{"id":1930,"date":"2015-03-23T15:23:59","date_gmt":"2015-03-23T22:23:59","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=1930"},"modified":"2016-09-30T02:49:20","modified_gmt":"2016-09-30T09:49:20","slug":"revoking-trust-in-one-cnnic-intermediate-certificate","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2015\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/","title":{"rendered":"Revoking Trust in one CNNIC Intermediate Certificate"},"content":{"rendered":"<p>Mozilla was recently notified that an intermediate certificate, which chains up to a root included in <a title=\"CA Overview\" href=\"https:\/\/wiki.mozilla.org\/CA:Overview\" target=\"_blank\">Mozilla\u2019s root store<\/a>, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The <a title=\"CA FAQ\" href=\"https:\/\/wiki.mozilla.org\/CA:FAQ\" target=\"_blank\">Certificate Authority<\/a> (CA) has told us that this action was not permitted by their policies and practices and the agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. 
While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to <a title=\"OneCRL\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/03\/03\/revoking-intermediate-certificates-introducing-onecrl\/\" target=\"_blank\">OneCRL<\/a>, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37.<\/p>\n<p><strong>Issue<\/strong><br \/>\nChina Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China (CAC), operates the &#8220;CNNIC Root&#8221; and &#8220;China Internet Network Information Center EV Certificates Root&#8221; certificates that are included in <a title=\"NSS\" href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Projects\/NSS\" target=\"_blank\">NSS<\/a>, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. <a title=\"Mozilla CA Certificate Policy\" href=\"http:\/\/www.mozilla.org\/projects\/security\/certs\/policy\/\" target=\"_blank\">Mozilla\u2019s CA Certificate Policy<\/a> prohibits certificates from being used in this manner when they chain up to a root certificate in <a title=\"CA Overview\" href=\"https:\/\/wiki.mozilla.org\/CA:Overview\" target=\"_blank\">Mozilla\u2019s CA program<\/a>.<\/p>\n<p><strong>Impact<\/strong><br \/>\nAn intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. 
An attacker armed with a fraudulent SSL certificate and an ability to control their victim\u2019s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to CNNIC&#8217;s customer&#8217;s internal network.<\/p>\n<p><strong>Status<\/strong><br \/>\nMozilla is adding the revoked intermediate certificate that was mis-used in the firewall device to <a title=\"OneCRL\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/03\/03\/revoking-intermediate-certificates-introducing-onecrl\/\" target=\"_blank\">OneCRL<\/a> which will be shipping in Firefox 37. Additional action regarding this CA will be discussed in the <a title=\"mozilla.dev.security.policy\" href=\"https:\/\/www.mozilla.org\/en-US\/about\/forums\/#dev-security-policy\" target=\"_blank\">mozilla.dev.security.policy<\/a> forum. When similar incidents have happened in the past, responses have included requiring <a title=\"TurkTrust Incident Response\" href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=835538\" target=\"_blank\">additional audits<\/a> to confirm that the CA updated their procedures, and using name constraints to <a title=\"ANSSI Incident Response\" href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=952572#c2\" target=\"_blank\"> constrain the CA&#8217;s hierarchy<\/a> to certain domains.<\/p>\n<p><strong>End-user Action<\/strong><br \/>\nWe recommend that all users upgrade to the latest version of Firefox. 
<a title=\"Release Calendar\" href=\"https:\/\/wiki.mozilla.org\/RapidRelease\/Calendar\" target=\"_blank\">Firefox 37<\/a> and future releases of Firefox (including Firefox 38 ESR) will contain <a title=\"OneCRL\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/03\/03\/revoking-intermediate-certificates-introducing-onecrl\/\" target=\"_blank\">OneCRL<\/a> which will be used for this certificate revocation and for future certificate revocations of this type.<\/p>\n<p><strong>Credit<\/strong><br \/>\nThanks to <a title=\"Google Security Blog\" href=\"http:\/\/googleonlinesecurity.blogspot.com\/2015\/03\/maintaining-digital-certificate-security.html\" target=\"_blank\">Google<\/a> for reporting this issue to us.<\/p>\n<p>Mozilla Security Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla\u2019s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/\">Read more<\/a><\/p>\n","protected":false},"author":581,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69],"tags":[],"coauthors":[45544],
"yoast_head_json":{"title":"Revoking Trust in one CNNIC Intermediate Certificate - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2015\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/","twitter_misc":{"Written by":"Kathleen Wilson","Est. reading time":"2 minutes"},
"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2015\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/","url":"https:\/\/blog.mozilla.org\/security\/2015\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/","name":"Revoking Trust in one CNNIC Intermediate Certificate - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2015-03-23T22:23:59+00:00","dateModified":"2016-09-30T09:49:20+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2015\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2015\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2015\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Revoking Trust in one CNNIC Intermediate Certificate"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063","name":"Kathleen Wilson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca","url":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","caption":"Kathleen Wilson"}}]}},
"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1930"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/581"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1930"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1930\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1930"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}