Like Google, Mozilla set to punish Chinese agency for certificate debacle

The organization's current proposal is to reject future CNNIC-issued certificates, but to trust existing ones

The Mozilla Foundation plans to reject new digital certificates issued by the China Internet Network Information Center (CNNIC) in its products, but will continue to trust certificates that already exist.

The move will follow a similar decision announced Wednesday by Google and is the result of CNNIC, a certificate authority (CA) trusted in most browsers and operating systems, issuing an unrestricted intermediary certificate to an Egyptian company called MCS Holdings.

Intermediary certificates inherit the power of the issuing certificate authority and can be used to issue trusted certificates for domain names owned by other organizations.

CNNIC issued the intermediary certificate to MCS Holdings under an agreement that the company would use it only to test new cloud services it was developing. However, allegedly due to human error, the certificate was installed in a firewall device that had HTTPS (HTTP Secure) traffic inspection capabilities.

The device automatically used it to generate certificates for domain names owned by Google in the process of intercepting HTTPS traffic between an internal MCS Holdings computer and Google's services. Google became aware of the unauthorized certificates for its Web properties because of a feature in Chrome that reported them to the company.

After an analysis of the incident, Mozilla established that CNNIC violated several policies by issuing the intermediate certificate to MCS Holdings in the first place. The policies include the Baseline Requirements (BRs) for the Issuance and Management of Publicly-Trusted Certificates developed by the CA/Browser Forum, Mozilla's CA Certificate Inclusion Policy and CNNIC's own Certification Practice Statement (CPS), a declaration of certificate management practices that any CA is required to publish.

The BRs and Mozilla's policy require intermediate certificates to be either technically restricted -- so they can only be used to issue certificates for particular domain names -- or unrestricted but publicly disclosed and audited as root certificates. The certificate issued by CNNIC met neither of those requirements.

Mozilla has yet to announce a final decision, but the likely CNNIC sanctions have been outlined in a proposal submitted for comment on a Mozilla mailing list by Richard Barnes, the organization's cryptographic engineering manager. So far, the proposal has received positive comments, but some details still need to be ironed out, possibly over the next couple of days.

Unlike Google, which has decided to remove CNNIC's root certificates from its products, Mozilla plans to leave them in. However, the organization wants to put restrictions in place so that only certificates issued before a "threshold" date will continue to be trusted.

This effectively means that CNNIC certificates issued after that date, which hasn't been announced yet, will not be trusted by Firefox, Thunderbird and other Mozilla products.

Mozilla will lift the restriction if CNNIC goes through the process required for CAs to have their root certificates included in the Mozilla root program again -- a process that involves extensive verifications and can take around a year. If CNNIC's application fails, its existing root certificates will be completely removed.

In order to prevent CNNIC from issuing new certificates with a creation date set in the past -- "back-dated" certificates -- that would bypass Mozilla's restriction, the organization plans to ask CNNIC for a full list of certificates it has issued until now. Such a list could also be obtained from Google, whose announcement Wednesday suggested that the company already has one.
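As an added illustration (not code from the article, Mozilla or Google), the Go program below builds a hypothetical sub-CA certificate with the standard crypto/x509 package and applies the two rules described above: whether an intermediate is technically restricted by name constraints, the alternative the BRs offer to disclosure and audit, and whether a certificate survives a threshold-date rule that also requires it to appear on the list of certificates the CA disclosed, which is what defeats back-dating. The CA name, domains and threshold date are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewSubCA builds a self-signed CA certificate as constructed test data (no real
// CA or key material). A non-empty permitted list adds critical Name Constraints.
func NewSubCA(permitted []string, notBefore time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Hypothetical Sub CA"},
		NotBefore:                   notBefore,
		NotAfter:                    notBefore.AddDate(2, 0, 0),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// TechnicallyConstrained reports whether a CA certificate can only issue for
// particular domain names; an unrestricted intermediate like MCS Holdings' fails.
func TechnicallyConstrained(c *x509.Certificate) bool {
	return c.IsCA && c.BasicConstraintsValid && len(c.PermittedDNSDomains) > 0
}

// TrustedUnderThreshold models the proposed sanction: the certificate must
// predate the threshold AND its SHA-256 fingerprint must be on the list the CA
// disclosed. NotBefore alone is issuer-controlled, so it cannot be the only test.
func TrustedUnderThreshold(c *x509.Certificate, threshold time.Time, disclosed map[[32]byte]bool) bool {
	return c.NotBefore.Before(threshold) && disclosed[sha256.Sum256(c.Raw)]
}
```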

"To assist customers affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist," Google said in a blog post.

In a practical sense Mozilla's and Google's plans would have the same effect: their respective products will reject new CNNIC-issued certificates until the Chinese authority goes through a recertification process. Both companies will continue to trust existing CNNIC certificates so that users can access sites using those certificates, but possibly for different periods of time.

In a statement published on its website Thursday, CNNIC described Google's decision as "unacceptable and unintelligible."

CNNIC is an agency that operates under China's Ministry of Information Industry. Aside from issuing digital certificates, its responsibilities include administering the .cn top-level domain and assigning IP (Internet Protocol) addresses in the country.
