
Mozilla Bans New Certificates Issued by CNNIC

Firefox will not trust any new certificates issued by the China Internet Network Information Center (CNNIC) due to the organization’s “egregious behavior,” Mozilla announced on Thursday.

CNNIC came under fire after it issued an unconstrained intermediate certificate (one with no name constraints limiting the domains it could certify) to Egypt-based MCS Holdings. The company was only allowed to issue certificates for its own domains, but instead it issued certificates for several Google domains.

There is no evidence that other certificates were issued or that the fake Google certificates were used outside the Egyptian company’s own network, but CNNIC will have to take corrective measures before it can be re-included in root stores.

Mozilla is unhappy with the fact that CNNIC issued an unconstrained intermediate certificate to a subordinate certificate authority (CA) without ensuring that it had proper public key infrastructure (PKI) policies and practices in place.

CNNIC has argued that since it was a testing certificate that was only valid for a short period of time, contractual controls should have been enough to ensure that MCS would not issue certificates for domains other than its own. However, Mozilla believes that misissued certificates of this kind might have gone unnoticed during an audit.

MCS Holdings stated that the intermediate’s private key was stored on a firewall device because the company determined that it was a secure system for holding such sensitive data. The firm noted that it had not received any instructions from CNNIC on how to securely store or manage the intermediate certificate.

“After public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015,” said Kathleen Wilson, the owner of Mozilla's CA Certificates Module and Policy.

Old CNNIC certificates will remain in the root store, but the organization must provide Mozilla with a comprehensive list of certificates that are currently valid.
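The two failures the article describes, an intermediate with no name constraints and a root whose future issuance is cut off by date, can both be expressed as path-validation checks. The following Go program is an added example written for this page; it is not code from the article, from Mozilla, Google or CNNIC, and it does not reproduce Firefox’s actual implementation. It builds a constructed root, intermediate and leaf with the standard library’s crypto/x509, shows that Go’s verifier rejects a leaf outside the intermediate’s permitted domain only when a name constraint is present, and then applies a modelled version of Mozilla’s rule: chains ending in a listed root are rejected if any certificate below the root has a notBefore on or after the cutoff. All CA names, hostnames (`mcs.example`, `www.unrelated.example`) and the SPKI-hash-keyed cutoff map are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: the certificates below are test fixtures, so a
// generation failure is a programming error, not a condition to handle.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parentKey and returns the certificate and its new key.
// With parent == nil the certificate is self-signed, i.e. a root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// caTemplate is a minimal CA certificate body; all names are constructed.
func caTemplate(cn string, serial int64, notBefore time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(2, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// BuildChain creates root -> intermediate -> leaf for leafHost. A non-empty permittedDomain
// puts a critical name constraint on the intermediate; an empty one leaves it unconstrained.
func BuildChain(permittedDomain, leafHost string, leafNotBefore time.Time) (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	t0 := time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC)
	root, rootKey := issue(caTemplate("Constructed Test Root", 1, t0), nil, nil)
	interTmpl := caTemplate("Constructed Test Intermediate", 2, t0)
	if permittedDomain != "" {
		interTmpl.PermittedDNSDomainsCritical = true
		interTmpl.PermittedDNSDomains = []string{permittedDomain}
	}
	inter, interKey := issue(interTmpl, root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafHost},
		DNSNames:     []string{leafHost},
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotBefore.AddDate(0, 3, 0),
	}, inter, interKey)
	return root, inter, leaf
}

// VerifyChain validates leaf for host against root, offering inter as an untrusted intermediate,
// as a browser would. Go enforces name constraints, so a leaf outside the permitted domain fails here.
func VerifyChain(root, inter, leaf *x509.Certificate, host string, at time.Time) ([]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: at})
	if err != nil {
		return nil, err
	}
	return chains[0], nil // [leaf, intermediate, root]
}

// SpkiHash identifies a root by the SHA-256 of its SubjectPublicKeyInfo rather than by name.
func SpkiHash(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// ApplyNotBeforeCutoff models the rule Mozilla announced: if the chain ends in a root listed
// in cutoffs, every certificate below that root must have a notBefore earlier than the cutoff;
// otherwise the otherwise-valid chain is rejected. Certificates issued before it keep working.
func ApplyNotBeforeCutoff(chain []*x509.Certificate, cutoffs map[string]time.Time) error {
	root := chain[len(chain)-1]
	cutoff, listed := cutoffs[SpkiHash(root)]
	if !listed {
		return nil
	}
	for _, c := range chain[:len(chain)-1] {
		if !c.NotBefore.Before(cutoff) {
			return fmt.Errorf("%q: notBefore %s is on or after the %s distrust cutoff for its root", c.Subject.CommonName, c.NotBefore.Format("2006-01-02"), cutoff.Format("2006-01-02"))
		}
	}
	return nil
}
```

Two points the code makes concrete. First, `VerifyChain` only refuses the unrelated hostname when `BuildChain` is given a permitted domain; an unconstrained intermediate, which is what CNNIC issued, passes every check a browser performs, which is why the only remaining control was the contractual one. Second, `ApplyNotBeforeCutoff` leaves pre-cutoff certificates trusted until they expire, which is exactly why Mozilla paired the date rule with a demand for a complete list of currently valid CNNIC certificates.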

“The Mozilla CA team believes that CNNIC’s actions amount to egregious behaviour, and the violations of policy are greater in severity than those in previous incidents. CNNIC’s decision to violate their own CPS [Certificate Practice Statement] is especially serious, and raises concerns that go beyond the immediate scope of the misissued intermediate certificate,” Mozilla wrote in its report on the incident.

Google made a similar decision earlier this week after completing its investigation into the incident.

Both Mozilla and Google noted that CNNIC can reapply for inclusion in their root stores once it addresses the current shortcomings. On Thursday, CNNIC issued a statement urging Google to reconsider its decision.

“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” CNNIC stated. “For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”

The organization hasn’t issued a separate response to Mozilla’s decision.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.