Distrusting New CNNIC Certificates

Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident.

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the mozilla.dev.security.policy forum.

The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.
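As an added illustration of the rule described above (this is example code written for this page, not Mozilla's NSS/PSM implementation), the evaluator below applies the two checks the post sets out: a certificate chaining to one of the restricted roots is distrusted when its notBefore is on or after 1 April 2015, and a pre-cutoff certificate from those roots that is missing from the CA's published list of currently-valid certificates is flagged for review. The root names, serial numbers and certificate records are constructed placeholders; a real implementation would identify the roots by their entries in the root store and read notBefore out of the DER, which is why the example also parses the UTCTime/GeneralizedTime encodings that X.509 uses for validity dates.

```python
"""Evaluate a notBefore-based CA distrust rule (added example, not Mozilla's own code)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Cutoff stated in the post: notBefore on or after 1 April 2015 is distrusted.
CUTOFF = datetime(2015, 4, 1, tzinfo=timezone.utc)

# Constructed placeholder names for the restricted roots (a real root store keys
# on the root's subject/public key, not on a label like this).
RESTRICTED_ROOTS = frozenset({"EXAMPLE-CNNIC-ROOT-1", "EXAMPLE-CNNIC-ROOT-2"})


def parse_x509_time(value: str) -> datetime:
    """Parse a Validity time as encoded in a certificate (RFC 5280).

    UTCTime is YYMMDDHHMMSSZ (years 50-99 => 19xx, 00-49 => 20xx);
    GeneralizedTime is YYYYMMDDHHMMSSZ. Both must be UTC ('Z').
    """
    if not value.endswith("Z"):
        raise ValueError("X.509 validity times must be UTC ('Z')")
    digits = value[:-1]
    if len(digits) == 12:  # UTCTime
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:  # GeneralizedTime
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unrecognised time encoding: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertRecord:
    subject: str
    root: str         # root the chain terminates in
    serial: str       # constructed placeholder serial
    not_before: str   # raw X.509 encoding of notBefore


def is_trusted(cert: CertRecord) -> bool:
    """Distrust when the chain ends in a restricted root AND notBefore >= CUTOFF."""
    if cert.root not in RESTRICTED_ROOTS:
        return True
    return parse_x509_time(cert.not_before) < CUTOFF


def needs_review(cert: CertRecord, published_serials: frozenset) -> bool:
    """Flag a still-trusted certificate from a restricted root that the CA did not list."""
    if cert.root not in RESTRICTED_ROOTS or not is_trusted(cert):
        return False
    return cert.serial not in published_serials


def evaluate(certs, published_serials: frozenset) -> dict:
    """Return {serial: (trusted, needs_review)} for every record."""
    return {c.serial: (is_trusted(c), needs_review(c, published_serials)) for c in certs}


# Constructed sample records covering the boundary cases.
SAMPLE_CERTS = [
    CertRecord("a.example", "EXAMPLE-CNNIC-ROOT-1", "01", "150331235959Z"),   # last second before cutoff
    CertRecord("b.example", "EXAMPLE-CNNIC-ROOT-1", "02", "150401000000Z"),   # exactly on the cutoff
    CertRecord("c.example", "EXAMPLE-CNNIC-ROOT-2", "03", "20150515120000Z"), # GeneralizedTime, after
    CertRecord("d.example", "EXAMPLE-CNNIC-ROOT-1", "04", "141201000000Z"),   # pre-cutoff, unlisted
    CertRecord("e.example", "EXAMPLE-OTHER-ROOT", "05", "150601000000Z"),     # unaffected root
]
# Constructed stand-in for the CA's published list of currently-valid certificates.
PUBLISHED_SERIALS = frozenset({"01"})

if __name__ == "__main__":
    for serial, (trusted, review) in evaluate(SAMPLE_CERTS, PUBLISHED_SERIALS).items():
        print(f"serial {serial}: trusted={trusted} needs_review={review}")
```

Note that the comparison is strict on the boundary: a notBefore of exactly 1 April 2015 00:00:00 UTC is distrusted, matching the post's "on or after", and the review flag is only meaningful for certificates that pass the date check.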

We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.

Mozilla Security Team

96 responses

  1. Frank wrote on :

    Good job.

  2. Jerry wrote on :

    Well done!

  3. shizzmk wrote on :

    Good job.

  4. nt wrote on :

    Finally!

  5. Shelikhoo wrote on :

    Thank you!

  6. lain wrote on :

    Nicely done. China gov is evil.

  7. 「有事燒紙」 wrote on :

    Good job!

  8. xinxin wrote on :

    Nicely done, Chinese gov is evil.

  9. 作大死 wrote on :

    Good job

  10. swpustc wrote on :

    I disabled CNNIC some time ago; this is the best news I have heard this year.
    WELL DONE!

  11. JustChin wrote on :

    Good Job

  12. XiaoLan wrote on :

    80% of Chinese netizens don’t trust the government, nicely done!

    1. XiaoLan wrote on :

      Without the Chinese government, China would still be an agricultural country.

      Please don’t post comment for money.

      1. oqwu wrote on :

        Stupid

      2. park mun-soo wrote on :

        This wumao in reply #2 is really vile, even impersonating someone else’s ID.
        XiaoLan wrote on April 4, 2015 at 9:32 am:

      3. Amani wrote on :

        You yourself are a fucking guy who’s posting for money!!!!

  13. zoisite wrote on :

    Beautiful!
    It is a right decision!

  14. jswxdzc wrote on :

    Great!

  15. e5ocf93 wrote on :

    Good job! Very nicely done!

  16. LaserUFO wrote on :

    Good job.

  17. wait a day wrote on :

    He who commits many wrongs will bring about his own ruin.

  18. ID7788 wrote on :

    I hope Google and Mozilla together stop accepting CNNIC ROOT, and ideally Microsoft joins in too! Revoke them permanently!

    1. ID7788 wrote on :

      Heh… I support CNNIC

      1. park mun-soo wrote on :

        This wumao in reply #2 is really vile, even impersonating someone else’s ID.
        ID7788 wrote on April 4, 2015 at 9:33 am:

    2. Jimages wrote on :

      I have tested: IE has distrusted CNNIC Root.

  19. jiangwei wrote on :

    Good job

  20. Chinese user wrote on :

    Dear Mozilla,

    I’ve been using Firefox since 2006 and I especially like the Vimperator extension of Firefox. Unfortunately, I just got the information that Mozilla no longer trusts CNNIC’s root certificate.

    As a Chinese person, I support the work done by CNNIC and I care about China’s rights in the Internet world. Mozilla, as an open-source software organization, is supposed not to take political actions. However, you distrust CNNIC’s root certificate and this action exploits our rights in the Internet. As you may know, while having a lot of Internet users, China has no root name server. This is already quite unfair and your action to distrust CNNIC’s root certificate makes me feel that our country’s most fundamental right in the Internet is exploited.

    It is acknowledged that the United States of America attacked North Korea’s Internet system (http://world.huanqiu.com/hot/2015-03/5955604.html ). The US is also preparing Internet wars. PRISM is a threat to the security of the global Internet. As Mozilla cares about security so much, please stop holding double standards. While you don’t trust CNNIC’s certificate, please stop trusting certificates which are issued by US institutions.

    I just removed Firefox from my computer and I am also backing up my email in order to remove Thunderbird. I really hope that you can restore your trust in CNNIC’s root certificate. For now, I am informing my friends of this news and I will encourage them to stop using any products by Mozilla.

    Sincerely.

    1. park mun-soo wrote on :

      First:
      “Mozilla, as a open-source software organization, is supposed not to take political actions.”
      Heh, “political action”? The distrust is purely because they were caught with evidence of issuing fraudulent certificates. If you can catch a company from any other country issuing fraudulent certificates, you can likewise get Mozilla to revoke its trust in them.
      By your reasoning, if a Chinese person commits murder abroad and the foreign police arrest him with supporting evidence, does that count as a so-called “political action”?

      Second:
      “ However, you distrust CNNIC’s root certificate and this action exploits our rights in the Internet.”
      Continuing from the example above, by your logic this is equivalent to saying:
      “No matter what, arresting our citizen is a violation of our country’s human rights!”

      Third:
      “As you may know, while having a lot of Internet users, China has no root name server.”
      Serves you right!
      There are 13 groups of root name servers (Root Servers) worldwide; in 2010 mainland China had mirrors of the F, I and J root DNS servers [11], but because it repeatedly DNS-poisoned foreign networks, threatening Internet security and freedom, the I root server in Beijing was disconnected from the global Internet. [12][13] Service has since been restored.
      Source: https://zh.wikipedia.org/zh/防火长城

      Fourth:
      “This is already quite unfair and your action to distrust CNNIC’s root certificate makes me feel that our country’s most fundamental right in Internet is exploited.”
      Continuing the example above:
      “Your taking action to arrest our citizen is very unfair to us; this person is a citizen of our country, so if you arrest him you are violating the human rights of our country’s citizens!”

      Fifth:
      “While you don’t trust CNNIC’s certificate, please stop trusting certificates which are issued by US institutions.”
      See the first point: as long as you can produce evidence of issuing fake certificates, Mozilla can be made to stop trusting that CA no matter which country it is from.
      For example: https://en.wikipedia.org/wiki/DigiNotar#Bankruptcy

      ====================

      Face-slapping over; additions welcome.

      1. Chinese User wrote on :

        Produce concrete evidence! Not you saying so, or Western media saying there is “solid evidence”; produce it, otherwise stop shouting. In recent days, first several Western countries defected to the AIIB, then Obama said he would sanction foreign individuals who launch cyber attacks, then the GitHub incident happened, and then this incident. Heh…

        And you have the nerve to say “serves you right”? China has no power on the Internet and is bullied by the US everywhere. Lavabit was shut down because it would not hand over the contents of users’ emails to the US government.

        Oh, China pollutes. The US arbitrarily shuts down servers that don’t suit its wishes. Megaupload’s servers were in Hong Kong, and because they held pirated American films, the US simply turned the site into a US Department of Justice warning notice. The US PRISM program conducts network surveillance across the whole world. Why not deal with this reckless behaviour of the US? I suggest completely cutting off the US Internet from the Internet of other countries, to prevent programs like PRISM from continuing to pollute the world’s network environment.

        Face slapped, right? Heh

      2. 打击美分 wrote on :

        Right. China polluted DNS and harmed international Internet freedom? Oh, serves them right?

        The US PRISM program harmed the Internet freedom and security of the whole world; why not revoke the US root servers? Why not cut off the US Internet from other countries?

        The magistrate may set fires, but the common people may not light lamps. Impressive. A complete double standard. On what grounds do you say “serves them right”? Heh

        Also, please show the evidence. So far only the American media and you pro-American folks are supporting this, and most people can see that. Only you, the American media, Google and Mozilla are saying there is “evidence”; I have not seen any non-Western media acknowledge this as fact. So produce the evidence and publish the original evidence, rather than you just saying “the evidence is conclusive”.

        1. lilie wrote on :

          So you also admit that what CNNIC did is of the same nature as PRISM.

          Don’t neglect a good deed because it is small, classmate; at least revoking the certificate was itself the right thing, wasn’t it, “Meifen striker”.

          1. Fan JIN wrote on :

            Please do not associate it with politics. Personally, I wish the Internet were open to diverse political views and free of pirated content.

            1. Fan JIN wrote on :

              I mean, we should have free access to diverse political views but no pirated content.

    2. Laowai user? wrote on :

      False comparison, dear comrade Wumao, you would have to find an example where a US-institution issued a MITM certificate.

      1. Laowai user? wrote on :

        And before you come up with TrustWave now, please know that they themselves admitted their fault; this is the point where CNNIC (and all other CAs behaving similarly) should have come out as well. Note that this was 3 years ago, more than enough time!

        1. Chinese User wrote on :

          Dear YanSeGeMingCeHuaRen. Good bye.

    3. Amani wrote on :

      As a Chinese, you should post for the truth and facts, not for money; this is your major principle. It’s your own right and choice to decide whether to remove Firefox or other Mozilla software, but the removal of CNNIC trust is based on facts, not some political action. Mozilla Firefox will also welcome CNNIC so long as CNNIC stops its misbehavior, and CNNIC no longer works for the GFW for man-in-the-middle attacks.

      1. Anti net-politics wrote on :

        Dear Amani. What is “fact”? It’s a fact that the United States attacked North Korea’s internet. Why doesn’t Mozilla remove the trust of internet institutions which helped the US to attack other countries? Google and Apple participated in PRISM, which is a huge misbehavior to the global Internet. Why don’t you take some action on these companies? For example, when a user is visiting Google, Firefox could give a notification that “this website participated in PRISM”.

        I accept that it’s a fact that MCS is misbehaving. CNNIC has revoked the cooperation with MCS. There’s also no confidence that CNNIC works for the GFW. Meanwhile, the US is attacking other countries’ Internet. The US has “PRISM”. It’s also a fact that Stuxnet and Flame were developed by the US (http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html)

        I suggest you stop posting for money. I understand that it’s an advanced skill to deliberately modify some “facts” and to hide some other facts in order to fool the people. A lot of famous people in China are using these skills to tell Chinese people that the US is the best place in the world. Unfortunately, this doesn’t work for those who have learnt logic.

      2. Anti net-politics wrote on :

        Dear Amani,

        I think you should definitely post for the truth instead of for money. Could you provide any evidence which could prove that CNNIC is attacking?

        Also, it’s MCS who’s misbehaving. CNNIC has revoked cooperation with MCS. So you should remove trust in MCS instead of CNNIC, according to the facts.

        Also, you deliberately ignored some truths. Let me list them:
        1) The US has PRISM, which is a threat to the global internet.
        2) The US attacked North Korea’s Internet according to http://www.bloomberg.com/politics/articles/2015-03-17/north-korea-web-outage-was-response-to-sony-hack-lawmaker-says
        3) The US created the Stuxnet virus according to http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html
        4) The US created Flame according to http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=0

        Well, I am only using Western media as sources to show this evidence, since you might not believe me if I were using Chinese or Russian sources. You claim that CNNIC is suspected of helping man-in-the-middle attacks; now I have shown the news which admits that the US is attacking other countries’ Internet. Why doesn’t Firefox do something about that? For example, Google and Apple participated in PRISM. I suggest that when Firefox users are visiting google.com and apple.com, Firefox should give a notice to the user that “this website steals your privacy for PRISM”.
