There's a utility called Bumblebee that handles turning the Nvidia chip on and off, and you basically end up running a

          • by FreeUser ( 11483 )

            Nice, thanks for the info. Nvidia would be nice, as I want to run blender. Is there a good comparison site for various laptops with high-end graphics and CPUs you know of? I've been poking around online for a while, but determining what the best supported higher-end laptops are for Linux is far from easy.

        • I'm on the fence as to whether my next laptop will be a Macbook. I'm not up on messing with security certificates. It took me about 10 seconds to get from Anonymous Coward's tip to a blocked CNNIC certificate. I think that it's within the scope of regular users. My cousin just did it, and she runs a modeling agency and was trained in, well, modeling. Macs do have a pretty easy interface. Say what you will, but that allowed me to do my little thing and get back to wasting time on the internet instead of grad
        • by tlhIngan ( 30335 )

          All three Apple users who know these steps have probably already done so. The other several hundred million are fucked, and Apple has now publicly taken a stance that they plan to hang those millions out to dry.

          Yeah. Because it's SOOO hard to use Firefox, or Chrome, instead of Safari.

          That's really how you do it - if it means that much to you, then you can always use browsers that do not use the OS X security store.

          Like Chrome and Firefox. They run great on OS X.

          Of course, a big problem is that Apple sells

    • Google also, if they had more business in China, the CNNIC's root certificate authority would remain. Nobody gets that big on 'principle'.

      • by DarkOx ( 621550 )

        Pretty much what I said a week ago and got modded into oblivion for it. Google already has/had an somewhat antagonistic relationship with parts of the Chinese government and they don't get the revenue from there they get elsewhere and are unlikely to do so in the near future.

        Which is the problems with the CA system, To Big to Fail CAs now exist. What if this was Verisign/GeoTrust/Thawte etc caught doing something like this. Think any of the major browser or OS vendors would even consider revocation of th

        • The entire CA system is a fraud, snake oil, provides a false sense of security, etc, driven and manipulated by big money.

          You are right. There is no remedy, aside from user awareness. In the meantime my 'remedy' is to image a clean system for restoration purposes. As far as the spying aspect is concerned, there's little that can be done while we are hooked up to the company wire. With the internet there can be no trust. It just can't happen

  • by Anonymous Coward

    Anyone know if I can remove the CA myself?

    • Yes, you should remove the CNNIC CA cert (and many others) if you have admin/root over the devices you control. If not, choose a browser that maintains it's own CAs.

  • "Unusually harsh" (Score:2, Interesting)

    by Anonymous Coward

    TFA calls it "an unusually severe punishment by both Google and Mozilla." Presumably there are many, many people relying on perfectly valid CNNIC certificates and typically the actions of one rogue intermediate CA doesn't require burning things to the ground (of course if it happens again, then you can no longer call it a mistake). TFA also notes in the very last line Microsoft didn't pull CNNIC either, but the headline and 99% of the article makes no mention of that.

    • by Anonymous Coward

      The CA infrastructure is based on trust. This trust is broken for/by the particular CA. The currect CA implementations in browser is a an all or nothing implementation, keeping it makes all SSL connection suspected.

      BTW All CAs should be removed and replaces with something else as soon as DNSSEC is going places (eg DANE: http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)

    • The fact that they use the word "punishment" shows lack of understanding about what happened and is happening.

      If you lie to me and get caught, and then I punch you in the nose, that's a punishment. But if you lie to me and get caught, and then after that I don't believe you whenever you tell me things, that's not punishment.

      If Google and Mozilla are being "harsh" then the only ways one can honestly describe it, is that they have a "harsh opinion" or a "harsh estimate" of CNNIC's trustworthiness.

      It's amus

  • They could have done the right thing here. Our entire vapourous internet security depends upon the root CA system. I'm glad Google and Mozilla have taken a hard stand.
  • So. (Score:2, Interesting)

    by Sir_Real ( 179104 )

    How do I remove this CA from my macbook?

    • by Anonymous Coward

      sudo security find-certificate -a -Z -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA-1
      sudo security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain

      • by vanyel ( 28049 )

        They apparently *really* don't want me to get rid of it:

        + grep SHA-1
        + security find-certificate -a -Z -c 'CNNIC ROOT' /System/Library/Keychains/SystemRootCertificates.keychain
        SHA-1 hash: 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
        + security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain
        security: SecTrustSettingsRemoveTrustSettings (user): No Trust Settings were found.
        + security delete-certificate -t -c 'CNNIC ROOT' /System/Library/Key

      • sudo security find-certificate -a -Z -c "CNNIC ROOT" /System/Library/Keychains/SystemRootCertificates.keychain | grep SHA-1
        sudo security delete-certificate -t -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain

        Until Apple work out a way of avoiding the command line like this, they won't be ready for the masses.

    • Or from Windows, for that matter.

      (At least Firefox makes it easy to remove. Unfortunately, it comes right back with the next update)

    • How do I remove this CA from my macbook?

      You can remove the Macbook from California, but you can never remove the California from the Macbook.

    • by nicolaiplum ( 169077 ) on Thursday April 09, 2015 @12:09PM (#49439951)

      Open Keychain Access, find the System Roots keychain (left side), look for "China Internet Network Information Centre EV Certificates Root" on the right side, double-click on that. In the window this opens, expand the "Trust" arrow and change "When using this certificate" to "Never Trust".
      Do the same for the "CNNIC Root" certificate.

  • by BenJeremy ( 181303 ) on Thursday April 09, 2015 @12:38PM (#49440207)

    Apple will surely be updating shortly to close the loophole that has people installing PopcornTime on their iPhones...

    Link [torrentfreak.com]

    I'm surprised this isn't bigger news.

  • IIRC, when Google announced that they were removing the certificate, they referred to specific terms in CNNIC's contract with them that had been violated. Not sure about Mozilla.

    Does CNNIC have similar contracts with Apple and Microsoft? Do they have similar terms? It occurs to me that they might not be as rigorous, because they might have been drafted several years earlier than Google's one - seeing as Chrome is a relative newcomer.

  • ... evil as possible. There are fake certs for Google, and Apple refuses to protect their users against them. That's pretty much the internet company version of sending machetes to ISIS.

  • fake certs from them. Did Apple do even that?

  • Is there a way for individual users to remove certs from these browsers without waiting for vendors to do so?

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...