Apple Leaves CNNIC Root in iOS, OSX Certificate Trust Lists

When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether, Apple has kept the root certificates in its trusted store for both iOS and OSX.

Apple on Wednesday released major security upgrades for both of its operating systems and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remain in the trusted stores for iOS and OSX. The company has not made any public statements on the incident or the continued inclusion of CNNIC’s certificates in the trusted stores.

The incident that caused Google and Mozilla to remove CNNIC from their browsers’ respective trust stores occurred in March and involved an intermediate CA called MCS Holdings. That company installed an unrestricted certificate in a device capable of doing SSL interception and issued certificates for several Google domains. Google engineers discovered what had happened and reacted quickly, blocking the bad certificates in Chrome and getting in touch with CNNIC officials.

“CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” Google’s Adam Langley said in a blog post at the time of the incident.

Then last week Google announced that it was taking the unusual step of removing trust for CNNIC’s root certificates from the Chrome trust store altogether. This move has the effect of causing Chrome to throw warnings whenever it encounters a site that’s protected by a certificate derived from CNNIC’s root. Mozilla quickly followed suit and removed the CNNIC certificate from Firefox’s trusted store, as well.

“After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy,” Kathleen Wilson of Mozilla said in a blog post. 

“Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015.”

This was an unusually severe punishment by both Google and Mozilla, and officials at CNNIC said the company didn’t understand what the reasoning was for Google’s decision.

“The decision that Google has made is unacceptable and unintelligible to CNNIC,” the company said in a statement.

Microsoft on March 24 blocked the bad MCS Holdings certificate in Internet Explorer, but the company did not remove CNNIC from its Certificate Trust List. Apple officials did not respond to questions for this story.

Suggested articles