When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for several Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC's roots. Apple, however, has kept the CNNIC root certificates in its trust stores for both iOS and OS X.

Apple on Wednesday released major security updates for both of its operating systems, but the root certificates for CNNIC, the Chinese CA at the heart of the controversy, remain in the trust stores for iOS and OS X. The company has made no public statement on the incident or on the continued inclusion of CNNIC's certificates in those stores.

The incident that caused Google and Mozilla to remove CNNIC from their browsers' respective trust stores occurred in March and involved an intermediate CA called MCS Holdings. That company installed its unconstrained intermediate certificate, together with its private key, in a device capable of SSL/TLS interception, and the device issued certificates for several Google domains. Google engineers discovered what had happened and reacted quickly, blocking the bad certificates in Chrome and getting in touch with CNNIC officials.

“CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” Google’s Adam Langley said in a blog post at the time of the incident.

Then last week Google announced that it was taking the unusual step of removing trust for CNNIC's root certificates from the Chrome trust store altogether. This move causes Chrome to throw warnings whenever it encounters a site protected by a certificate that chains to a CNNIC root. Mozilla quickly followed suit, announcing that Firefox would stop trusting newly issued certificates under CNNIC's roots as well.

“After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy,” Kathleen Wilson of Mozilla said in a blog post. 

“Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015.”

This was an unusually severe sanction by both Google and Mozilla, and CNNIC officials said the company did not understand the reasoning behind Google's decision.

“The decision that Google has made is unacceptable and unintelligible to CNNIC,” the company said in a statement.

Microsoft on March 24 blocked the bad MCS Holdings certificate in Internet Explorer, but the company did not remove CNNIC from its Certificate Trust List. Apple officials did not respond to questions for this story.
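The two technical points in the story, the unconstrained intermediate certificate MCS Holdings received and the notBefore cutoff Mozilla chose, are easy to see in a small throwaway PKI. What follows is an added example, not code from the article, Google, Mozilla, CNNIC or MCS Holdings; it uses only Go's standard crypto/x509 package, and the CA names, the domain mcsholdings.example, the serial numbers and the dates are all constructed. It issues a certificate for www.google.com under an unconstrained intermediate (accepted, because the chain is perfectly well formed, which is why Chrome had to block the specific certificates), issues the same certificate under an intermediate carrying a critical dNSName name constraint (rejected by ordinary path validation), and applies a verifier-side rule in the shape of Mozilla's: certificates that chain to the stand-in root are refused when their notBefore date is on or after 1 April 2015.

```go
package main

// Added example (not code from the article, Google, Mozilla, CNNIC or MCS).
// Builds a throwaway PKI with Go's standard crypto/x509. Names, serials and
// dates are constructed; mcsholdings.example and cnnic-example are hypothetical.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var (
	verifyAt = time.Date(2015, time.April, 8, 0, 0, 0, 0, time.UTC) // fixed clock
	cutoff   = time.Date(2015, time.April, 1, 0, 0, 0, 0, time.UTC) // Mozilla's date
	serial   int64
)

type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newTemplate(cn string, notBefore time.Time, years int) *x509.Certificate {
	serial++
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
	}
}

// sign issues tmpl with a fresh P-256 key; self-signed when parent is nil.
func sign(tmpl *x509.Certificate, parent *ca) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &ca{cert: cert, key: key}
}

// newCA creates a root (parent nil) or an intermediate. A non-empty permitted
// list becomes a critical dNSName name constraint: the restriction that was
// missing from the intermediate CNNIC issued to MCS Holdings.
func newCA(parent *ca, cn string, notBefore time.Time, years int, permitted []string) *ca {
	t := newTemplate(cn, notBefore, years)
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if len(permitted) > 0 {
		t.PermittedDNSDomains = permitted
		t.PermittedDNSDomainsCritical = true
	}
	return sign(t, parent)
}

func newLeaf(issuer *ca, host string, notBefore time.Time) *x509.Certificate {
	t := newTemplate(host, notBefore, 1)
	t.DNSNames = []string{host}
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return sign(t, issuer).cert
}

// rootDistrust mirrors Mozilla's rule: chains ending at root are rejected
// when the leaf's notBefore is on or after cutoff.
type rootDistrust struct {
	root   *x509.Certificate
	cutoff time.Time
}

// verify runs standard path validation (expiry, hostname, name constraints)
// for leaf -> inter -> root, then applies rule to every chain found.
func verify(leaf *x509.Certificate, inter, root *ca, host string, rule *rootDistrust) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	inters.AddCert(inter.cert)
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: verifyAt,
	})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if rule != nil && chain[len(chain)-1].Equal(rule.root) && !leaf.NotBefore.Before(rule.cutoff) {
			return fmt.Errorf("distrusted: issued %s under %q, cutoff %s",
				leaf.NotBefore.Format("2006-01-02"), rule.root.Subject.CommonName, rule.cutoff.Format("2006-01-02"))
		}
	}
	return nil
}

// Run evaluates the scenarios from the article; a nil error means accepted.
func Run() map[string]error {
	y2010 := time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC)
	y2014 := time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC)
	before := time.Date(2015, time.March, 20, 0, 0, 0, 0, time.UTC)
	after := time.Date(2015, time.April, 5, 0, 0, 0, 0, time.UTC)
	root := newCA(nil, "cnnic-example root", y2010, 20, nil)
	unconstrained := newCA(root, "mcs-example unconstrained", y2014, 5, nil)
	constrained := newCA(root, "mcs-example constrained", y2014, 5, []string{"mcsholdings.example"})
	rule := &rootDistrust{root: root.cert, cutoff: cutoff}
	return map[string]error{
		// MCS case: a valid chain, so only an explicit block (CRLSet, CTL) stops it.
		"unconstrained_google": verify(newLeaf(unconstrained, "www.google.com", before), unconstrained, root, "www.google.com", nil),
		// Same issuance under a name-constrained intermediate: path validation fails.
		"constrained_google": verify(newLeaf(constrained, "www.google.com", before), constrained, root, "www.google.com", nil),
		"constrained_own":    verify(newLeaf(constrained, "www.mcsholdings.example", before), constrained, root, "www.mcsholdings.example", nil),
		// Mozilla-style cutoff: older CNNIC-chained certificates still work, newer ones do not.
		"rule_before_cutoff": verify(newLeaf(unconstrained, "www.example.cn", before), unconstrained, root, "www.example.cn", rule),
		"rule_after_cutoff":  verify(newLeaf(unconstrained, "www.example.cn", after), unconstrained, root, "www.example.cn", rule),
	}
}
```

Two things are worth noting. First, the name-constraint check is done by the verifier, not the CA, so it protects relying parties even when the intermediate's key is later mishandled; that is exactly the control CNNIC did not apply to MCS Holdings. Second, a notBefore cutoff is only as strong as the CA's honesty about issuance dates, since a CA holding the key could backdate a certificate, which is why Mozilla's rule was paired with public discussion of CNNIC's practices rather than used on its own.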

Categories: Cryptography, Web Security

Comments (2)

  1. Matt H
    1

    It should not fall on just the vendors with PKI trust stores to take action like this. The MCS incident should have caused an immediate audit by WebTrust of the CNNIC CA examining all intermediate CA vetting checks and findings performed by the root CA per the standards. If root CAs do not have appropriate records of their actions, then WebTrust should decertify. If WebTrust decerts CNNIC, every vendor with a store of CA certs would dump CNNIC. The only fault in this, is the time it takes to perform a WebTrust audit might expose end users to the risk of other bad intermediate CAs. But a unilateral action by a middle man does not just punish CNNIC, it also punishes all the other intermediate CAs and companies with certs from those CAs… without regard to any wrong doing on their part.

    • Matt H
      2

      p.s. the Google and Mozilla actions could be neutralized with actions to add the trust of CNNIC by end users back to these products. Or, to remove trust from Mac OS X and iOS. I personally believe end users should be more active in deciding who to trust on the internet, but currently, there are no good tools for whitelisting the intermediate and root trust stores in all the products that have them.

Comments are closed.