China Internet Network Information Center accepted as a Mozilla root CA

[Security] Posted Feb 2, 2010 15:24 UTC (Tue) by corbet

Those who are concerned about the security of Mozilla's SSL certificate validation might want to take a look at this bugzilla entry. It seems that, at the end of October, Mozilla approved the addition of the China Internet Network Information Center (CNNIC) as a root certification authority, meaning that Firefox will accept CNNIC-signed certificates as valid and fully trusted. CNNIC is said to be controlled by the Chinese government and is alleged to be heavily involved in spying on Chinese citizens; numerous people are concerned that it will use its root CA position to facilitate man-in-the-middle attacks. Unfortunately, most of these concerns were not raised during the discussion period, making the removal of CNNIC - if warranted - harder.

Comments (41 posted)