Mozilla Debates Whether to Trust Chinese CA

FirefoxSometimes geeky technical details matter only to engineers. But sometimes a seemingly arcane technical decision exposes deep social or political divisions. A classic example is being debated within the Mozilla project now, as designers decide whether the Mozilla Firefox browser should trust a Chinese certification authority by default.

Here’s the technical background: When you browse to a secure website (typically at a URL starting with “https:”), your browser takes two special security precautions: it sets up a private, encrypted “channel” to the server, and it authenticates the server’s identity. The second step, authentication, is necessary because a secure channel is useless if you don’t know who is on the other end. Without authentication, you might be talking to an impostor.

Suppose you’re connecting to, to pick up your Gmail. To authenticate itself to you, the server will (1) do some fancy math to prove to you that it knows a certain encryption key, and (2) present you with a digital certificate (or “cert”) attesting that only Google knows that encryption key. The cert is created by a Certification Authority (“CA”), which asserts that it has done the necessary due diligence to establish that the designated encryption key is known only to Google Inc.

If the CA is competent and honest, then you can rely on the cert, and your connection will be secure. But a dishonest CA can trick you into talking to an impostor site, so you need to be cautious about which CAs you trust. Your browser comes preinstalled with a list of CAs whom it will trust. In principle you can change this list, but almost nobody does. So browser vendors effectively decide which CAs their users will trust. Continue reading.

Related Posts

Soft Spots in Hardened Software Over the past decade, Microsoft, the target of choice for many online attackers, has hardened its operating system, adopting technologies designed to ...
How to Stop Distant Attacks on RFID Chips The limited power and processing ability of RFID chips makes them vulnerable to attackers operating at a distance. A new protocol could tackle this pr...
A Comfortable and Secure Login Method As most Internet users know, it is often hard to remember or keep apart all the passwords and login names for one's different online accounts. Dr. ...
What we can learn from Jason Chen’s experience Not too long ago, Jason Chen, a Gizmodo editor, had all the computer related materials in his residence seized by cops acting on a warrant in relation...
How Android Security Stacks Up Today's smart phones have all the speed, storage, and network connectivity of desktop computers from a few years ago. Because of this, they're a treas...
Improved Online Security for a Tenth of the Cost Computer scientists at the University of Hertfordshire have found a way to share information online securely for a fraction of the cost of existing sy...

We Recommend These Vendors and Free Offers

ContainerizeThis 2016 is a free, 2-day conference for all things containers and big data. Featured, will be presentations and free, hands-on workshops. Learn more at

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.

Leave a Comment

Your email address will not be published. Required fields are marked *