Mozilla Debates Whether to Trust Chinese CA

FirefoxSometimes geeky technical details matter only to engineers. But sometimes a seemingly arcane technical decision exposes deep social or political divisions. A classic example is being debated within the Mozilla project now, as designers decide whether the Mozilla Firefox browser should trust a Chinese certification authority by default.

Here’s the technical background: When you browse to a secure website (typically at a URL starting with “https:”), your browser takes two special security precautions: it sets up a private, encrypted “channel” to the server, and it authenticates the server’s identity. The second step, authentication, is necessary because a secure channel is useless if you don’t know who is on the other end. Without authentication, you might be talking to an impostor.

Suppose you’re connecting to https://mail.google.com, to pick up your Gmail. To authenticate itself to you, the server will (1) do some fancy math to prove to you that it knows a certain encryption key, and (2) present you with a digital certificate (or “cert”) attesting that only Google knows that encryption key. The cert is created by a Certification Authority (“CA”), which asserts that it has done the necessary due diligence to establish that the designated encryption key is known only to Google Inc.

If the CA is competent and honest, then you can rely on the cert, and your connection will be secure. But a dishonest CA can trick you into talking to an impostor site, so you need to be cautious about which CAs you trust. Your browser comes preinstalled with a list of CAs whom it will trust. In principle you can change this list, but almost nobody does. So browser vendors effectively decide which CAs their users will trust. Continue reading.

Related Posts

Malicious Software: Hiding the Honeypots Armies of networked computers that have been compromised by malicious software are commonly known as Botnets. Such Botnets are usually used to carry o...
Google Squeezes Flash into Chrome Adobe's Flash Player has come under fire from developers and companies who question its necessity, but the plug-in has just received a big vote of con...
Scientist Invents a Digital Security Tool Good Enough for the CIA — And for You A British computer hacker equipped with a "Dummies" guide recently tapped into the Pentagon. As hackers get smarter, computers get more powerful and n...
Improved Online Security for a Tenth of the Cost Computer scientists at the University of Hertfordshire have found a way to share information online securely for a fraction of the cost of existing sy...
What we can learn from Jason Chen’s experience Not too long ago, Jason Chen, a Gizmodo editor, had all the computer related materials in his residence seized by cops acting on a warrant in relation...
Soft Spots in Hardened Software Over the past decade, Microsoft, the target of choice for many online attackers, has hardened its operating system, adopting technologies designed to ...

We Recommend These Vendors

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).


Leave a Comment

Your email address will not be published. Required fields are marked *

*