Mozilla joins Google in refusing to recognize SSL certificates from China
April 6, 2015
Firefox browser maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC). The news came as no surprise to many observers in the internet community.
The decision was made after a security firm in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certificates that could be used to trick people into connecting to bogus, password-stealing Gmail.com or Google.com websites.
Google and now Mozilla are outraged by CNNIC's sloppiness in this matter. CNNIC is run by the Middle Kingdom's government and handles the .cn domain name registry, IP address allocation and other things as well as issuing SSL certificates for encrypted websites via intermediaries.
"After reviewing all the circumstances in this incident and after an in-depth discussion on our public mailing list, we have concluded that CNNIC's behavior in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an 'egregious practice' as per Mozilla's CA Certificate Enforcement Policy," the Mozilla security team said.
As a consequence of this case, all Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted, and therefore will not work.
Mozilla said that it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates.
Any certificates issued before April 1st that are not included on this whitelist will also be subject to potential "further action."
The move comes following a similar action by Google, which said last Wednesday that it would stop recognizing the CNNIC certificate authority in a future update to its Chrome browser.
As a direct result of these actions, Chrome and Firefox users who try to connect via encrypted HTTPS to websites that use CNNIC-issued SSL certificates will see alert messages warning them that their connections may not be secure – even for online banks, e-commerce shops, and other sites that manage sensitive information.
CNNIC, which manages both China's .cn country code top-level domain and the system of internationalized domain names that contain Chinese characters, issued a declaration on Thursday condemning Google's ban:
1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urges that Google would take users' rights and interests into full consideration.
But Mozilla added that CNNIC could regain its standing only after proving that it could be trusted with the responsibility of managing a root certificate authority.
"CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla's inclusion process after completing additional steps that the Mozilla community may require as a result of this incident," the nonprofit's security team said.