Revoking Trust in one CNNIC Intermediate Certificate

Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices or by the agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for pushing revocation information directly to Firefox, which ships in Firefox 37.

Issue
China Internet Network Information Center (CNNIC), a non-profit organization administered by the Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate (one carrying no name constraints, so it could sign for any domain) that was labeled as a test certificate and had a two-week validity period, expiring April 3, 2015. Their customer loaded this certificate into a firewall device that performed SSL MITM; when a user inside their network accessed other servers, the firewall issued certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program.

Impact
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without triggering any browser warnings. An attacker armed with a fraudulent SSL certificate and the ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites that appear to originate from the legitimate domain owners but actually serve malicious content or software. We believe that this MITM instance was limited to CNNIC’s customer’s internal network.

Status
Mozilla is adding the revoked intermediate certificate that was misused in the firewall device to OneCRL, which ships in Firefox 37. Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated their procedures, and using name constraints to restrict the CA’s hierarchy to certain domains.
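The following Go program is an added example and is not Mozilla’s, CNNIC’s, or Firefox’s own code. It builds a constructed root → intermediate → leaf hierarchy with Go’s standard crypto/x509 package and walks through the three situations the Issue and Status sections describe: an unconstrained intermediate lets a MITM box mint a leaf for a name it does not control and path validation accepts it; a OneCRL-style block list entry (modelled here, in simplified form, as the blocked certificate’s issuer name plus serial number) rejects every chain that passes through that intermediate; and a name-constrained intermediate (permitted only to sign under ".cn", an assumed constraint chosen to match the discussion) is rejected by path validation for the same leaf without any revocation data at all. All certificate names, serials, and the host names "www.example.com" and "www.example.cn" are assumptions made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// oneCRLEntry is a simplified local model of a OneCRL record: a certificate
// is blocked when its issuer name and serial number match. This is not
// Mozilla's OneCRL format or client code.
type oneCRLEntry struct {
	issuerDER []byte   // DER-encoded issuer name, compared against RawIssuer
	serial    *big.Int // serial number of the blocked certificate
}

// issue generates a fresh P-256 key, signs tmpl with parentKey and returns the
// parsed certificate plus the new key. A nil parent means self-signed (root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildHierarchy constructs root -> intermediate -> leaf for host, the leaf
// standing in for the certificate a MITM firewall mints on the fly. With
// constrained=true the intermediate carries a critical name constraint that
// permits only names under ".cn" (an assumed constraint for the example).
func buildHierarchy(host string, constrained bool) (root, inter, leaf *x509.Certificate) {
	now := time.Now()
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn}, // constructed name
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(14 * 24 * time.Hour), // two-week "test" validity, as in the incident
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			BasicConstraintsValid: true,
			IsCA:                  true,
		}
	}
	root, rootKey := issue(ca("Example Root CA (constructed)", 1), nil, nil)

	interTmpl := ca("Example Test Intermediate (constructed)", 2)
	if constrained {
		interTmpl.PermittedDNSDomains = []string{".cn"}
		interTmpl.PermittedDNSDomainsCritical = true
	}
	inter, interKey := issue(interTmpl, root, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the MITM box impersonates
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(7 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ = issue(leafTmpl, inter, interKey)
	return root, inter, leaf
}

// isUnconstrainedCA reports whether c is a CA certificate with no DNS name
// constraints at all, i.e. one that can sign a server certificate for any host.
func isUnconstrainedCA(c *x509.Certificate) bool {
	return c.IsCA && len(c.PermittedDNSDomains) == 0 && len(c.ExcludedDNSDomains) == 0
}

// verifyChain does what a OneCRL-aware client does: consult the block list for
// every certificate in the presented chain, then run path validation, which is
// where name constraints on the intermediate are enforced.
func verifyChain(root, inter, leaf *x509.Certificate, blocked []oneCRLEntry, host string) error {
	for _, c := range []*x509.Certificate{leaf, inter} {
		for _, e := range blocked {
			if bytes.Equal(c.RawIssuer, e.issuerDER) && c.SerialNumber.Cmp(e.serial) == 0 {
				return fmt.Errorf("blocked by OneCRL entry: %q serial %s", c.Subject.CommonName, c.SerialNumber)
			}
		}
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// nameConstraintViolation reports whether err is Go's "CA not authorized for
// this name" failure (checked by type, with a message fallback for Go versions
// that wrap it in UnknownAuthorityError).
func nameConstraintViolation(err error) bool {
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) {
		return inv.Reason == x509.CANotAuthorizedForThisName
	}
	return err != nil && strings.Contains(err.Error(), "not authorized to sign for this name")
}

func main() {
	host := "www.example.com" // a name the intermediate's holder does not control
	root, inter, leaf := buildHierarchy(host, false)
	fmt.Println("intermediate unconstrained:", isUnconstrainedCA(inter))
	fmt.Println("MITM leaf accepted (nil = trusted):", verifyChain(root, inter, leaf, nil, host))

	block := []oneCRLEntry{{issuerDER: inter.RawIssuer, serial: inter.SerialNumber}}
	fmt.Println("after OneCRL entry:", verifyChain(root, inter, leaf, block, host))

	root, inter, leaf = buildHierarchy(host, true)
	err := verifyChain(root, inter, leaf, nil, host)
	fmt.Println("name-constrained intermediate:", err, "| constraint violation:", nameConstraintViolation(err))
}
```

Two design points worth noting. Blocking the intermediate by issuer and serial, rather than each minted leaf, is what makes OneCRL effective here: the firewall can generate leaves faster than anyone can enumerate them, but every one of them fails as soon as the single intermediate they chain through is on the list. Name constraints, by contrast, prevent the problem before any revocation is needed, but only if the client actually enforces the extension; the constrained case above should be treated as a check of the validating library, not just of the certificate.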

End-user Action
We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases of Firefox (including Firefox 38 ESR) will contain OneCRL, which will be used for this certificate revocation and for future certificate revocations of this type.

Credit
Thanks to Google for reporting this issue to us.

Mozilla Security Team

96 responses

  1. kenny.wke wrote on :

    Remove it! CNNIC is controlled by the Chinese government; Chinese people do NOT trust CNNIC and the government!

    1. raire wrote on :

      yes, remove it

  2. Chinese people wrote on :

    Remove it! CNNIC is controlled by the Chinese government; Chinese people do NOT trust CNNIC and the government!

  3. antigfw wrote on :

    REVOKE CNNIC CERTS!

    CNNIC is an official authority of the Chinese Communist Party!! It will FUCK UP your country’s security system and hacking!!!

    Chinese hackers have hacked many targets in the Western world; for your national security, remove communist certs NOW!

  4. chinese wrote on :

    Remove it! CNNIC is controlled by the Chinese government; Chinese people do NOT trust CNNIC and the government!

  5. fuckgfw wrote on :

    REVOKE CNNIC CERTS!
    CNNIC is an official authority of the Chinese Communist Party!! It will FUCK UP your country’s security system and hacking!!!
    Chinese hackers have hacked many targets in the Western world; for your national security, remove communist certs NOW!

  6. aManInchina wrote on :

    Remove it!

  7. kidke wrote on :

    remove communist certs NOW!
    please!

  8. GRD.FBX.GFW wrote on :

    Please remove CNNIC, thank you!

  9. remove CNNIC wrote on :

    CNNIC is controlled by the Chinese government. I don’t trust it. Please remove it.

  10. rrrr wrote on :

    Remove it! CNNIC is controlled by the Chinese government.

  11. #542689 wrote on :

    We warned you 4 years ago.

    https://bugzilla.mozilla.org/show_bug.cgi?id=542689

    1. lasdjfkasjfd wrote on :

      We told you long ago, but you wouldn’t listen. Remove the several other Chinese certificates as well; the Hong Kong certificates may also be dangerous.

    2. mz wrote on :

      Told you!

  12. HW wrote on :

    CNNIC must be REVOKED. CNNIC is under the control of the Chinese government, and China has the largest firewall in the world. Secure HTTPS can protect people from the firewall. But from now on HTTPS is not secure any more.

  13. Remove cnnic wrote on :

    China Internet Network Information Center (CNNIC) is NOT a non-profit organization.

  14. Dreista wrote on :

    Please remove CNNIC certs, thank you!
    We do not trust any organization controlled by the Chinese government.

  15. Neo wrote on :

    We have said a thousand times to revoke this CNNIC certificate, and you, Mozilla and Google Chrome and Opera and other software makers, have done NOTHING!

    SHAME ON YOU!

    We said the wolf would come, and it finally came! Is it still not bloody enough to beat the wolf?

  16. REVOKE CNNIC CERTS! wrote on :

    REVOKE CNNIC CERTS PLEASE !!!

  17. anonymousz wrote on :

    Recommend trusting CNNIC only on *.cn sites; otherwise there can be issues accessing some Chinese websites.

    1. pe wrote on :

      CNNIC is rarely used even in China, so just remove it.

  18. DAMN.GFW wrote on :

    remove it!

  19. Jerry wrote on :

    Remove it, please!

  20. anonymousz wrote on :

    Please remove CNNIC, thank you!
