Categories: CA Program Security

Distrusting New CNNIC Certificates

Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident.

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the forum.

The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.

We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.

Mozilla Security Team
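The two controls the post describes, an OneCRL entry for the rogue intermediate and a notBefore cutoff for anything chaining to CNNIC's roots, sketched as an added Python policy check; this is illustrative code, not Mozilla's or NSS's implementation. All root names, subjects, serials and dates except the 1 April 2015 cutoff are constructed placeholders, and the check is applied to every certificate below the root rather than only to the end-entity.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int          # constructed placeholder serials below
    not_before: datetime

# Placeholders, not real CNNIC subject names or serials.
DISTRUSTED_ROOTS = {"PLACEHOLDER CNNIC ROOT"}
CUTOFF = datetime(2015, 4, 1, tzinfo=timezone.utc)   # date from the post
# OneCRL-style revocation entries keyed by (issuer, serial).
ONECRL = {("PLACEHOLDER CNNIC ROOT", 4660)}          # constructed entry for the bad intermediate

def evaluate_chain(chain):
    """chain is ordered leaf -> root. Returns (trusted, reason)."""
    root = chain[-1]
    if root.subject != root.issuer:
        return False, "chain does not terminate in a self-signed root"
    # Control 1: an OneCRL entry anywhere below the root revokes the chain outright,
    # independent of dates, which is what catches the MitM certs already issued.
    for c in chain[:-1]:
        if (c.issuer, c.serial) in ONECRL:
            return False, f"{c.subject}: listed in OneCRL"
    # Control 2: under a restricted root, no cert may carry a notBefore on/after the cutoff.
    if root.subject in DISTRUSTED_ROOTS:
        for c in chain[:-1]:
            if c.not_before >= CUTOFF:
                return False, f"{c.subject}: notBefore {c.not_before.date()} >= cutoff"
    return True, "ok"

def unlisted_legacy_certs(chain, published_serials):
    """Monitoring aid for the post's caveat: notBefore is written by the CA, so certs
    below a restricted root that predate the cutoff but are absent from the CA's
    published list of currently-valid certs deserve a closer look."""
    root = chain[-1]
    if root.subject not in DISTRUSTED_ROOTS:
        return []
    return [c for c in chain[:-1]
            if c.not_before < CUTOFF and c.serial not in published_serials]

# Constructed sample material (not real certificates).
_UTC = timezone.utc
ROOT = Cert("PLACEHOLDER CNNIC ROOT", "PLACEHOLDER CNNIC ROOT", 1, datetime(2010, 1, 1, tzinfo=_UTC))
LEGIT_ICA = Cert("PLACEHOLDER CNNIC SSL CA", "PLACEHOLDER CNNIC ROOT", 2, datetime(2011, 6, 1, tzinfo=_UTC))
ROGUE_ICA = Cert("PLACEHOLDER UNCONSTRAINED ICA", "PLACEHOLDER CNNIC ROOT", 4660, datetime(2015, 3, 20, tzinfo=_UTC))
OLD_LEAF = Cert("example.test", "PLACEHOLDER CNNIC SSL CA", 77, datetime(2015, 3, 1, tzinfo=_UTC))
NEW_LEAF = Cert("example.test", "PLACEHOLDER CNNIC SSL CA", 78, datetime(2015, 4, 1, tzinfo=_UTC))
MITM_LEAF = Cert("victim.test", "PLACEHOLDER UNCONSTRAINED ICA", 9, datetime(2015, 3, 25, tzinfo=_UTC))
```

The MITM_LEAF chain predates the cutoff, so the date rule alone would accept it; only the OneCRL entry rejects it, which is why the post applies both measures.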

96 comments on “Distrusting New CNNIC Certificates”

  1. Hans wrote on

    Congratulations on making the right decision. I’m sure others can and have said it better, but I’d like to say that much of the failure of SSL/TLS security can be attributed to the flaccid policy and crisis response that Mozilla shows in these situations. User privacy and security must come first, even if inconvenient. Lives may depend on it. Mozilla’s approach puts convenience and commercial interests first.

    1. fuck wrote on


    2. Jeremy Wang wrote on

      First, I come from China. Hearing this, I feel it may be a serious problem with CNNIC and the Chinese Internet. But I also feel that’s good news, because CNNIC is controlled by the Chinese government. Maybe it will make the Chinese Gov change their attitude and help the Internet to develop better. So I support Mozilla and Google’s decision. I believe this will help us.
      Let’s try our best to make our Internet World more clean and fair.

  2. Seth wrote on

    If you care that much about certificates, why is DANE & DNSSEC not treated with a higher priority?
    This would allow websites to pin the used certificate and use self-signed certs as well.
    For the future this could help more security-related things like the OPENPGPKEYINFO DNS record or the successor to the old mail protocol, DIME, which is developed by Ladar Levison.
    I fail to see why Mozilla is ignoring this lovely idea of DNSSEC so stubbornly.

    1. Bob wrote on

      Because DNSSEC protects against no known threat model that any correct end-to-end system protects against?

      1. asdfasdf wrote on

        Erm… you need to take a look at the crypto and read up on DNS poisoning attacks. If certificate hashes were included in a properly secured DNS system, these certificate issuance problems would be less serious.

        Or do you work for an “insert credit card here” certificate provider?

  3. 朴文秀 wrote on

    Great Job! You should have done this 6 years ago.
    Remember these?

    1. NN wrote on

      Hope MS and Apple also do it.
      Revoke something bad.

  4. virusdefender wrote on


  5. lihlii wrote on

    Mozilla security group is below professional standard. I suspect they get money from PRC government funds, so they used every ridiculous excuse to keep the CNNIC rogue CA root cert.

    I tried to explain to them in the Mozilla security mailing list/group and Mozilla Bugzilla and then fought with their stupidity, then abandoned the mission impossible.

    It’s impossible to wake up somebody who pretends to be sleeping.

  6. 文科 wrote on

    good job

  7. GIGI wrote on

    Good job.

  8. Cbdy wrote on

    The decision is rightly predicting.

  9. 仲郭银 wrote on


  10. 柠檬 wrote on


  11. BOGU wrote on

    Good job.

  12. Samuel wrote on

    Right decision. Hope IE can follow up!

  13. ANTI CHINA GOV wrote on

    LET CHINA GOV out the internet management.

  14. s2 wrote on


  15. Anonymous wrote on


  16. Yukiteru wrote on

    Nice Work!

  17. Asrasun wrote on

    Good job!

  18. xudong wrote on

    good job~

  19. asdfasdf wrote on


  20. 做得好! wrote on


    1. Abe wrote on


      1. danny wrote on


    2. LaserUFO wrote on

