Thursday, May 20, 2010

Take the Chinese Government Out of Firefox

If you use the Firefox Web browser, you are unwittingly granting the Chinese government the ability to make your browser accept, as genuine, any secure Web site for which a certificate authority it controls chooses to issue a certificate, whether or not that government actually operates the site. How is this possible?

When a Web browser visits a secure Web site, it validates the site's identity by checking the SSL/TLS certificate presented by that Web site: the certificate must carry a digital signature that chains (directly, or through one or more intermediate certificates) to a Certificate Authority (CA) whose root certificate the browser already trusts, and the name in the certificate must match the site being visited. Those digital signatures are generated by Certificate Authorities, and the browser trusts them implicitly because their root certificates ship with it. A company that operates a secure Web site, such as Amazon.com, wants your browser to validate the identity of their site, so that customers can trust that their credit card info is being sent to the real Amazon.com instead of a site that is pretending to be Amazon.com. To do this, they pay a Certificate Authority to verify their identity and sign their site's SSL/TLS certificate. That digital signature is how a CA vouches for the identity of a secure Web site.

We trust Certificate Authorities never to sign certificates for fake Web sites. We believe they won't do that, because a CA that loses its trustworthy reputation loses money. But nothing technical restricts which sites a trusted CA may vouch for: a certificate signed by any trusted CA, for any domain name, is accepted by your browser, so the whole system is only as trustworthy as its least trustworthy CA. Your Web browser is created to automatically trust many different CAs. How many? Well, it might surprise you, but it's hundreds of CAs, from all over the world. And one of them is the China Internet Network Information Center, known as CNNIC, a Chinese government body.

If you use Firefox, you can see the list of trusted CAs by choosing Options from the Tools menu, then selecting the Advanced tab, then the Encryption tab, and clicking View Certificates. This opens the Certificate Manager dialog. Click on the Authorities tab. Scroll down to the entry for CNNIC ROOT. It should look like this:

[Screenshot: Certificate Manager, Authorities tab, with the CNNIC ROOT entry selected]

Select the CNNIC ROOT entry and click on the Edit button. This opens the Trust Settings dialog for that CA, which should look like this:

[Screenshot: Trust Settings dialog for CNNIC ROOT, with three trust checkboxes]

Those three checkboxes are the three purposes for which your browser trusts the CNNIC Certificate Authority: identifying Web sites, identifying mail users, and identifying software makers. Uncheck all of the checkboxes and click OK to close each dialog.

Now your browser refuses to trust any certificate that chains to the Certificate Authority operated by the Chinese government: a site presenting one gets a certificate error instead of a padlock. Two caveats. First, the change is stored in your Firefox profile, so it applies only to that profile, and only to Firefox; other browsers on the same machine keep their own trust lists. Second, unchecking one entry closes only one path: if the same CA's certificate has also been signed by some other root that you still trust, a chain built through that other root will still validate, so check the Authorities list for any other entry that vouches for it.
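The two points made above, that a browser accepts a certificate for any name as long as it chains to some root in the trust store, and that removing that one root is what breaks the chain, can be reproduced on the command line. The script below is an added example, not code from the original post; it needs only the openssl tool, and every name in it (the two roots, the hostname www.bank.example, the temporary file names) is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway root CA issues a
# certificate for a hostname it has no relationship with, and the chain
# validates for exactly as long as that root sits in the trust store.
# All CA names, hostnames and file names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_root NAME: a self-signed root, standing in for any one of the hundreds
# of roots a browser ships with. Writes $WORK/NAME.key and $WORK/NAME.pem.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf ROOT HOST: ROOT signs a server certificate for HOST. Nothing in
# X.509 itself stops a root from doing this for a name it does not own.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$2" > "$WORK/leaf.ext"
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# check_chain ROOT HOST: validate the leaf the way a browser does, with ROOT as
# the only trusted authority. Both checks must pass: the chain must end at a
# trusted root AND the certificate's name must match HOST.
# Prints "trusted" or "untrusted".
check_chain() {
  if openssl verify -no-CApath -CAfile "$WORK/$1.pem" \
       -verify_hostname "$2" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_root rogue_root      # the root we will later stop trusting
make_root other_root      # an unrelated root that stays trusted
issue_leaf rogue_root www.bank.example   # rogue_root vouches for a site it does not own

echo "rogue_root trusted, name matches:   $(check_chain rogue_root www.bank.example)"
echo "rogue_root trusted, wrong hostname: $(check_chain rogue_root www.other.example)"
echo "rogue_root removed from the store:  $(check_chain other_root www.bank.example)"
```

The first line comes out "trusted": the browser-style check has no way to know that rogue_root had no business signing for www.bank.example. The second is "untrusted" because the name check is separate from the chain check, and the third is "untrusted" because the only thing that ever made the certificate acceptable was the root's presence in the store. Firefox keeps its trust flags in the NSS database inside the profile directory, so the same unchecking can be done from the command line with the NSS certutil tool, assuming it is installed: certutil -M -n "CNNIC ROOT" -t ",," -d <profile directory>, where the empty trust string means no trust for any of the three purposes and the profile directory is yours to fill in.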

1 comment:

  1. Good to know about it. A digital signature is used for security purposes, so that anything unauthorized can't gain access to authorized things. It is a cryptographic code consisting of a hash, to indicate that data has not changed.
     digital signature software
