Revoking Trust in one CNNIC Intermediate Certificate

Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices or by their agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for pushing revocation information directly to Firefox, which ships in Firefox 37.

Issue
China Internet Network Information Center (CNNIC), a non-profit organization administered by the Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate (one carrying no name constraints, so it could issue for any domain) that was labeled as a test certificate and had a two-week validity, expiring April 3, 2015. Their customer loaded this certificate, together with its private key, into a firewall device that performed SSL MITM; when a user inside their network accessed other servers, the firewall issued certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates that chain up to a root certificate in Mozilla’s CA program from being used in this manner.

Impact
An intermediate certificate that is used for MITM allows the holder of the certificate and its private key to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and the ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites that appear to originate from the domain owners but actually contain malicious content or software. We believe that this MITM instance was limited to CNNIC’s customer’s internal network.

Status
Mozilla is adding the revoked intermediate certificate that was misused in the firewall device to OneCRL, which will ship in Firefox 37. Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated its procedures, and using name constraints to limit the CA’s hierarchy to certain domains.
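The two remedies named above, name constraints on an intermediate and a vendor-pushed blocklist such as OneCRL, can be shown against a constructed certificate hierarchy. The following Go program is an added example, not Mozilla's or CNNIC's code; every name in it (Example Root CA, Example Test Intermediate, customer.example, www.example.com) is a placeholder, and the blocklist is a simplified model of a OneCRL entry keyed on issuer name plus serial number. It builds a two-week "test" intermediate with no name constraints, a second intermediate constrained to customer.example, and leaves for www.example.com under each. Standard chain validation accepts the unconstrained MITM leaf, rejects the same leaf under the constrained intermediate while still accepting a leaf for the customer's own domain, and rejects the unconstrained chain once its intermediate is on the blocklist. `Outcome` holds one result per case; a nil error means the browser would raise no warning.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed hierarchy with placeholder names; none of this is CNNIC's or Mozilla's code or data.
var nextSerial int64 = 1000

// template builds a CA certificate (no name constraints unless the caller adds them) or a server leaf for cn.
func template(cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true, IsCA: ca}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue gives tmpl a fresh P-256 key, has signer sign it (nil signer = self-signed) and returns cert and key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(14 * 24 * time.Hour) // two-week validity, like the "test" intermediate
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // cannot fail on DER we just produced
	return cert, key
}

// blockKey is a simplified model of a OneCRL entry: issuer DN plus serial number, pushed to the
// client by the browser vendor rather than fetched from the CA's CRL or OCSP responder.
func blockKey(c *x509.Certificate) string { return c.Issuer.String() + "|" + c.SerialNumber.String() }

// verify runs normal chain building plus hostname checking, then rejects the chain if any
// certificate in it (leaf, intermediate or root) is on the blocklist.
func verify(leaf, inter, root *x509.Certificate, host string, blocklist map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return err
	}
	for _, c := range chains[0] { // one intermediate in the pool, so exactly one chain
		if blocklist[blockKey(c)] {
			return fmt.Errorf("%q (serial %s) is on the revocation blocklist", c.Subject.CommonName, c.SerialNumber)
		}
	}
	return nil
}

type Outcome struct {
	UnconstrainedMITM    error // www.example.com leaf under the unconstrained intermediate
	ConstrainedMITM      error // same leaf under a name-constrained intermediate
	ConstrainedOwnDomain error // leaf inside the permitted domain under that intermediate
	AfterBlocklist       error // the unconstrained chain once its intermediate is blocklisted
}

func runScenario() Outcome {
	root, rootKey := issue(template("Example Root CA", true), nil, nil)
	// The "test" intermediate: a full CA certificate with no name constraints.
	unconstrained, interKey := issue(template("Example Test Intermediate", true), root, rootKey)
	// What a properly constrained customer intermediate would look like.
	t := template("Example Customer Intermediate", true)
	t.PermittedDNSDomains, t.PermittedDNSDomainsCritical = []string{"customer.example"}, true
	constrained, custKey := issue(t, root, rootKey)
	mitm1, _ := issue(template("www.example.com", false), unconstrained, interKey)
	mitm2, _ := issue(template("www.example.com", false), constrained, custKey)
	own, _ := issue(template("intranet.customer.example", false), constrained, custKey)
	blocklist := map[string]bool{blockKey(unconstrained): true} // a nil map means no revocation data
	return Outcome{
		UnconstrainedMITM:    verify(mitm1, unconstrained, root, "www.example.com", nil),
		ConstrainedMITM:      verify(mitm2, constrained, root, "www.example.com", nil),
		ConstrainedOwnDomain: verify(own, constrained, root, "intranet.customer.example", nil),
		AfterBlocklist:       verify(mitm1, unconstrained, root, "www.example.com", blocklist),
	}
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

Two points worth noticing when running it: the constrained intermediate fails only for names outside customer.example, so constraints cost the legitimate customer nothing, and the blocklist check works on whatever the client already holds, which is why a pushed list can cover a revoked intermediate even when a client never fetches the CA's CRL.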

End-user Action
We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases of Firefox (including Firefox 38 ESR) will contain OneCRL, which will be used for this certificate revocation and for future certificate revocations of this type.

Credit
Thanks to Google for reporting this issue to us.

Mozilla Security Team

96 responses

  1. zz wrote on :

    CNNIC must die

  2. smileawei wrote on :

    Please remove the CNNIC ROOT CA; we have reason to believe it will do some damage to the security thing. Pleading again. For Internet Freedom

  3. wtm wrote on :

    Revoke CNNIC ROOT, please!!!!

  4. aafsdaf wrote on :

    CNNIC must be REVOKED. CNNIC is under the control of the Chinese government and China has the largest firewall in the world

  5. Jeff Wang wrote on :

    Great news, spread the word! I’ve been cheered up!
    CNNIC is an alias name of the Computer & Technology Center, China Academy of Science.
    CAS is completely controlled by the CPC, which has made the biggest firewall in the world!

  6. Raymond wrote on :

    Trusting CNNIC jeopardizes the privacy of all Internet users in China, not just Chinese citizens; visitors in China also face such a problem. Revoke CNNIC’s root CA, please.

  7. Alamo wrote on :

    Remove it you bastards!

  8. VYSE wrote on :

    TOLD U!
    NOW IT’S TIME TO RESOLVE THIS!
    https://bugzilla.mozilla.org/show_bug.cgi?id=542689

  9. jswxdzc wrote on :

    Please revoke CNNIC certs.

    Such a shame to see this, some people just laugh at us because they think there is nothing to worry about. In fact, they are wrong.
    It is the gov’s puppet, so I never support it.

  10. cc wrote on :

    Revoke it please.
    It should not have been trusted when we argued about whether to add it to the built-in root CAs; now this happens.
    I do not think it is the fault of its customer. As we all know, the Chinese Great Firewall especially wants to intercept the internet traffic (such as Gmail) of those who often talk about human rights or democracy and keep it as proof to arrest them secretly or publicly. I think a CA should never help others do such a thing.
    It’s an unforgivable fault to sign such a cert. It’s time to revoke it.

    1. cc wrote on :

      Also, the sites that use this cert as root CA are very rare.
      If you use Google to search “CNNIC 证书” (“证书” means certificate), the results will be how to distrust it on a PC.
      CNNIC’s CA is widely seen as a cert that should never be trusted.

  11. Bernd Graumann wrote on :

    Keep it. Then maybe more people will notice how broken the whole certificate system is. Also add Honest Achmed’s CA. At least they are honest.

  12. GFW wrote on :

    Innocent until proven guilty.
    While this may not be “proven guilty”, at least you should put CNNIC on “probation”.
    Also, it’s not like there are many people in China who are actually using Firefox, so there’s no point trying to appease the “Chinese market”.

  13. qian wrote on :

    Remove it, you idiots, you should have removed it 5 years ago!

  14. wuhan wrote on :

    I’m a Chinese from mainland China. My friends and I don’t trust the CNNIC, which is controlled by the Communist Party. So many civilians have been censored by the Party for 10 years or more. As a Chinese, I have to appeal to remove the CNNIC from Firefox. Thank you all very much!

  15. Mark R. wrote on :

    I have Thunderbird configured to use SSL for my POP3 and SMTP connections. It sounds like the vulnerability would affect any application using SSL, not just Firefox. So Thunderbird would also be affected.

    Your statement, “Mozilla is adding the revoked intermediate certificate that was mis-used in the firewall device to OneCRL which will be shipping in Firefox 37” sounds like you’re only making the fix to Firefox, and Thunderbird will still be left vulnerable.

    Please fix all of Mozilla’s SSL-using applications, not just Firefox!

  16. Sok Puppette wrote on :

    Since you are acting as a proxy for the user, you should be trying to implement the user’s preferences as best you can determine them. And what you have heard from the overwhelming majority of your users, since before you ever put CNNIC in the list, is that NOBODY TRUSTS CNNIC. Not in China and not in the rest of the world. Drop them. Permanently. With no chance to reapply. End of story.

    Regardless of any other consideration, you have no business carrying a CA that the majority of your users obviously distrust.

    Furthermore, even for CAs your users DON’T actively distrust, “innocent until proven guilty” is an idiotic policy. The right policy for CAs is “better damned well be above suspicion”. The goal here is not to be fair to the CA. The CA’s interests are not important. The goal is to protect the user. That means that if there is more than average reason to suspect that a CA is malicious OR incompetent, that CA should be out of the list. And this kind of screwup is definitely such a reason to drop CNNIC.

    And, while you’re at it, stop dumping in every random company that wants to go into the CA business and can pass an audit. You’re under no obligation to enable them. Only accept CAs when it will help your users in some articulable way. And get off your butts and implement DNSSEC and DANE.

  17. Noname wrote on :

    You can trust CNNIC if and only if you are more than happy to trust NSA and its Prism.

  18. CNNIC vs 3721 vs baidu tb vs sogou tb wrote on :

    In china, CNNIC is famous for its rootkit spyware/adware.

  19. please_remove_cnnic wrote on :

    CNNIC is controlled by the gov, please remove it. I, as a Chinese, don’t trust CNNIC or the gov.

  20. xioxin wrote on :

    For the safety of the Chinese people, remove all certificates held by the Chinese government.
