Revoking Trust in one CNNIC Intermediate Certificate

Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices or by their agreement with the customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox, which will ship in Firefox 37.

Issue
China Internet Network Information Center (CNNIC), a non-profit organization administered by the Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates, which are included in NSS and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate (one carrying no name constraints to limit the domains it could issue for) that was labeled as a test certificate and had a two-week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device that performed SSL MITM; when a user inside the customer’s network accessed other servers, the firewall issued certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates that chain up to a root certificate in Mozilla’s CA program from being used in this manner.

Impact
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without triggering browser warnings. An attacker armed with a fraudulent SSL certificate and the ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites that appear to originate from the domain owners but actually contain malicious content or software. We believe that this MITM instance was limited to CNNIC’s customer’s internal network.

Status
Mozilla is adding the revoked intermediate certificate that was misused in the firewall device to OneCRL, which will ship in Firefox 37. Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated its procedures, and using name constraints to limit the CA’s hierarchy to certain domains.
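To make the mechanism described under Issue and the remedies mentioned under Status concrete, here is an added example in Go, written for this page and not code from Mozilla or from the original post; it uses only the standard library’s crypto/x509. It rebuilds the three-certificate chain with throwaway keys: a trusted root, a CA=TRUE intermediate with a two-week validity, and a leaf that the intermediate mints on the fly for a host the holder does not control. It then shows why normal path validation raises no warning, how a OneCRL-style blocklist entry keyed by issuer name and serial number rejects the chain anyway, and what adding a name constraint to the intermediate changes. All names (Example Root CA, Example Test Intermediate, customer.example, mail.victim.example) and the blocklist layout are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// chain is the three-certificate scenario from the post: a trusted root, the
// intermediate it issued, and a leaf the intermediate minted for someone else's host.
type chain struct{ Root, Inter, Leaf *x509.Certificate }

// revokedKey names a certificate by issuer and serial, the pair a CRL entry
// (and, in this example, a OneCRL-style entry) uses to identify a revoked cert.
type revokedKey struct{ Issuer, Serial string }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent using parentKey and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildChain recreates the incident with example names. With constrained=true the
// intermediate also carries a critical name constraint limiting it to the
// customer's own (placeholder) domain, the remedy mentioned under Status.
func buildChain(constrained bool) chain {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	interTmpl := &x509.Certificate{ // CA=TRUE, two-week validity, as in the incident
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Test Intermediate"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(14 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if constrained {
		interTmpl.PermittedDNSDomainsCritical = true
		interTmpl.PermittedDNSDomains = []string{"customer.example"}
	}
	inter := sign(interTmpl, root, &interKey.PublicKey, rootKey)

	// The MITM device mints this for whatever host a user inside the network visits.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "mail.victim.example"},
		DNSNames:  []string{"mail.victim.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return chain{root, inter, sign(leafTmpl, inter, &leafKey.PublicKey, interKey)}
}

// verifyForHost runs the path validation a browser runs for host, trusting only
// c.Root. A nil error is the "no warning shown" case from the Impact section.
func verifyForHost(c chain, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Inter)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isNameConstraintViolation reports whether err is the validation failure raised
// when an intermediate is not authorized to issue for the leaf's name.
func isNameConstraintViolation(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName
}

// keyOf returns the (issuer, serial) pair a revocation entry would carry.
func keyOf(c *x509.Certificate) revokedKey {
	return revokedKey{c.Issuer.String(), c.SerialNumber.String()}
}

// revokedByList mimics a pushed blocklist: the chain is rejected if its leaf or
// intermediate is listed, independently of whether path validation succeeds.
func revokedByList(c chain, blocklist map[revokedKey]bool) bool {
	return blocklist[keyOf(c.Leaf)] || blocklist[keyOf(c.Inter)]
}

func main() {
	const host = "mail.victim.example"
	loose := buildChain(false)
	fmt.Println("unconstrained intermediate, no blocklist:", verifyForHost(loose, host)) // <nil>: accepted silently
	blocklist := map[revokedKey]bool{keyOf(loose.Inter): true} // entry for the revoked intermediate
	fmt.Println("same chain once the revocation is pushed:", revokedByList(loose, blocklist)) // true
	tight := buildChain(true)
	err := verifyForHost(tight, host)
	fmt.Println("name-constrained intermediate:", isNameConstraintViolation(err), err) // true
}
```

Run it with go run. The unconstrained chain validates cleanly, which is exactly why an MITM box holding such an intermediate produces no warning; the blocklist check rejects it anyway because it is consulted independently of path validation; and the constrained intermediate fails validation for mail.victim.example even though it would still work for hosts under customer.example, which is the property that makes name constraints a useful containment measure for a CA hierarchy.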

End-user Action
We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases of Firefox (including Firefox 38 ESR) will contain OneCRL, which will be used for this certificate revocation and for future certificate revocations of this type.

Credit
Thanks to Google for reporting this issue to us.

Mozilla Security Team

96 responses

  1. NY wrote on :

    Stop talking about CNNIC, please; that’s totally the fault of this stupid system and its policies.

    If CNNIC can issue certificates like this, any other CA can do this too. Removing CNNIC cannot prevent this issue from happening again.

    If you don’t trust CNNIC, why do you trust Google? Because you trust America, the CIA, the FBI?

    1. neko wrote on :

      1. Locking up a murderer won’t prevent other people from committing crimes, but I bet you wouldn’t want to see a murderer running around your house just because of your “everyone can be evil” logic.

      2. Sounds like a murderer trying to plead not guilty by pointing out that the Americans are dropping bombs in the Middle East. First, Google didn’t try to initiate a MITM attack on us; CNNIC did. Secondly, we are all well aware of the crap the Americans have done, but that won’t justify the shit CNNIC has done (and it’s not the first time).

    2. Leric wrote on :

      We call this kind of people 五毛 (“fifty cents”) in China, because they sold their souls for 50 cents per post.

  2. Tom wrote on :

    Remove it, please!

  3. hyno111 wrote on :

    I hope you can re-evaluate the CNNIC issue, preferably with a detailed report. I’m not saying that it must be revoked; I just hope to see the overall evaluation behind the decision. This would also convince other people on the issue.

  4. 农夫 wrote on :

    Ah, what can I say; I have deleted every copy of this certificate I had installed.

    1. GOTOHELL_GFW wrote on :

      I’m currently using Chrome and IE. How can I remove the CNNIC certificate? Nothing under the Communist Party’s control can be trusted at all!

  5. Szopen wrote on :

    remove it

  6. Realz wrote on :

    Something as unreliable as CNNIC never deserved to be trusted in the first place. I hope it gets added to the blacklist.

  7. Galaxy wrote on :

    Please allow users to lower or turn off the certificate check on .cn sites, as most of them require users to trust their own root cert, especially the Chinese banks and the railway system!

    Chinese people have to use Chinese bank services, but those root certs should only be trusted for Chinese sites.

  8. Anonymous wrote on :

    The last time this happened, Mozilla issued a statement that it would no longer allow CAs to issue CA=TRUE intermediate certificates for this kind of purpose, that any CAs doing so should immediately revoke them and come forward, and that any CA not doing so within a given grace period (IIRC a few months) would be removed when discovered. That grace period has long since passed. So why is the intermediate certificate being removed but not the top-level CA that knowingly issued it?

  9. ohalucky wrote on :

    This day has come far too late; Mozilla should never have added CNNIC’s certificate in the first place.

  10. noGFW wrote on :

    PLEASE revoke the CNNIC certs. We DO NOT trust it, or the PRC government. Thank YOU.

  11. lee wrote on :

    I am Chinese, and I don’t trust CNNIC. So tell your boss and remove it. But the problem is, only five million or fewer Chinese people use the Firefox browser. How can Mozilla tell Google and Microsoft to remove the certs too?

  12. mine260309 wrote on :

    Please just remove all CNNIC’s Certificates!

  13. Tonny wrote on :

    Remove the CNNIC certs, please; this is controlled by the Chinese government, and this government has carried out known MITM attacks several times.

  14. Agni wrote on :

    Please revoke it!
    CNNIC is rarely used. Revoking it will have little effect!
    Chinese hackers have been found hacking into important Western targets many times! Even for your own website’s security, CNNIC should be revoked!

  15. anonymousz wrote on :

    This day has come far too late. When Firefox added CNNIC to the CA root store, it didn’t matter how many people objected.
    Now the evidence has finally been caught. Firefox should be extremely cautious about adding new CAs; a CA should not be added just because no unfavorable evidence can be found.

    FINALLY the CNNIC CA got revoked!!!
    NEVER ADD IT BACK AGAIN!!!

  16. 科学上网www.jubushoushen.com wrote on :

    that makes me sick

  17. kkk wrote on :

    If you really want to do the right thing, just remove it.
    If you really remove it, you will be a force for the development of the internet in China. Thank you.

  18. dangge wrote on :

    Please revoke it!

  19. No political rightness please wrote on :

    Mozilla, please revoke CNNIC; we all know it has been questionable since 2007, when it first showed up on the mailing list.

  20. Kurumi Tokisaki wrote on :

    Revoke CNNIC ROOT, please!
