China Internet Network Information Center accepted as a Mozilla root CA

68 points by jeffreyg, over 15 years ago

10 comments

AndrewHampton, over 15 years ago
To remove it

Firefox: Tools > Options > Advanced > Encryption > View Certificates > Authorities > find and delete the CNNIC entry

IE: Tools > Internet Options > Content > Publishers > Trusted Root Certification Authorities > find and delete the CNNIC entry

Chrome: Wrench > Options > Under the Hood > Manage Certificates > Trusted Root Certification Authorities > find and delete the CNNIC entry

Note, removing it from either Chrome or IE will remove it from both.

[Edit: added instructions for Chrome and IE]
sern, over 15 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=542689: "CNNIC is an evil organization. Reproducible: Always"
cperciva, over 15 years ago
This is hardly the first SSL certificate authority to be under the thumb of a nation-state actor, but maybe people will listen this time: Don't trust SSL unless you can't avoid it.
mbreese, over 15 years ago
Does anyone know how many other browsers have the CNNIC as a root CA?

Given the demographic of Firefox users, I think that this could end up being a huge PR problem for Mozilla.

Edit: After some checking, CNNIC is a root CA in both Windows and Mac, so I don't think that there was much avoiding this for Firefox.
fierarul, over 15 years ago
So now Google needs to become an SSL CA and at least self-sign certificates for its own domains.
tarkin2, over 15 years ago
Could someone please explain how CNNIC could enact a man in the middle act with this inclusion?

I am vaguely aware of MITM attacks: that someone sends you their public key while pretending to be someone else. And this means the data you send is encrypted in a way that the MITM can see.

However, I'm unsure how CNNIC's inclusion in Firefox's root certificates facilitates this. Perhaps I'm not the only one?
louislouis, over 15 years ago
Quite a lot of drama involving China in recent weeks. I wonder what's next? Chinese made laptops contain trojans? Chinese made iPhones contain spy chips? Chinese made clothes stitched with wiretapping chips?
wmf, over 15 years ago
Has anyone proposed limits on what certs could be issued by root CAs? e.g. What if Firefox only accepted CNNIC certs for .cn names?
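
The scoping wmf asks about, sketched as an added example that is not part of the original thread or any browser's code: each root gets a list of permitted DNS subtrees, matched on whole labels as X.509 name constraints do, and a certificate is rejected if any name it carries falls outside them. The `ROOT_SCOPES` table, the `CNNIC` key and the hostnames are constructed for illustration.

```python
# Added example: per-root DNS scoping as a client-side policy check.
# ROOT_SCOPES and its key are hypothetical; no browser ships this table.

ROOT_SCOPES = {
    "CNNIC": ["cn"],  # constructed policy: this root may only vouch for .cn names
}


def _labels(name):
    """Lower-case the name, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def name_in_subtree(dns_name, subtree):
    """True if dns_name equals subtree or sits below it, compared label by label."""
    name, base = _labels(dns_name), _labels(subtree)
    if name[0] == "*":
        # A wildcard only covers names under the rest of the pattern.
        name = name[1:]
    if not name or "" in name:
        return False  # empty name or empty label: malformed, reject
    # Whole-label suffix match, so "examplecn" does not count as ".cn".
    return len(name) >= len(base) and name[-len(base):] == base


def chain_allowed(root, san_dns_names):
    """Accept a leaf only if every DNS name it carries is inside the root's scope.

    Roots without an entry in ROOT_SCOPES stay unconstrained, which is the
    all-or-nothing behaviour the thread describes.
    """
    scopes = ROOT_SCOPES.get(root)
    if scopes is None:
        return True
    if not san_dns_names:
        return False  # nothing to compare against the scope: reject
    return all(
        any(name_in_subtree(name, scope) for scope in scopes)
        for name in san_dns_names
    )
```

The check has to cover every name in the certificate, not just the one the client connected to; otherwise a certificate listing one in-scope name alongside out-of-scope names would still pass.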
barrkel, over 15 years ago
One of the problems with CAs and chains of trust is that the decision is binary; if you want a more nuanced view of the trust one should have in a connection, the best you can do is examine the signing chain manually, through the nested dialogs.
briansmith, over 15 years ago
Mozilla is so idealistic about the H.264 video codec but couldn't care less about something like this that actually has serious consequences for end-users.