Categories: CA Program Security

Distrusting New CNNIC Certificates

Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident.

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the mozilla.dev.security.policy forum.

The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.
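The check described above (distrust a certificate chaining to a CNNIC root whose notBefore is on or after 1 April 2015) and the follow-up in the previous paragraph (a cert with a pre-cutoff date that is not on CNNIC's published list is suspicious, since the CA itself chooses that date) can be modelled as follows. This is an added example written for this page, not Mozilla's or Firefox's code: it assumes the chain has already been validated to a root, that we know the root's subject CN (Firefox actually identifies roots by their key or hash, not by name; the CN set here is an illustrative stand-in), and that the notBefore value is supplied in the ASN.1 UTCTime or GeneralizedTime form in which X.509 encodes it. The fingerprints and the "published list" are constructed sample data.

```python
"""Date-based distrust check modelled on the CNNIC decision (added example)."""
from datetime import datetime, timezone

# Policy cutoff from the post: notBefore on or after 1 April 2015 is distrusted.
CUTOFF = datetime(2015, 4, 1, tzinfo=timezone.utc)

# Assumption: root subject CNs treated as "CNNIC's roots". Illustrative only;
# a real implementation keys on the root's public key or certificate hash.
CNNIC_ROOT_CNS = frozenset({"CNNIC ROOT"})


def parse_asn1_time(value: str) -> datetime:
    """Parse an X.509 validity time as encoded in a certificate.

    RFC 5280 allows UTCTime ('YYMMDDHHMMSSZ', two-digit year, 50-99 => 19xx,
    00-49 => 20xx) and GeneralizedTime ('YYYYMMDDHHMMSSZ'), both in UTC.
    """
    if not value.endswith("Z"):
        raise ValueError("X.509 validity times must be UTC (trailing 'Z')")
    digits = value[:-1]
    if len(digits) == 12:            # UTCTime
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:          # GeneralizedTime
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unrecognised time encoding: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def classify(root_cn: str, not_before: str, fingerprint: str,
             published_valid: frozenset = frozenset()) -> str:
    """Classify a certificate under the post's policy.

    Returns 'not-affected' (other roots), 'distrusted-new' (notBefore on or
    after the cutoff), 'suspicious-backdated' (pre-cutoff date but absent from
    the CA's published list of currently-valid certs, which is the case the
    post says may trigger further action), or 'trusted'.
    """
    if root_cn not in CNNIC_ROOT_CNS:
        return "not-affected"
    if parse_asn1_time(not_before) >= CUTOFF:
        return "distrusted-new"
    if published_valid and fingerprint not in published_valid:
        # The CA writes notBefore itself, so a pre-cutoff date alone proves
        # nothing; the published list is the only cross-check available.
        return "suspicious-backdated"
    return "trusted"


if __name__ == "__main__":
    # Constructed sample data: fingerprints are placeholders, not real certs.
    published = frozenset({"sha256:aaaa...", "sha256:bbbb..."})
    samples = [
        ("CNNIC ROOT", "150331235959Z", "sha256:aaaa..."),   # last second before cutoff
        ("CNNIC ROOT", "150401000000Z", "sha256:cccc..."),   # exactly at cutoff
        ("CNNIC ROOT", "150301120000Z", "sha256:dddd..."),   # old date, not on list
        ("Some Other Root", "20150601000000Z", "sha256:eeee..."),
    ]
    for root, nb, fp in samples:
        print(f"{root:16} notBefore={nb:16} -> {classify(root, nb, fp, published)}")
```

The boundary matters: "on or after 1 April 2015" means `150401000000Z` is already distrusted while `150331235959Z` is not, so the comparison is `>=` against a UTC-aware cutoff, never a naive local-time comparison.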

We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.

Mozilla Security Team

96 comments on “Distrusting New CNNIC Certificates”

  1. Hans wrote on

    Congratulations on making the right decision. I’m sure others can and have said it better, but I’d like to say that much of the failure of SSL/TLS security can be attributed to the flaccid policy and crisis response that Mozilla shows in these situations. User privacy and security must come first, even if inconvenient. Lives may depend on it. Mozilla’s approach puts convenience and commercial interests first.

    1. fuck wrote on

      Funk.your.shit

    2. Jeremy Wang wrote on

      First, I come from China. Hearing this, I feel it may be a serious problem with CNNIC and the Chinese Internet. But I also feel that's good news, because CNNIC is controlled by the Chinese government. Maybe it will make the Chinese Gov change their attitude and help the Internet to develop better. So I support Mozilla and Google's decision. I believe this will help us.
      Let's try our best to make our Internet World more clean and fair.

  2. Seth wrote on

    If you care that much about certificates, why is DANE & DNSSEC not treated with a higher priority?
    This would allow websites to pin the used certificate and use self-signed certs as well.
    For the future this could help more security-related things like the OPENPGPKEYINFO DNS record or the successor to the old mail protocol, DIME, which is developed by Ladar Levison.
    I fail to see why Mozilla is ignoring this lovely idea of DNSSEC so stubbornly.

    1. Bob wrote on

      Because DNSSEC protects against no known threat model that any correct end-to-end system protects against?

      1. asdfasdf wrote on

        Erm… you need to take a look at the crypto and read up on DNS poisoning attacks. If certificate hashes were included in a properly secured DNS system, these certificate issuance problems would be less serious.

        Or do you work for an “insert credit card here” certificate provider?

  3. 朴文秀 wrote on

    Great Job! You should have done this 6 years ago.
    Remember these?
    https://bugzilla.mozilla.org/show_bug.cgi?id=542689
    https://bugzilla.mozilla.org/show_bug.cgi?id=476766

    1. NN wrote on

      Hope MS and Apple also do it.
      Revoke something bad.

  4. virusdefender wrote on

    Great!

  5. lihlii wrote on

    Mozilla security group is below professional standard. I suspect they get money from PRC government funds, so they used every ridiculous excuse to keep the CNNIC rogue CA root cert.

    I tried to explain to them in the Mozilla security mailing list/group and Mozilla bugzilla and then fought with their stupidity, then abandoned the mission impossible.

    It’s impossible to wake up somebody who pretends to be sleeping.

    https://bugzilla.mozilla.org/show_bug.cgi?id=542689
    https://bugzilla.mozilla.org/show_bug.cgi?id=476766
    https://groups.google.com/d/topic/mozilla.dev.security.policy/F7471-CzPow/discussion

  6. 文科 wrote on

    good job

  7. GIGI wrote on

    Good job.

  8. Cbdy wrote on

    The decision is rightly predicting.

  9. 仲郭银 wrote on

    Support.

  10. 柠檬 wrote on

    I've already removed it manually anyway.

  11. BOGU wrote on

    Good job.

  12. Samuel wrote on

    Right decision. Hope IE can follow up!

  13. ANTI CHINA GOV wrote on

    LET CHINA GOV OUT of the internet management.

  14. s2 wrote on

    GOOD JOB

  15. Anonymous wrote on

    Congratulations!

  16. Yukiteru wrote on

    Nice Work!

  17. Asrasun wrote on

    Good job!

  18. xudong wrote on

    good job~

  19. asdfasdf wrote on

    Congratulations

  20. 做得好! wrote on

    Strongly support this; this rogue should have been revoked long ago. I also hope Opera and IE join in.

    1. Abe wrote on

      What about mainland online banking?

      1. danny wrote on

        Online banking doesn't use cnnic certificates.

    2. LaserUFO wrote on

      Microsoft has already announced it is abandoning Internet Explorer.

  21. CHN wrote on

    Good Job!

    NEVER TRUST COMMUNIST PARTY

    This experience was gained by blood.

  22. zhan wrote on

    good job!

  23. william Wang wrote on

    But in firefox 37/firefox 38 beta, cnnic is still in the Authorities list.

  24. su wrote on

    Chinese netizen thank you for this!

  25. nice wrote on

    good job!

  26. Wisilence Seol wrote on

    But, as you discussed before and in the longer document, you will request CNNIC to provide a list of their valid certificates, while here we do not see the list from CNNIC, nor did we see any response from CNNIC to your request. And you still chose to trust the old certificates signed by the CNNIC root CA and not revoke the CNNIC root CA. It is not acceptable to me and I have to ask you: why?
    After the discussion on https://bugzilla.mozilla.org/show_bug.cgi?id=542689 for about 5 or 6 years, I personally want to ask you (who decided to include the CNNIC root CA in Mozilla before and refuse to revoke the CNNIC CA now) a question: does it hurt to be slapped in the face by CNNIC again and again?

  27. aManInchina wrote on

    Congratulations!

  28. 苏远 wrote on

    Anyway, nobody in China is using Firefox.

    1. rick wrote on

      Nope, I use it well.

    2. lamb wrote on

      I use it.

    3. video wrote on

      Fx heavy user reporting in.

    4. gj wrote on

      Maybe from now on, the Chinese government may ban people from using Firefox.

    5. xfq wrote on

      I use Firefox.

  29. shanghai wrote on

    Great Job! You should have done this 6 years ago.
    Remember these?
    https://bugzilla.mozilla.org/show_bug.cgi?id=542689
    https://bugzilla.mozilla.org/show_bug.cgi?id=476766

  30. william wrote on

    Good job!!

  31. jack wrote on

    good, good, good!

  32. wrote on

    Please speak Chinese.

  33. Abe wrote on

    Just leaving my name.

  34. shadowglen wrote on

    Good job!

  35. dntc wrote on

    Good, support, awesome, there's hope now.

  36. JohneyYe wrote on

    Good job!

  37. Mark wrote on

    Good job! Well done!!!

  38. Yiiih wrote on

    Good Job!
    However, the influence of this action is too small; until now, only Firefox and Chrome have decided to distrust CNNIC certs, and these browsers are not popular in China, and Chrome users cannot get Chrome updates because Google has been totally banned in China. Most Chinese users use IE or China-made browsers, and I have not seen any bulletins from Microsoft, Apple or Chinese security groups, due to the gag.
    Microsoft and Apple should distrust CNNIC certs in their browsers as soon as possible, which may make a big impact; maybe also because this will affect their business in China, they did nothing.
    For Chinese browsers, all we can do is cross our fingers and hope the Chinese government becomes transparent.

    1. Cloudream wrote on

      Chinese are fucked by the Chinese government anyway, e.g. Chinese police put drugs in your pocket to frame you if you say something disclosing government corruption, so it's more of a concern that others are not attacked by the Chinese government.

  39. love firefox wrote on

    good news! well done!

  40. ihciah wrote on

    Good job!

  41. Frank wrote on

    Good job.

  42. Jerry wrote on

    Well done!

  43. shizzmk wrote on

    Good job.

  44. nt wrote on

    Finally!

  45. Shelikhoo wrote on

    Thank you!

  46. lain wrote on

    nicely done. china gov is evil.

  47. 「有事燒紙」 wrote on

    Good job!

  48. xinxin wrote on

    nicely done , chinese gov is evil.

  49. 作大死 wrote on

    good job

  50. swpustc wrote on

    I disabled CNNIC some time ago; this is the best news I've heard this year.
    WELL DONE!

  51. JustChin wrote on

    Good Job

  52. XiaoLan wrote on

    80% of Chinese netizens don't trust the government, nicely done!

    1. XiaoLan wrote on

      Without the Chinese government, China would still be an agricultural country.

      Please don’t post comment for money.

      1. oqwu wrote on

        Stupid

      2. park mun-soo wrote on

        This wumao on the second floor is really nasty, even stealing someone else's id.
        XiaoLan wrote on April 4, 2015 at 9:32 am:

      3. Amani wrote on

        You yourself are a fucking guy who's posting for money!!!!

  53. zoisite wrote on

    Beautiful!
    It is a right decision!

  54. jswxdzc wrote on

    Great!

  55. e5ocf93 wrote on

    good job! Very nicely done!

  56. LaserUFO wrote on

    Good job.

  57. wait a day wrote on

    He who commits many unjust deeds brings about his own downfall.

  58. ID7788 wrote on

    I hope Google and Mozilla together stop accepting the CNNIC ROOT, and ideally Microsoft joins in too! Revoke them permanently!

    1. ID7788 wrote on

      Heh... I support CNNIC

      1. park mun-soo wrote on

        This wumao on the second floor is really nasty, even stealing someone else's id.
        ID7788 wrote on April 4, 2015 at 9:33 am:

    2. Jimages wrote on

      I have tested; IE has distrusted the CNNIC Root.

  59. jiangwei wrote on

    Good job

  60. Chinese user wrote on

    Dear Mozilla,

    I’ve been using Firefox since 2006 and I especially like the Vimperator extension of Firefox. Unfortunately, I just got the information that Mozilla no longer trusts CNNIC’s root certificate.

    As a Chinese, I support the work done by CNNIC and I care about China's rights in the Internet world. Mozilla, as an open-source software organization, is supposed not to take political actions. However, you distrust CNNIC's root certificate and this action exploits our rights in the Internet. As you may know, while having a lot of Internet users, China has no root name server. This is already quite unfair, and your action to distrust CNNIC's root certificate makes me feel that our country's most fundamental right in the Internet is exploited.

    It is acknowledged that the United States of America attacked North Korea's Internet system. (http://world.huanqiu.com/hot/2015-03/5955604.html ). The US is also preparing for Internet wars. PRISM is a threat to the security of the global Internet. As Mozilla cares about security so much, please stop holding double standards. While you don't trust CNNIC's certificate, please stop trusting certificates which are issued by US institutions.

    I just removed Firefox from my computer and I am also backing up my email in order to remove Thunderbird. I really hope that you can restore your trust in CNNIC's root certificate. For now, I am informing my friends of this news and I will encourage them to stop using any products by Mozilla.

    Sincerely.

    1. park mun-soo wrote on

      First:
      "Mozilla, as a open-source software organization, is supposed not to take political actions."
      Heh, "political action"? The withdrawal is purely because they were caught with evidence of issuing fake certificates. If you can catch a company from another country issuing fake certificates, you can likewise get mozilla to withdraw trust in it.
      By your reasoning, if a Chinese person commits murder abroad and the foreign police arrest him with evidence, does that count as a so-called "political action"?

      Second:
      " However, you distrust CNNIC's root certificate and this action exploits our rights in the Internet."
      Continuing from the above, by your logic the example above becomes the following sentence:
      "Regardless, you arrested our citizen, so you are violating our country's human rights!"

      Third:
      "As you may know, while having a lot of Internet users, China has no root name server."
      Serves you right!
      There are 13 root name servers (Root Server) worldwide in total; in 2010 mainland China had mirrors of the F, I and J root DNS servers [11], but because it repeatedly DNS-poisoned foreign networks, threatening Internet security and freedom, the I root server in Beijing was disconnected from the international Internet. [12][13] Service has since been restored.
      Source: https://zh.wikipedia.org/zh/防火长城

      Fourth:
      "This is already quite unfair and your action to distrust CNNIC's root certificate makes me feel that our country's most fundamental right in Internet is exploited."
      Continuing the example above:
      "Your action of arresting our citizen is very unfair to us; this person is a citizen of our country, so if you arrest him you are violating the human rights of our country's citizens!"

      Fifth:
      "While you don't trust CNNIC's certificate, please stop trusting certificates which are issued by US institutions."
      See the first point: as long as you can obtain evidence of fake certificate issuance, no matter which country the CA belongs to, you can get mozilla to stop trusting it.
      For example: https://en.wikipedia.org/wiki/DigiNotar#Bankruptcy

      ====================

      Face-slapping finished; additions welcome.

      1. Chinese User wrote on

        Please produce concrete evidence! Not just your say-so, or Western media saying "solid evidence"; please produce it, otherwise stop shouting. Recently, first several Western countries defected to the AIIB, then Obama said he would sanction foreign individuals who launch cyberattacks, then the Github incident happened, and then this incident happened. Heh...

        You still have the nerve to say "serves you right"? China has no power on the Internet and is bullied by the US everywhere. lavabit was shut down because it would not hand the content of users' emails to the US government.

        Oh. China poisons. The US shuts down at will any server that does not suit its whims. The megaupload servers were in Hong Kong, and because there were pirated American movies, the US simply turned the site into a US Department of Justice warning notice. The US PRISM program conducts network surveillance all over the world. Why not deal with this reckless behaviour of the US? I suggest completely cutting the US Internet off from other countries' Internet, to prevent PRISM and similar programs from continuing to pollute the global network environment.

        Slapped your face, right? Heh

      2. 打击美分 wrote on

        Right. China poisoned DNS and harmed international Internet freedom? Oh, serves it right?

        The US PRISM program harmed Internet freedom and security worldwide; why not revoke the US root servers? Why not cut the US Internet off from other countries?

        The magistrates may burn down houses, but the common people may not light lamps. Impressive. A complete double standard. On what basis do you say "serves it right"? Heh

        Also, please present evidence. So far I only see US media and you pro-American bunch supporting it, and most people can see that. Only you, US media, google and mozilla say there is "evidence"; I have not seen any non-Western media acknowledge this as fact. So please produce the evidence and make the original evidence public, instead of you saying "the evidence is conclusive".

        1. lilie wrote on

          So you also admit that what cnnic did is of the same nature as PRISM.

          Don't fail to do a good deed just because it is small, classmate; at least revoking the certificate is right in itself, isn't it, "striker of the meifen".

          1. Fan JIN wrote on

            Please do not associate it with politics. Personally, I wish the Internet is free to diverse political views and free of pirate contents.

            1. Fan JIN wrote on

              I mean, we have free access to diverse political views but there is no pirate content.

    2. Laowai user? wrote on

      False comparison, dear comrade Wumao, you would have to find an example where a US-institution issued a MITM certificate.

      1. Laowai user? wrote on

        And before you come up with TrustWave now, please know that they themselves admitted their fault; this is the point where CNNIC (and all other CAs behaving similarly) should have come out as well. Note that this was 3 years ago, more than enough time!

        1. Chinese User wrote on

          Dear YanSeGeMingCeHuaRen. Good bye.

    3. Amani wrote on

      As a Chinese, you should post for the truth and facts, not money; this is your major principle. It's your own right and choice to decide whether to remove firefox or other mozilla software, but the removal of CNNIC trust is based on facts, not some political action. mozilla firefox will also welcome CNNIC so long as CNNIC stops its misbehavior and CNNIC no longer works for GFW for intermediate attacks.

      1. Anti net-politics wrote on

        Dear Amani. What is "fact"? It's a fact that the United States attacked North Korea's internet. Why doesn't Mozilla remove the trust of internet institutions which helped the US to attack other countries? Google and Apple participated in PRISM, which is a huge misbehavior towards the global Internet. Why don't you take some action on these companies? For example, when a user is visiting google, Firefox could give a notification that "this website participated in PRISM".

        I accept that it's a fact that MCS is misbehaving. CNNIC has revoked the cooperation with MCS. There's also no confidence that CNNIC works for GFW. Meanwhile, the US is attacking other countries' Internet. The US has "PRISM". It's also a fact that Stuxnet and Flame were developed by the US (http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html)

        I suggest you stop posting for money. I understand that it's an advanced skill to deliberately modify some "facts" and to hide some other facts in order to fool the people. A lot of famous people in China are using these skills to tell Chinese people that the US is the best place in the world. Unfortunately, this doesn't work for those who learnt logic.

      2. Anti net-politics wrote on

        Dear Amani,

        I think you should definitely post for the truth instead of for money. Could you provide any evidence which could prove that CNNIC is attacking?

        Also, it's MCS who's misbehaving. CNNIC has revoked cooperation with MCS. So you should remove the trust of MCS instead of CNNIC, according to the facts.

        Also, you deliberately ignored some truths. Let me list them:
        1) The US has PRISM, which is a threat to the global internet.
        2) The US attacked North Korea's Internet according to http://www.bloomberg.com/politics/articles/2015-03-17/north-korea-web-outage-was-response-to-sony-hack-lawmaker-says
        3) The US created the Stuxnet virus according to http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html
        4) The US created Flame according to http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=0

        Well, I am only using Western media as sources to show this evidence, since you might not believe it if I used Chinese or Russian sources. You claim that CNNIC is suspected of helping intermediate attacks; now I have shown the news which admits that the US is attacking other countries' Internet. Why doesn't Firefox do something about that? For example, Google and Apple participated in PRISM. I suggest that when Firefox users are visiting google.com and apple.com, Firefox should give a notice to the user that "this website steals your privacy for PRISM".

  61. whatsthefuckname wrote on

    Support, bump, good!

  62. tutugreen wrote on

    Sending a congratulatory telegram.

  63. 噼啪 wrote on

    Mozilla should indeed revoke all CNNIC certificates across the board, because CNNIC is an organization with no identity whatsoever: it is not a department of the Chinese government, not a commercial enterprise, and not a non-profit organization. It is an institution with no legal registration, and therefore absolutely must not be trusted.