SoylentNews is people

posted by on Wednesday April 08 2015, @04:22AM
from the about-as-far-as-I-can-throw-you dept.

El Reg has published a story which discusses the steps Google and Mozilla are taking in response to the apparent misuse of a China Internet Network Information Center (CNNIC) intermediate Certificate Authority (CA) administered by MCS Holdings, who claim it was all just a big mistake.

Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC).

This should not be a surprise since:

This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, password-stealing Gmail.com or Google.com websites.

As a result:

[A]ll Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted.

Mozilla said it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates. Any certificates issued before April 1 that are not included on this whitelist will also be subject to potential "further action."

Microsoft has also revoked the suspect CNNIC intermediate CA:

Microsoft is updating the Certificate Trust list (CTL) to remove the trust of the subordinate CA certificate. The trusted root Certificate Authority, the China Internet Network Information Center (CNNIC), has also revoked the certificate of the subordinate CA.
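The Mozilla rule quoted above has two parts: any CNNIC-based certificate issued on or after April 1, 2015 is untrusted outright, and anything issued earlier must appear on the whitelist CNNIC is asked to supply. The following is an added illustration of that logic, not code from Mozilla or from the article; it uses a constructed, simplified certificate model rather than a real X.509 parser, and the CNNIC root subject name and all sample certificates are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Constructed, simplified certificate model (not a real X.509 parser).
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    der: bytes  # constructed stand-in for the certificate's DER encoding

DISTRUST_FROM = date(2015, 4, 1)  # cutoff date given in the story
# Root subject name is an assumption for this example.
CNNIC_ROOTS = {"CN=CNNIC ROOT"}

def fingerprint(cert):
    """SHA-256 of the DER bytes, the usual key for a certificate whitelist."""
    return hashlib.sha256(cert.der).hexdigest()

def chain_is_linked(chain):
    """Each certificate (leaf first) must be issued by the next one up."""
    return all(c.issuer == nxt.subject for c, nxt in zip(chain, chain[1:]))

def evaluate_chain(chain, whitelist):
    """Return (trusted, reason). Under a CNNIC root, every certificate below
    the root is 'CNNIC-based': issued on/after the cutoff -> untrusted;
    issued before the cutoff -> must appear on the whitelist."""
    if not chain or not chain_is_linked(chain):
        return False, "chain is empty or not properly linked"
    if chain[-1].subject not in CNNIC_ROOTS:
        return True, "not under a CNNIC root; this policy does not apply"
    for cert in chain[:-1]:
        if cert.not_before >= DISTRUST_FROM:
            return False, f"{cert.subject} issued {cert.not_before}, on/after {DISTRUST_FROM}"
        if fingerprint(cert) not in whitelist:
            return False, f"{cert.subject} predates cutoff but is not on the CNNIC whitelist"
    return True, "all CNNIC-based certificates predate the cutoff and are whitelisted"

# Constructed sample data (names, dates and DER bytes are made up).
ROOT = Cert("CN=CNNIC ROOT", "CN=CNNIC ROOT", date(2007, 1, 1), b"root-der")
OLD_ICA = Cert("CN=Example Intermediate CA", "CN=CNNIC ROOT", date(2014, 6, 1), b"ica-der")
OLD_LEAF = Cert("CN=www.example.com", "CN=Example Intermediate CA", date(2015, 3, 1), b"old-leaf-der")
NEW_LEAF = Cert("CN=www.example.com", "CN=Example Intermediate CA", date(2015, 4, 2), b"new-leaf-der")
WHITELIST = {fingerprint(OLD_ICA), fingerprint(OLD_LEAF)}

if __name__ == "__main__":
    for chain in ([OLD_LEAF, OLD_ICA, ROOT], [NEW_LEAF, OLD_ICA, ROOT]):
        print(evaluate_chain(chain, WHITELIST))
```

Note that the intermediate is checked too: a pre-cutoff leaf under an intermediate that is missing from the whitelist is still rejected.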

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday April 08 2015, @07:25PM (#167954)

    Because on Windows Chrome uses Microsoft's certificate infrastructure (that's why I use Firefox :) ).

    And the way Microsoft's cert stuff works is even if a CA's cert is not in any cert store, if it's signed by a good enough existing cert in the cert store, it will be added to the cert store.

    So you could have a pretty empty cert store but the CA certs get magically added, and to blacklist CA certs, you'd have to add all the CA certs you want to blacklist to the untrusted store. But the big problem is the certs might not be around for you to add, till the day they decide to pwn you.

    If CNNIC somehow has another (or gets a new) CA cert that's signed by Microsoft or whoever else that's trusted, that CA cert will automagically be trusted.

    Whereas with Firefox - all the root CA certs that the browser will trust have to already be in the repo. Yes there's some chaining etc, but it's still a better situation.

    It's not a great situation of course, given none of the browsers have a feature like "Certificate Patrol" - where they warn you if a cert has been changed. Certificate Patrol unfortunately is not able to remember more than one cert for a site - so you can get lots of warnings if a site is load balanced across servers with different certs.
