This is a bit sinister: the China Internet Network Information Center (CNNIC) has been dropping digital certificates into the computers of everyone in China, which could potentially allow them to snoop on your normally secure ‘https’ web-surfing, such as your online banking and email.
CNNIC’s digital certificate, which is probably in your computer right now, has not been proved to be maliciously spying, but it’s a matter of trust. Do you really trust CNNIC, the overlords of the ‘Great Firewall’, to not be potentially peeking into your email, Facebook, Paypal account or online bank? Nope, thought not.
These digital certificates are not viruses or malware; they’re genuine tools that sites use to encrypt and verify information, and are issued by third-party Certificate Authorities (CA). For this CNNIC certificate to be on your computer, it has taken numerous levels of consent: by the web browser makers (Mozilla’s Firefox, Apple’s Safari, Google’s Chrome, Microsoft’s Internet Explorer, and more obscure ones, such as Opera) and by the CA ‘Entrust’, who will have evaluated, accepted and issued CNNIC’s digital certificate.
So, what’s the drama, you ask… Well, in devious hands, these important data snippets can be configured to pry, spy and snoop on your web traffic and private data. A benign digital certificate could turn malicious if remotely reconfigured, so as to tap into a certain user’s encrypted web data. In one other scenario, CNNIC could possibly use this tool in conjunction with the Great Firewall to tunnel into your encrypted web sessions. And, remember, CNNIC has a history of putting malware on people’s machines, hence all the alarm bells ringing over this tiny, new development.
So, let’s get about blocking CNNIC’s ass off of your computer: It’s best not to delete it – it’ll only be re-added – so we’re going to need to ‘never trust’ it in your computer’s settings. Then, you’ll be safe and unsnooped upon. It’s pretty easy, taking it step-by-step…
Mac: Safari and Chrome
This applies only to the Safari and Chrome web browsers (Firefox needs to be done separately, in its own settings; see below). First, use Spotlight to search for the Keychain Access app (or, find it in Applications > Utilities folder) and launch it. Now, in the Keychain Access app search-box you should type CNNIC, and if their digital certificate is on your laptop, you will see 1 or 2 of them. If there’s nothing, that’s good. But, if you have 1 or 2 of the little buggers, this is what to do next: right-click on one of the digital certificates and select Get Info. A new window will appear; in this, click on the little arrow to the left of the word “Trust” so that more options are revealed. Now, in the first drop-down box you should select “Never trust” which’ll cause all the other drop-down boxes to also change to ‘Never trust’. Now that certificate is never, ever trusted, and will not be re-added since it already sits there. Repeat on the 2nd, if there is one.
To check that it has worked, quit your browser(s), and then restart a browser and go to the website https://www.enum.cn where now a warning should appear saying that the site’s digital certificate is not trusted. If so, that’s great. If not (and the website loads normally), repeat the instructions more carefully.
Firefox (Windows, Mac, Linux)
First go to the Firefox ‘Preferences’ (on Mac), which is called ‘Options’ (I think) on Windows. Then, click the Advanced tab, then the Encryption tab, then click ‘View Certificates’. Next select the Authorities tab, and scroll down to find the CNNIC entry. Highlight the certificate, and then lower down click on the ‘Edit’ button, and in here you should now uncheck all the checkboxes, then click ‘Okay’. OK, that’s one blocked. Also scroll down to the Entrust.net entry, and see if there’s another CNNIC one in there. There’ll either be 1 or 2 in total. If there’s another one, repeat the above instructions.
To check that it has worked, quit Firefox, and then restart it and go to the website https://www.enum.cn where now a warning should appear saying that the site’s digital certificate is not trusted. If so, that’s great. If not (and the website loads normally), repeat the instructions more carefully.
Windows: Internet Explorer
I’m afraid I don’t have a clue how to do it on IE. And, seriously, with all the holes and bugs in IE, you should be thinking about ditching it for Firefox, pronto. But the Chinese blogger and techie Felix Yan, who first alerted me to this whole situation with his detailed blog post on the issue, has a step-by-step guide for Internet Explorer, though it’s all in Chinese, over on his site. Here’s the link for it.
The Google Chrome browser, for some reason, utilizes the digital certificates stored inside Internet Explorer, so you’ll also need to refer to Felix’s instructions for how to block CNNIC inside IE.
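The Keychain and Firefox steps above both come down to finding every CA entry that names CNNIC, including one filed under another issuer such as Entrust.net. The script below is an added example, not part of the original post, that runs the same search over a certificate list. The helper names and the sample store are constructed for illustration. It reads only a PEM bundle you give it (for example, one exported from your certificate manager), not the browser's live trust settings.

```python
import ssl

def _flatten(name):
    """Turn the nested name tuples used by the ssl module into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def find_ca_entries(ca_certs, needle="CNNIC"):
    """Return (subject CN, issuer organisation, kind) for each CA naming `needle`.

    `ca_certs` is a list of dicts shaped like SSLContext.get_ca_certs() output.
    """
    hits = []
    for cert in ca_certs:
        subject = _flatten(cert.get("subject", ()))
        issuer = _flatten(cert.get("issuer", ()))
        if not any(needle.lower() in value.lower() for value in subject.values()):
            continue
        # Same subject and issuer: a root. Otherwise it is vouched for by
        # another CA and will be listed under that CA's name.
        kind = "self-issued root" if subject == issuer else "issued by another CA"
        hits.append((subject.get("commonName", "?"),
                     issuer.get("organizationName", "?"), kind))
    return hits

def entries_from_bundle(pem_path, needle="CNNIC"):
    """Search a PEM bundle of CA certificates (path supplied by the caller)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    return find_ca_entries(ctx.get_ca_certs(), needle)

def _name(org, cn):
    return ((("countryName", "CN"),), (("organizationName", org),),
            (("commonName", cn),))

# Constructed sample store (not real certificates): one root, one entry
# issued under an Entrust.net name, and one unrelated CA.
SAMPLE_STORE = [
    {"subject": _name("CNNIC", "Sample CNNIC Root"),
     "issuer": _name("CNNIC", "Sample CNNIC Root")},
    {"subject": _name("CNNIC", "Sample CNNIC Intermediate"),
     "issuer": _name("Entrust.net", "Sample Entrust Server CA")},
    {"subject": _name("Example Trust", "Example Root"),
     "issuer": _name("Example Trust", "Example Root")},
]

if __name__ == "__main__":
    for cn, issuer_org, kind in find_ca_entries(SAMPLE_STORE):
        print(f"{cn}: listed under {issuer_org} ({kind})")
```

Two hits on the sample store correspond to the "1 or 2" entries the steps above tell you to look for; each one found has to be set to untrusted separately.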