Distrusting New CNNIC Certificates

Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., certificates usable for man-in-the-middle interception of TLS connections to those domains). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident.

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices, and with no oversight of how the private key was stored or controlled, was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots whose notBefore date (the start of its validity period) is on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the mozilla.dev.security.policy forum.

The notBefore date that will be checked is inserted into the certificate by CNNIC, so a certificate backdated to before the cutoff would pass the date check. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.
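As an added illustration (this is not Mozilla’s code and not how Firefox implements the restriction), the following Python models the two rules above as a hook a certificate verifier could run after path building: reject a chain that ends at a distrusted root when any certificate below the root has a notBefore on or after 1 April 2015, and otherwise allow it but report an end-entity certificate that is missing from the CA-supplied list. Certificates are represented as small records carrying their ASN.1 time strings rather than real DER; the root and certificate names, fingerprints and list contents are constructed placeholders, not CNNIC’s actual values. The date check is applied to intermediates as well as end-entity certificates, since the post’s wording covers any certificate issued under the roots.

```python
"""Added example (not Mozilla's or Firefox's code): a chain-validation hook
that applies the two rules from the post to one distrusted root.

Rule 1: if the chain ends at a distrusted root and any certificate below the
        root has notBefore on/after 2015-04-01, reject.
Rule 2: otherwise allow, but report an end-entity certificate that is missing
        from the CA-supplied list of pre-cutoff certificates.
Names, fingerprints and list contents below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Set

CUTOFF = datetime(2015, 4, 1, tzinfo=timezone.utc)

# Stand-ins for the SHA-256 fingerprints of the distrusted roots (constructed).
DISTRUSTED_ROOTS: Set[str] = {"ROOT-FP-PLACEHOLDER-1", "ROOT-FP-PLACEHOLDER-2"}

# Stand-in for the published list of pre-cutoff certificates (constructed).
PUBLISHED_LIST: Set[str] = {"EE-FP-OLD-LISTED"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: str   # UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ"
    fingerprint: str  # stand-in for SHA-256 over the DER encoding


class Verdict(Enum):
    NOT_APPLICABLE = "chain does not end at a distrusted root"
    ALLOW = "allowed"
    ALLOW_REPORT = "allowed, but not on the published list: report it"
    REJECT_NOTBEFORE = "rejected: notBefore on/after cutoff under distrusted root"


def parse_asn1_time(value: str) -> datetime:
    """Parse an RFC 5280 UTCTime or GeneralizedTime in Zulu form.

    UTCTime carries a two-digit year: 50..99 mean 1950..1999 and 00..49 mean
    2000..2049 (RFC 5280, section 4.1.2.5.1).
    """
    if not value.endswith("Z"):
        raise ValueError("only Zulu-time encodings are handled")
    body = value[:-1]
    if len(body) == 12:          # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:        # GeneralizedTime
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unrecognised time encoding: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def check_chain(chain: List[Cert]) -> Verdict:
    """chain[0] is the end-entity certificate, chain[-1] the self-issued trust anchor."""
    if not chain:
        raise ValueError("empty chain")
    for child, parent in zip(chain, chain[1:]):   # issuer/subject names must link up
        if child.issuer != parent.subject:
            raise ValueError(f"{child.subject!r} was not issued by {parent.subject!r}")
    root = chain[-1]
    if root.fingerprint not in DISTRUSTED_ROOTS:
        return Verdict.NOT_APPLICABLE
    # Rule 1: every certificate below the root, intermediates included, must predate the cutoff.
    if any(parse_asn1_time(c.not_before) >= CUTOFF for c in chain[:-1]):
        return Verdict.REJECT_NOTBEFORE
    # Rule 2: a pre-cutoff end-entity missing from the CA's published list is suspicious.
    if chain[0].fingerprint not in PUBLISHED_LIST:
        return Verdict.ALLOW_REPORT
    return Verdict.ALLOW


# Constructed sample certificates (placeholder names and fingerprints).
ROOT = Cert("Placeholder Root", "Placeholder Root", "070416000000Z", "ROOT-FP-PLACEHOLDER-1")
OLD_INT = Cert("Old Intermediate", ROOT.subject, "100101000000Z", "INT-FP-OLD")
NEW_INT = Cert("New Intermediate", ROOT.subject, "20150402000000Z", "INT-FP-NEW")
OTHER_ROOT = Cert("Unrelated Root", "Unrelated Root", "080101000000Z", "ROOT-FP-OTHER")


def demo() -> Dict[str, Verdict]:
    """Run the hook over representative constructed chains."""
    old_listed = Cert("a.example", OLD_INT.subject, "150331235959Z", "EE-FP-OLD-LISTED")
    old_unlisted = Cert("b.example", OLD_INT.subject, "141201000000Z", "EE-FP-OLD-UNLISTED")
    at_cutoff = Cert("c.example", OLD_INT.subject, "150401000000Z", "EE-FP-AT-CUTOFF")
    backdated = Cert("d.example", NEW_INT.subject, "150301000000Z", "EE-FP-BACKDATED")
    unrelated = Cert("e.example", OTHER_ROOT.subject, "160101000000Z", "EE-FP-OTHER")
    return {
        "old listed leaf": check_chain([old_listed, OLD_INT, ROOT]),
        "old unlisted leaf": check_chain([old_unlisted, OLD_INT, ROOT]),
        "leaf at cutoff": check_chain([at_cutoff, OLD_INT, ROOT]),
        "old leaf, new intermediate": check_chain([backdated, NEW_INT, ROOT]),
        "other root": check_chain([unrelated, OTHER_ROOT]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} -> {verdict.value}")
```

The "old leaf, new intermediate" case is the one a backdating CA would try: the end-entity certificate predates the cutoff, but it hangs off an intermediate issued after it, so the chain is still rejected. In a real verifier the fingerprints would be SHA-256 over the DER and the times would come from the certificate’s Validity sequence; a time encoded without the trailing Z is rejected here on purpose, since RFC 5280 requires Zulu time in both encodings.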

We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.

Mozilla Security Team

96 responses

  1. CHN wrote on :

    Good Job!


    This experience was gained through blood.

  2. zhan wrote on :

    good job!

  3. william Wang wrote on :

    But in Firefox 37/Firefox 38 beta, CNNIC is still in the Authorities list.

  4. su wrote on :

    Chinese netizens thank you for this!

  5. nice wrote on :

    good job!

  6. Wisilence Seol wrote on :

    But, as you discussed before and in the longer document, you will request CNNIC to provide a list of their valid certificates, while here we do not see the list from CNNIC, nor did we see any response from CNNIC to your request. And you still chose to trust the old certificates signed by the CNNIC root CA and not to revoke the CNNIC root CA. It is not acceptable to me, and I have to ask you: why?
    After the discussion on https://bugzilla.mozilla.org/show_bug.cgi?id=542689 for about 5 or 6 years, I personally want to ask you (who decided to include the CNNIC root CA in Mozilla before and refuse to revoke the CNNIC CA now) a question: does it hurt to be slapped in the face by CNNIC again and again?

  7. aManInchina wrote on :


  8. 苏远 wrote on :

    Anyway, nobody in China is using Firefox.

    1. rick wrote on :

      Nope, I use it well.

    2. lamb wrote on :

      I use it.

    3. video wrote on :


    4. gj wrote on :

      Maybe from now on, Chinese government may ban people using Firefox.

    5. xfq wrote on :

      I use Firefox.

  9. shanghai wrote on :

    Great job! You should have done this 6 years ago.
    Remember these?

  10. william wrote on :

    Good job!!

  11. jack wrote on :

    good, good, good!

  12. wrote on :


  13. Abe wrote on :


  14. shadowglen wrote on :

    Good job!

  15. dntc wrote on :


  16. JohneyYe wrote on :

    Good job!

  17. Mark wrote on :

    Good job! Well done!!!

  18. Yiiih wrote on :

    Good Job!
    However, the influence of this action is too small. Until now, only Firefox and Chrome have decided to distrust CNNIC certs, and these browsers are not popular in China, and Chrome users cannot get Chrome updates because Google has been totally banned in China. Most Chinese users use IE or China-made browsers, and I have not seen any bulletins from Microsoft, Apple or Chinese security groups, due to the gag.
    Microsoft and Apple should distrust CNNIC certs in their browsers as soon as possible, which would have a big influence; maybe because this would affect their business in China, they have done nothing.
    For Chinese browsers, all we can do is cross our fingers and hope the Chinese government becomes transparent.

    1. Cloudream wrote on :

      Chinese are fucked by the Chinese government anyway, e.g. Chinese police put drugs in your pocket to frame you if you say something disclosing government corruption, so it’s more of a concern that others are not attacked by the Chinese government.

  19. love firefox wrote on :

    good news! well done!

  20. ihciah wrote on :

    Good job!
