小野大神 Blog

いつものあいさつ、いつもの別れ、そんな、いっけんあたりまえの幸せが、そこに、あった

我不想谈任何互联网话题，但是这次（CNNIC根证书）事件已经直接威胁到我们所有人，我们不应该沉默。“通往朝鲜的路，是每一个沉默的中国人铺就的。”——某推友。

基于非对称加密技术的数字证书机制是互联网安全的核心屏障，所有工业标准安全技术，包括https，S/MIME和ftps，都基于它。因为这道屏障，当我们用https浏览Gmail时，当我们用https使用Google Reader时，当我们使用在线SSL代理时，我们有理由相信，我们的隐私和通信不会被某独裁政府、党或它们的审查机构看到。现在，某流氓政府控制下的CNNIC正试图在这道屏障下放置一个巨型核弹。

事实上，在这个流氓国家，SSL早已不是绝对安全的。当你使用网银、支付宝之类服务时，银行网站已经在你的计算机上安装了根证书，而这个流氓国家政府、党和它能够控制的国内一切公司、机构和组织，都是不可信赖的。没人可以确定，某一天这个独裁政权会不会通过其能够控制的根证书对一个普通公民或“异见人士”进行中间人攻击。

除此之外，独裁政权还有其它手段，它可以冒充身份向国外CA申请某域名的SSL证书，大多数CA提供一种“Rapid SSL”证书，这种证书申请只需验证域名管理员邮件，全过程只需几分钟。窃取邮件可比窃取私钥容易多了，特别是对这个人类历史上最无耻、最流氓的政权和它庞大的统治机构而言。

然而，如果CNNIC成为操作系统和浏览器内置信任CA，这依然对我们网络安全有无法想象巨大影响。

I.它使GFW和GOV窃听SSL的成本降为0，并且几乎可以攻击所有操作系统和浏览器计算机。

II.虽然这种中间人攻击很容易被发现，但对流氓政权而言这不是问题。某一天流氓政权可能会立法称“国家使用CNNIC作为官方CA，对所有SSL通讯依法审查和管理”，把中间人攻击合法化、普遍化，就像企业网关审查SSL的防火墙一样。不要以为这是天方夜谭，我们本来就生存在局域网中。

III.另外，工信部、CNNIC等部委可能联合出台规定，要求“所有在中国大陆运营的https网站必须使用CNNIC或其它国内CA签发的SSL证书”，对境外网站SSL证书实行白名单制度，未备案的一律封锁。——就像它们现在想采取的域名白名单制度一样。（这一条很可能发生，搞不好某天CCAV就报道“淫秽色情非法网站利用加密技术逃避打击，网络专家表示，SSL证书领域亟待有效监管。”）

……

我曾不止一次感到何其幸运，互联网一切不是中国发明的。虽然OSI模型和TCP/IP设计协议缺乏安全性考虑导致容易被流氓政府审查和阻断，它依然建立了了一个开放的，分布式的，任何人、机构和国家不可能真正封锁的Internet；虽然DNS协议是现在互联网安全中最弱的一环，虽然中国已经有了许多根域名DNS镜像服务器，整个互联网基石——13台根域名DNS服务器——仍然全部在国外；虽然SSL/TLS协议有很多不足，它仍然是最好的安全技术，所有的浏览器内置根CA都是国外。——现在，我的最后一个庆幸可能要破灭了，流氓政府下属机构正在威胁整个互联网核心安全机制。

然而，我们无须绝望，我们相信民众的力量，相信自由是无法阻挡的。某流氓政权采取的一切审查措施必将随着其本身一起灭亡。当这一天最终来临——它必将来临——时，中国网民必将感到欣慰——在几十年里他们几乎都在自由与专制斗争的第一线。

现在，你要做的是（如果你还没有做），移除和禁用计算机所有操作系统和浏览器中的CNNIC根证书。

附上一段慷慨陈述的话，来自 Bugzilla@Mozilla 关于 Add CNNIC CA Root Certificate 讨论里一位lihlii同学，它说出了所有中国网民、所有中国民众、乃至全世界所有热爱自由人们的心声。

(更多中国民众呼声见这里）

1. Is it considered by CNNIC as "service on technology and research" to spread
malware with administrative power to spy on Internet users?

2. Is it considered by CNNIC as "service on technology and research" to ban
personal website registration in the .cn domain space [1][2][17]?

