Mozilla Joins Google in Not Trusting CNNIC

“He who does not trust enough, Will not be trusted” ~ Lao Tzu

Rememb er the little story we did a while back about the China Internet Network Information Centre (CNNIC) titled The Curious Case of the Google Certificate that Wasn’t. Well, it appears Mozilla is jumping on the bandwagon. After much public discussion (and most likely some private conversations with more colorful language), Mozilla is not going to trust any CNNIC SSL certificates issued on or after April 1, 2015. And no, this isn’t a late April Fool’s joke.

Source: CNNIC Whitepaper 3/2/15
Source: Unrelated CNNIC Whitepaper 3/2/15

Here’s what Mozilla said on their official security blog:

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

They are leaving options open for CNNIC to re-apply for inclusion in Mozilla’s root store, but no word on whether CNNIC is going to budge.

What About Microsoft and Apple?

According to a post on Naked Security, both Microsoft and Apple are still recognizing CNNIC on their respective Root CA lists. While both companies approach their Root CA list different, as of the middle of this month neither of them appear to have trust issues with CNNIC. Will this result in more people using Safari and the Internet Explorer replacement due with the release of Windows 10?

What Does This Mean for China?

El Reg summed it up thusly:

As a result of these actions, Chrome and Firefox users who try to connect via encrypted HTTPS to websites that use CNNIC-issued SSL certificates will see alert messages warning them that their connections may not be secure – even for online banks, e-commerce shops, and other sites that manage sensitive information.

The question is whether or not users will ignore the root cause of the problem and simply switch to another web browser. Or, even worse, they could just start surfing without the protection of encryption.

What is the CNNIC Response?

Here is the official CNNIC response issued on 4/2/15.

1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration.

2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.

China Internet Network Information Center(CNNIC)April 2nd, 2015
 It will be very interesting to see what (if any) actions are taken by CNNIC in response to not being trusted by Google or Mozilla anymore.

The SSL Takeaway

Without trust, it’s extremely difficult to carry on any type of relationship, especially one centered around business. It appears that both Google and Mozilla are willing to change their stance if and when CNNIC offers some assurance that they’re going to do a better job in the future. In the meantime, people who use Chrome or Firefox may start encountering problems on websites using CNNIC issued SSL certificates. Stay tuned as we keep you up to date on this issue in the weeks and months ahead.