BJCA (Beijing Certificate Authority Co., Ltd.) has submitted a request to add its CA root certificates to Mozilla's CA Certificate Program, which means they would be trusted by all browsers developed by Mozilla, including Firefox and Tor Browser. The two certificates are named BJCA Global Root CA1 and BJCA Global Root CA2.
However, some people, especially those living in mainland China, are worried about their security because of the scandals involving CNNIC (China Internet Network Information Center) and WoSign.
Here we review those scandals and explain what people are worried about.
What is a CA
A CA is in fact an indispensable part of today's Internet infrastructure. The background knowledge is asymmetric cryptography, which not only keeps your data, such as your bank accounts and personal photos, safe in transit on the Internet (here your browser encrypts the data), but also decides what kind of software, such as drivers and system updates, your computer can trust (here the developer signs the software). I don't want to go into the details, but when you use asymmetric cryptography you need to trust the certificate presented by the server or the developer, and the party who decides that trust relationship is the CA.
First, a CA persuades Internet giants like Google, Apple and Microsoft to add its root certificate to their browsers and operating systems. When somebody applies for a certificate, the CA needs to confirm the applicant's identity and then issues a certificate signed by the CA's root certificate to the developer or website owner (the real situation is more convoluted, because a CA can issue another certificate, an intermediate certificate, with the same function as the root certificate). Finally, when users surf the Internet, their browsers check whether the websites' and software's certificates were issued by a known CA.
What did CNNIC do
CNNIC used to be a trusted CA, and it issued an intermediate certificate with a 2-week lifetime to a company called MCS so that they could test their new firewall. When a staff member deployed the certificate on the firewall and then visited google.com in Chrome, the firewall signed a fake certificate for google.com, which allowed the firewall to decrypt all the data between him and google.com (a MitM attack). However, Chrome noticed it was a fake certificate and reported it to Google.
Finally, Google decided to remove trust in the CNNIC root certificate from all its products, and then Mozilla, Microsoft and Apple followed.
What did WoSign do
Someone found a deadly bug in WoSign's system. When he tried to apply for a certificate from WoSign for www.med.ufc.edu, he mistakenly typed www.ufc.edu, and to his surprise WoSign accepted his application and successfully issued the certificate.
He then tried github.com, because GitHub lets users use subdomains like xxx.github.com and xxx.github.io. Sure enough, he got certificates for github.com and github.io. After he reported the issue to WoSign, WoSign revoked only the github.com and github.io certificates, not the one for www.ufc.edu, which means WoSign's management was poor and they did not even notice that their system had a fatal flaw. They also engaged in vicious competition, for example sending emails to website owners to intimidate them into not using free Let's Encrypt certificates.
In the end, as with CNNIC, Google, Apple and Mozilla removed trust in WoSign's root CA.
Why it's more dangerous for users in mainland China
As we all know, China has deployed the Great Firewall (GFW) to censor Internet traffic to other countries, and ISPs and even public DNS providers help to poison DNS resolution results in order to block websites like Twitter, Google and Facebook, and even GitHub. We also know that China's government may have the power to obtain any information from companies based in China. What if the government redirected your Gmail traffic to the GFW, and what if it performed a MitM attack at the GFW using a certificate from a CA it controls? There would be no warning from any of your browsers or email clients, because you already trust their root certificate. Your emails, account passwords and browsing history would be exposed to the national censorship machine.
What should we do
So far, Mozilla has accepted five CAs from mainland China: CFCA, GDCA, SHCA, iTrusChina and the forthcoming BJCA. Almost all operating systems trust CFCA, yet almost no websites use certificates issued by these CAs. Therefore, for people living in China, especially social activists and journalists, I strongly recommend the following steps. If you're not using iOS, you can simply look up how to delete these certificates from Mozilla's products. You should also disable them in your OS and add them to the untrusted list (on Windows and macOS). Just Google it; it's very easy!
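To make the chain-of-trust point from the "What is a CA" section and the advice above concrete, here is an added example (written for this page, not code from BJCA, Mozilla or any CA): it uses the openssl command-line tool to create a throwaway root CA and a leaf certificate, then verifies the same leaf against a trust store that contains that root and against one that does not. The CA name "Example Root CA", the hostname www.example.com and "Some Other Root" are made up for the demonstration.

```shell
#!/bin/sh
# Added example: shows that a certificate is accepted exactly when the root
# that signed it is in the trust store, which is why removing a root from
# your browser or OS brings the warning back. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_pki() {
  # Throwaway self-signed root CA (stands in for any root a browser trusts).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Root CA" -days 30 2>/dev/null
  # Leaf key and signing request for a made-up hostname.
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.com" 2>/dev/null
  # Issue the leaf, signed by the root CA's private key.
  openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -out leaf.pem -days 30 2>/dev/null
  # A second, unrelated root: what the trust store looks like once the
  # user has removed "Example Root CA" from it.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
    -subj "/CN=Some Other Root" -days 30 2>/dev/null
}

# verify_with_trust <trusted-roots-file>: prints "accepted" or "rejected".
# -no-CAfile/-no-CApath keep the system store out of the decision so the
# given file is the only trust anchor considered.
verify_with_trust() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" leaf.pem \
      >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_pki
RESULT_TRUSTED=$(verify_with_trust root.pem)     # root in store
RESULT_UNTRUSTED=$(verify_with_trust other.pem)  # root removed from store
echo "root trusted:   $RESULT_TRUSTED"
echo "root untrusted: $RESULT_UNTRUSTED"
```

The leaf certificate never changes between the two runs; only the trust store does, and that alone flips the result.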