3. CNNIC banned the DNS resolving of a lot of independent websites, such as
bulllog.cn [1][2].  Is this considered by CNNIC as your way of "service" of
"registry for Chinese Domain Name"[4]?  Is this considered by CNNIC as "the
similar role as VeriSign"[4]?

4. Is CNNIC "qualified with the international criteria"[4] as a trustworthy
certificate authority?

5. Why did Liu Yan try to mask the real face of the PRC governmental nature of
CNNIC [5]?  Why did he even tried to hide the application by setting the bug
report to "Restricted Visibility"[6] at first?

6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet
security"[5].  Is it considered by CNNIC as "operation to protect Internet
security" by spreading unremovable malware to spy on users' Internet activities
exploiting security flaws of the browsers, as CNNIC did [9][18]?

Liu Yan further claimed that "the WebTrust audit for government is much simpler
compared to company"[4].

So do you think CNNIC is a government or not?  If CNNIC is controlled by the
PRC government, why don't you dare to clearly admit it, but misled the readers
by posing as a "just offers service on technology and research" [4]?  What's
the motivation to hide the real identity of CNNIC? :)

Liu Yan(注：为在Mozilla社区发帖的CNNIC雇员） said: "There is no possible for us to monitor the user's actions or do
some attacks. I think every technical personnel knows that."[4]

Unfortunately, this is an arrant lie.  CNNIC not only DID "monitor the users'
actions" with intentionally spreaded malware [9], but also cooperated actively
with the PRC government to crack down independent blogs and websites
[1][2][17].  It's also highly possible that they may actively cooperate in MITM
attacks with such a government which attacked [15][16] its citizens, as well as
dozens of companies and many computers of foreign civil organizations and
government offices [10][11].

Further, Is PRC government a decent government?

Should a government put all their citizens in an information jail by building a
GFW (Great Firewall) [7][8][14] to block their access to Internet?
Should a government enforce news and speech censorship [14] on all the websites
including search engines to block criticism on the crimes they committed?
Should a government jail journalists and writers for their free speech [14]?
Should a government kill the college students and citizens with guns, and roll
over the bodies of college students with tanks? [19]
Should a government cheat the world by hiding information about SARS and
melamine contaminated milk[3] which caused repetitive man-made disasters, and
further punish those who told the truth?

Is this PRC government a real government, or is it a maffia group? :)

Liu Yan claimed that the CNNIC is a subordinate of "Chinese Academy of
Sciences".  Let's take a look at what kind of "research" the "Chinese Academy
of Sciences" has done before. :)

The Institute of Acoustics, Chinese Academy of Sciences closely cooperated with
the PRC government in Internet censorship.  Same as CNNIC which "takes orders
from the Ministry of Information Industry (MII)" [26], they developed some
natural language machine understanding algorithms for Internet text censorship
[25].  The target of their research is to distinguish speeches of the opponents
of the government from those of the proponents, which general keyword based
filtering can't achieve.  Their "research" was already deployed in the
censorware "Green Dam"[22][23], which was orderd by the MII to be installed on
each new PC in manufacturing process.  Although this plan failed, they must
have started some other plots to achieve the same goal.

Jonathan: might well yank trust for any CA that was complicit in MitM attacks.

Does the word "was" mean that until the MitM attack happened, any organizations
can put their root CA certificates in Firefox provided that they can buy
endorsement "services" from accountant companies like Ernst&Young [1] to
acquire "trust" from webtrust.org?

The real concern of many Chinese programmers is not about "was", but "may", as
CNNIC already "DID" quite some dirty things before!  Now it's a new capability
that the inclusion of root certificate of CNNIC will grant to the PRC
government.

Anyway, since they already got secondary CA certificate issued by Entrust.net,
adding CNNIC as root CA is not introducing more problems.  But this discussion
is an alert on the trust model of PKI when we face a rogue government and their
minion organizations.

We should improve the browser to ask for permissions from the end users to
grant trust to each root CA when it's used in each session (not only at the
first time), clearly display the certificate signing path, and warn them of any
change in certificates (to be alert of a MitM attack).  This seems paranoiac
but it's because we're facing real threats of attacks from a powerful rogue
government, from which even big companies like Google and well equipped
government offices suffered.

The security model of SSL was practically in danger because of the design flaws
 of the browser to place blind trust on root CAs without consent from the
users.  Since the CA certificates of rogue government agencies were added, we
should consider Firefox as a rogue government controlled browser in the default
configuration.