Like Google, Mozilla set to punish Chinese agency for certificate debacle

The organization's current proposal is to reject future CNNIC-issued certificates, but to trust existing ones

The Mozilla Foundation plans to reject new digital certificates issued by the China Internet Network Information Center (CNNIC) in its products, but will continue to trust certificates that already exist.

The move will follow a similar decision announced Wednesday by Google and is the result of CNNIC, a certificate authority (CA) trusted in most browsers and operating systems, issuing an unrestricted intermediary certificate to an Egyptian company called MCS Holdings.

Intermediary certificates inherit the power of the issuing certificate authority and can be used to issue trusted certificates for domain names owned by other organizations.

CNNIC issued the intermediary certificate to MCS Holdings under an agreement that the company would use it only to test new cloud services it was developing. However, allegedly due to human error, the certificate was installed in a firewall device that had HTTPS (HTTP Secure) traffic inspection capabilities.

The device automatically used it to generate certificates for domain names owned by Google in the process of intercepting HTTPS traffic between an internal MCS Holdings computer and Google's services. Google became aware of the unauthorized certificates for its Web properties because of a feature in Chrome that reported them to the company.

After an analysis of the incident, Mozilla established that CNNIC violated several policies by issuing the intermediate certificate to MCS Holdings in the first place. The policies include the Baseline Requirements (BRs) for the Issuance and Management of Publicly-Trusted Certificates developed by the CA/Browser Forum, Mozilla's CA Certificate Inclusion Policy and CNNIC's own Certification Practice Statement (CPS), a declaration of certificate management practices that any CA is required to publish.

The BRs and Mozilla's policy require intermediate certificates to be either technically restricted -- so they can only be used to issue certificates for particular domain names -- or unrestricted but publicly disclosed and audited as root certificates. The certificate issued by CNNIC met neither of those requirements.

Mozilla has yet to announce a final decision, but the likely CNNIC sanctions have been outlined in a proposal submitted for comment on a Mozilla mailing list by Richard Barnes, the organization's cryptographic engineering manager. So far, the proposal has received positive comments, but some details still need to be ironed out, possibly over the next couple of days.

Unlike Google, which has decided to remove CNNIC's root certificates from its products, Mozilla plans to leave them in. However, the organization wants to put restrictions in place so that only certificates issued before a "threshold" date will continue to be trusted.

This effectively means that CNNIC certificates issued after that date, which hasn't been announced yet, will not be trusted by Firefox, Thunderbird and other Mozilla products.

Mozilla will lift the restriction if CNNIC goes through the process required for CAs to have their root certificates included in the Mozilla root program again -- a process that involves extensive verifications and can take around a year. If CNNIC's application fails, its existing root certificates will be completely removed.

In order to prevent CNNIC from issuing new certificates with a creation date set in the past -- "back-dated" certificates -- that would bypass Mozilla's restriction, the organization plans to ask CNNIC for a full list of certificates it has issued until now. Such a list could also be obtained from Google, whose announcement Wednesday suggested that the company already has one.
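To make the two mechanisms in the article concrete (the "technically restricted" intermediate that the Baseline Requirements call for, and the threshold date in Mozilla's proposal), here is an added Go example using only the standard library; it is not code from Mozilla, Google or the article. It builds a constructed toy chain and shows that a name-constrained intermediate cannot produce a trusted certificate for www.google.com, and that a threshold date rejects certificates issued after it. The CA names, the ".mcs.example" constraint and the dates are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent with signer's key (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, signer = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}
func tmpl(serial int64, cn string, notBefore time.Time, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(72 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// BuildChain makes a toy root -> intermediate -> leaf for "www.google.com" (constructed data); constrained restricts the intermediate to ".mcs.example".
func BuildChain(constrained bool, leafNotBefore time.Time) (root, inter, leaf *x509.Certificate) {
	caStart := time.Now().Add(-24 * time.Hour)
	root, rk := sign(tmpl(1, "Toy Root CA", caStart, true), nil, nil)
	it := tmpl(2, "Toy Intermediate", caStart, true)
	if constrained { it.PermittedDNSDomains = []string{".mcs.example"} }
	inter, ik := sign(it, root, rk)
	lt := tmpl(3, "www.google.com", leafNotBefore, false)
	lt.DNSNames, lt.KeyUsage = []string{"www.google.com"}, x509.KeyUsageDigitalSignature
	leaf, _ = sign(lt, inter, ik)
	return
}

// Trusted mirrors the proposed policy: the chain must verify for host (name constraints included) and the leaf must predate threshold.
func Trusted(root, inter, leaf *x509.Certificate, host string, threshold time.Time) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil && leaf.NotBefore.Before(threshold)
}
```

A back-dated certificate would pass the NotBefore check in Trusted, which is why the proposal pairs the threshold date with a full list of the certificates CNNIC has issued.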

"To assist customers affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist," Google said in a blog post.

In a practical sense Mozilla's and Google's plans would have the same effect: their respective products will reject new CNNIC-issued certificates until the Chinese authority goes through a recertification process. Both companies will continue to trust existing CNNIC certificates so that users can access sites using those certificates, but possibly for different periods of time.

In a statement published on its website Thursday, CNNIC described Google's decision as "unacceptable and unintelligible."

CNNIC is an agency that operates under China's Ministry of Information Industry. Aside from issuing digital certificates, its responsibilities include administering the .cn top-level domain and assigning IP (Internet Protocol) addresses in the country.
