Monthly Archive for January, 2010

当网络安全核心机制遇到流氓政府

我不想谈任何互联网话题,但是这次(CNNIC根证书)事件已经直接威胁到我们所有人,我们不应该沉默。“通往朝鲜的路,是每一个沉默的中国人铺就的。”——某推友。

基于非对称加密技术的数字证书机制是互联网安全的核心屏障,所有工业标准安全技术,包括https,S/MIME和ftps,都基于它。因为这道屏障,当我们用https浏览Gmail时,当我们用https使用Google Reader时,当我们使用在线SSL代理时,我们有理由相信,我们的隐私和通信不会被某独裁政府、党或它们的审查机构看到。现在,某流氓政府控制下的CNNIC正试图在这道屏障下放置一个巨型核弹。

事实上,在这个流氓国家,SSL早已不是绝对安全的。当你使用网银、支付宝之类服务时,银行网站已经在你的计算机上安装了根证书,而这个流氓国家政府、党和它能够控制的国内一切公司、机构和组织,都是不可信赖的。没人可以确定,某一天这个独裁政权会不会通过其能够控制的根证书对一个普通公民或“异见人士”进行中间人攻击。

除此之外,独裁政权还有其它手段,它可以冒充身份向国外CA申请某域名的SSL证书,大多数CA提供一种“Rapid SSL”证书,这种证书申请只需验证域名管理员邮件,全过程只需几分钟。窃取邮件可比窃取私钥容易多了,特别是对这个人类历史上最无耻、最流氓的政权和它庞大的统治机构而言。

然而,如果CNNIC成为操作系统和浏览器内置信任CA,这依然对我们网络安全有无法想象巨大影响。

I.它使GFW和GOV窃听SSL的成本降为0,并且几乎可以攻击所有操作系统和浏览器计算机。

II.虽然这种中间人攻击很容易被发现,但对流氓政权而言这不是问题。某一天流氓政权可能会立法称“国家使用CNNIC作为官方CA,对所有SSL通讯依法审查和管理”,把中间人攻击合法化、普遍化,就像企业网关审查SSL的防火墙一样。不要以为这是天方夜谭,我们本来就生存在局域网中。

III.另外,工信部、CNNIC等部委可能联合出台规定,要求“所有在中国大陆运营的https网站必须使用CNNIC或其它国内CA签发的SSL证书”,对境外网站SSL证书实行白名单制度,未备案的一律封锁。——就像它们现在想采取的域名白名单制度一样。(这一条很可能发生,搞不好某天CCAV就报道“淫秽色情非法网站利用加密技术逃避打击,网络专家表示,SSL证书领域亟待有效监管。”)

……

我曾不止一次感到何其幸运,互联网一切不是中国发明的。虽然OSI模型和TCP/IP设计协议缺乏安全性考虑导致容易被流氓政府审查和阻断,它依然建立了了一个开放的,分布式的,任何人、机构和国家不可能真正封锁的Internet;虽然DNS协议是现在互联网安全中最弱的一环,虽然中国已经有了许多根域名DNS镜像服务器,整个互联网基石——13台根域名DNS服务器——仍然全部在国外;虽然SSL/TLS协议有很多不足,它仍然是最好的安全技术,所有的浏览器内置根CA都是国外。——现在,我的最后一个庆幸可能要破灭了,流氓政府下属机构正在威胁整个互联网核心安全机制

 

然而,我们无须绝望,我们相信民众的力量,相信自由是无法阻挡的。某流氓政权采取的一切审查措施必将随着其本身一起灭亡。当这一天最终来临——它必将来临——时,中国网民必将感到欣慰——在几十年里他们几乎都在自由与专制斗争的第一线。

现在,你要做的是(如果你还没有做),移除和禁用计算机所有操作系统和浏览器中的CNNIC根证书

附上一段慷慨陈述的话,来自 [email protected] 关于 Add CNNIC CA Root Certificate 讨论里一位lihlii同学,它说出了所有中国网民、所有中国民众、乃至全世界所有热爱自由人们的心声。

(更多中国民众呼声见这里

1. Is it considered by CNNIC as "service on technology and research" to spread
malware with administrative power to spy on Internet users?

2. Is it considered by CNNIC as "service on technology and research" to ban
personal website registration in the .cn domain space [1][2][17]?

3. CNNIC banned the DNS resolving of a lot of independent websites, such as
bulllog.cn [1][2].  Is this considered by CNNIC as your way of "service" of
"registry for Chinese Domain Name"[4]?  Is this considered by CNNIC as "the
similar role as VeriSign"[4]?

4. Is CNNIC "qualified with the international criteria"[4] as a trustworthy
certificate authority?

5. Why did Liu Yan try to mask the real face of the PRC governmental nature of
CNNIC [5]?  Why did he even tried to hide the application by setting the bug
report to "Restricted Visibility"[6] at first?

6. Liu Yan said: "CA is a new operation for CNNIC to protect Internet
security"[5].  Is it considered by CNNIC as "operation to protect Internet
security" by spreading unremovable malware to spy on users' Internet activities
exploiting security flaws of the browsers, as CNNIC did [9][18]?

