[guardian-dev] Fwd: [liberationtech] China Internet Network Information Center is a trusted root CA

Hans-Christoph Steiner hans at guardianproject.info
Tue Oct 28 15:13:35 EDT 2014


To summarize what app developers can do about this kind of thing, using
pinning is one approach that works well.  An app can use pinning to enforce
the use of a certain subset of certificate authorities that the system
supports.  ChatSecure does this on iOS and Android, for example.  On Android
we use Moxie Marlinspike's AndroidPinning library to make a whitelist of
trusted Certificate Authorities (CAs).  For connections not signed by one of
those trusted CAs, the user can optionally trust it in TOFU/POP style (e.g.
self-signed, cacert.org, etc).

Chrome and Firefox now have pinning features (HSTS) that allow websites to set
up pins.  There are plans for allowing a website to specify a required signing
key (e.g. one trusted Certificate Authority).  Chrome already includes pins
that require all Google sites to have been signed by their trusted Certificate
Authority.  Firefox also includes some pins like this.

More info here:
https://www.imperialviolet.org/2011/05/04/pinning.html
https://blog.mozilla.org/security/2014/09/02/public-key-pinning/
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

.hc

Nathan of Guardian wrote:
> This is directly relevant to the IRC discussion about pinning and
> ChatSecure from yesterday.
> 
> ----- Original message -----
> From: Percy Alpha <percyalpha at gmail.com>
> To: liberationtech <liberationtech at lists.stanford.edu>
> Subject: [liberationtech] China Internet Network Information Center is a
> trusted root CA
> Date: Tue, 28 Oct 2014 14:27:32 +0800
> 
> I'm Percy from GreatFire.org, the author of the report of the iCloud
> MITM in China
> <http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/21/apples-icloud-service-suffers-cyber-attack-in-china-putting-passwords-in-peril/>
> last week. The attacks used a self-signed certificate. But I believe that
> targeted attacks using the CNNIC CA are very possible, if they have not
> happened already.
> 
> Microsoft, Apple, Ubuntu and Firefox trust CNNIC (China Internet Network
> Information Center) as a root CA. CNNIC has implemented (and tried to
> mask) internet censorship, produced malware and has very bad security
> practices. Tech-savvy users in China have been protesting the inclusion
> of CNNIC as a trusted certificate authority for years.
> 
> You can go to
> https://en.greatfire.org/blog/2014/oct/apple-and-microsoft-trust-chinese-government-protect-your-communication
> to see more details and test whether you're vulnerable. We also present
> a method to revoke all dubious Chinese CAs.
> 
> Percy Alpha (PGP <https://en.greatfire.org/contact#alt>)
> GreatFire.org Team
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
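The trust decision the message above describes (a whitelist of pinned CAs, with TOFU-style acceptance for anything else) as an added illustration; this is not code from this thread, ChatSecure or the AndroidPinning library. It assumes constructed certificate stand-ins and hostnames, and hashes SPKI bytes the way HPKP-style pins do.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER SubjectPublicKeyInfo (constructed)


def spki_hash(cert):
    """Pin value: SHA-256 over the certificate's public key info."""
    return hashlib.sha256(cert.spki).hexdigest()


def evaluate_chain(host, chain, pinned_ca_hashes, tofu_store):
    """Return PINNED, TOFU_KNOWN, TOFU_UNKNOWN or TOFU_MISMATCH.

    chain[0] is the leaf; later entries are intermediates and the root.
    """
    if not chain:
        return "TOFU_MISMATCH"  # nothing to evaluate, never accept
    # 1. Pinning: accept when any cert in the chain carries a whitelisted key.
    #    A root the OS trusts but the app did not pin (CNNIC, say) never matches.
    if any(spki_hash(c) in pinned_ca_hashes for c in chain):
        return "PINNED"
    # 2. TOFU fallback keyed by host: first sight asks the user, a repeat sight
    #    with the same leaf key passes, a changed leaf key is rejected.
    leaf = spki_hash(chain[0])
    seen = tofu_store.get(host)
    if seen is None:
        return "TOFU_UNKNOWN"  # caller prompts; remember_leaf() if accepted
    return "TOFU_KNOWN" if seen == leaf else "TOFU_MISMATCH"


def remember_leaf(host, chain, tofu_store):
    """Record the user's TOFU decision for this host."""
    tofu_store[host] = spki_hash(chain[0])


def demo():
    """Walk through the cases with constructed chains (hypothetical hosts)."""
    pinned_root = Cert("Pinned Root CA", "Pinned Root CA", b"pinned-root-key")
    other_root = Cert("Other Root CA", "Other Root CA", b"other-root-key")
    pins = {spki_hash(pinned_root)}
    tofu = {}
    pinned_chain = [Cert("chat.example", "Pinned Root CA", b"leaf-a"), pinned_root]
    other_chain = [Cert("chat.example", "Other Root CA", b"leaf-b"), other_root]
    self_signed = [Cert("xmpp.example", "xmpp.example", b"leaf-c")]
    rekeyed = [Cert("xmpp.example", "xmpp.example", b"leaf-d")]
    out = [evaluate_chain("chat.example", pinned_chain, pins, tofu),
           evaluate_chain("chat.example", other_chain, pins, tofu),
           evaluate_chain("xmpp.example", self_signed, pins, tofu)]
    remember_leaf("xmpp.example", self_signed, tofu)  # user accepted it
    out.append(evaluate_chain("xmpp.example", self_signed, pins, tofu))
    out.append(evaluate_chain("xmpp.example", rekeyed, pins, tofu))
    return out
```

Running demo() yields PINNED, TOFU_UNKNOWN, TOFU_UNKNOWN, TOFU_KNOWN, TOFU_MISMATCH: the system-trusted but unpinned root is treated exactly like the self-signed certificate, and a later key change is refused rather than re-prompted.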
