Like Google, Mozilla set to punish Chinese agency for certificate debacle

02.04.2015
The Mozilla Foundation plans to reject new digital certificates issued by the China Internet Network Information Center (CNNIC) in its products, but will continue to trust certificates that already exist.

The move will follow a similar decision announced Wednesday by Google and is the result of CNNIC, a certificate authority (CA) trusted in most browsers and operating systems, issuing an unrestricted intermediary certificate to an Egyptian company called MCS Holdings.

Intermediary certificates inherit the power of the issuing certificate authority and can be used to issue trusted certificates for domain names owned by other organizations.

CNNIC issued the intermediary certificate to MCS Holdings under an agreement that the company would use it to test new cloud services it was developing. However, allegedly due to human error, the certificate was installed in a firewall device that had HTTPS (HTTP Secure) traffic inspection capabilities.

The device automatically used it to generate certificates for domain names owned by Google in the process of intercepting HTTPS traffic between an internal MCS Holdings computer and Google's services. Google became aware of the unauthorized certificates for its Web properties because of a feature in Chrome that reported them to the company.

After an analysis of the incident, Mozilla established that CNNIC violated several policies by issuing the intermediate certificate to MCS Holdings in the first place. The policies include the Baseline Requirements (BRs) for the Issuance and Management of Publicly-Trusted Certificates developed by the CA/Browser Forum, Mozilla's CA Certificate Inclusion Policy and CNNIC's own Certification Practice Statement (CPS), a declaration of certificate management practices that any CA is required to publish.

The BRs and Mozilla's policy require intermediate certificates to be either technically restricted -- so they can only be used to issue certificates for particular domain names -- or unrestricted but publicly disclosed and audited as root certificates. The certificate issued by CNNIC met neither of those requirements.

Mozilla has yet to announce a final decision, but the likely CNNIC sanctions have been outlined in a proposal submitted for comment on a Mozilla mailing list by Richard Barnes, the organization's cryptographic engineering manager. So far, the proposal has received positive comments, but some details still need to be ironed out, possibly over the next couple of days.

Unlike Google, which has decided to remove CNNIC's root certificates from its products, Mozilla plans to leave them in. However, the organization wants to put restrictions in place so that only certificates issued before a "threshold" date will continue to be trusted.

This effectively means that CNNIC certificates issued after that date, which hasn't been announced yet, will not be trusted by Firefox, Thunderbird and other Mozilla products.

Mozilla will lift the restriction if CNNIC once again goes through the process required for CAs to have their root certificates included in the Mozilla root program -- a process that involves extensive verifications and can take around a year. If CNNIC's application fails, its existing root certificates will be completely removed.

In order to prevent CNNIC from issuing new certificates with a creation date set in the past -- "back-dated" certificates -- that would bypass Mozilla's restriction, the organization plans to ask CNNIC for a full list of certificates it has issued until now. Such a list could also be obtained from Google, whose announcement Wednesday suggested that the company already has one.
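As an added illustration of the two rules described above (the Baseline Requirements' demand that an intermediate be technically restricted by name constraints, and Mozilla's threshold-date restriction), the following Go program is not from the article, Mozilla or CNNIC; it builds a constructed root/intermediate/leaf chain with Go's standard crypto/x509 package and applies both checks. The root name "Example Distrusted Root" and the threshold date passed in are placeholders, since the article says the real date had not been announced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mkCert signs tmpl with parentKey (self-signed when parent is nil) and parses the result.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// caTmpl builds a CA template (constructed validity window); a non-nil permitted list adds a critical DNS name constraint.
func caTmpl(serial int64, cn string, permitted []string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: permitted != nil}
}
// CheckPolicy applies the article's two rules: the intermediate must carry name constraints, and a leaf chaining to the distrusted root must predate threshold.
func CheckPolicy(leaf, inter, root *x509.Certificate, distrustedRoot string, threshold time.Time) error {
	if !inter.IsCA || len(inter.PermittedDNSDomains)+len(inter.ExcludedDNSDomains) == 0 {
		return errors.New("intermediate is unrestricted: no name constraints")
	}
	if root.Subject.CommonName == distrustedRoot && !leaf.NotBefore.Before(threshold) {
		return errors.New("leaf issued under distrusted root on or after the threshold date")
	}
	return nil
}
// Scenario builds a constructed chain whose intermediate is restricted to the permitted domains (unrestricted when nil) and returns the policy verdict.
func Scenario(permitted []string, leafNotBefore, threshold time.Time) error {
	root, rootKey := mkCert(caTmpl(1, "Example Distrusted Root", nil), nil, nil)
	inter, interKey := mkCert(caTmpl(2, "Example Sub-CA", permitted), root, rootKey)
	leaf, _ := mkCert(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.com"}, NotBefore: leafNotBefore, NotAfter: leafNotBefore.AddDate(1, 0, 0)}, inter, interKey)
	return CheckPolicy(leaf, inter, root, "Example Distrusted Root", threshold)
}
```

Note that the NotBefore comparison is exactly what a back-dated certificate would evade, which is why the article says Mozilla wants a complete list of already-issued certificates rather than relying on the date field alone.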

"To assist customers affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist," Google said in a blog post.

In a practical sense Mozilla's and Google's plans would have the same effect: their respective products will reject new CNNIC-issued certificates until the Chinese authority goes through a recertification process. Both companies will continue to trust existing CNNIC certificates so that users can access sites using those certificates, but possibly for different periods of time.

In a statement published on its website Thursday, CNNIC described Google's decision as "unacceptable and unintelligible."

CNNIC is an agency that operates under China's Ministry of Information Industry. Aside from issuing digital certificates, its responsibilities include administering the .cn top-level domain and assigning IP (Internet Protocol) addresses in the country.

Lucian Constantin
