Google’s Chrome and Mozilla’s Firefox browsers will stop trusting all new digital certificates issued by the China Internet Network Information Center following a major trust breach last week that led to the issuance of unauthorized credentials for Gmail and several other Google domains.
The move could have major consequences for huge numbers of Internet users as Chrome and Firefox, the world’s second and third most widely used browsers respectively, stop recognizing all or many website certificates issued by CNNIC. That could leave huge numbers of users suddenly unable to connect to banks and e-commerce sites. To give affected website operators time to obtain new credentials from a different certificate authority, Google will wait an unspecified period of time before implementing the change. Once that grace period ends, Google and Mozilla will blacklist CNNIC’s root certificates in Firefox, Chrome. Additionally the change to Firefox will affect only CNNIC-derived certificates minted after April 1, assuming CNNIC provides a comprehensive list of its currently-valid certificates.
The unauthorized certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operated under the authority of CNNIC. MCS used the certificates in a man-in-the-middle proxy, a device that intercepts secure connections by masquerading as the intended destination. Such devices are sometimes used by companies to monitor employees’ encrypted traffic for legal or human resources reasons. It’s one of the first times a certificate authority has faced such a banishment since the downfall of Netherlands-based DigiNotar in 2011. Other CAs, including US-based Trustwave, have also done what CNNIC did without getting the boot. While worldwide Chrome is the No. 2 most used browser, it had a commanding, 52-percent share in China last year, compared to 23 percent for IE.
The move was announced on Wednesday evening in an update to last week’s blog post disclosing the misissued certificates. The update left open the possibility that CNNIC may be reinstated at an undetermined future date if the group gives a detailed accounting of all currently valid certificates. The update read:
Update – April 1: As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.
As this post was being prepared, it wasn’t clear if Mozilla or Microsoft planned to update Firefox and Internet explorer to also stop trusting CNNIC. Firefox 37, released this week, stopped trusting all certificates issued by MCS Holdings, and Microsoft has announced similar plans for Windows. Revoking trust in the root CNNIC certificate would be a much more disruptive course of action, since many more website certificates would be affected.
Update 1: In an e-mailed statement, Mozilla Cryptographic Engineering Manager Richard Barnes said: “We believe it is very important to include the Mozilla community in these discussions, so we are taking a bit longer to announce our official plan. We expect to wrap up our discussion in mozilla.dev.security.policy soon, and in the meantime you can see the plan we are currently discussing here.”
The plan under consideration would:
- Reject certificates chaining to CNNIC with a notBefore date after a threshold date
- Request that CNNIC provide a list of currently valid certificates and publish that list so that the community can recognize any back-dated certs
- Allow CNNIC to re-apply for full inclusion, with some additional requirements (to be discussed on this list)
- If CNNIC’s re-application is unsuccessful, then their root certificates will be removed
Update 2: Officials with CNNIC have issued a statement that’s sharply critical of Google’s move. It reads:
1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration.
2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.
Update 3: On Thursday morning, Mozilla’s CA Program Manager Kathleen Wilson published a blog post that confirmed plans for CNNIC-derived certificates to also be blocked in Firefox. Wilson wrote:
After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.
CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the mozilla.dev.security.policy forum.
Update 4: Late Thursday afternoon, Microsoft officials released a statement saying they were still investigating the misissued certificates.