China has the Root!

Wednesday, 3. February 2010

China’s Root Certificate Authority

For such a short article, this creates some major questions.

Let’s begin..

1. This is the general information from the CNNIC:

China Internet Network Information Center (CNNIC), the state network information center of China, was founded as a non-profit organization on Jun. 3rd 1997.

CNNIC takes orders from the Ministry of Information Industry (MII) to conduct daily business, while it is administratively operated by the Chinese Academy of Sciences (CAS). The Computer Network Information Center of the Chinese Academy of Sciences takes responsibility for running and administrating CNNIC. The CNNIC Steering Committee, a working group composed of well-known experts and commercial representatives in the domestic Internet community, supervises and evaluates the structure, operation and administration of CNNIC.
CNNIC INFO

So where the original article states “CNNIC is said to be controlled by the Chinese government”, it is correct.

So, with the Chinese government now controlling a root certificate trusted by browsers, what is to stop them from performing man-in-the-middle attacks?

BUZZZ- Stop right here and read Gerv Responds

If the hijacking is done “on a nationwide scale”, then someone should be able
to produce some actual evidence of it. Download the bad cert, email us a copy,
and we will act.

How would you like it if I locked you up or fined you because I thought you
were a criminal and didn’t want to “wait until the foreseeable crime happens”?
CNNIC is innocent until proven guilty – an important cornerstone of justice. If
their abuses are as widespread as you say, then producing evidence to prove
them guilty should not be difficult.

Gerv

A very valid point by Gerv: there are more and more of us security-minded individuals out there. Surely if a government was going to MITM, one of us would notice it. Unless, of course, the government has control of the entire countrywide network and can terminate both the client-side and the server-side SSL for every connection it wants to watch.

The idea works like this:

A client wants to access https://bobmarket.cn. They fire up their Mozilla browser and type it in.
That SSL handshake goes out across the network until it hits the router at, or one hop outside of, bobmarket.cn’s POP. At that location, a piece of network gear (possibly a load balancer, or just an SSL accelerator box) terminates the client-side SSL with a certificate for bobmarket.cn signed by the CNNIC. An encrypted tunnel to the SSL accelerator is established, and the client thinks the tunnel is to https://bobmarket.cn, because the CNNIC root is in its trust store and the certificate validates.

Now comes the fun part: the SSL accelerator forwards the decrypted traffic to the real front-end of bobmarket.cn and initiates its own SSL handshake there, against bob’s real certificate. Traffic flows, everyone is happy, and the information passes through the accelerator in the clear for anyone there to read.

Issues with that scenario: what if bob returns a packet along a different route, not through the same SSL accelerator that holds the encrypted tunnel? That packet would hit the client and be dropped, as the client doesn’t have a session with bob. Perhaps stateful SSL accelerators on all the connections into bob?

Please point out other issues as you see them, I’m not the end all be all of security.
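As an added example (not code from the original post, nor anything of Mozilla’s or CNNIC’s), here is how a client can produce the evidence Gerv asks for: keep a trust-on-first-use record of which CA issued the certificate each host presents, and flag the moment a different, still browser-trusted CA starts issuing for the same host. The host names, CA names and fingerprints used when exercising it are constructed; only the stdlib `ssl` calls are real.

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class CertObservation:
    """What one client can see about the leaf certificate of one TLS session."""
    host: str
    subject_cn: str
    issuer_cn: str
    sha256: str  # hex SHA-256 over the DER-encoded leaf certificate


def _common_name(name):
    # ssl.getpeercert() encodes a name as a tuple of RDNs, each a tuple of (key, value)
    return next((v for rdn in name for k, v in rdn if k == "commonName"), "")


def observe(host, port=443, timeout=5.0):
    """Record the certificate actually presented to this client (stdlib only)."""
    # A trusted root that signs an interposed certificate passes this validation,
    # which is exactly why the issuer has to be tracked separately.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return CertObservation(host, _common_name(info["subject"]),
                           _common_name(info["issuer"]),
                           hashlib.sha256(der).hexdigest())


class TofuStore:
    """Trust-on-first-use baseline: issuer and fingerprint per host."""

    def __init__(self):
        self.baseline = {}   # host -> first CertObservation seen
        self.evidence = []   # (baseline, offending observation) pairs worth reporting

    def check(self, obs):
        prev = self.baseline.get(obs.host)
        if prev is None:
            self.baseline[obs.host] = obs
            return "new"
        if obs.sha256 == prev.sha256:
            return "ok"
        if obs.issuer_cn != prev.issuer_cn:
            # Same host, different CA: the interposed-certificate case described above.
            self.evidence.append((prev, obs))
            return "issuer_changed"
        return "renewed"   # same issuer, new leaf: ordinary certificate rotation
```

An issuer change is a signal to investigate, not proof by itself (a site can legitimately move CAs); the stored pair in `evidence` is what you would send along with the downloaded certificate.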

TSA

Monday, 23. November 2009

Schneier on TSA

Good evening fellow hat wearers. After a recent trip to Seattle, I have a little security venting to do. My flight plan was home to Chicago, Chicago to Seattle.

My flight to Chicago was rather uneventful, enjoyable even. Arriving in Chicago, I made my way to the transfer gate. As we lined up like cattle to enter the pen, I noticed 3 TSA agents and a little push cart by the door… oh, whatever could be happening?

On the loudspeaker: “We will begin boarding now… and the TSA will be doing random screenings of carry-on luggage.” Great…

In short: yes, I got picked. Yes, I made it through fine.

To vent: the TSA inspection was pure CYAS (Cover Your Ass Security). The inspection consisted of opening one of my backpack’s zippers, glancing in, and waving me on. (Note: my pack has no less than 5 different zipper compartments, and was loaded with wires and electronics.) A true waste of time and resources.

Comic wisdom yet again…

Tuesday, 3. November 2009

Oh so right...

If only the TSA read XKCD….