Categories: CA Program Security

Revoking Trust in one CNNIC Intermediate Certificate

Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices and the agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37.

China Internet Network Information Center (CNNIC), a non-profit organization administered by the Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two-week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program.

An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to CNNIC’s customer’s internal network.

Mozilla is adding the revoked intermediate certificate that was misused in the firewall device to OneCRL, which will be shipping in Firefox 37. Additional action regarding this CA will be discussed in the forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated their procedures, and using name constraints to constrain the CA’s hierarchy to certain domains.
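
A simplified model of the two mitigations named above, a OneCRL-style blocklist and name constraints, added here as an illustration; it is not Mozilla's or NSS's code. The `Cert` class, the hierarchy, and every name and serial are constructed, keying the blocklist on (issuer, serial) is an assumption of this model, and signature and validity-period checks are omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str
    is_ca: bool = False
    dns_names: tuple = ()      # SAN dNSName entries (leaf)
    permitted_dns: tuple = ()  # nameConstraints permitted subtrees; () = extension absent

def dns_within(name: str, base: str) -> bool:
    """RFC 5280 dNSName rule: equal to the base, or the base with labels added on the left."""
    name, base = name.lower().rstrip("."), base.lower().strip(".")
    return name == base or name.endswith("." + base)

def check_chain(chain, blocklist):
    """chain is leaf first, root last; blocklist is a set of (issuer, serial) pairs."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False, f"{parent.subject} cannot issue {child.subject}"
    for cert in chain:  # a revoked intermediate invalidates everything below it
        if (cert.issuer, cert.serial) in blocklist:
            return False, f"revoked: {cert.subject}"
    for ca in chain[1:]:  # every constrained CA above the leaf must permit each leaf name
        for name in chain[0].dns_names:
            if ca.permitted_dns and not any(dns_within(name, b) for b in ca.permitted_dns):
                return False, f"{name} is outside the constraints of {ca.subject}"
    return True, "ok"

# Constructed sample hierarchy; every name and serial below is made up.
ROOT = Cert("Example Root CA", "Example Root CA", "01", is_ca=True)
TEST_ICA = Cert("Example Test Intermediate", ROOT.subject, "0A", is_ca=True)
NC_ICA = Cert("Example Constrained Intermediate", ROOT.subject, "0B", is_ca=True,
              permitted_dns=("customer.example",))

def leaf(host: str, issuer: Cert) -> Cert:
    return Cert(host, issuer.subject, "64", dns_names=(host,))

def scenarios():
    foreign = "mail.unrelated.example"
    return {
        "unconstrained": check_chain([leaf(foreign, TEST_ICA), TEST_ICA, ROOT], set()),
        "blocklisted": check_chain([leaf(foreign, TEST_ICA), TEST_ICA, ROOT],
                                   {(ROOT.subject, "0A")}),
        "constrained_foreign": check_chain([leaf(foreign, NC_ICA), NC_ICA, ROOT], set()),
        "constrained_own": check_chain([leaf("vpn.customer.example", NC_ICA), NC_ICA, ROOT], set()),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:20} {result}")
```

The first scenario is the situation the post describes: with no constraints and no revocation entry, a certificate for an unrelated domain validates without any warning.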

End-user Action
We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases of Firefox (including Firefox 38 ESR) will contain OneCRL which will be used for this certificate revocation and for future certificate revocations of this type.

Thanks to Google for reporting this issue to us.

Mozilla Security Team

96 comments on “Revoking Trust in one CNNIC Intermediate Certificate”

  1. NY wrote on

    Stop talking about CNNIC please, that’s totally the fault of this stupid system and policies.

    If CNNIC can issue certificates like this, any other CAs can do this also. Removing CNNIC cannot prevent these issues from happening again.

    If you don’t trust CNNIC, why do you trust GOOGLE? Because you trust America, CIA, FBI?

    1. neko wrote on

      1. Locking up a murderer won’t prevent other people from committing crime, but I bet you won’t want to see a murderer running around your house just because of your “everyone can be evil” logic.

      2. Sounds like a murderer trying to plead not guilty by stating that the Americans are dropping bombs in the Middle East. First, Google didn’t try to initiate a MITM attack on us, CNNIC did. Secondly, we are all well aware of the crap the Americans have done, but that won’t justify the shit CNNIC has done (and it’s not the first time).

    2. Leric wrote on

      We call this kind of people 五毛 in China, for they sold their soul for 50 cents/post

  2. Tom wrote on

    Remove it Plz!

  3. hyno111 wrote on

    I hope you can reevaluate the CNNIC issue. Preferably with a detailed report. I’m not saying that it must be revoked, I just hope to see the overall evaluation behind the decision. This would also convince other people on the issue.

  4. 农夫 wrote on


    1. GOTOHELL_GFW wrote on

      I currently use Chrome and IE. How can I remove CNNIC’s certificates? Nothing under the Communist Party’s control can be trusted at all!

  5. Szopen wrote on

    remove it

  6. Realz wrote on


  7. Galaxy wrote on

    Please allow users to lower or turn off cert checks on dot cn sites, as most of them will require the user to trust their own ROOT cert. Especially the Chinese banks and railway system!

    The Chinese people have to use Chinese bank services, but those Root Cert should only be trusted within Chinese sites.

  8. Anonymous wrote on

    The last time this happened, Mozilla issued a statement that they would no longer allow CAs to issue CA=TRUE intermediate certificates for this kind of purpose, that any CAs doing so should immediately revoke them and come forward immediately, and that any CA not doing so within a given grace period (IIRC a few months) would be removed when discovered. That grace period has long since passed. So why is the intermediate certificate being removed but not the top-level CA that knowingly issued it?

  9. ohalucky wrote on


  10. noGFW wrote on

    PLEASE revoke CNNIC certs. We DO NOT trust it, and the PRC gov. Thank YOU

  11. lee wrote on

    I am Chinese, and I don’t trust CNNIC. So tell your boss and remove it. But the problem is, only five million or fewer Chinese people use the Firefox browser. How can Mozilla tell Google and Microsoft to remove the certs too?

  12. mine260309 wrote on

    Please just remove all CNNIC’s Certificates!

  13. Tonny wrote on

    Remove CNNIC certs please, this is controlled by the Chinese government, and this government has undertaken known MITM attacks several times.

  14. Agni wrote on

    Please revoke it!
    CNNIC is rarely used. It has little effect to revoke it!
    Chinese hackers have been found hacking into important western targets many times! Even for your website security, CNNIC should be revoked!

  15. anonymousz wrote on

    This day has come too late. Back when Firefox added CNNIC to the CA ROOT, no matter how many people objected, it made no difference.

    FINALLY CNNIC CA got Revoked!!!

  16. 科学上网 wrote on

    that makes me sick

  17. kkk wrote on

    if you really want to do the right thing, just remove it.
    if you really remove it, you will be the force of internet development of China, thank you.

  18. dangge wrote on

    Please revoke it!

  19. No political rightness please wrote on

    Mozilla, please revoke the CNNIC, we all know it’s been questionable back to 2007 when it first showed up in the mailing list.

  20. Kurumi Tokisaki wrote on

    Revoke CNNIC ROOT, please!
