Mozilla Debates Whether to Trust Chinese CA

FirefoxSometimes geeky technical details matter only to engineers. But sometimes a seemingly arcane technical decision exposes deep social or political divisions. A classic example is being debated within the Mozilla project now, as designers decide whether the Mozilla Firefox browser should trust a Chinese certification authority by default.

Here’s the technical background: When you browse to a secure website (typically at a URL starting with “https:”), your browser takes two special security precautions: it sets up a private, encrypted “channel” to the server, and it authenticates the server’s identity. The second step, authentication, is necessary because a secure channel is useless if you don’t know who is on the other end. Without authentication, you might be talking to an impostor.

Suppose you’re connecting to https://mail.google.com, to pick up your Gmail. To authenticate itself to you, the server will (1) do some fancy math to prove to you that it knows a certain encryption key, and (2) present you with a digital certificate (or “cert”) attesting that only Google knows that encryption key. The cert is created by a Certification Authority (“CA”), which asserts that it has done the necessary due diligence to establish that the designated encryption key is known only to Google Inc.

If the CA is competent and honest, then you can rely on the cert, and your connection will be secure. But a dishonest CA can trick you into talking to an impostor site, so you need to be cautious about which CAs you trust. Your browser comes preinstalled with a list of CAs whom it will trust. In principle you can change this list, but almost nobody does. So browser vendors effectively decide which CAs their users will trust. Continue reading.

Related Posts

File-Sharing Software Potential Threat to Health Privacy The personal health and financial information stored in thousands of North American home computers may be vulnerable to theft through file-sharing sof...
How to manage disk encryption passphrases and key slots Disk encryption is one method you may use to enhance the physical security rating of your computer. From my experience, it is rarely used, which is a ...
Blue Skies Thinking for Cloud Security? As cloud computing moves data and services from local systems to remote centres, the question of security for organisations must be addressed. A resea...
How Android Security Stacks Up Today's smart phones have all the speed, storage, and network connectivity of desktop computers from a few years ago. Because of this, they're a treas...
Malicious Software: Hiding the Honeypots Armies of networked computers that have been compromised by malicious software are commonly known as Botnets. Such Botnets are usually used to carry o...
Improved Online Security for a Tenth of the Cost Computer scientists at the University of Hertfordshire have found a way to share information online securely for a fraction of the cost of existing sy...

We Recommend These Vendors and Free Offers

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


Leave a Comment

Your email address will not be published. Required fields are marked *

*