[liberationtech] China Internet Network Information Center is a trusted root CA

2014-10-28 Thread Percy Alpha
I'm Percy from GreatFire.org, the author of the report on the iCloud MITM
in China last week:
http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/21/apples-icloud-service-suffers-cyber-attack-in-china-putting-passwords-in-peril/
The attacks used a self-signed certificate. But I believe that targeted
attacks using the CNNIC CA are very possible, if they have not happened already.

Microsoft, Apple, Ubuntu and Firefox trust CNNIC (China Internet Network
Information Center) as a root CA. CNNIC has implemented (and tried to mask)
internet censorship, produced malware and has very bad security practices.
Tech-savvy users in China have been protesting the inclusion of CNNIC as a
trusted certificate authority for years.

You can go to
https://en.greatfire.org/blog/2014/oct/apple-and-microsoft-trust-chinese-government-protect-your-communication
to see more details and test whether you're vulnerable. We also present
a method to revoke all dubious Chinese CAs.

Percy Alpha (PGP https://en.greatfire.org/contact#alt)
GreatFire.org Team
-- 
Liberationtech is public  archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] China Internet Network Information Center is a trusted root CA

2014-10-28 Thread hellekin
FYI, a couple hours after receiving your email, DNSOP announced an IETF
session in Hong Kong sponsored by CNNIC (Quoting):

Subject: [DNSOP] Workshop on DNS Future Root Service Architecture, Hong
Kong, December 8-9, 2014 (SAVE THE DATE)

This two day workshop will focus on the DNS root service architecture
issues raised by two current Internet Drafts:

1. http://tools.ietf.org/html/draft-wkumari-dnsop-root-loopback-00
   Decreasing Access Time to Root Servers by Running One on Loopback
   W. Kumari, Ed.; P. Hoffman

2. http://tools.ietf.org/html/draft-lee-dnsop-scalingroot-00
   How to scale the DNS root system?
   Xiaodong Lee; Paul Vixie; Zhiwei Yan

These two drafts take very different approaches to the problem of
increasing root zone availability to recursive name servers. In this
workshop we will explore the differences and similarities, with an eye
towards revising both drafts and clarifying their roles in the DNS root
service architecture.

(End quote)

==
hk
