Google and Mozilla to revoke certificates issued by a Chinese certificate authority as "untrusted"



Google Chrome and Mozilla's Firefox will temporarily revoke certificates issued by the Chinese certification authority (CA) "CNNIC", treating them as untrusted.

Google Online Security Blog: Maintaining digital certificate security
http://googleonlinesecurity.blogspot.jp/2015/03/maintaining-digital-certificate-security.html


Distrusting New CNNIC Certificates | Mozilla Security Blog
https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/

Google Chrome will banish Chinese certificate authority for breach of trust [Updated] | Ars Technica
http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust/

"HTTPS", used by sites whose addresses begin with "https", makes HTTP communication safe by encrypting it with SSL. To communicate securely using SSL, the web browser receives a certificate from the web server, checks which CA certified the site, and then checks whether that CA's certificate is included in its list of root certificates. Only then can it decide whether the site is trusted or not.

Companies that provide major browsers, such as Google and Mozilla, have lost trust in certificates from CNNIC because MCS, an intermediate CA of CNNIC, had been issuing illegal digital certificates. CNNIC was a CA trusted by major browsers such as Microsoft's Internet Explorer, Google Chrome and Firefox, and had issued many certificates. Because MCS, which was certified by CNNIC, issued an illegal certificate, a site using this illegitimate certificate would be displayed as a "trusted site" in the major browsers, and there was a possibility that it could be abused by malicious hackers or others. In response to this situation, Google immediately called attention to the problem, and Microsoft and Mozilla have also revoked the fraudulent certificates issued by MCS.


In response to this situation, Google Chrome and Firefox decided to revoke all certificates issued by CNNIC as unreliable. However, if CNNIC certificates were revoked immediately, banks and e-commerce sites would become unreachable, and many people would suffer enormous damage. So that administrators of websites holding CNNIC-issued certificates are not harmed, Google and Mozilla are providing a grace period in which they can obtain new certificates from certification authorities other than CNNIC, and have made clear that certificates already issued by CNNIC will not be revoked for a while. However, the length of that period remains unknown, and certificates newly issued by CNNIC and by CAs certified by CNNIC will be treated as untrusted.

According to the investigation conducted by Mozilla, CNNIC's process for issuing a certificate to an intermediate CA was too sloppy, its PKI practices were not documented, and its method of storing secret keys was careless. Mozilla criticized CNNIC, saying "It was terrible." In Mozilla's Firefox 37, all certificates issued by MCS have been revoked.

In addition, although Google has responded comparatively mildly, saying that "CNNIC is welcome to reapply once appropriate technical measures and management practices have been implemented," CNNIC has criticized Google's response.

in Software, Posted by logu_ii