UPDATE–Google has taken the unusual step of completely removing trust from Chrome for the Chinese certificate authority CNNIC in the wake of an incident in which certificates issued by the CA were misused. Mozilla followed suit on Thursday, also removing CNNIC from its trust store.
Google officials announced the severe decision on Wednesday, saying that it was made after an investigation by the company and CNNIC. The decision comes a couple of weeks after Google officials discovered that a certificate issued by CNNIC to MCS Holdings, an intermediate CA, was being used in a man-in-the-middle proxy to intercept traffic to some Google domains. Google and other browser vendors had removed trust from their browsers for the misused certificate, but Google has now taken the further step of dropping CNNIC from the Chrome trust store altogether.
“As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist,” Google’s Adam Langley said in an update to the company’s post Wednesday.
“While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”
Unsurprisingly, CNNIC officials took exception to Google’s decision, saying it was “unacceptable”.
“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” the company said in a message posted Thursday.
On Thursday afternoon, Mozilla officials made a similar move, saying that the company’s products would no longer trust any certificate issued by CNNIC with a notBefore date of April 1, 2015, or later.
“After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy,” Kathleen Wilson of Mozilla said in a blog post.
“Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.”
Mozilla released a detailed analysis of the CNNIC incident that describes how the company came to the decision, much of which was based on the fact that CNNIC didn’t ensure that MCS Holdings had the correct safeguards in place before issuing the intermediate certificate to MCS.
“Prior to the issuance of an unconstrained intermediate certificate such as the MCS certificate, CNNIC should have ensured that the subordinate CA’s environment met CNNIC’s documented practices and policies, ensured that the keys were generated in a physically secured environment, ensured that the subordinate CA had appropriate certificate policy and practice documentation, and had a Point-in-Time Readiness Assessment. None of these things happened. Therefore, according to Mozilla policy and the Baseline Requirements, CNNIC should not have issued this certificate,” the report says.
The removal of CNNIC from Chrome’s and Mozilla’s trust stores will have the effect of causing all of the certificates issued by the company to be marked as untrusted by the browsers. This could leave users confused about the authenticity of the sites they’re visiting if they’re unaware of the decision by the companies.
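To make the two remedies concrete, here is an added Go example, not code from Google, Mozilla or CNNIC, showing how a verifier might apply them to a chain that ends in a distrusted root: a Mozilla-style rule that rejects certificates with a notBefore on or after 1 April 2015 (the date from the article), and a Chrome-style whitelist of specific certificates that stay trusted for a limited time. Everything else is constructed for the demonstration: the root, the unconstrained intermediate, the hostname www.example.test and the four leaf certificates are generated in memory with the standard library, and the whitelisted leaf is deliberately issued after the cutoff so that the precedence of the whitelist over the date rule is visible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is an assumed design for the two remedies in the article, not the
// browsers' real code: a notBefore cutoff (Mozilla) and a whitelist (Chrome).
type Policy struct {
	DistrustedRoots map[string]bool // hex SHA-256 of root DER
	Cutoff          time.Time       // leaves issued on or after this are rejected
	Whitelist       map[string]bool // hex SHA-256 of leaf DER still accepted
}

// Fingerprint returns the hex SHA-256 of a certificate's DER encoding.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// Evaluate lets crypto/x509 build the chain(s), then applies the policy to the
// root each chain ends in; one acceptable chain is enough.
func Evaluate(p Policy, leaf *x509.Certificate, inters, roots *x509.CertPool, now time.Time) string {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	if err != nil {
		return "invalid-chain"
	}
	for _, chain := range chains {
		switch root := chain[len(chain)-1]; {
		case !p.DistrustedRoots[Fingerprint(root)]:
			return "trusted"
		case p.Whitelist[Fingerprint(leaf)]:
			return "trusted-whitelist" // Chrome-style grace period
		case leaf.NotBefore.Before(p.Cutoff):
			return "trusted-legacy" // Mozilla-style: issued before the cutoff
		}
	}
	return "distrusted"
}

// tmpl builds a constructed template: an unconstrained CA (like the MCS
// intermediate) when ca is true, otherwise a server leaf for host cn.
func tmpl(cn string, ca bool, notBefore time.Time) *x509.Certificate {
	t := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notBefore.AddDate(5, 0, 0)}
	t.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed random serial
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues t for the subject's key under parent, signed with the issuer key.
func sign(t, parent *x509.Certificate, subject, issuer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, subject.Public(), issuer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate parses cleanly
	return c
}

// Demo builds a throwaway hierarchy (distrusted root -> unconstrained
// intermediate, plus an unrelated trusted root) and evaluates four leaves.
func Demo() map[string]string {
	gen := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	badKey, interKey, goodKey, leafKey := gen(), gen(), gen(), gen()
	day := func(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }
	cutoff, now := day(2015, 4, 1), day(2015, 4, 15) // cutoff is the date from the article
	bt, gt := tmpl("Constructed Distrusted Root", true, day(2014, 1, 1)), tmpl("Constructed Other Root", true, day(2014, 1, 1))
	badRoot, goodRoot := sign(bt, bt, badKey, badKey), sign(gt, gt, goodKey, goodKey)
	inter := sign(tmpl("Constructed Unconstrained Intermediate", true, day(2014, 6, 1)), badRoot, interKey, badKey)
	host := "www.example.test" // constructed hostname
	legacy := sign(tmpl(host, false, day(2015, 3, 1)), inter, leafKey, interKey)
	fresh := sign(tmpl(host, false, day(2015, 4, 10)), inter, leafKey, interKey)
	listed := sign(tmpl(host, false, day(2015, 4, 10)), inter, leafKey, interKey)
	other := sign(tmpl(host, false, day(2015, 4, 10)), goodRoot, leafKey, goodKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(badRoot); roots.AddCert(goodRoot); inters.AddCert(inter)
	p := Policy{map[string]bool{Fingerprint(badRoot): true}, cutoff, map[string]bool{Fingerprint(listed): true}}
	return map[string]string{
		"issued-before-cutoff":     Evaluate(p, legacy, inters, roots, now),
		"issued-after-cutoff":      Evaluate(p, fresh, inters, roots, now),
		"whitelisted-after-cutoff": Evaluate(p, listed, inters, roots, now),
		"unrelated-root":           Evaluate(p, other, inters, roots, now),
	}
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-26s %s\n", k, v)
	}
}
```

The point the example makes is that neither remedy needs the CA to do anything: the verifier keys its decision off the root the chain terminates in, so a certificate that also chains to some other, still-trusted root (the last scenario) is unaffected, while certificates under the distrusted root are accepted only by explicit exception. Note that the whitelist check is applied before the date check, which is why a whitelisted certificate issued after the cutoff is still accepted.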
One historical analog to the CNNIC incident is the 2012 case involving Trustwave, which issued a certificate to a customer that was intended to be used in a DLP system. Google did not completely remove Trustwave from Chrome’s trust store after that incident.
This story was updated on April 2 to add the information about Mozilla.