Liu Yan further claimed that "the WebTrust audit for government is much simpler
compared to company"[4].

So do you think CNNIC is a government or not?  If CNNIC is controlled by the
PRC government, why don't you dare to clearly admit it, but misled the readers
by posing as a "just offers service on technology and research" [4]?  What's
the motivation to hide the real identity of CNNIC? :)

Liu Yan(注:为在Mozilla社区发帖的CNNIC雇员) said: "There is no possible for us to monitor the user's actions or do
some attacks. I think every technical personnel knows that."[4]

Unfortunately, this is an arrant lie.  CNNIC not only DID "monitor the users'
actions" with intentionally spreaded malware [9], but also cooperated actively
with the PRC government to crack down independent blogs and websites
[1][2][17].  It's also highly possible that they may actively cooperate in MITM
attacks with such a government which attacked [15][16] its citizens, as well as
dozens of companies and many computers of foreign civil organizations and
government offices [10][11].

Further, Is PRC government a decent government?

Should a government put all their citizens in an information jail by building a
GFW (Great Firewall) [7][8][14] to block their access to Internet?
Should a government enforce news and speech censorship [14] on all the websites
including search engines to block criticism on the crimes they committed?
Should a government jail journalists and writers for their free speech [14]?
Should a government kill the college students and citizens with guns, and roll
over the bodies of college students with tanks? [19]
Should a government cheat the world by hiding information about SARS and
melamine contaminated milk[3] which caused repetitive man-made disasters, and
further punish those who told the truth?

Is this PRC government a real government, or is it a maffia group? :)

Liu Yan claimed that the CNNIC is a subordinate of "Chinese Academy of
Sciences".  Let's take a look at what kind of "research" the "Chinese Academy
of Sciences" has done before. :)

The Institute of Acoustics, Chinese Academy of Sciences closely cooperated with
the PRC government in Internet censorship.  Same as CNNIC which "takes orders
from the Ministry of Information Industry (MII)" [26], they developed some
natural language machine understanding algorithms for Internet text censorship
[25].  The target of their research is to distinguish speeches of the opponents
of the government from those of the proponents, which general keyword based
filtering can't achieve.  Their "research" was already deployed in the
censorware "Green Dam"[22][23], which was orderd by the MII to be installed on
each new PC in manufacturing process.  Although this plan failed, they must
have started some other plots to achieve the same goal.

Jonathan: might well yank trust for any CA that was complicit in MitM attacks.

Does the word "was" mean that until the MitM attack happened, any organizations
can put their root CA certificates in Firefox provided that they can buy
endorsement "services" from accountant companies like Ernst&Young [1] to
acquire "trust" from webtrust.org?

The real concern of many Chinese programmers is not about "was", but "may", as
CNNIC already "DID" quite some dirty things before!  Now it's a new capability
that the inclusion of root certificate of CNNIC will grant to the PRC
government.

Anyway, since they already got secondary CA certificate issued by Entrust.net,
adding CNNIC as root CA is not introducing more problems. <strong> But this discussion
is an alert on the trust model of PKI when we face a rogue government and their
minion organizations.</strong>

We should improve the browser to ask for permissions from the end users to
grant trust to each root CA when it's used in each session (not only at the
first time), clearly display the certificate signing path, and warn them of any
change in certificates (to be alert of a MitM attack).  This seems paranoiac
but it's because we're facing real threats of attacks from a powerful rogue
government, from which even big companies like Google and well equipped
government offices suffered.

The security model of SSL was practically in danger because of the design flaws
 of the browser to place blind trust on root CAs without consent from the
users.  Since the CA certificates of rogue government agencies were added, we
should consider Firefox as a rogue government controlled browser in the default
configuration.

自由世界的光荣与梦想

现在,百度搜索“非法献花”居然也显示“搜索结果可能不符合相关法律法规和政策,未予显示。”外交部发言人仍然十年如一日重复着可能连她自己也知道是皇帝的新衣的话:“中国互联网是开放的。中国政府按照国际惯例依法管理互联网。”称,15日Google与中国政府谈判破裂,谷歌中国正式解散。

我翻出了一篇文章,是罗纳德里根总统1987年在勃兰登堡门下的演讲,这是在约翰肯尼迪总统24年之后,又一位美国总统来到柏林墙,对全世界演讲。里根总统在这篇演说里发出了著名的呼吁,戈尔巴乔夫先生,推倒这座墙。

演说中讲到:

“五十年代,赫鲁晓夫曾经预言:"我们将埋葬你们。"然而在今天的西方,我们见到的是一个自由的世界,达到的繁荣和富足水平为人类历史上前所未有。在共产世界,我们则看见失败、技术退步、健康水平下降、甚至于基本物资的匮乏–食物不足。即使在今天,苏联还不能粮食自给。经过这四十年,一个伟大而无可逃避的结论展示给整个世界:自由带来繁荣。在和平合作的国家,自由取代了自古以来的仇恨。自由是胜利者。”

