Making good on their threats to dump companies that violate stringent standards for the root of trust for web-based encrypted sessions, Google and the Mozilla Foundation have removed the ability of CNNIC, a firm controlled by the Chinese government, to issue digital certificates that the Chrome and Firefox browsers will accept as valid. There is no word yet from Apple or Microsoft about following suit with their browsers and operating systems.
The web’s root of trust relies on several hundred certificate authorities (CAs), which sign off on digital documents served out by websites to create ostensibly interception-proof encrypted connections. Each operating system maker and some browser developers choose which CAs to trust, and rely on a set of agreed-upon standards for security procedures and regular independent auditing. (See our Feb. 19th story, “The Huge Web Security Loophole That Most People Don’t Know About, And How It’s Being Fixed,” for a deeper dive into those details.)
But it’s been untested until now how the groups that choose CAs to trust would react to an intentional and fundamental breach, whether with an intent to violate security or, as seems in this case, due to incompetent decision-making. Given that only two of the four primary groups have revoked trust more than a week after the original breach was discovered, it’s a mixed outcome. In this case, it’s complicated by the involvement of the Chinese government, in whose good graces Apple and Microsoft need to remain for business purposes, and with which Google has had many tangles.
While organized as a nonprofit company operated by the Chinese Academy of Sciences, CNNIC “takes orders from the Ministry of Information Industry (MII) to conduct daily business,” according to information provided during its application in 2009 to be included in Mozilla’s root CA list. There was substantial controversy during that public comment period over CNNIC’s inclusion, including allegations that it had or might misuse certificates to intercept Internet traffic.
In this case, it doesn’t appear as if CNNIC was acting to help intercept its own citizens’ data nor those of other countries. Rather, the issue that provoked Google’s and Mozilla’s actions appears to stem from matters relating to both technical and practical judgment.
The reason for CNNIC’s exclusion arose from Google’s security team becoming “aware of unauthorized digital certificates for several Google domains.” Google uses domain pinning in Chrome to indicate which of the hundreds of CAs that may issue digital certificates are authorized to sign off on Google’s domains; this is true in recent versions of Firefox as well. When a certificate for, say, gmail.com shows up as signed by any other CA, Chrome or Firefox alerts the user, and that information is passed to Google, though the company hasn’t confirmed how it receives reports. Mozilla’s cryptographic engineering manager, Richard Barnes, says that Google notified Mozilla on March 20, one day after the certificate was issued. Newer versions of Chrome and Firefox also accept pinning instructions from any website configured to offer them, further restricting the unbounded scope of CAs.
Google discovered that a certificate reseller based in Egypt, MCS Holdings, was given access by CNNIC to encryption information that allowed MCS to create a wildcard certificate that could be used improperly to fool browsers into accepting security credentials from sites other than the correct ones. This certificate was installed into a proxy device used for corporate and government interception that can pass unnoticed.
When I spoke to him in February, Mozilla’s Barnes said that a few years ago, “We had some CAs issuing certificates that were used in man-in-the-middle devices.” This use of unconstrained certificates was then banned, while browser makers and independent groups have layered more observation, transparency, and limitations onto how certificates are issued and accepted.
On March 23, when Google posted its announcement, it revoked the MCS-issued certificate; Mozilla did the same. On April 1, Google announced that in the near term, CNNIC’s authority will be removed from all Google products, which would presumably include Chrome, Chrome OS, and Android. On April 2, Mozilla said its products would no longer accept any CNNIC-issued certificate created for use after April 1, reserving the right for future actions if CNNIC were, for instance, to attempt to issue new certificates that were backdated.
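The two browser-side responses described above (preloaded pins for Google’s domains, and Mozilla’s rule of rejecting CNNIC-chained certificates issued after April 1) can be modelled as chain-policy checks. The following is an added illustration, not code from Chrome, Firefox or the article: certificates are simplified records, and the pin hashes, CA names and chains are constructed sample values rather than real fingerprints.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str       # CN of the certificate
    issuer: str        # CN of the signing certificate
    spki_sha256: str   # hex digest of the SubjectPublicKeyInfo (constructed values below)
    not_before: date   # start of the validity period

# Constructed pin set: hypothetical SPKI hashes of the CAs allowed to sign Google hosts.
PRELOADED_PINS = {"google.com": {"a1" * 32, "b2" * 32}}

# Conditional distrust: chains ending at this root are rejected when the end-entity
# certificate was issued after the cutoff (the April 1, 2015 rule described above).
DISTRUSTED_AFTER = {"CNNIC ROOT": date(2015, 4, 1)}

def pins_for(hostname):
    """Return the pin set covering hostname, walking up through parent domains."""
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        pins = PRELOADED_PINS.get(".".join(labels[i:]))
        if pins:
            return pins
    return None

def check_pins(hostname, chain):
    """Pass if the host is unpinned or any certificate in the chain carries a pinned key."""
    pins = pins_for(hostname)
    if pins is None:
        return True, "no pins for host"
    if any(c.spki_sha256 in pins for c in chain):
        return True, "pin matched"
    return False, f"no pinned key in chain for {hostname}"

def check_conditional_distrust(chain):
    """Reject leaves issued after the cutoff date recorded for the chain's root."""
    root = chain[-1]
    cutoff = DISTRUSTED_AFTER.get(root.subject)
    if cutoff is not None and chain[0].not_before > cutoff:
        return False, f"{root.subject} certificates issued after {cutoff} are not trusted"
    return True, "root trusted"

def verify(hostname, chain):
    """Apply both checks to a chain ordered leaf first, root last."""
    for ok, reason in (check_pins(hostname, chain), check_conditional_distrust(chain)):
        if not ok:
            return False, reason
    return True, "accepted"

# Constructed chain in the shape of the MCS wildcard: Google host, chained to CNNIC.
MCS_CHAIN = [
    Cert("*.google.com", "MCS Holdings", "c3" * 32, date(2015, 3, 19)),
    Cert("MCS Holdings", "CNNIC ROOT", "d4" * 32, date(2015, 3, 18)),
    Cert("CNNIC ROOT", "CNNIC ROOT", "e5" * 32, date(2010, 1, 1)),
]
```

Because the pin check looks at every certificate in the chain, a chain from the expected CA passes even when the leaf key rotates; a correctly signed but unexpected wildcard fails before its validity dates are even considered.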
For users of Google’s operating systems and browsers, this means that in the near future, visiting some secure websites will produce a strongly worded certificate failure message. For Mozilla products, this error will occur only if CNNIC attempts to issue newer certificates.
According to NetMarketShare, Chrome and Firefox make up 36% of desktop browser usage. Google’s Android browser and Chrome account for 43% of mobile and tablet usage. Even if Microsoft and Apple fail to remove CNNIC in a timely manner or block future certificates, over a third of all browser users are covered by the removal.
Both Mozilla and Google have invited CNNIC to reapply for its root role, which can be complicated and time-consuming, as the organization now needs to show not just that it’s compliant but that it won’t make any more sloppy moves like the one that led to this kerfuffle. Mozilla says it may impose additional criteria, which it will discuss with its community, before it’s allowed back into the root club.
[Updated on April 3, 2015 at 1:00 p.m. ET with additional information from Mozilla.]