Revoking Trust in one CNNIC Intermediate Certificate

Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices and the agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37.

Issue
China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program.

Impact
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to CNNIC’s customer’s internal network.

Status
Mozilla is adding the revoked intermediate certificate that was mis-used in the firewall device to OneCRL which will be shipping in Firefox 37. Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated their procedures, and using name constraints to constrain the CA’s hierarchy to certain domains.

End-user Action
We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases of Firefox (including Firefox 38 ESR) will contain OneCRL which will be used for this certificate revocation and for future certificate revocations of this type.

Credit
Thanks to Google for reporting this issue to us.

Mozilla Security Team

96 responses

  1. thanks Google wrote on :

    thank Google make me,a Chinese people fell a bit safe

    English is not good because i’m Chinese。sorry。

  2. Anonymous wrote on :

    Please delete it, thank you very much.
    As a Chinese person, since 2014 encounter MITM attack, GOOGLE is masked, outrageous SRCA (because it is when you buy a ticket, install it only to ensure your information security), I have been very disappointed.

  3. Rick Zhou wrote on :

    in China, no one will trust CNNIC if he understands how ssl works. please revoke it.

  4. Print9Screen wrote on :

    it should be removed from all systems ( OS , server , client ) , not only from browser.

    1. ando wrote on :

      CPC should be removed form the Earth,CNNIC is one of its minion.

  5. Anyone wrote on :

    China reports have been deleted, do you think it credible thing?

  6. khasrang wrote on :

    It should revoke … Thats what i want 🙂

  7. SAS wrote on :

    China Government blocked last few Google’s IPs that still useful in China mainland,since Google reported this issue.
    Now the rogue China Government has DDoS Github.and I believe they will make more troubles under the Human’s bottom line.

More comments: 1 3 4 5