SecurityWeek

Mozilla Bans New Certificates Issued by CNNIC

Firefox will not trust any new certificates issued by the China Internet Network Information Center (CNNIC) due to the organization’s “egregious behavior,” Mozilla announced on Thursday.

CNNIC came under fire after it issued an intermediate certificate with no name constraints to Egypt-based MCS Holdings. The company was only allowed to issue certificates for its own domains, but it instead issued certificates for several Google domains.

There is no evidence that other certificates were issued or that the fake Google certificates were used outside the Egyptian company’s own network, but CNNIC will have to take measures before it can be re-included in root stores.

Mozilla is unhappy with the fact that CNNIC issued an unconstrained intermediate certificate to a subordinate certificate authority (CA) without ensuring that it had proper public key infrastructure (PKI) policies and practices in place.

CNNIC has argued that since it was a test certificate valid only for a short period, contractual controls should have been enough to ensure that MCS would not issue certificates for domains other than its own. However, Mozilla believes the misissued certificates might have gone undetected in an audit.

MCS Holdings stated that the private key was stored on the firewall device because the company determined that it was a secure system for holding such sensitive data. The firm noted that it had not received any instructions from CNNIC on how to securely store or manage the intermediate certificate.

“After public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015,” said Kathleen Wilson, the owner of Mozilla’s CA Certificates Module and Policy.


CNNIC’s roots will remain in the root store, and certificates issued before the cutoff will continue to be trusted, but the organization must provide Mozilla with a comprehensive list of the certificates that are currently valid.
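The two controls the story turns on can be shown side by side: the X.509 name constraints (RFC 5280 section 4.2.1.10) that CNNIC omitted when it issued an unconstrained intermediate to MCS Holdings, and Mozilla’s remedy of rejecting any certificate chaining to a CNNIC root with a notBefore on or after April 1, 2015 unless it appears on the list of currently valid certificates CNNIC was asked to supply. The following is an added example written for this page, not code from Mozilla, NSS or CNNIC: certificates are modelled as plain Python dataclasses rather than real DER, and every name, date and the whitelist contents are constructed for illustration (the `.example` domains do not belong to MCS).

```python
"""Added example (not from the article or from Mozilla/CNNIC): a model of
name-constraint checking and of a notBefore-based root distrust with a whitelist.
All certificates, names and dates below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

CUTOFF = date(2015, 4, 1)  # the date in Mozilla's announcement


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    is_ca: bool = False
    san: tuple = ()                        # dNSName SANs of a leaf
    permitted_dns: Optional[tuple] = None  # nameConstraints permittedSubtrees; None = unconstrained


def dns_in_subtree(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName constraint semantics: 'example.com' permits example.com
    and all its subdomains; a leading dot ('.example.com') permits subdomains
    only. Matching is on label boundaries, so 'evilexample.com' never matches."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    if constraint.startswith("."):
        return name.endswith(constraint) and len(name) > len(constraint)
    return name == constraint or name.endswith("." + constraint)


def check_name_constraints(chain):
    """chain is leaf-first. Every CA above the leaf that carries permitted
    subtrees must permit every dNSName in the leaf's SAN list."""
    leaf, issuers = chain[0], chain[1:]
    for ca in issuers:
        if ca.permitted_dns is None:
            continue  # unconstrained CA: nothing here stops mis-issuance
        for name in leaf.san:
            if not any(dns_in_subtree(name, c) for c in ca.permitted_dns):
                return False, f"{name} is not permitted by {ca.subject}"
    return True, "ok"


def verify(chain, trusted_roots, distrusted_root=None, cutoff=None, whitelist=frozenset()):
    """Path validation reduced to the parts this story needs. chain is leaf-first
    and must end at a trusted root. Returns (ok, reason)."""
    if not chain or chain[-1].subject not in trusted_roots:
        return False, "chain does not end at a trusted root"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject} was not issued by {parent.subject}"
        if not parent.is_ca:
            return False, f"{parent.subject} is not a CA"
    ok, reason = check_name_constraints(chain)
    if not ok:
        return False, reason
    leaf, root = chain[0], chain[-1]
    # Mozilla's remedy: under the distrusted root, reject anything issued on or
    # after the cutoff, and anything older that is not on the supplied whitelist.
    if cutoff is not None and root.subject == distrusted_root:
        if leaf.not_before >= cutoff:
            return False, f"{leaf.subject} issued under {root.subject} on/after {cutoff}"
        if leaf not in whitelist:
            return False, f"{leaf.subject} is not on the {root.subject} whitelist"
    return True, "ok"


# --- constructed sample PKI (hypothetical names and dates) ---
CNNIC_ROOT = Cert("CNNIC ROOT", "CNNIC ROOT", date(2007, 4, 16), is_ca=True)
# What CNNIC actually did: an intermediate with no name constraints.
MCS_UNCONSTRAINED = Cert("MCS Test CA", "CNNIC ROOT", date(2015, 3, 20), is_ca=True)
# What it should have done: confine the intermediate to MCS's own domain.
MCS_CONSTRAINED = Cert("MCS Test CA", "CNNIC ROOT", date(2015, 3, 20), is_ca=True,
                       permitted_dns=("mcs.example",))
GOOGLE_LEAF = Cert("www.google.com", "MCS Test CA", date(2015, 3, 20), san=("www.google.com",))
MCS_LEAF = Cert("mail.mcs.example", "MCS Test CA", date(2015, 3, 20), san=("mail.mcs.example",))
LEGIT_OLD = Cert("old.customer.example", "CNNIC ROOT", date(2014, 6, 1), san=("old.customer.example",))
LEGIT_NEW = Cert("new.customer.example", "CNNIC ROOT", date(2015, 4, 1), san=("new.customer.example",))
WHITELIST = frozenset({LEGIT_OLD})  # stands in for the list CNNIC must supply


def run_scenarios():
    """Outcomes before and after Mozilla's policy change, keyed by scenario."""
    roots = {"CNNIC ROOT"}
    policy = dict(distrusted_root="CNNIC ROOT", cutoff=CUTOFF, whitelist=WHITELIST)
    return {
        "google_via_unconstrained": verify([GOOGLE_LEAF, MCS_UNCONSTRAINED, CNNIC_ROOT], roots),
        "google_via_constrained": verify([GOOGLE_LEAF, MCS_CONSTRAINED, CNNIC_ROOT], roots),
        "own_domain_via_constrained": verify([MCS_LEAF, MCS_CONSTRAINED, CNNIC_ROOT], roots),
        "google_after_policy": verify([GOOGLE_LEAF, MCS_UNCONSTRAINED, CNNIC_ROOT], roots, **policy),
        "whitelisted_old_after_policy": verify([LEGIT_OLD, CNNIC_ROOT], roots, **policy),
        "new_after_policy": verify([LEGIT_NEW, CNNIC_ROOT], roots, **policy),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:30s} {'TRUSTED' if ok else 'REJECTED':9s} {reason}")
```

The first scenario is the pre-incident state: with no permitted subtrees on the intermediate, a google.com leaf validates just like an MCS leaf. Adding a single `permittedSubtrees` entry rejects it while still allowing MCS’s own names. The last three scenarios are the post-announcement state: the Google certificate predates the cutoff but is not on the whitelist, a whitelisted older customer certificate still validates, and anything with a notBefore on or after the cutoff is rejected regardless of the whitelist.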

“The Mozilla CA team believes that CNNIC’s actions amount to egregious behaviour, and the violations of policy are greater in severity than those in previous incidents. CNNIC’s decision to violate their own CPS [Certificate Practice Statement] is especially serious, and raises concerns that go beyond the immediate scope of the misissued intermediate certificate,” Mozilla wrote in its report on the incident.

Google made a similar decision earlier this week after completing its investigation into the incident.

Both Mozilla and Google noted that CNNIC can reapply for inclusion in root stores once it addresses current shortfalls. On Thursday, CNNIC issued a statement urging Google to reconsider its decision.

“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” CNNIC stated. “For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”

The organization hasn’t issued a separate response to Mozilla’s decision.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
