Like Google, Mozilla set to punish Chinese agency for certificate debacle

The organization's current proposal is to reject future CNNIC-issued certificates, but to trust existing ones

The Mozilla Foundation plans to reject new digital certificates issued by the China Internet Network Information Center (CNNIC) in its products, but will continue to trust certificates that already exist.

The move will follow a similar decision announced Wednesday by Google and is the result of CNNIC, a certificate authority (CA) trusted in most browsers and operating systems, issuing an unrestricted intermediary certificate to an Egyptian company called MCS Holdings.

Intermediary certificates inherit the power of the issuing certificate authority and can be used to issue trusted certificates for domain names owned by other organizations.

CNNIC issued the intermediary certificate to MCS Holdings under an agreement that the company will use it to test new cloud services it was developing. However, allegedly due to human error, the certificate was installed in a firewall device that had HTTPS (HTTP Secure) traffic inspection capabilities.

The device automatically used it to generate certificates for domain names owned by Google in the process of intercepting HTTPS traffic between an internal MCS Holdings computer and Google's services. Google became aware of the unauthorized certificates for its Web properties because of a feature in Chrome that reported them to the company.

After an analysis of the incident, Mozilla established that CNNIC violated several policies by issuing the intermediate certificate to MCS Holdings in the first place. The policies include the Baseline Requirements (BRs) for the Issuance and Management of Publicly-Trusted Certificates developed by the CA/Browser Forum, Mozilla's CA Certificate Inclusion Policy and CNNIC's own Certification Practice Statement (CPS), a declaration of certificate management practices that any CA is required to publish.

The BRs and Mozilla's policy require intermediate certificates to be either technically restricted -- so they can only be used to issue certificates for particular domain names -- or unrestricted but publicly disclosed and audited as root certificates. The certificate issued by CNNIC met neither of those requirements.

Mozilla has yet to announce a final decision, but the likely CNNIC sanctions have been outlined in a proposal submitted for comment on a Mozilla mailing list by Richard Barnes, the organization's cryptographic engineering manager. So far, the proposal has received positive comments, but some details still need to be ironed out, possibly over the next couple of days.

Unlike Google, which has decided to remove CNNIC's root certificates from its products, Mozilla plans to leave them in. However, the organization wants to put restrictions in place so that only certificates issued before a "threshold" date will continue to be trusted.

This effectively means that CNNIC certificates issued after that date, which hasn't been announced yet, will not be trusted by Firefox, Thunderbird and other Mozilla products.

Mozilla will lift the restriction if CNNIC goes through the process required for CAs to have their root certificates included in the Mozilla root program again -- a process that involves extensive verifications and can take around a year. If CNNIC's application fails, its existing root certificates will be completely removed.

In order to prevent CNNIC from issuing new certificates with a creation date set in the past -- "back-dated" certificates -- that would bypass Mozilla's restriction, the organization plans to ask CNNIC for a full list of certificates it has issued until now. Such a list could also be obtained from Google, whose announcement Wednesday suggested that the company already has one.

"To assist customers affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist," Google said in a blog post.
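The back-dating problem and the list-based fix described above can be shown in a short sketch. This is an added example, not Mozilla's or Google's code; the threshold date, root name and sample certificates are constructed placeholders, since the article says the real date had not been announced.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed values: the article says the threshold date was not yet announced.
THRESHOLD = datetime(2015, 4, 1, tzinfo=timezone.utc)   # hypothetical cut-off
RESTRICTED_ROOTS = {"Restricted Example Root"}          # hypothetical root name

@dataclass(frozen=True)
class Cert:
    subject: str
    root: str              # root the chain terminates at
    not_before: datetime   # written by the issuing CA, so it can be back-dated
    der: bytes             # stand-in for the encoded certificate

def fingerprint(cert: Cert) -> str:
    return hashlib.sha256(cert.der).hexdigest()

def trusted_date_only(cert: Cert) -> bool:
    """Threshold rule alone: trusts whatever date the CA wrote."""
    if cert.root not in RESTRICTED_ROOTS:
        return True
    return cert.not_before < THRESHOLD

def trusted_with_list(cert: Cert, known: frozenset) -> bool:
    """Threshold rule plus membership in the disclosed list of existing certificates."""
    if cert.root not in RESTRICTED_ROOTS:
        return True
    return cert.not_before < THRESHOLD and fingerprint(cert) in known

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample certificates.
EXISTING = Cert("shop.example", "Restricted Example Root", utc(2014, 6, 1), b"cert-A")
NEW = Cert("new.example", "Restricted Example Root", utc(2015, 6, 1), b"cert-B")
BACKDATED = Cert("late.example", "Restricted Example Root", utc(2014, 6, 1), b"cert-C")
OTHER_CA = Cert("site.example", "Unrelated Root", utc(2015, 6, 1), b"cert-D")
KNOWN = frozenset({fingerprint(EXISTING)})   # list collected before the threshold

def evaluate() -> dict:
    """Map each sample subject to (date-only verdict, date-plus-list verdict)."""
    return {c.subject: (trusted_date_only(c), trusted_with_list(c, KNOWN))
            for c in (EXISTING, NEW, BACKDATED, OTHER_CA)}

if __name__ == "__main__":
    for subject, verdicts in evaluate().items():
        print(subject, verdicts)
```

The back-dated sample passes the date-only rule and fails once the list is required, which is why the list has to be fixed before the threshold takes effect.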

In a practical sense, Mozilla's and Google's plans would have the same effect: their respective products will reject new CNNIC-issued certificates until the Chinese authority goes through a recertification process. Both companies will continue to trust existing CNNIC certificates so that users can access sites using those certificates, but possibly for different periods of time.

In a statement published on its website Thursday, CNNIC described Google's decision as "unacceptable and unintelligible."

CNNIC is an agency that operates under China's Ministry of Information Industry. Aside from issuing digital certificates, its responsibilities include administering the .cn top-level domain and assigning IP (Internet Protocol) addresses in the country.


Tags: online safety, Google, MCS Holdings, security, Mozilla Foundation, encryption, China Internet Network Information Center, Compliance monitoring, pki


Lucian Constantin

IDG News Service