Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why do you trust CNNIC? #15073

Closed
buckle2000 opened this issue Aug 29, 2017 · 6 comments
Closed

Why do you trust CNNIC? #15073

buckle2000 opened this issue Aug 29, 2017 · 6 comments
Labels
crypto Issues and PRs related to the crypto subsystem. question Issues that look for answers. security Issues and PRs related to security.

Comments

@buckle2000
Copy link

  • Subsystem: tls
  • CNNIC has made tons of malware
  • CNNIC has issued cert for possible MiTM attempt (distrust from Mozilla & Google)
  • CNNIC has once banned personal registration for it's own profit (& political power)
  • CNNIC has recalled several registered .cn domains arbitrarily for no prior acknowledgement from domains' owners (because domain name is same as names of Chinese athletes in 2008 Olympics)

You really shouldn't trust CNNIC.
@jasnell
Copy link
Member

jasnell commented Aug 29, 2017

I want to clarify: this is in relation to including cnnic is the default trusted certs? Correct?

@refack
Copy link
Contributor

refack commented Aug 29, 2017

Hello @buckle2000,
The current procedure for root CA trust is to mirror the list provided by Network Security Services (NSS).
Feel free to raise a PR to update that list, or the version that's embedded in node (similar to #13279).

@refack refack added crypto Issues and PRs related to the crypto subsystem. security Issues and PRs related to security. question Issues that look for answers. labels Aug 29, 2017
@TimothyGu
Copy link
Member

TimothyGu commented Aug 29, 2017
edited
Loading

Hi! We take TLS security seriously. We follow recommendations set up by major browser vendors (Mozilla, Google, and others) with regards to CA. In fact, we have already distrusted all new CNNIC-issued certificates in accordance with Mozilla since #1895 (landed two years ago), which is in the latest release of all support release branches.

If you believe the a supported version of Node.js does not distrust some CNNIC-issued certificates when it should, please email security@nodejs.org as documented in https://github.com/nodejs/node/blob/master/README.md

/cc @shigeki

Edit: Fix truncated response.

@shigeki
Copy link
Contributor

shigeki commented Aug 29, 2017
edited
Loading

Yes, the CNNIC root certs is now included but the certificates issued by CNNIC are filtered with the whitelist of https://github.com/nodejs/node/blob/master/src/CNNICHashWhitelist.inc which is provided by Mozilla.

Recently, the CNNIC root cert was removed in Mozilla's root certs list in https://bugzilla.mozilla.org/show_bug.cgi?id=1356623 and we are waiting for Firefox56 to be stable.
After releasing Firefox56, we are going to update root certs so that all certs issued by CNNIC will be distrusted.

@shigeki
Copy link
Contributor

shigeki commented Aug 29, 2017

Closing as I described above.

@shigeki shigeki closed this as completed Aug 29, 2017
@buckle2000
Copy link
Author

buckle2000 commented Oct 7, 2017
edited
Loading

Firefox56 was released on September 28, 2017.
https://developer.mozilla.org/en-US/Firefox/Releases/56
@jasnell @TimothyGu

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
crypto Issues and PRs related to the crypto subsystem. question Issues that look for answers. security Issues and PRs related to security.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@refack @jasnell @shigeki @TimothyGu @buckle2000