
They've got like tons of CAs.

In China, it's very common for websites to ask people to trust their self-issued certificates. If you want to buy train tickets in China, you end up with this page (https://kyfw.12306.cn/otn) which asks you to trust its own cert.


Yes, big companies in China like Alibaba (Taobao, Alipay) will install their root certification authority (and enable all purposes by default) on your computer without any notification when you install their security control software (it's required if you want to use their software). This is worse than 12306.


Ah, so there's an expectation amongst Chinese users that a self-signed cert is sufficient? Well.


I mean, what would you do? If you want the train ticket, you have to accept those terms. And you need the train ticket.


Billions of people. For sure.

This AM an electrician comes over, a guy in his early 30s (not an old timer); he has a new iPhone and doesn't know how to sync and get the old stuff onto the new iPhone. Doesn't even know that Apple can help him with that. For computer things he relies on his brother-in-law, "the computer guy". Thinks Dell makes great "computers". "Don't they?" he says to me. Doesn't even really understand the difference between Mac OS and Windows. [1]

Point being there are tons of people out there that you could get to do practically anything. And they don't know the difference between one warning dialog box and another. It's just all a mashup to them.

[1] Add: By that I mean he isn't aware that there is even a difference, any more than Coke vs. Pepsi is different.


And the NSA, China, and every other politically motivated actor is actively looking for the blithely unaware 70 year old virologist who happens to work on dual-use agents.


This AM, a software developer comes over to fix my computer. He had just bought a new dimmer for his living room lights. Doesn't even realize that you can't use a conventional dimmer with compact fluorescent lights. "They are the same, right?" [1]

[1] Add: By that, I mean he isn't aware of the things he isn't aware of.

Ease up on the geek rhetoric until you walk in his shoes.


I didn't infer any judgement being made. I read it as an example of a common level of security knowledge, not a criticism.


Way to miss the point. There is no time where we are expected to understand the subtle differences of dimmers. Users of computers are quite frequently expected to know which operating system they have when following instructions just for operating a computer. They will also encounter certificate errors in day-to-day operations.


They shouldn't be expected to know that though. The problem is that software developers haven't managed to figure that out and just make things work for their customers the way electricians have. Can you imagine if you went to the store to pick up a replacement light bulb and you had to look up whether your house used AC or DC? It's such a basic difference, everyone should know, right?


You could go to the train station (I've never bought a train ticket online there).


Here's some historical background on trains in China. (I realized that I have to start from the Hukou policy so that I can tell a reasonable story. Please bear with me.)

TL;DR: this is what a train station looks like before Chinese New Year [1].

Let's start from the Hukou policy: every Chinese citizen is required to register their information with the government and has to provide a permanent address. This looks similar to most other countries. But it goes quite far beyond a simple registration. Your Hukou is associated with a permanent address and, in many cases, you are only allowed to do many critical things within the city of your permanent address. For example, your child cannot go to the local schools outside their Hukou address. Changing your address on your Hukou is very hard and usually happens only in some cases: 1. When you go to university, you are allowed to temporarily move your Hukou to the university's city; 2. If you find a job in another city and your employer is willing to help you relocate your Hukou address; 3. You have been married to a local person for several years. Basically, you can understand Hukou as a domestic visa. There are two types of Hukou: Farmer Hukou and City Hukou. Basically, they have different benefits/restrictions. Similar to F1 visa, H1B visa, etc.

Well, why do I mention this? Here is some history. 30 years ago, the majority of the Chinese population were farmers. To build cities, you have to let those farmers live in the city and do lots of construction work. Due to the Hukou policy, people are not allowed to permanently migrate, esp. changing their Hukou status from Farmer to City. But there are more opportunities in cities and people can make more money. So gradually, there emerged a large group of people whose Hukou address is outside the city but who work in the cities. Their family has to stay in their home town, otherwise their children cannot go to school in the cities.

Every year, people who work outside their home town will try to go back during Chinese New Year. Because of the fact I mentioned above, there's a huge number of people. They have to take trains (which are cheaper than flying). Such yearly migration is quite large, ~3.3B tickets in 2014 [0].

Oh, and here is the answer to your question: going to the train station is really not an option. It's like Black Friday, but on a much larger scale. People have to wait outside for even weeks to get a ticket. To some extent, the online ticket system helps. However, because the throughput of the train system is limited, it's still hard to get a ticket.

0. http://en.wikipedia.org/wiki/Chunyun
1. https://www.google.com/search?q=%E6%98%A5%E8%BF%90&espv=2&so...


I agree with everything you've written. But for other readers, I would like to clarify that changing Hukou isn't very complex for most cities when a purchase of property is made.

Not that buying property is necessarily easy for a migrant worker, but for most cities an 80 square meter property should be enough. Outside of Beijing/Shanghai/Shenzhen that's about a million Yuan.

Just wanted to add some clarification / quantification for a casual reader.


Inside Shenzhen, I'm currently renting an 80 square meter apartment. It cost my landlord 4 million yuan and he and his wife made a 50% down payment. I understand in Beijing it's much, much more expensive. The economic divide in this country is insane.


A million Yuan is $163,000 US dollars, and 80 square meters is 860 square feet. I would imagine that is just about impossible for a migrant worker to manage.


To be fair, I don't personally trust the root CAs that my browsers and OS's trust. There are hundreds of them, from many countries. I think it's a reasonable expectation that at least some are corrupt.

Unless I trust each CA, their processes and every employee who could circumvent them, the current CA infrastructure is inherently unsafe. Self-signed certificates are only marginally less trustworthy (rather than having to compromise a CA, a bad actor would simply have to generate a new certificate and hope that I don't check the fingerprint - and I wouldn't check it).


Yes, there was a very large European root CA that was compromised and was actively being used for MITM attacks, except this time the web browser address bar would still "turn green". Which is pretty much as bad as it gets.

Root CAs are not really trustworthy. Manually trusting a self-signed cert is, probably, more secure in the long term. You take control of trust, rather than delegating it out to some faceless corporation who can be corrupted or hacked.


The issue is how to know when the self-signed cert is trustworthy. I agree that the root CA trust system is not the answer, and web of trust doesn't work in practice, but I don't know how we can know if a self-signed cert is trustworthy in the first place, besides doing out-of-band fingerprint verification (assuming the sideband isn't also compromised).

That said, I'd be more inclined to trust a self-signed cert over a CA-signed one. I don't even know half the CAs that my device trusts, and some I recognise (government ones) I explicitly wouldn't trust.
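As an added example (not code from anyone in this thread), here is the out-of-band fingerprint check that the two comments above rely on, written as a small trust-on-first-use pin store in Python: the pinned SHA-256 fingerprint is what you would confirm through a sideband, and a later connection that presents a different certificate is rejected instead of silently accepted. The host name and the certificate bytes are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import ssl
from typing import Dict

# Hypothetical pin store: host -> SHA-256 fingerprint of the DER certificate,
# recorded only after the fingerprint was verified out of band.
PinStore = Dict[str, str]


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER bytes as lowercase hex; the same value
    `openssl x509 -fingerprint -sha256` prints, minus the colons."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept the colon-separated, upper-case form that gets read out over the phone."""
    return fp.replace(":", "").strip().lower()


def check_pin(store: PinStore, host: str, der_cert: bytes,
              trust_on_first_use: bool = False) -> str:
    """Compare the presented certificate with the fingerprint pinned for host.

    Returns "match", "mismatch", "pinned" (first use, fingerprint recorded) or
    "unpinned" (first use, but the caller did not allow trust-on-first-use).
    "mismatch" is the case the thread worries about: a freshly generated
    certificate presented in place of the one that was verified out of band.
    """
    seen = fingerprint(der_cert)
    expected = store.get(host)
    if expected is None:
        if not trust_on_first_use:
            return "unpinned"
        store[host] = seen
        return "pinned"
    # Constant-time comparison so the verdict does not leak a byte at a time.
    return "match" if hmac.compare_digest(normalize(expected), seen) else "mismatch"


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate; no root CA is consulted. Not used offline."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# Constructed stand-ins for DER certificate bytes (not real certificates).
GOOD_CERT = b"constructed-der-bytes-for-the-cert-verified-out-of-band"
SWAPPED_CERT = b"constructed-der-bytes-for-a-newly-generated-cert"
```

In real use, `fetch_der_cert` supplies the bytes for `check_pin`, and the first-use fingerprint is only kept after it has been compared against one obtained through another channel.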


My understanding is that CAs have been compromised for a while now. Does no one remember the RSA scandal and the NSA's manufactured hash collisions through deliberate injection of vulnerabilities into random number generators? I may be off a bit but I recall the revelations basically concluding the whole system was compromised at the fundamental level.


Do you have any links or sources?

I too remember something like that, but was under the impression that CAs are still ok.

But of course, judging by the massive downvoting you've gotten, I suppose you're incorrect. I wish those downvoters would explain their viewpoint rather than downvoting...


You're thinking of https://en.wikipedia.org/wiki/Dual_EC_DRBG which wouldn't affect the secrecy of private keys.


There's no reason to go to so much trouble when plenty of common root CAs are using MD5 or even MD2 signatures.


Half of the government sites in Spain also use self-signed, including payment sites.


iCloud is not the only victim here. Google's IPv6 access has been suffering the same attack since September. (IPv4 access has been blocked entirely for 5 months.)

It's not shocking news, however. Apple has already moved [1] some of its storage servers to Beijing. The attack could just be the authorities making sure that Chinese users' iCloud data is actually stored in China.

[1] http://techcrunch.com/2014/08/15/apple-taps-china-telecom-as...


So China is double-dipping? I was hoping that post-Snowden, this kind of request from some countries that companies need to store data locally, to make sure the data isn't taken by the US government, would encourage companies to encrypt the data end-to-end (client-side), before they get it into their clouds. Then nobody could complain about the data not being safe from the US government. It should be safe since even the company shouldn't have access to it.

I realize this isn't the real reason why China told Apple to build a datacenter there, but that's the one they used publicly, and as long as the company itself can get access to that data, then the argument is a pretty plausible one, even from China. Apple, Google and others could weaken this argument by adopting end-to-end encryption for their services.

Unfortunately, it seems the companies decided to keep the data as is, but build the data centers in Russia, China and wherever else they might ask them to do it.


Apple implemented not-exactly-end-to-end encryption on phones and the FBI publicly complained. Implementing effective encryption would most likely result in threats of a ban by the Chinese government. See http://www.wired.co.uk/news/archive/2013-07/11/blackberry-in...

Ultimately there's only so far you can go against the wishes of the Chinese government when your factories are there, or against the US government when your HQ is there.


Apple products are already banned for Gov usage.

http://www.reuters.com/article/2014/08/06/us-china-apple-idU...



This is one of the reasons why I will probably never again do a hardware start-up.


Lemme give you a counter example. The Chinese copied the Neato or iRobot Roomba; their hardware was even superior and the price was 30% as much, but it ultimately failed as a product, because the route planning algorithm is complete shit. You often found it stuck or running out of power.

Neato or iRobot do not sell in China; Chinese users actually pay extra to get one. And they are happily doing so.

The moral of the story? The Chinese cannot copy the soul of your product.


Kind of surprising that they did not manage to obtain the routing algorithm of the Roomba.


Or at least add a barrier, like a cloud-provided service component.


Not sure how much that would help even.

Look at the Misfit Shine (http://store.misfit.com/), great product, beautiful device. Then a few weeks ago I get this in the email from DX: http://www.dx.com/p/otium-shine-1-1-ipx7-bluetooth-v4-0-smar...

It is obviously the same product, they are even using the same marketing photos.

Now here is the twist, they sort of did their own hacked version of the Shine App, and even released it to the AppStore.


I'm from China and I just don't know how to refute your last line. Google has been blocked for about half a month now, but average people would not feel a thing about it.

That's just sad.


I think that is because China has such a home-grown ecosystem of Google/Twitter etc. alternatives.

Russia? Not so much I think.


Yandex is the 4th largest search engine in the world and #1 in Russia. I'm pretty sure they have a large local social network as well but the name has slipped my mind.


VKontakte?


But that's not on account of brainwashing; that could be on account of having no need for it. I've lived in China for 5 years and have survived without Google fine. Could also be that most young/modern Chinese have an apathetic split-mind: don't give a shit about Google and don't give a shit about who is blocking them from it or why. They aren't uninformed, they just don't care.