今天的中国情况有所不同。虽然在冰山表面下的人权压迫、社会矛盾和财富不均已经到极其严重地步,这个国家仍是世界发展最快的新兴市场。大多数民众的生活水平,按照中共的话说,自“建国以来,特别是改革开放30年以来有了天翻地覆的变化”。

这绝不是值得骄傲的事情,要知道,1979年以后中国的高增长率是建立在极低的基准值上。当时的中国经济连官方也承认到了崩溃的边缘,大陆人民生活水平比起民国时期犹未不如,这之前30年,历届政治运动造成大量非正常人员死亡,如今美国华盛顿DC树立了“共产主义受难者纪念碑”(Earth:38°53’54.65"N,77° 0’43.41"W 或 直接搜索该词),以纪念一亿以上共产主义受难者,其中有半数多,我想,是1949年后无辜受难的中国人。中华人民共和国的前三十年就全部充满着这样的政治运动、人权迫害和其它文化、文明、社会的人为的多灾多难。而后三十年的经济增长则是从极低的初始点开始的,并且自始至今伴随着极高能耗单位产值、环境污染、财富不均、机会不公和公权力阶层的集体腐败和道德沦丧。这样的建国60年,根本谈不上任何一点成就。

然而,中国仍然已成为世界上一个重要经济体。在许多不明真相人甚至国家眼中,中国速度令人羡慕。假如事实是这样,这将是很危险的一件事,共产主义的政治文明是与人类理想背道而驰的,迄今为止我们看到的共产主义和社会主义全部政治特征是极权统治、缺乏民主、民众没有基本的自由和人权。如果这样的政治环境下也能搞好经济,这是对整个人类价值观的挑战:你可以没有人权,但你也可以发展经济。这句话的另一种表述是,只要经济搞的话就可以杀人。再想想,这个逻辑却似乎可以解释中共政权的经济成就,那就是无视人类文明普世价值和基本人权,野蛮式、掠夺式、侵略式经济发展。

自由世界的光荣和梦想是,已经实现的大部分欧洲和北美国家的宪政、民主和自由体制,以及把这些理念推及到全世界,帮助其它国家摆脱极权统治威胁,加入到自由的行列中。今天承担这项任务的,不仅有美国和西方各国的政府,还包括各种NGO组织、民间力量、独立媒体、国际组织,还有始终坚持不作恶的Google——致力于让所有人都能自由地获取信息。Google的Slogan中含有崇高的道德理念,并且它确实在努力践行这一标准。人们把Google看作互联网文明的代表,在这样一个商业公司身上,我们看到了网络自由特征的全部内涵,和我们追求的所有最有价值的东西。

Hello world!

作为一个计算机专业毕业的人,按照惯例,第一篇文章保留”Hello world”的标题,向前辈致敬。

这不是我的第一个个人站点。建立这个网站(现在而言也可叫Blog),是为了让自己有一些改变,试着实现自己最近的一些想法。尾大不掉,很多事情,必须重新开始,才能有新的机会,新的挑战,新的命运。

这个站点只有一个域名:。并且没有任何子域名。服务器位于美国。

本网站使用SSL加密,所有内容强制要求使用https访问——这是我的第一个想法:为了抵御各种各样的网络审查、防火墙、嗅探和其它形式流量分析对我们隐私的侵犯,所有的互联网协议都应该加密。虽然在数字时代保护所有个体的隐私是非常复杂的问题,传输层加密至少提供的最基本的保障——让网站和访客之间的通信不会被政府、网管、黑客或其它人看到。

如果你意识到隐私是极为重要的,那么你不仅应该关心保护自己的隐私,也应该关心保护别人的隐私。——这其中的道理是很明显的。美国波士顿犹太人屠杀纪念碑上刻着一位叫马丁.尼莫拉(Martin Niemoller  )的德国新教牧师留下的短诗。尼莫拉曾是纳粹的受害者,这首诗这样写道:

“起初他们追杀共产主义者,我没有说话;
接着他们追杀犹太人,我没有说话;
后来他们追杀工会成员,我没有说话;
此后他们追杀天主教徒,我没有说话;
最后他们奔我而来,却再也没有人为我说话了。”

(有删节)

这个道理告诉我们,如果我们在别人的隐私遭到侵犯或可能被侵犯的危险时没有给予帮助,那么当你的隐私遭到侵犯或可能被侵犯的危险时就没有人能帮助你。推广来说,这和“只要一人被奴役,所有人都不自由”是同一个逻辑:如果一种暴政、奴役或不义可以发生在某个人身上,那么它就可能发生在我们任何人身上。冯正虎、刘晓波就是警钟。

正是出于对(自己和所有其它人)隐私的重视,我在这个新网站里完全采用了https。所有的http请问都会被重定向到对应的https页面。我还想通过此行为表达这样的观点,那就是在专制与极权统治面前,我们不害怕,我们不放弃,我们每天都在努力,不放过任何细微的机会,尽一切可能,力图推动社会民主、公义与公民自由和人权的发展。