Mozilla piles on China's SSL cert overlord: We don't trust you either
Joins Google in shunning CNNIC – the Middle Kingdom's root certificate authority
Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC).
This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to mint unauthorized SSL certs for Google domains. Because an intermediate carries the signing authority of the trusted root it chains to, browsers would have accepted those certs as genuine, so they could have been used to stand up bogus, password-stealing Gmail.com or Google.com websites.
Google, and now Moz, are outraged by CNNIC's sloppiness in the case. CNNIC is run by the Middle Kingdom's government, and handles the .cn domain name registry, IP address allocation and other things as well as issuing SSL certificates for encrypted websites via intermediaries.
"After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC's behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an 'egregious practice' as per Mozilla's CA Certificate Enforcement Policy," the Mozilla security team wrote in a Thursday blog post.
As a consequence of the incident, all Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted.
Mozilla said it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates. Any certificates issued before April 1 that are not included on this whitelist will also be subject to potential "further action."
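The failure Mozilla calls out above, an "unconstrained" intermediate, and the date-based distrust in the two paragraphs just before this one, shown as an added example that is not from the article, Mozilla, Google, CNNIC or the Egyptian company. It builds a throwaway PKI with Go's standard library: one root, one sub-CA with no name constraints and one restricted to the invented domain mcs.example, then asks Go's path validator whether a sub-CA-issued certificate for mail.google.com is accepted. The root and CA names, the mcs.example domain, the fixed verification clock and the one-root "distrusted" table are all assumptions made for the demo; the April 1, 2015 cutoff is the date from the story, and the policy check is a simplification of what Firefox shipped (which also whitelisted specific older certificates).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Every name, key and date here is invented for the example; none of it is CNNIC's,
// MCS Holdings' or Mozilla's real PKI or code.
var (
	verifyAt   = time.Date(2015, time.May, 1, 0, 0, 0, 0, time.UTC)   // fixed clock, so results are deterministic
	cutoff     = time.Date(2015, time.April, 1, 0, 0, 0, 0, time.UTC) // "issued on or after" date from the story
	distrusted = map[string]bool{"Example Root CA": true}            // roots the date rule applies to (assumed)
)

// issue generates a P-256 key for tmpl and has parentKey sign it; a nil parent self-signs.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// caTemplate builds a 2014-2030 CA; a non-empty permitted list adds a critical NameConstraints extension.
func caTemplate(serial int64, cn string, permitted []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:                big.NewInt(serial),
		Subject:                     pkix.Name{CommonName: cn},
		NotBefore:                   time.Date(2014, time.January, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:                    time.Date(2030, time.January, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains:         permitted, // only names under these domains may be signed
		PermittedDNSDomainsCritical: len(permitted) > 0,
	}
}

// leafTemplate builds a one-year TLS server certificate for host, issued at notBefore.
func leafTemplate(serial int64, host string, notBefore time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verifyChain validates leaf -> inter -> root for host as a browser's path builder would, then
// applies the article's remedy: leaves issued on/after cutoff under a distrusted root are refused.
func verifyChain(leaf, inter, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: verifyAt}); err != nil {
		return err
	}
	if distrusted[root.Subject.CommonName] && !leaf.NotBefore.Before(cutoff) {
		return fmt.Errorf("%s: issued %s, on or after cutoff, under a distrusted root", host, leaf.NotBefore.Format("2006-01-02"))
	}
	return nil
}

// RunScenarios returns, per scenario, the verification error (nil means the chain was accepted).
func RunScenarios() map[string]error {
	root, rootKey := issue(caTemplate(1, "Example Root CA", nil), nil, nil)
	loose, looseKey := issue(caTemplate(2, "Example Sub-CA unconstrained", nil), root, rootKey)
	tight, tightKey := issue(caTemplate(3, "Example Sub-CA constrained", []string{"mcs.example"}), root, rootKey)
	googleLoose, _ := issue(leafTemplate(10, "mail.google.com", cutoff.AddDate(0, -1, 0)), loose, looseKey)
	googleTight, _ := issue(leafTemplate(11, "mail.google.com", cutoff.AddDate(0, -1, 0)), tight, tightKey)
	ownTight, _ := issue(leafTemplate(12, "mail.mcs.example", cutoff.AddDate(0, -1, 0)), tight, tightKey)
	lateLoose, _ := issue(leafTemplate(13, "mail.mcs.example", cutoff.AddDate(0, 0, 14)), loose, looseKey)
	return map[string]error{
		"unconstrained sub-CA signs mail.google.com": verifyChain(googleLoose, loose, root, "mail.google.com"),
		"constrained sub-CA signs mail.google.com":   verifyChain(googleTight, tight, root, "mail.google.com"),
		"constrained sub-CA signs its own domain":    verifyChain(ownTight, tight, root, "mail.mcs.example"),
		"unconstrained sub-CA issues after cutoff":   verifyChain(lateLoose, loose, root, "mail.mcs.example"),
	}
}

func main() {
	fmt.Println(RunScenarios())
}
```

The first scenario is the whole incident in miniature: nothing in the chain stops the unconstrained sub-CA from signing for mail.google.com, and the validator accepts it. With a NameConstraints extension limiting the sub-CA to its own domain, the same certificate is rejected ("not authorized to sign for this name") while the sub-CA's legitimate certificates still validate, which is why the lack of any such constraint is the point Mozilla singles out. The last scenario shows the blunt instrument the root stores reached for afterwards: once the signature chain checks out, a leaf dated on or after the cutoff is refused purely on issuance date.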
The move comes following a similar action by Google, which said on Wednesday that it would stop recognizing the CNNIC certificate authority in a future update to its Chrome browser.
Once those updates ship, Chrome and Firefox users who connect over HTTPS to websites whose certificates chain to CNNIC and are no longer trusted (for Firefox, any issued on or after April 1, 2015) will see alert messages warning them that their connections may not be secure – even for online banks, e-commerce shops, and other sites that handle sensitive information.
CNNIC, which manages both China's .cn country code top-level domain and the system of internationalized domain names that contain Chinese characters, issued a declaration on Thursday condemning Google's ban:
1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urges that Google would take users' rights and interests into full consideration.
2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.
Mozilla added, though, that CNNIC could regain its standing but only after proving that it could be trusted with the responsibility of managing a root certificate authority.
"CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla's inclusion process after completing additional steps that the Mozilla community may require as a result of this incident," the nonprofit's security team said. ®