Everybody: although this has nothing to do with AutoProxy itself, it is a very serious security threat to all users, AutoProxy users included. I am wcm, the AutoProxy author, and I strongly recommend that you read this carefully and take the measures described below.
Background
Any information transmitted online may be maliciously intercepted. Even so, we still keep a lot of important information on the Internet, such as private email and bank transactions, because something called SSL/TLS/HTTPS protects it: it encrypts the communication between us and the website's server.
If a website considers its user data sensitive and wants to use SSL/TLS/HTTPS encryption, it must first apply for a certificate from a company or organization that holds CA (Certificate Authority) authority. Companies and organizations with CA authority are reviewed worldwide and regarded as trustworthy.
What happened
Recently, CNNIC (yes, the notorious CNNIC that used system vulnerabilities to spread rogue software; the CNNIC, the China Internet Network Information Center, that abruptly suspended .CN domain name resolution) has secretly obtained CA authority, hidden from every Chinese user!
What does it mean?
This means that CNNIC can create a fake certificate for any website at will, substitute it for the website's real certificate, and read any information we send!
This is the legendary SSL MITM (man-in-the-middle) attack. In the past this attack did not matter much, because the attacker's certificate was fake and the browser would warn us. Now that CNNIC has CA authority, the browser fully trusts its certificates and gives us no warning at all, even for fake ones!
Do you trust CNNIC? Do you believe it will keep to its duty with this authority and not secretly abuse it?
I have three questions:
- A certain party has a strong interest in Gmail, and GFW has worked on SSL for many years without much progress. Now there is a CA. If GFW gives the order, would CNNIC dare not act?
- CNNIC used its so-called official status to create rogue software that harmed Internet users. Now that it has a CA, how can we believe this will not be repeated?
- Other rogue companies would pay money or trade favours to obtain a legitimate certificate for a website of their choosing. Is CNNIC's professional ethics strong enough to withstand that temptation?
Impact Scope
Basically all users of all browsers are affected!
Step 1: immediate security defense
Here we only describe the defence for the Firefox browser. Users of other browsers should search for their own; the principle is the same.
- Menu bar: Tools/Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Authorities.
- This is a very long list, in alphabetical order. You should be able to find an entry named "CNNIC ROOT". This is the entry we need to tell Firefox we do not trust!
- Select CNNIC ROOT and click the "Edit" button below. A dialog appears with three options: untick all three! Save.
- But, as the saying goes, a cunning rabbit has three burrows.
- Next, find the group named Entrust.net, which should contain a "CNNIC SSL" entry (if not, visit this website).
- Don't rush in; the situation is different this time. This certificate is signed by Entrust. We trust Entrust, and Entrust says it trusts CNNIC, so we are forced to trust CNNIC SSL. Find "Entrust.net Secure Server Certification Authority" and, as above, untick the three options and save. (Tip: after distrusting Entrust you may no longer be able to open some normal websites that it has signed. As for which websites use its signature, I tried and did not find an example.)
- Finally, verify it. Restart Firefox and visit this website and this one.
If Firefox gives security warnings for both websites and will not open them normally, congratulations! You are free of the security threat from the CNNIC CA!
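To make the chain-walking behind these two edits concrete, here is an added toy model (example code written for this page, not from the original post or AutoProxy) showing why distrusting only the "CNNIC ROOT" entry is not enough when a cross-signed "CNNIC SSL" also chains to Entrust, and why distrusting Entrust also costs you its legitimate customers. Every certificate name and site in it is constructed, and there is no real cryptography.

```python
# Toy model of how a browser decides whether a certificate chain is trusted.
# Constructed for this page: illustrative names, no real certificates, no signatures.

# Each certificate is (subject, issuer). Roots are self-issued.
CERTS = [
    ("CNNIC ROOT", "CNNIC ROOT"),
    ("Entrust.net Secure Server CA", "Entrust.net Secure Server CA"),
    ("CNNIC SSL", "CNNIC ROOT"),                            # CNNIC's own intermediate
    ("CNNIC SSL", "Entrust.net Secure Server CA"),          # the cross-signed copy
    ("mail.example.com (forged)", "CNNIC SSL"),            # a MITM certificate
    ("shop.example.net", "Entrust.net Secure Server CA"),  # an ordinary Entrust customer
]


def accepted_paths(subject, trusted_roots, path=()):
    """Return every chain from `subject` up to a root in `trusted_roots`.
    A browser shows no warning as long as at least one such path exists."""
    paths = []
    for subj, issuer in CERTS:
        if subj != subject or (subj, issuer) in path:
            continue
        here = path + ((subj, issuer),)
        if subj == issuer:                      # reached a self-issued root
            if subj in trusted_roots:
                paths.append(here)
        else:                                   # climb to the issuer
            paths.extend(accepted_paths(issuer, trusted_roots, here))
    return paths


def is_trusted(subject, trusted_roots):
    return bool(accepted_paths(subject, trusted_roots))


DEFAULT_ROOTS = {"CNNIC ROOT", "Entrust.net Secure Server CA"}
AFTER_STEP1 = DEFAULT_ROOTS - {"CNNIC ROOT"}                    # first edit above
AFTER_STEP2 = AFTER_STEP1 - {"Entrust.net Secure Server CA"}    # second edit above

if __name__ == "__main__":
    for label, roots in (("default", DEFAULT_ROOTS),
                         ("CNNIC ROOT removed", AFTER_STEP1),
                         ("Entrust also removed", AFTER_STEP2)):
        print(f"{label}: forged cert trusted={is_trusted('mail.example.com (forged)', roots)}, "
              f"Entrust customer trusted={is_trusted('shop.example.net', roots)}")
```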
Step 2: Governance
When I heard this news a few days ago, I simply deleted the CNNIC certificate. But this weekend I suddenly felt that was very bad: as long as it exists, most users remain under threat. It is the same idea as writing AutoProxy: if most people are under a security threat, what is the point of one person's security? If we cannot lower the threshold for freedom and security, what is the advantage of so-called technology?
Therefore, I appeal to everyone to contribute a little time and knowledge and unite to persuade the various browsers to revoke CNNIC's CA status. This kind of thing cannot be driven by companies, only by our community.
The first target is Firefox. As a nonprofit organization, Mozilla has a more open decision-making process and is more willing to listen to the community. Bug 476766 records the whole history of this matter. Bug 542689 and mozilla.dev.security.policy carry the current discussion (note that you can add yourself to the Bugzilla CC list) where you can express your concern. However, do not say anything unreliable to anyone, or stress politics, GFW and the like. Argue instead that, for example, CNNIC used deception or concealment during its application, or that some of its actions after approval violate Mozilla's CA Policy; or that its nature and past behaviour show it will not be loyal to its responsibilities but will (help) do things like MITM as a CA.
The second is Entrust, which says it trusts CNNIC, so that we are forced to trust CNNIC SSL. Please tell Entrust that this is very serious: because it wrongly trusts CNNIC, a large number of users have to delete its CA. It is even better if you can find websites that use Entrust certificates: tell those websites that we have to delete the Entrust CA and ask them to choose another one. If the response is strong, it puts a lot of pressure on Entrust.
In addition, let's vote (result statistics)!
Finally, we strongly recommend that when you meet a certificate warning you close the page directly instead of casually adding an exception. The certificate trust system is layered, each level depending on the one above it; if you are careless, you may end up trusting a CA that should not be trusted. The two websites used for verification can be tested regularly (weekly/monthly). If one day you find that either website shows no certificate warning, pay attention!
Ladies and gentlemen:
DNS hijacking has already become the norm. Do not let SSL hijacking become the norm too! The matter has only just surfaced and there is still room for comment; once time passes, you and I are all frogs in warm water!
Address: http://autoproxy.org/zh-CN/node/66