Distrusting New CNNIC Certificates

Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident.

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the mozilla.dev.security.policy forum.

The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.
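The two controls the post describes (the OneCRL revocation of the intermediate, and the date-based distrust of certificates chaining to CNNIC roots with a notBefore on or after 1 April 2015) plus the monitoring step for the published list can be modelled in a few lines. This is an added example, not Mozilla's or NSS's code; the root name, serial numbers, dates and chains are constructed placeholders, and real certificates would of course need signature and path validation as well.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime

# Constructed placeholders, not real CNNIC names, serial numbers or issuance dates.
ROOT = "CN=EXAMPLE-CNNIC-ROOT (constructed)"
CUTOFF = utc(2015, 4, 1)
DISTRUST_AFTER = {ROOT: CUTOFF}       # roots under the date-based restriction
ONECRL = {(ROOT, 0x1001)}             # (issuer, serial) pairs revoked via OneCRL
PUBLISHED_LIST = {(ROOT, 0x2001)}     # CA-supplied list of currently-valid certificates

def evaluate_chain(chain):
    """chain[0] is the end-entity, chain[-1] the root. Returns (trusted, reason)."""
    if not chain:
        return False, "empty chain"
    for cert in chain:                # OneCRL applies to any certificate in the path
        if (cert.issuer, cert.serial) in ONECRL:
            return False, f"OneCRL revocation of {cert.subject}"
    cutoff = DISTRUST_AFTER.get(chain[-1].subject)
    if cutoff is None:
        return True, "root not restricted"
    for cert in chain[:-1]:           # every certificate issued under the restricted root
        if cert.not_before >= cutoff:
            return False, f"{cert.subject}: notBefore {cert.not_before.date()} is on/after {cutoff.date()}"
    return True, "certificates under restricted root all pre-date the cutoff"

def audit_pre_cutoff(chain):
    """Monitoring side of the policy: notBefore is written by the CA and could be backdated,
    so pre-cutoff certificates absent from the published list are returned for follow-up."""
    cutoff = DISTRUST_AFTER.get(chain[-1].subject)
    if cutoff is None:
        return []
    return [c for c in chain[:-1]
            if c.not_before < cutoff and (c.issuer, c.serial) not in PUBLISHED_LIST]

# Constructed sample chains (root self-issued; no intermediate, for brevity).
ROOT_CERT = Cert(ROOT, ROOT, 0x1, utc(2007, 1, 1))
LISTED = [Cert("CN=listed.example", ROOT, 0x2001, utc(2014, 6, 1)), ROOT_CERT]
LATE = [Cert("CN=late.example", ROOT, 0x3001, utc(2015, 4, 1)), ROOT_CERT]
REVOKED = [Cert("CN=revoked.example", ROOT, 0x1001, utc(2014, 6, 1)), ROOT_CERT]
BACKDATED = [Cert("CN=unlisted.example", ROOT, 0x4001, utc(2015, 3, 31)), ROOT_CERT]
```

Note that `BACKDATED` passes the browser-side check (its notBefore is before the cutoff) but is flagged by `audit_pre_cutoff`, which is exactly why the post pairs the date rule with a published list of known-valid certificates.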

We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.

Mozilla Security Team

96 responses

  1. Hans wrote on :

    Congratulations on making the right decision. I’m sure others can and have said it better, but I’d like to say that much of the failure of SSL/TLS security can be attributed to the flaccid policy and crisis response that Mozilla shows in these situations. User privacy and security must come first, even if inconvenient. Lives may depend on it. Mozilla’s approach puts convenience and commercial interests first.

    1. fuck wrote on :

      Funk.your.shit

    2. Jeremy Wang wrote on :

      First, I come from China. Hearing this, I feel it may be a serious problem with CNNIC and the Chinese Internet. But I also feel that's good news, because CNNIC is controlled by the Chinese government. Maybe it will make the Chinese Gov change their attitude and help the Internet to develop better. So I support Mozilla and Google's decision. I believe this will help us.
      Let's try our best to make our Internet World more clean and fair.

  2. Seth wrote on :

    If you care that much about certificates, why is DANE & DNSSEC not treated with a higher priority?
    This would allow websites to pin the used certificate and use self-signed certs as well.
    For the future this could help more security-related things like the OPENPGPKEYINFO DNS record or the successor to the old mail protocol, DIME, which is developed by Ladar Levison.
    I fail to see why Mozilla is ignoring this lovely idea of DNSSEC so stubbornly.

    1. Bob wrote on :

      Because DNSSEC protects against no known threat model that any correct end-to-end system protects against?

      1. asdfasdf wrote on :

        Erm… you need to take a look at the crypto and read up on DNS poisoning attacks. If certificate hashes were included in a properly secured DNS system, these certificate issuance problems would be less serious.

        Or do you work for an “insert credit card here” certificate provider?

  3. 朴文秀 wrote on :

    Great job! You should have done this 6 years ago.
    Remember these?
    https://bugzilla.mozilla.org/show_bug.cgi?id=542689
    https://bugzilla.mozilla.org/show_bug.cgi?id=476766

    1. NN wrote on :

      Hope MS and Apple also do it.
      Revoke something bad.

  4. virusdefender wrote on :

    Great!

  5. lihlii wrote on :

    Mozilla security group is below professional standard. I suspect they get money from the PRC government funds, so they used every ridiculous excuse to keep CNNIC rogue CA root cert.

    I tried to explain to them in the Mozilla security mailing list/group and Mozilla Bugzilla and then fought with their stupidity, then abandoned mission impossible.

    It’s impossible to wake up somebody who pretends to be sleeping.

    https://bugzilla.mozilla.org/show_bug.cgi?id=542689
    https://bugzilla.mozilla.org/show_bug.cgi?id=476766
    https://groups.google.com/d/topic/mozilla.dev.security.policy/F7471-CzPow/discussion

  6. 文科 wrote on :

    good job

  7. GIGI wrote on :

    Good job.

  8. Cbdy wrote on :

    The decision is rightly predicting.

  9. 仲郭银 wrote on :

    I support this.

  10. 柠檬 wrote on :

    Anyway, I have already removed it manually.

  11. BOGU wrote on :

    Good job.

  12. Samuel wrote on :

    Right decision. Hope IE can follow up!

  13. ANTI CHINA GOV wrote on :

    LET CHINA GOV out the internet management.

  14. s2 wrote on :

    GOOD JOB

  15. Anonymous wrote on :

    Congratulations!

  16. Yukiteru wrote on :

    Nice Work!

  17. Asrasun wrote on :

    Good job!

  18. xudong wrote on :

    good job~

  19. asdfasdf wrote on :

    Congratulations

  20. 做得好! wrote on :

    Strongly support this; this rogue should have been revoked long ago. I also hope Opera and IE join in.

    1. Abe wrote on :

      What about mainland online banking?

      1. danny wrote on :

        Online banking does not use CNNIC certificates.

    2. LaserUFO wrote on :

      Microsoft has already announced it is abandoning Internet Explorer.
