{"id":1951,"date":"2015-04-02T10:36:59","date_gmt":"2015-04-02T17:36:59","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=1951"},"modified":"2016-09-30T02:49:16","modified_gmt":"2016-09-30T09:49:16","slug":"distrusting-new-cnnic-certificates","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/","title":{"rendered":"Distrusting New CNNIC Certificates"},"content":{"rendered":"<p>Last week, Mozilla was <a title=\"Mozilla Security Blog\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/03\/23\/revoking-trust-in-one-cnnic-intermediate-certificate\/\" target=\"_blank\">notified<\/a> that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for <a title=\"MitM\" href=\"https:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\" target=\"_blank\">MitM<\/a>). We added the intermediate certificate in question to Firefox\u2019s direct revocation system, called OneCRL, and have been further investigating the incident.<\/p>\n<p>After reviewing the circumstances and a <a title=\"mozilla.dev.security.policy\" href=\"https:\/\/groups.google.com\/d\/msg\/mozilla.dev.security.policy\/czwlDNbwHXM\/qPcyC_DWlSwJ\" target=\"_blank\">robust discussion<\/a> on our public mailing list, we have concluded that CNNIC\u2019s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an \u2018egregious practice\u2019 as per <a title=\"Mozilla CA Certificate Enforcement Policy\" href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/enforcement\/\" target=\"_blank\">Mozilla&#8217;s CA Certificate Enforcement Policy<\/a>. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC\u2019s roots with a notBefore date on or after 1st April 2015. We have put together a <a title=\"Response to CNNIC incident\" href=\"https:\/\/blog.mozilla.org\/security\/files\/2015\/04\/CNNIC-MCS.pdf\" target=\"_blank\">longer document<\/a> with more details on the incident and how we arrived at the conclusion we did.<\/p>\n<p>CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla&#8217;s <a title=\"How To Apply\" href=\"https:\/\/wiki.mozilla.org\/CA:How_to_apply\" target=\"_blank\">inclusion process<\/a> after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the <a title=\"mozilla.dev.security.policy\" href=\"https:\/\/www.mozilla.org\/en-US\/about\/forums\/#dev-security-policy\" target=\"_blank\">mozilla.dev.security.policy<\/a> forum.<\/p>\n<p>The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.<\/p>\n<p>We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.<\/p>\n<p>Mozilla Security Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/\">Read more<\/a><\/p>\n","protected":false},"author":581,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69],"tags":[],"coauthors":[45544],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Distrusting New CNNIC Certificates - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kathleen Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/\",\"name\":\"Distrusting New CNNIC Certificates - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2015-04-02T17:36:59+00:00\",\"dateModified\":\"2016-09-30T09:49:16+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Distrusting New CNNIC Certificates\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\",\"name\":\"Kathleen Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"caption\":\"Kathleen Wilson\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Distrusting New CNNIC Certificates - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/","twitter_misc":{"Written by":"Kathleen Wilson","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/","url":"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/","name":"Distrusting New CNNIC Certificates - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2015-04-02T17:36:59+00:00","dateModified":"2016-09-30T09:49:16+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2015\/04\/02\/distrusting-new-cnnic-certificates\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Distrusting New CNNIC Certificates"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063","name":"Kathleen Wilson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca","url":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","caption":"Kathleen Wilson"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1951"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/581"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1951"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1951\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1951"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1951"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1951"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}