
Revoking Trust in one CNNIC Intermediate Certificate

Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices and the agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox, which will be shipping in Firefox 37.

Issue
China Internet Network Information Center (CNNIC), a non-profit organization administered by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two-week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program.

Impact
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to CNNIC’s customer’s internal network.

Status
Mozilla is adding the revoked intermediate certificate that was mis-used in the firewall device to OneCRL which will be shipping in Firefox 37. Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated their procedures, and using name constraints to constrain the CA’s hierarchy to certain domains.
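
The name-constraint response mentioned above, sketched as an added example (not Mozilla's or NSS's code): it applies RFC 5280 dNSName permitted and excluded subtrees to the names in a leaf certificate, and shows that an unconstrained intermediate, like the one in this incident, rejects nothing. The certificate dictionaries, subjects and domains are constructed placeholders, and the chain model is a simplification that skips real X.509 parsing.

```python
# Added illustration (not Mozilla's code): RFC 5280 dNSName name constraints
# evaluated over a simplified chain. Every certificate here is constructed.

def dns_in_subtree(name, base):
    """True if `name` equals `base` or adds whole labels to its left side
    (RFC 5280 section 4.2.1.10). `base` is written without a leading dot."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return base == "" or name == base or name.endswith("." + base)

def check_chain(intermediates, leaf_dns_names):
    """Return (ca_subject, dns_name, reason) for each constraint violation.
    Each intermediate is a dict: 'subject', optional 'permitted'/'excluded'."""
    violations = []
    for ca in intermediates:
        permitted = ca.get("permitted")      # None: no permitted-subtree limit
        excluded = ca.get("excluded", [])
        for name in leaf_dns_names:
            if permitted is not None and not any(
                    dns_in_subtree(name, b) for b in permitted):
                violations.append((ca["subject"], name, "outside permitted"))
            if any(dns_in_subtree(name, b) for b in excluded):
                violations.append((ca["subject"], name, "inside excluded"))
    return violations

def unconstrained(intermediates):
    """Subjects of intermediates that can issue for any DNS name."""
    return [ca["subject"] for ca in intermediates
            if ca.get("permitted") is None and not ca.get("excluded")]

# Constructed samples: one intermediate with no constraints, one limited to a
# placeholder domain with an excluded subtree.
OPEN_CA = {"subject": "Constructed Unconstrained Intermediate"}
LIMITED_CA = {"subject": "Constructed Constrained Intermediate",
              "permitted": ["example.cn"],
              "excluded": ["internal.example.cn"]}

if __name__ == "__main__":
    names = ["www.example.cn", "mail.example.com", "badexample.cn",
             "db.internal.example.cn"]
    print("unconstrained:", unconstrained([OPEN_CA, LIMITED_CA]))
    print("via open CA:", check_chain([OPEN_CA], names))
    for v in check_chain([LIMITED_CA], names):
        print("rejected:", v)
```

Matching is done on whole labels, so `badexample.cn` does not fall inside a constraint on `example.cn`.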

End-user Action
We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases of Firefox (including Firefox 38 ESR) will contain OneCRL, which will be used for this certificate revocation and for future certificate revocations of this type.

Credit
Thanks to Google for reporting this issue to us.

Mozilla Security Team

96 comments on “Revoking Trust in one CNNIC Intermediate Certificate”

  1. kenny.wke wrote on

    Remove it! CNNIC is controlled by the Chinese gov, Chinese people do NOT trust CNNIC and the gov!

    1. raire wrote on

      yes, remove it

  2. Chinese people wrote on

    Remove it! CNNIC is controlled by the Chinese gov, Chinese people do NOT trust CNNIC and the gov!

  3. antigfw wrote on

    REVOKE CNNIC CERTS!

    CNNIC is an official authority of China Communist Party!! It will FUCK UP your country’s security system and hacking !!!

    Chinese hackers have hacked many targets in western world, for your national security, remove communist certs NOW!

  4. chinese wrote on

    Remove it! CNNIC is controlled by the Chinese gov, Chinese people do NOT trust CNNIC and the gov!

  5. fuckgfw wrote on

    REVOKE CNNIC CERTS!
    CNNIC is an official authority of China Communist Party!! It will FUCK UP your country’s security system and hacking !!!
    Chinese hackers have hacked many targets in western world, for your national security, remove communist certs NOW!

  6. aManInchina wrote on

    Remove it!

  7. kidke wrote on

    remove communist certs NOW!
    please!

  8. GRD.FBX.GFW wrote on

    Please remove CNNIC, thank you!

  9. remove CNNIC wrote on

    CNNIC is controlled by the Chinese government, I don’t trust it. Please remove it.

  10. rrrr wrote on

    Remove it! CNNIC is controlled by the Chinese gov

  11. #542689 wrote on

    We’ve warned you 4 years ago.

    https://bugzilla.mozilla.org/show_bug.cgi?id=542689

    1. lasdjfkasjfd wrote on

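      We told you long ago, and you wouldn’t listen. Remove the several other Chinese certificates too, and the Hong Kong certificates may also be dangerous.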

    2. mz wrote on

      Told U!

  12. HW wrote on

    CNNIC must be REVOKED. CNNIC is under the control of the Chinese government and China has the largest firewall around the world. Secure HTTPS can protect people from the firewall. But from now on HTTPS is not secure any more.

  13. Remove cnnic wrote on

    China Internet Network Information Center (CNNIC), is NOT a non-profit organization.

  14. Dreista wrote on

    Please remove CNNIC certs, thank you!
    We do not trust any organization controlled by the Chinese government.

  15. Neo wrote on

    We said one thousand times to revoke this CNNIC certificate, and you, mozilla and google chrome and opera and other software makers, have done NOTHING!

    SHAME ON YOU!

    We said the wolf will come, and finally came! Is it still not bloody enough to beat the wolf?

  16. REVOKE CNNIC CERTS! wrote on

    REVOKE CNNIC CERTS PLEASE !!!

  17. anonymousz wrote on

    Recommend trusting CNNIC only on *.cn sites. Or there can be issue accessing some Chinese web sites.

    1. pe wrote on

      CNNIC is rarely used even in China, so just remove it.

  18. DAMN.GFW wrote on

    remove it!

  19. Jerry wrote on

    Remove it Plz!

  20. anonymousz wrote on

    Please remove CNNIC, thank you!

  21. NY wrote on

    Stop talking about CNNIC please, that’s totally the fault of this stupid system and policies.

    If CNNIC can issue certificates like this, any other CAs can do this also. Removing CNNIC cannot prevent these issues from happening again.

    If you don’t trust CNNIC, why do you trust GOOGLE? Because you trust America, CIA, FBI?

    1. neko wrote on

      1. Locking up a murderer won’t prevent other people from committing crime but I bet you won’t want to see a murderer running around your house just because of your “everyone can be evil” logic.

      2. Sounds like a murderer trying to plead not guilty by stating that the Americans are dropping bombs in the middle-east. First Google didn’t try to initiate a MITM attack on us, CNNIC did. Secondly we are all well aware of the crap the Americans have done but that won’t justify the shit CNNIC has done (and it’s not the first time).

    2. Leric wrote on

      We call this kind of people 五毛 in China, for they sold their soul for 50 cents/post

  22. Tom wrote on

    Remove it Plz!

  23. hyno111 wrote on

    I hope you can reevaluate the CNNIC issue. Preferably with a detailed report. I’m not saying that it must be revoked, I just hope to see the overall evaluation behind the decision. This would also convince other people on the issue.

  24. 农夫 wrote on

    Sigh, what can I say, I deleted this certificate wherever I had it installed.

    1. GOTOHELL_GFW wrote on

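      I’m currently using Chrome and IE. How can I remove the CNNIC certificates? Nothing under the Communist Party’s control can be trusted, not a single thing!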

  25. Szopen wrote on

    remove it

  26. Realz wrote on

    Something as unreliable as CNNIC never deserved to be trusted in the first place. I hope it gets added to the blacklist.

  27. Galaxy wrote on

    Please allow user to lower or turn off cert check on dot cn sites, as most of them will require user to trust their own ROOT cert. Especially the Chinese Banks and railway system !

    The Chinese people have to use Chinese bank services, but those Root Cert should only be trusted within Chinese sites.

  28. Anonymous wrote on

    The last time this happened, Mozilla issued a statement that they would no longer allow CAs to issue CA=TRUE intermediate certificates for this kind of purpose, that any CAs doing so should immediately revoke them and come forward immediately, and that any CA not doing so within a given grace period (IIRC a few months) would be removed when discovered. That grace period has long since passed. So why is the intermediate certificate being removed but not the top-level CA that knowingly issued it?

  29. ohalucky wrote on

    This day came too late; Mozilla should never have added CNNIC’s certificates in the first place.

  30. noGFW wrote on

    PLEASE revoke CNNIC certs. We DO NOT trust it, and the PRC gov. Thank YOU

  31. lee wrote on

    I am Chinese, and I don’t trust CNNIC. So tell your boss and remove it. But the problem is, only five million or less Chinese people use the Firefox browser. How can Mozilla tell Google and Microsoft to remove the certs too?

  32. mine260309 wrote on

    Please just remove all CNNIC’s Certificates!

  33. Tonny wrote on

    Remove CNNIC certs please, this is controlled by the Chinese government, and this government has carried out known MITM attacks several times.

  34. Agni wrote on

    Please revoke it!
    CNNIC is rarely used. It has little effect to revoke it!
    Chinese hackers have been found hacking into important western targets many times! Even for your website security, CNNIC should be revoked!

  35. anonymousz wrote on

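    This day came too late. When Firefox added CNNIC to the CA roots, it made no difference how many people objected.
    Now the evidence has finally been caught. Firefox should be extremely careful when adding new CAs. A CA should not be added just because no evidence against it can be found.

    FINALLY CNNIC CA got Revoked!!!
    NEVER ADD IT BACK AGAIN!!!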

  36. 科学上网www.jubushoushen.com wrote on

    that makes me sick

  37. kkk wrote on

    if you really want to do the right thing, just remove it.
    if you really remove it, you will be the force of internet development of china, thank you.

  38. dangge wrote on

    Please revoke it!

  39. No political rightness please wrote on

    Mozilla please revoke the CNNIC, we all know it’s questionable back to 2007 when it first showed up in mailing list.

  40. Kurumi Tokisaki wrote on

    Revoke CNNIC ROOT, please!

  41. zz wrote on

    CNNIC must die

  42. smileawei wrote on

    Please remove the CNNIC ROOT CA we have reason to believe it will do some damage to the security thing. Pleaded again. For Internet Freedom

  43. wtm wrote on

    Revoke CNNIC ROOT, please!!!!

  44. aafsdaf wrote on

    CNNIC must be REVOKED. CNNIC is under the control of the Chinese government and China has the largest firewall around the world

  45. Jeff Wang wrote on

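    Great news, everyone is celebrating! I’ve Been Cheer Up!
    CNNIC is a second nameplate for the Computer Technology Center of the Chinese Academy of Sciences.
    CNNIC is an alias name of the Computer & Technology Center, China Academy of Science.
    The Chinese Academy of Sciences is controlled by the Communist Party.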
    CAS is completely controlled by CPC, which has made the biggest firewall in the world!

  46. Raymond wrote on

    Trusting CNNIC jeopardizes the privacy of all Internet users in China, not just Chinese citizens, visitors in China are also facing such problem. Revoke CNNIC of root CA please.

  47. Alamo wrote on

    Remove it you bastards!

  48. VYSE wrote on

    TOLD U!
    NOW IT’S TIME TO RESOLVE THIS!
    https://bugzilla.mozilla.org/show_bug.cgi?id=542689

  49. jswxdzc wrote on

    Please revoke CNNIC certs.

    Such a shame to see this, some people just laugh at us because they think there is nothing to worry about. In fact, they are wrong.
    It is the gov’s puppet, so I never support it.

  50. cc wrote on

    Revoke it please.
    It should not be trusted when we argue about whether to add it to built-in root-ca, now this happens.
    I do not think it is a fault of its customer, as all we know, the Chinese Great Firewall especially wants to intercept internet traffic(such as Gmail) of those who often talk about human-rights or democracy and keep it as a proof to arrest them secretly or publicly. I think a CA should never help others do such thing.
    It’s an unforgivable fault to sign such cert. It’s time to revoke it.

    1. cc wrote on

      Also, the sites who use this cert as root-ca are very rare.
      If you use Google to search “CNNIC 证书” (“证书” means certificate), the results will be how to mistrust it on PC.
      CNNIC’s ca is widely seen as a cert that should never be trusted.

  51. Bernd Graumann wrote on

    Keep it. Then maybe more people will notice how broken the whole certificate system is. Also add Honest Achmed’s CA. At least they are honest.

  52. GFW wrote on

    Innocent until proven guilty.
    While this may not be “proven guilty”, but at least you should put CNNIC on “probation”.
    Also, I mean it’s not like there’s many ppl in China that’s actually using Firefox, so there’s no point trying to appease to the “Chinese market”.

  53. qian wrote on

    remove it u idiots, u should have removed it 5 years ago !

  54. wuhan wrote on

    I’m a Chinese from China Mainland, I and my friends don’t trust the CNNIC which is controlled by the Communist Party. So many civilians are censored by the Party for about 10 more years. As a Chinese, I have to appeal to remove the CNNIC from Firefox. Thank you all very much!

  55. Mark R. wrote on

    I have Thunderbird configured to use SSL for my POP3 and SMTP connections. It sounds like the vulnerability would affect any application using SSL, not just Firefox. So Thunderbird would also be affected.

    Your statement, “Mozilla is adding the revoked intermediate certificate that was mis-used in the firewall device to OneCRL which will be shipping in Firefox 37” sounds like you’re only making the fix to Firefox, and Thunderbird will still be left vulnerable.

    Please fix all of Mozilla’s SSL-using applications, not just Firefox!

  56. Sok Puppette wrote on

    Since you are acting as a proxy for the user, you should be trying to implement the user’s preferences as best you can determine them. And what you have heard from the overwhelming majority of your users, since before you ever put CNNIC in the list, is that NOBODY TRUSTS CNNIC. Not in China and not in the rest of the world. Drop them. Permanently. With no chance to reapply. End of story.

    Regardless of any other consideration, you have no business carrying a CA that the majority of your users obviously distrust.

    Furthermore, even for CAs your users DON’T actively distrust, “innocent until proven guilty” is an idiotic policy. The right policy for CAs is “better damned well be above suspicion”. The goal here is not to be fair to the CA. The CA’s interests are not important. The goal is to protect the user. That means that more than average reason to suspect that a CA is malicious OR incompetent, that CA should be out of the list. And this kind of screwup is definitely such a reason to drop CNNIC.

    And, while you’re at it, stop dumping in every random company that wants to go into the CA business and can pass an audit. You’re under no obligation to enable them. Only accept CAs when it will help your users in some articulable way. And get off your butts and implement DNSSEC and DANE.

  57. Noname wrote on

    You can trust CNNIC if and only if you are more than happy to trust NSA and its Prism.

  58. CNNIC vs 3721 vs baidu tb vs sogou tb wrote on

    In china, CNNIC is famous for its rootkit spyware/adware.

  59. please_remove_cnnic wrote on

    CNNIC is controlled by gov, please remove it. I, Chinese, don’t trust CNNIC nor gov

  60. xioxin wrote on

    For the safety of Chinese people, delete all certificates held by the Chinese government

  61. fuckgfw wrote on

    we never trust CNNIC, thus please, again, remove it!

    you had been warned again and again…

    https://bugzilla.mozilla.org/show_bug.cgi?id=542689

    https://bugzilla.mozilla.org/show_bug.cgi?id=476766

    https://bugzilla.mozilla.org/show_bug.cgi?id=607208

    but your guys said that CNNIC CA fully meet the requirement of providing SSL certificate service. it is just like a joke!

  62. fuck gfw wrote on

    PLEASE revoke CNNIC certs. We DO NOT trust it, and the PRC gov. Thank YOU

  63. zhan wrote on

    please remove the CNNIC certificate,

  64. CNNIC admin wrote on

    PLEASE revoke CNNIC certs. We DO NOT trust it, and the PRC gov. Thank YOU

  65. thesunfei wrote on

    Just remove CNNIC certificate,we don’t need it and it’s dangerous.

  66. Shura wrote on

    PLEASE revoke CNNIC certs. We DO NOT trust it, and the PRC gov. Thank YOU

  67. zh wrote on

    remove it plz.

  68. rommel wrote on

    PLEASE revoke CNNIC certs. We DO NOT trust it, and the PRC gov. Thank YOU

  69. jixiao wrote on

    REVOKE CNNIC CERTS please, please, please!!!

    please help Chinese from CNNIC and spy!!!

    help us, please!!!

  70. RainFlying wrote on

    In China we all know CNNIC is under direct control of the Chinese Government.
    The first thing every IT specialist does after installation of operating system is to revoke the CNNIC certificate.
    Please remove CNNIC certificate.

  71. ex_ff_user wrote on

    If you want to put User First, please revoke CNNIC cert. Your priority should be protecting users, especially users who do not have the knowledge to protect themselves. Those users depend on you to make the right decision for them.

  72. Freedom wrote on

    Please REVOKE CNNIC, we don’t need this beach.

  73. 文科 wrote on

    Ha, caught.

  74. Leo wrote on

    Please revoke CNNIC cert

  75. FuckCPC wrote on

    Don’t forget to remove wosign certificate on your Android smartphone!
    This is also from China which could be used to attack.

  76. Shelikhoo wrote on

    Google is the website that many activists in China rely on.

    Since Google is not accessible in China, the explanation given (that it is just be used for interrupt employee’s Internet on a company’s proxy) is NOT credible.

  77. Guan wrote on

    Please consider stop including CNNIC in CA bundle.

  78. 后排 wrote on

    Revoke CNNIC plz!!!

  79. dan wrote on

    please remove the CNNIC CA, again and again, the history of the group tell the poor Chinese it cannot be trusted!

  80. tutugreen wrote on

    It should have been removed long ago.

  81. thanks Google wrote on

    Thanks Google for making me, a Chinese person, feel a bit safe

    English is not good because I’m Chinese. Sorry.

  82. Anonymous wrote on

    Please delete it, thank you very much.
    As a Chinese person, since 2014 encounter MITM attack, GOOGLE is masked, outrageous SRCA (because it is when you buy a ticket, install it only to ensure your information security), I have been very disappointed.

  83. Rick Zhou wrote on

    in China, no one will trust CNNIC if he understands how ssl works. please revoke it.

  84. Print9Screen wrote on

    it should be removed from all systems ( OS , server , client ) , not only from browser.

    1. ando wrote on

      CPC should be removed from the Earth, CNNIC is one of its minions.

  85. Anyone wrote on

    China reports have been deleted, do you think it credible thing?

  86. khasrang wrote on

    It should revoke … Thats what i want 🙂

  87. SAS wrote on

    China Government blocked last few Google’s IPs that were still useful in China mainland, since Google reported this issue.
    Now the rogue China Government has DDoS GitHub, and I believe they will make more troubles under the Human’s bottom line.