[Dev] Fwd: [liberationtech] China Internet Network Information Center is a trusted root CA

hellekin hellekin at gnu.org
Tue Oct 28 09:52:07 GMT 2014


Iceweasel 33 on Parabola is vulnerable.  So yes, the Chinese can attack
Parabola users.  But then, Verisign is also there, so the USAmericans
can as well.  Should we get rid of TLS already? <g>

==
hk

-------- Forwarded Message --------
Subject: 	[liberationtech] China Internet Network Information Center is
a trusted root CA
Date: 	Tue, 28 Oct 2014 14:27:32 +0800
From: 	Percy Alpha <percyalpha at gmail.com>
Reply-To: 	liberationtech <liberationtech at lists.stanford.edu>
To: 	liberationtech <liberationtech at lists.stanford.edu>



I'm Percy from GreatFire.org, the author of the report of the iCloud
MITM in China
<http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/21/apples-icloud-service-suffers-cyber-attack-in-china-putting-passwords-in-peril/>
last week. The attacks used a self-signed certificate. But I believe that
targeted attacks using the CNNIC CA are very possible, if they have not happened already.

Microsoft, Apple, Ubuntu and Firefox trust CNNIC (China Internet Network
Information Center) as a root CA. CNNIC has implemented (and tried to
mask) internet censorship, produced malware and has very bad security
practices. Tech-savvy users in China have been protesting the inclusion
of CNNIC as a trusted certificate authority for years.

You can go to
https://en.greatfire.org/blog/2014/oct/apple-and-microsoft-trust-chinese-government-protect-your-communication
to see more details and test whether you're vulnerable. We also present
a method to revoke all dubious Chinese CAs.

Percy Alpha(PGP <https://en.greatfire.org/contact#alt>)
GreatFire.org Team
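
An added example, not part of either message and not GreatFire's own test or removal method: a Python audit that lists trust anchors whose subject mentions the CA named above. It reads the OpenSSL-style store that Python uses, which is separate from the NSS store used by Iceweasel/Firefox; the function names and the sample entries are constructed for illustration.

```python
import ssl

# Names taken from the message; the roots' exact subject names are not given
# there, so every subject field is matched case-insensitively (an assumption).
WATCHLIST = ("CNNIC", "China Internet Network Information Center")

# Constructed entries in the dict layout returned by SSLContext.get_ca_certs().
_ROOT = ((("organizationName", "CNNIC"),), (("commonName", "Constructed Root"),))
_OTHER = ((("organizationName", "Example Trust"),), (("commonName", "Example CA"),))
SAMPLE = [
    {"subject": _ROOT, "issuer": _ROOT, "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": _OTHER, "issuer": _OTHER, "notAfter": "Jan  1 00:00:00 2030 GMT"},
]

def flatten(name):
    """Collapse ssl's nested RDN tuples into 'field=value' strings."""
    return [f"{field}={value}" for rdn in name for field, value in rdn]

def find_watched_roots(ca_certs, watchlist=WATCHLIST):
    """Return store entries whose subject mentions a watchlisted name."""
    hits = []
    for cert in ca_certs:
        subject = flatten(cert.get("subject", ()))
        haystack = " ".join(subject).lower()
        matched = [w for w in watchlist if w.lower() in haystack]
        if matched:
            hits.append({
                "subject": ", ".join(subject),
                # subject == issuer marks a self-signed root, not an intermediate
                "self_signed": cert.get("subject") == cert.get("issuer"),
                "not_after": cert.get("notAfter"),
                "matched": matched,
            })
    return hits

def audit_store(cafile=None):
    """Audit the default OpenSSL store, or one PEM bundle if cafile is given."""
    if cafile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
    return find_watched_roots(ctx.get_ca_certs())

if __name__ == "__main__":
    for hit in find_watched_roots(SAMPLE) + audit_store():
        print(hit)
```

Where roots live only in a hashed `capath` directory, `get_ca_certs()` does not list them until they have been used, so pass the distribution's PEM bundle as `cafile` for a complete audit.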

