Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident.
After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.
CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the mozilla.dev.security.policy forum.
The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.
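As an added illustration (not Mozilla's or NSS's code), this Python sketch applies the three mechanisms described above to a simplified chain: OneCRL-style revocation by (issuer, serial), the notBefore cutoff for certificates under the restricted roots, and a check against the published list of currently-valid certificates. The root name, serials and dates are constructed placeholders, not real CNNIC values.

```python
from datetime import datetime, timezone
from typing import NamedTuple

# Minimal parsed-certificate record (constructed for this example); a real
# implementation would take these fields from an X.509 parser.
class Cert(NamedTuple):
    subject: str
    issuer: str
    serial: int
    not_before: datetime

# Certificates under the restricted roots with notBefore on/after this date are distrusted.
CUTOFF = datetime(2015, 4, 1, tzinfo=timezone.utc)

# Placeholder subject for the restricted root (a real deployment pins the actual root).
ROOT_DN = "CN=PLACEHOLDER RESTRICTED ROOT"
RESTRICTED_ROOTS = {ROOT_DN}

# OneCRL-style direct revocation list, keyed by (issuer, serial) like Firefox's OneCRL.
ONECRL = {(ROOT_DN, 0x1001)}          # the misissued unconstrained intermediate (constructed)

# Certificates the CA has disclosed as currently valid, keyed the same way.
DISCLOSED = {(ROOT_DN, 0x2001)}

def evaluate(chain):
    """chain runs leaf first, self-signed root last. Returns a verdict string."""
    root = chain[-1]
    # 1. Direct revocation applies regardless of which root the chain ends in.
    for cert in chain:
        if (cert.issuer, cert.serial) in ONECRL:
            return "revoked:onecrl"
    if root.subject not in RESTRICTED_ROOTS:
        return "ok:trusted-root"
    # 2. Date-based distrust: any cert below the restricted root dated on/after the cutoff.
    for cert in chain[:-1]:
        if cert.not_before >= CUTOFF:
            return "distrusted:notBefore"
    # 3. Pre-cutoff certs missing from the published list are flagged for follow-up.
    for cert in chain[:-1]:
        if (cert.issuer, cert.serial) not in DISCLOSED:
            return "suspect:undisclosed"
    return "ok:disclosed"

# Constructed sample chains exercising each branch.
ROOT = Cert(ROOT_DN, ROOT_DN, 1, datetime(2010, 1, 1, tzinfo=timezone.utc))
MITM_INTER = Cert("CN=Unconstrained Intermediate", ROOT_DN, 0x1001, datetime(2015, 3, 1, tzinfo=timezone.utc))
LEAF_VIA_MITM = Cert("CN=victim.example", MITM_INTER.subject, 7, datetime(2015, 3, 10, tzinfo=timezone.utc))
CHAIN_REVOKED = [LEAF_VIA_MITM, MITM_INTER, ROOT]
CHAIN_POST_CUTOFF = [Cert("CN=new.example", ROOT_DN, 0x3001, CUTOFF), ROOT]
CHAIN_DISCLOSED = [Cert("CN=old.example", ROOT_DN, 0x2001, datetime(2015, 1, 1, tzinfo=timezone.utc)), ROOT]
CHAIN_UNDISCLOSED = [Cert("CN=odd.example", ROOT_DN, 0x2002, datetime(2015, 1, 1, tzinfo=timezone.utc)), ROOT]
```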
We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.
Mozilla Security Team