{"id":1535,"date":"2013-12-09T09:38:30","date_gmt":"2013-12-09T17:38:30","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=1535"},"modified":"2016-09-30T02:52:33","modified_gmt":"2016-09-30T09:52:33","slug":"revoking-trust-in-one-anssi-certificate","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/","title":{"rendered":"Revoking Trust in one ANSSI Certificate"},"content":{"rendered":"<p>Last week, Mozilla was notified that an intermediate certificate, which chains up to a root included in <a title=\"CA Overview\" href=\"https:\/\/wiki.mozilla.org\/CA:Overview\" target=\"_blank\">Mozilla\u2019s root store<\/a>, was loaded into a man-in-the-middle (MITM) traffic management device. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. While this is not a Firefox-specific issue, to protect our users we are updating the <a title=\"CA Overview\" href=\"https:\/\/wiki.mozilla.org\/CA:Overview\" target=\"_blank\">certificate store<\/a> of Firefox in order to distrust these certificates. The <a title=\"CA FAQ\" href=\"https:\/\/wiki.mozilla.org\/CA:FAQ\" target=\"_blank\">Certificate Authority<\/a> (CA) has told us that this action was not permitted by their policies and practices, and they have revoked the intermediate certificate that signed the certificate for the traffic management device.<\/p>\n<p><strong>Issue<\/strong><\/p>\n<p>ANSSI (Agence nationale de la s\u00e9curit\u00e9 des syst\u00e8mes d&#8217;information) is the French Network and Information Security Agency, a part of the French Government. ANSSI (formerly known as DCSSI) operates the \u201cIGC\/A\u201d root certificate that is included in <a title=\"NSS\" href=\"https:\/\/wiki.mozilla.org\/NSS\" target=\"_blank\">NSS<\/a>, and issues certificates for French Government websites that are used by the general public. 
The root certificate has an Issuer field with &#8220;O = PM\/SGDN&#8221;, &#8220;OU = DCSSI&#8221;, and &#8220;CN = IGC\/A&#8221;.<\/p>\n<p>A subordinate CA of ANSSI issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM of domains or websites that the certificate holder did not own or control. <a title=\"Mozilla CA Certificate Policy\" href=\"http:\/\/www.mozilla.org\/projects\/security\/certs\/policy\/\" target=\"_blank\">Mozilla\u2019s CA Certificate Policy<\/a> prohibits certificates from being used in this manner when they chain up to a root certificate in <a title=\"CA Overview\" href=\"https:\/\/wiki.mozilla.org\/CA:Overview\" target=\"_blank\">Mozilla\u2019s CA program<\/a>.<\/p>\n<p><strong>Impact<\/strong><\/p>\n<p>An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim\u2019s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.<\/p>\n<p>We believe that this MITM instance was limited to the subordinate CA\u2019s internal network.<\/p>\n<p><strong>Status<\/strong><\/p>\n<p>Mozilla is actively revoking trust of the subordinate CA certificate that was misused to generate the certificate used by the network appliance. 
This change will be released to all supported versions of Firefox in the <a title=\"Mozilla Release Calendar\" href=\"https:\/\/wiki.mozilla.org\/RapidRelease\/Calendar\" target=\"_blank\">updates this week<\/a>.<\/p>\n<p>Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum.<\/p>\n<p><strong>End-user Action<\/strong><\/p>\n<p>We recommend that all users upgrade to the <a title=\"Firefox Version\" href=\"https:\/\/support.mozilla.org\/en-US\/kb\/find-what-version-firefox-you-are-using\" target=\"_blank\">latest version of Firefox<\/a>. Firefox 26 and Firefox 24 ESR both contain the fix for this issue, and will be released this week.<\/p>\n<p><strong>Credit<\/strong><\/p>\n<p>Thanks to Google for reporting this issue to us.<\/p>\n<p>Kathleen Wilson<br \/>\nModule Owner of Mozilla&#8217;s CA Certificates Module<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week, Mozilla was notified that an intermediate certificate, which chains up to a root included in Mozilla\u2019s root store, was loaded into a man-in-the-middle (MITM) traffic management device. 
It &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/\">Read more<\/a><\/p>\n","protected":false},"author":581,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69],"tags":[],"coauthors":[45544],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Revoking Trust in one ANSSI Certificate - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kathleen Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/\",\"name\":\"Revoking Trust in one ANSSI Certificate - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2013-12-09T17:38:30+00:00\",\"dateModified\":\"2016-09-30T09:52:33+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Revoking Trust in one ANSSI Certificate\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\",\"name\":\"Kathleen Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"caption\":\"Kathleen Wilson\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Revoking Trust in one ANSSI Certificate - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/","twitter_misc":{"Written by":"Kathleen Wilson","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/","url":"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/","name":"Revoking Trust in one ANSSI Certificate - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2013-12-09T17:38:30+00:00","dateModified":"2016-09-30T09:52:33+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2013\/12\/09\/revoking-trust-in-one-anssi-certificate\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Revoking Trust in one ANSSI Certificate"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063","name":"Kathleen 
Wilson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca","url":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","caption":"Kathleen Wilson"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1535"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/581"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1535"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1535\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1535"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1535"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1535"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1535"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}