Categories: CA Program Security

Revoking Trust in one CNNIC Intermediate Certificate

Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices or by their agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox, which will ship in Firefox 37.

Issue
China Internet Network Information Center (CNNIC), a non-profit organization administered by the Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two-week validity period, expiring April 3, 2015. Their customer loaded this certificate into a firewall device that performed SSL MITM; when a user inside their network accessed other servers, the firewall issued certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates that chain up to a root certificate in Mozilla’s CA program from being used in this manner.

Impact
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without triggering browser warnings. An attacker armed with a fraudulent SSL certificate and the ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites that appear to originate from the domain owners but actually contain malicious content or software. We believe that this MITM instance was limited to CNNIC’s customer’s internal network.

Status
Mozilla is adding the revoked intermediate certificate that was misused in the firewall device to OneCRL, which will ship in Firefox 37. Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated their procedures, and using name constraints to restrict the CA’s hierarchy to certain domains.
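As an added illustration (not from the original post and not Mozilla's or CNNIC's code) of the name-constraint remedy mentioned above, the following Python models RFC 5280 dNSName constraint evaluation: an intermediate with no Name Constraints extension (the situation described in this post) can issue for any host, while one constrained to a customer's own zone cannot. The zone and host names used are constructed.

```python
"""RFC 5280 name-constraint evaluation for dNSName entries (constructed example).

permitted=None models an intermediate with no Name Constraints extension,
which a path validator will accept for any host name.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when it equals the
    constraint or is formed by adding labels to the constraint's left side.
    Comparison is case-insensitive. A leading '.' on the constraint means
    'strict subdomains only' (a common encoding accepted by most validators)."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


@dataclass
class NameConstraints:
    permitted: Optional[List[str]] = None          # None: unconstrained
    excluded: List[str] = field(default_factory=list)

    def allows(self, dns_name: str) -> bool:
        # Excluded subtrees always win (RFC 5280 4.2.1.10).
        if any(dns_name_in_subtree(dns_name, s) for s in self.excluded):
            return False
        if self.permitted is None:
            return True                            # unconstrained intermediate
        return any(dns_name_in_subtree(dns_name, s) for s in self.permitted)


def check_leaf(constraints: NameConstraints, san_dns_names: List[str]) -> List[str]:
    """Return the SAN entries a path validator must reject under `constraints`.
    An empty list means the leaf is acceptable under this intermediate."""
    return [n for n in san_dns_names if not constraints.allows(n)]


if __name__ == "__main__":
    # Constructed: an unconstrained intermediate versus one limited to a
    # hypothetical customer zone, with one excluded sub-zone.
    unconstrained = NameConstraints()
    constrained = NameConstraints(permitted=["corp.example"],
                                  excluded=["dmz.corp.example"])
    leaf = ["mail.corp.example", "www.example.net", "host.dmz.corp.example"]
    print("unconstrained rejects:", check_leaf(unconstrained, leaf))  # []
    print("constrained rejects:", check_leaf(constrained, leaf))
    # ['www.example.net', 'host.dmz.corp.example']
```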

End-user Action
We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases of Firefox (including Firefox 38 ESR) will contain OneCRL, which will be used for this certificate revocation and for future certificate revocations of this type.

Credit
Thanks to Google for reporting this issue to us.

Mozilla Security Team

96 comments on “Revoking Trust in one CNNIC Intermediate Certificate”

  1. fuckgfw wrote on

    we never trust CNNIC, thus please, again, remove it!

    you have been warned again and again…

    https://bugzilla.mozilla.org/show_bug.cgi?id=542689

    https://bugzilla.mozilla.org/show_bug.cgi?id=476766

    https://bugzilla.mozilla.org/show_bug.cgi?id=607208

    but you guys said that CNNIC CA fully meets the requirements for providing SSL certificate service. It is just like a joke!

  2. fuck gfw wrote on

    PLEASE revoke CNNIC certs. We DO NOT trust it, and the PRC gov. Thank YOU

  3. zhan wrote on

    please remove the CNNIC certificate,

  4. CNNIC admin wrote on

    PLEASE revoke CNNIC certs. We DO NOT trust it, and the PRC gov. Thank YOU

  5. thesunfei wrote on

    Just remove the CNNIC certificate, we don’t need it and it’s dangerous.

  6. Shura wrote on

    PLEASE revoke CNNIC certs. We DO NOT trust it, and the PRC gov. Thank YOU

  7. zh wrote on

    remove it plz.

  8. rommel wrote on

    PLEASE revoke CNNIC certs. We DO NOT trust it, and the PRC gov. Thank YOU

  9. jixiao wrote on

    REVOKE CNNIC CERTS please, please, please!!!

    please help the Chinese against CNNIC and spies!!!

    help us, please!!!

  10. RainFlying wrote on

    In China we all know CNNIC is under direct control of the Chinese Government.
    The first thing every IT specialist does after installation of operating system is to revoke the CNNIC certificate.
    Please remove CNNIC certificate.

  11. ex_ff_user wrote on

    If you want to put User First, please revoke CNNIC cert. Your priority should be protecting users, especially users who do not have the knowledge to protect themselves. Those users depend on you to make the right decision for them.

  12. Freedom wrote on

    Please REVOKE CNNIC, we don’t need this beach.

  13. 文科 wrote on

    Ha, caught in the act.

  14. Leo wrote on

    Please revoke CNNIC cert

  15. FuckCPC wrote on

    Don’t forget to remove wosign certificate on your Android smartphone!
    This is also from China which could be used to attack.

  16. Shelikhoo wrote on

    Google is the website that many activists in China rely on.

    Since Google is not accessible in China, the explanation given (that it was just used to interrupt employees’ Internet on a company’s proxy) is NOT credible.

  17. Guan wrote on

    Please consider no longer including CNNIC in the CA bundle.

  18. 后排 wrote on

    Revoke CNNIC plz!!!

  19. dan wrote on

    please remove the CNNIC CA, again and again, the history of the group tells the poor Chinese it cannot be trusted!

  20. tutugreen wrote on

    It should have been removed long ago.
