Categories: CA Program Security

Distrusting New CNNIC Certificates

Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident.

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the forum.

The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.

We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.

Mozilla Security Team

96 comments on “Distrusting New CNNIC Certificates”

  1. CHN wrote on

    Good Job!


    This experience is got by blood.

  2. zhan wrote on

    good job!

  3. william Wang wrote on

    but in firefox 37/firefox 38 beta ,the cnnic still in Authorities list .

  4. su wrote on

    Chinese netizen thank you for this!

  5. nice wrote on

    good job!

  6. Wisilence Seol wrote on

    But, as you discussed before and in the longer document, you will request CNNIC to provide a list of their valid certificates, while here we do not see the list from CNNIC nor did we see any response from CNNIC to your request. And , you still chose to trust the old certificates signed by the CNNIC root CA and not revoke the CNNIC root CA. it is not acceptable by me and I have to ask you: Why.
    after the discussion on for about 5 or 6 years, I personally want to ask you (who decided to include CNNIC root CA into Mozilla before and refuse to revoke CNNIC CA now) a question: is it hurt to be slapped on your face by CNNIC again and again?

  7. aManInchina wrote on


  8. 苏远 wrote on

    Anyway, nobody in China is using Firefox.

    1. rick wrote on

      nop,i use it well

    2. lamb wrote on

      I use it.

    3. video wrote on


    4. gj wrote on

      Maybe from now on, Chinese government may ban people using Firefox.

    5. xfq wrote on

      I use Firefox.

  9. shanghai wrote on

    Great Job! You should do this 6 years ago.
    Remember these?

  10. william wrote on

    Good job!!

  11. jack wrote on

    good, good, good!

  12. wrote on


  13. Abe wrote on


  14. shadowglen wrote on

    Good job!

  15. dntc wrote on


  16. JohneyYe wrote on

    Good job!

  17. Mark wrote on

    Good job ! 做得好!!!

  18. Yiiih wrote on

    Good Job!
    However, the influence of this action is too small, until now, only Firefox and Chrome decided to distrust CNNIC certs, and these browsers are not popular in China and Chrome users cannot get Chrome updates because Google has been totally banned in China. Most of Chinese users use IE or China-made browsers, and I have not seen any of bulletins from Microsoft, Apple and Chinese security groups, due to gag.
    Microsoft and Apple should distrust CNNIC certs on their browsers as soon as possible, which may make a big influence, maybe also because this will affect their business in China, they did nothing.
    For Chinese browsers, what we only can do, is cross the finger to let the Chinese government become transparent.

    1. Cloudream wrote on

      Chinese are fucked by Chinese government anyway, e.g. Chinese police put drug into your pocket to frame you if you said something disclosure government corruption, so it’s more concern that others are not attacked by Chinese government

  19. love firefox wrote on

    good news! well done!

  20. ihciah wrote on

    Good job!

More comments: 1 2 3 4