CNNIC Certificates

I thought I had done a post earlier in regards to Mozilla Revoking Trust in one CNNIC Intermediate Certificate. Turns out I had not. Also had planned on posting more about this earlier this weekend as Mozilla took further actions against the CNNIC certificate authority on Thursday, April 2nd. I did mention this briefly in the Firefox 37.0.1 Released post, but wanted to take a moment and explain about this in a little more detail.

About 2-weeks ago on March 23rd, from the Mozilla Security Blog:

China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program.

When a Certificate Authority (CA) issues an SSL Certificate for a site there are certain verification protocols that must be followed. For ‘Standard’ certificates this includes verifying the information of the certificate requester against the domain registration information of said domain. This includes an automated email and phone call to the email address/phone number registered to that domain. For the higher end ‘Extended Validation (EV)’ certificates (green padlock and/or address bar highlight) the same verification of domain ownership still applies plus verification of the business/organization (involves documentation from the company’s/organization’s lawyers and/or accountants).

In this case these verification protocols were not being followed by the CNNIC customer and they were issuing certificates for various sites (in which they claimed to be own/control, but did not). This could result in these certificates being used in a Man-In-The-Middle (MITM) attack. Wikipedia has a detailed article about MITM attacks. The example they use involves an un-encrypted Wi-Fi Network. While different than web servers, the principle is still the same: you have a person in the middle that is impersonating each end point (in this case with the spoofed SSL Certificates) and is intercepting (and possible changing) the communication.

On April 2nd, Mozilla took further actions against the CNNIC by Distrusting New CNNIC Certificates:

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

The portion above I highlighted in red may not make much sense to people are not familiar with the workings of the PKI (Public Key Infrastructure) industry and its practices. The easiest way I can think of this is with the idiom “Fox Guarding the Hen house”. Another example would be a bank issuing a debit card with PIN. Suppose the customer forgot their PIN and they go to the bank’s website for assistance. The Bank has no documented policy on how they confirm the person contacting them is who they claim to be. The only information the website asks for is the debit card number. Once the debit card information is submitted and matched, the website displays the PIN associated with that card. No other verification takes place and it is just ‘assumed’ the person entering the card number is the cardholder. Worse yet, this bank stores this information in a clear-text database with no security protections which means hackers can get to this information. On top of that some employees have accessed this information and issued themselves spoofed debit cards (with the associated PINs) of several customers. Essentially the “company” is doing the same thing with SSL Certificates while the certificate authority (or in the bank example The Federal Reserve Board or FDIC) ‘looks the other way’.

At least CNNIC did notify Mozilla what happened, instead of sweeping it under the rug. However, as Mozilla pointed out, CNNIC should have never issued the certificate to the company in the first place. This was a serious breach of PKI protocol and will be interesting to see what (if anything) sanctions will be imposed upon this CA.