Following a major breach of trust last week, the Chinese certificate authority CNNIC (China Internet Network Information Center) is being distrusted by Google Chrome and Mozilla Firefox: neither browser will trust new certificates issued under CNNIC's roots.
Because Chrome and Firefox are two of the most widely used browsers in the world, the effect will be felt on every site that serves a CNNIC-issued certificate, including the banking and e-commerce sites where users log in.
Google has given such sites an undisclosed grace period to obtain new certificates from another authority; once it ends, Chrome will stop trusting certificates that chain to CNNIC's roots. Mozilla's cutoff, quoted below, is instead based on the certificate's issue date.
Back on March 20, Google discovered unauthorized digital certificates for several of its domains. They had been issued by MCS Holdings, an Egypt-based company operating an intermediate CA that chained to a CNNIC root.
In a statement, Google said:
While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings' test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.
Mozilla followed Google's lead with its own statement:
After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015.
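Mozilla's remedy is a date-scoped distrust rather than a wholesale removal of the root: a chain ending in a CNNIC root stays valid if its certificates were issued before 1 April 2015 and is rejected otherwise. The following is an added example, not code from the article, from Mozilla or from Google, that models that policy over a certificate chain represented as plain records instead of parsed X.509. The root names, sample chains and dates are constructed for illustration, and applying the cutoff to every certificate below the root, rather than only to the leaf, is an assumption about how the quoted policy is read.

```python
"""Date-scoped root distrust, modelled on the policy in Mozilla's statement.

Added example; not part of the article or of any browser's code. Certificates
are plain records (assumption: real code would parse X.509 DER/PEM).
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Cutoff taken from Mozilla's statement: certificates chaining to a CNNIC root
# with notBefore on or after 1 April 2015 are no longer trusted.
CNNIC_CUTOFF = datetime(2015, 4, 1, tzinfo=timezone.utc)

# Subject names of the affected roots. Assumption: illustrative names, not the
# exact distinguished names of the real CNNIC roots.
DISTRUSTED_ROOTS = {"CNNIC ROOT"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def validate_chain(chain, trusted_roots, now):
    """Return (ok, reason) for a chain ordered leaf first, root last."""
    if not chain:
        return False, "empty chain"
    # Every certificate must have been issued by the next one in the chain.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject!r} was not issued by {parent.subject!r}"
    root = chain[-1]
    if root.subject != root.issuer or root.subject not in trusted_roots:
        return False, "chain does not end in a trusted self-signed root"
    # Ordinary validity-period check for every certificate.
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject!r} is outside its validity period"
    # Date-scoped distrust. Assumption: the cutoff is applied to every
    # certificate below the root (intermediates and leaf), not only the leaf.
    if root.subject in DISTRUSTED_ROOTS:
        for cert in chain[:-1]:
            if cert.not_before >= CNNIC_CUTOFF:
                return False, (f"{cert.subject!r} was issued under a CNNIC root on "
                               f"{cert.not_before.date()}, on or after the cutoff")
    return True, "ok"


def _dt(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data: two roots, one CNNIC intermediate, three leaves.
ROOT_CNNIC = Cert("CNNIC ROOT", "CNNIC ROOT", _dt(2007, 1, 1), _dt(2027, 1, 1))
ROOT_OTHER = Cert("Example Root CA", "Example Root CA", _dt(2006, 1, 1), _dt(2030, 1, 1))
TRUSTED_ROOTS = {ROOT_CNNIC.subject, ROOT_OTHER.subject}
CNNIC_INTERMEDIATE = Cert("CNNIC SSL", "CNNIC ROOT", _dt(2010, 1, 1), _dt(2020, 1, 1))

OLD_CNNIC_CHAIN = [Cert("bank.example", "CNNIC SSL", _dt(2014, 6, 1), _dt(2016, 6, 1)),
                   CNNIC_INTERMEDIATE, ROOT_CNNIC]
NEW_CNNIC_CHAIN = [Cert("shop.example", "CNNIC SSL", _dt(2015, 4, 2), _dt(2016, 4, 2)),
                   CNNIC_INTERMEDIATE, ROOT_CNNIC]
OTHER_ROOT_CHAIN = [Cert("news.example", "Example Root CA", _dt(2015, 4, 5), _dt(2016, 4, 5)),
                    ROOT_OTHER]
NOW = _dt(2015, 4, 10)


def evaluate_samples():
    """Run the policy over the constructed chains; returns name -> accepted."""
    samples = {"old_cnnic": OLD_CNNIC_CHAIN, "new_cnnic": NEW_CNNIC_CHAIN,
               "other_root": OTHER_ROOT_CHAIN}
    return {name: validate_chain(chain, TRUSTED_ROOTS, NOW)[0]
            for name, chain in samples.items()}


if __name__ == "__main__":
    for name, chain in (("old_cnnic", OLD_CNNIC_CHAIN), ("new_cnnic", NEW_CNNIC_CHAIN),
                        ("other_root", OTHER_ROOT_CHAIN)):
        print(name, validate_chain(chain, TRUSTED_ROOTS, NOW))
```

The leaf issued on 2 April 2015 is the only one rejected: the bank certificate from 2014 keeps working, and certificates under an unaffected root are untouched regardless of date, which is exactly why a site that renews through CNNIC after the cutoff breaks in Firefox while its older neighbours do not.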
In response, CNNIC called the decisions "unacceptable and unintelligible" and assured its customers that their rights and interests would be protected and unaffected.
Stay tuned for the latest technology and security news from fossBytes!