
Mozilla joins Google in refusing to recognize SSL certificates from China


April 6, 2015


Firefox browser maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC). The news comes as no surprise to many observers in the internet community.

The decision was made after a security firm in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, password-stealing Gmail.com or Google.com websites.

Google and now Mozilla are outraged by CNNIC's sloppiness in this matter. CNNIC is run by the Middle Kingdom's government and handles the .cn domain name registry, IP address allocation and other things, and it also issues SSL certificates for encrypted websites via intermediaries.

"After reviewing all the circumstances in this incident and after an in-depth discussion on our public mailing list, we have concluded that CNNIC's behavior in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an 'egregious practice' as per Mozilla's CA Certificate Enforcement Policy," the Mozilla security team said.

As a consequence of this case, all Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted, and therefore will not work.

Mozilla said that it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates.

Any certificates issued before April 1st that are not included on this whitelist will also be subject to potential "further action."

The move comes following a similar action by Google, which said last Wednesday that it would stop recognizing the CNNIC certificate authority in a future update to its Chrome browser.

As a direct result of these actions, Chrome and Firefox users who try to connect via encrypted HTTPS to websites that use CNNIC-issued SSL certificates will see alert messages warning them that their connections may not be secure – even for online banks, e-commerce shops, and other sites that manage sensitive information.

CNNIC, which manages both China's .cn country code top-level domain and the system of internationalized domain names that contain Chinese characters, issued a declaration on Thursday condemning Google's ban:

1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users' rights and interests into full consideration.

2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.

But Mozilla added that CNNIC could regain its standing only after proving that it could be trusted with the responsibility of managing a root certificate authority.

"CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla's inclusion process after completing additional steps that the Mozilla community may require as a result of this incident," the nonprofit's security team said.

Source: Mozilla.
