Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. During traffic inspection it was then used to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by its policies and practices or by its agreement with the customer, and it has revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for pushing revocation information directly to Firefox, which ships in Firefox 37.
Issue
China Internet Network Information Center (CNNIC), a non-profit organization administered by the Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates, which are included in NSS and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two-week validity period, expiring April 3, 2015. Their customer loaded this certificate into a firewall device that performed SSL MITM; when a user inside the customer’s network accessed other servers, the firewall issued certificates for domains that the customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates that chain up to a root certificate in Mozilla’s CA program from being used in this manner.
Impact
An unconstrained intermediate certificate whose private key sits in a MITM device allows the device’s operator to generate a certificate for any website on demand, and so to decrypt and monitor communication between users on their network and any website without triggering browser warnings. An attacker armed with such a fraudulent SSL certificate and the ability to control a victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites that appear to originate from the legitimate domain owners but actually contain malicious content or software. We believe that this MITM instance was limited to the internal network of CNNIC’s customer.
Status
Mozilla is adding the revoked intermediate certificate that was misused in the firewall device to OneCRL, which ships in Firefox 37. Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated its procedures, and using name constraints to restrict the CA’s hierarchy to certain domains.
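The mechanics behind the Impact and Status sections, as an added example that is not part of the original post and not Mozilla’s or CNNIC’s code: a Go program using only the standard library’s crypto/x509 builds a constructed three-certificate hierarchy (root, intermediate, leaf). The names Demo Root CA, customer.test and www.bank.test are invented for the demo and unrelated to the incident. With an unconstrained intermediate, a leaf minted for a host its holder does not control validates cleanly, which is exactly what a MITM firewall relies on; with a name-constrained intermediate the same leaf is rejected by the verifier; and a OneCRL-style blocklist entry keyed on issuer name plus serial number (a simplification of the real OneCRL record) blocks the chain even though every signature in it is valid.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const customerDomain, mitmHost = "customer.test", "www.bank.test" // constructed names; neither relates to the incident
type demoPKI struct{ Root, Intermediate, Leaf *x509.Certificate }

// oneCRLEntry mirrors how OneCRL names a blocked certificate: issuer DN plus serial (simplified).
type oneCRLEntry struct {
	RawIssuer []byte // DER issuer name, compared byte for byte
	Serial    *big.Int
}

// template builds a CA or end-entity template; an end-entity gets cn as its DNS SAN.
func template(serial int64, cn string, validity time.Duration, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(validity),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustIssue generates a P-256 key for tpl and has parent sign it (self-signed when parentKey is nil); inputs are fixed, so a failure is a bug.
func mustIssue(tpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildPKI creates root -> intermediate -> leaf for leafHost; constrained adds a critical name constraint limiting the intermediate to customerDomain.
func buildPKI(constrained bool, leafHost string) *demoPKI {
	rootTpl := template(1, "Demo Root CA", 10*365*24*time.Hour, true)
	root, rootKey := mustIssue(rootTpl, rootTpl, nil)
	intTpl := template(2, "Demo Test Intermediate", 14*24*time.Hour, true) // two-week "test" cert, as in the incident
	if constrained {
		intTpl.PermittedDNSDomainsCritical = true
		intTpl.PermittedDNSDomains = []string{customerDomain}
	}
	inter, intKey := mustIssue(intTpl, root, rootKey)
	leaf, _ := mustIssue(template(3, leafHost, 24*time.Hour, false), inter, intKey)
	return &demoPKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// verify validates the leaf for hostname as a browser would (trusting only the root), then rejects the chain if any certificate in it is on the blocklist.
func verify(p *demoPKI, hostname string, blocklist []oneCRLEntry) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Intermediate)
	chains, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	if err != nil {
		return err // a name-constraint violation surfaces here as CertificateInvalidError{Reason: CANotAuthorizedForThisName}
	}
	for _, c := range chains[0] {
		for _, e := range blocklist {
			if string(c.RawIssuer) == string(e.RawIssuer) && c.SerialNumber.Cmp(e.Serial) == 0 {
				return fmt.Errorf("%q is blocked by OneCRL", c.Subject.CommonName)
			}
		}
	}
	return nil
}

func main() {
	p := buildPKI(false, mitmHost)
	entry := []oneCRLEntry{{p.Intermediate.RawIssuer, p.Intermediate.SerialNumber}}
	fmt.Println("unconstrained:", verify(p, mitmHost, nil), "| constrained:", verify(buildPKI(true, mitmHost), mitmHost, nil), "| OneCRL:", verify(p, mitmHost, entry))
}
```

The first result is nil: nothing in path validation distinguishes a leaf the customer was entitled to from one minted for a bank, which is why an unconstrained intermediate in a MITM box is equivalent to a fully trusted CA. The second fails during chain building, because Go, like Firefox’s verifier, checks every name in the leaf against the permitted subtrees of each CA above it. The third shows why OneCRL matches on issuer and serial rather than on a fingerprint: the revoked intermediate is identified the same way a CRL would identify it, and the check runs after signature validation has already succeeded.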
End-user Action
We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases (including Firefox 38 ESR) contain OneCRL, which will be used for this certificate revocation and for future revocations of this type.
Credit
Thanks to Google for reporting this issue to us.
Mozilla Security Team