The last time this happened, Mozilla issued a statement that they would no longer allow CAs to issue CA=TRUE intermediate certificates for this kind of purpose, that any CAs doing so should immediately revoke them and come forward immediately, and that any CA not doing so within a given grace period (IIRC a few months) would be removed when discovered. That grace period has long since passed. So why is the intermediate certificate being removed but not the top-level CA that knowingly issued it?

Google Revoking Trust In CNNIC Issued Certificates

Google's Chrome and Mozilla's Firefox browsers will stop trusting all new digital certificates issued by the China Internet Network Information Center following a major trust breach last week that led to the issuance of unauthorized credentials for Gmail and several other Google domains.

The unauthorized certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operated under the authority of CNNIC. MCS used the certificates in a man-in-the-middle proxy, a device that intercepts secure connections by masquerading as the intended destination. Such devices are sometimes used by companies to monitor employees' encrypted traffic for legal or human resources reasons. It's one of the first times a certificate authority has faced such a banishment since the downfall of Netherlands-based DigiNotar in 2011. Other CAs, including US-based Trustwave, have also done what CNNIC did without getting the boot. While worldwide Chrome is the No. 2 most used browser, it had a commanding, 52-percent share in China last year, compared to 23 percent for IE.

The move was announced on Wednesday evening in an update to last week's blog post disclosing the misissued certificates. The update left open the possibility that CNNIC may be reinstated at an undetermined future date if the group gives a detailed accounting of all currently valid certificates. The update read:

As this post was being prepared, it wasn't clear if Mozilla or Microsoft planned to update Firefox and Internet explorer to also stop trusting CNNIC. Firefox 37, released this week, stopped trusting all certificates issued by MCS Holdings, and Microsoft has announced similar plans for Windows. Revoking trust in the root CNNIC certificate would be a much more disruptive course of action, since many more website certificates would be affected.

Google officials announced the severe decision on Wednesday, saying that it was made after an investigation by the company and CNNIC. The decision comes a couple of weeks after Google officials discovered that a certificate issued by CNNIC to MCS Holdings, an intermediate CA, was being used in a man-in-the-middle proxy to intercept traffic to some Google domains. Google and other browser vendors had removed trust from their browsers for the misused certificate, but Google has now taken the further step of dropping CNNIC from the Chrome trust store altogether.

Although security researchers had discovered flaws in certificateauthorities prior to 2011, the first serious compromise occurred in 2011when a Comodo reseller wasbreached and used to issue unauthorized,publicly-trusted certificates for high profile domains such as google.com, mozilla.org,and skype.com. Although Comodo themselves were not breached,at the time Comodo trusted their resellers to perform domain controlvalidation, meaning a compromised reseller could cause the issuance ofpublicly-trusted certificates for arbitrary domains.

Not long after the Comodo reseller compromise, a much more seriouscompromise occurred that remains the most serious certificate authorityincident to date, and which resulted in the most severe sanctionspossible. DigiNotar,a Dutch certificate authority, was totallycompromised. Over 500 unauthorized certificates were detected and arogue wildcard certificate for google.com used for mass interception ofInternet traffic in Iran. Since DigiNotar was so thoroughly compromised,the full extent of the breach was never known.

In 2012, Trustwave disclosed that they had willfully issued anintermediate CA certificate to a company for the express purpose ofsigning unauthorized, publicly-trusted certificates to intercept andinspect encrypted traffic.

Although the certificates issued by this intermediate CA were clearlynot authorized by domain owners, there was some concern that thispractice was neither clearly prohibited nor uncommon, and that it wouldbe unfair to punish the first CA to admit to it. After apublic discussion,Mozilla opted for an amnesty policy instead of sanctioning Trustwave.Certificate authoritieswere explicitly informed that this practice was forbidden and given twomonths to comply or face sanctions.

In 2013, Google learned that TURKTRUST had "mistakenly" issuedtwo intermediate CA certificates to subscribers instead of regularcertificates, and that one of them had been used to sign a roguecertificate for google.com. TURKTRUST provided a plausibleexplanation for their mistake and there was no indication that theyhad been compromised. Google decided to revoke TURKTRUST's ability to issue extended validation certificates, and Mozilla temporarily suspended the inclusion of a new TURKTRUST root certificate. No further action was taken,making this a fairly mild sanction.

In 2013, ANSSI, a French certificate authority, was caught doing whatwas expressly prohibited after the Trustwave revelation: they issuedan intermediate CA that was used to intercept and inspect encryptedtraffic. Google and Mozilla responded by "name constraining" ANSSI sothat it could only issue certificates for domain names ending in .fror one of the other top-level domains used by French territories.Although this sanction fell short of a full death penalty, itkilled off ANSSI for most of the world.

In 2015, Google learned that CNNIC, like ANSSI and Trustwave,had issued an intermediate certificate authority that was used tointercept encrypted traffic. CNNIC did this in violation of their ownCertificate Practice Statement, which said that they would not issueintermediate certificate authorities to external organizations. Inresponse, both Googleand Mozillarevoked trust in new CNNIC certificates.

Since existing certificates remained trusted, this was a less severesanction than DigiNotar faced. To implement this sanction, Chromeand Firefox embedded a whitelist containing the hash of every existingCNNIC certificate. Since there were only a couple thousandCNNIC certificates, this was practical.

In 2015, Google discovered that Symantec had issued over 100publicly-trusted "test" certificates for 76 different domains,including google.com, without the authorization of domain owners.In response, Google announced that all Symantec certificates issued on orafter June 1, 2016 would have to be logged to Certificate Transparencylogs. Chrome 53, released this week, enforces thisrequirement and rejects any unlogged Symantec certificate with an issuance (a.k.a. notBefore) date on or afterJune 1, 2016.

Death penalty, like DigiNotar: Although WoSign has not been compromisedlike DigiNotar was, they have displayed a shocking amount of sloppinessfor an organization entrusted to sign certificates for any domain on the Internet,which arguably warrants distrust. However, there are over 100,000 unexpiredWoSign certificates in existence.Distrusting WoSign would cause any site using one of these certificates to break,which risks desensitizing people to security warnings. Does the security benefitfrom distrusting WoSign outweigh this risk?

Suspension, like CNNIC: Could new WoSign certificates be distrusted, but existing certificatesgrandfathered? Unfortunately, since there are over 100,000 unexpired WoSign certificates,it would be impractical to include a whitelist in browsers as was done with CNNIC.And since WoSign has been caught backdating certificates, it would be imprudentto rely on the notBefore date to decide if an existing certificate should be grandfathered.

Require Certificate Transparency, like Symantec:WoSign has already promised to log allcertificates issued after July 5, 2016 to Certificate Transparency logs and has asked browsers to blockcertificates issued after this date that are not logged. But how can a browser really knowif a certificate was issued after July 5, 2016 or not? WoSign can't be trusted to set thenotBefore date faithfully, and there are too many existing certificates to embed a whitelistin the browser.

There are a more than 600 CAs according to the SSL Observatory, a public project that accounts for certificates visible online. Any CA can issue a certificate for any domain, website, or email address. Once a credential is issued, almost all computers will trust it, regardless of whether the credential is genuine or erroneous. The security of online communications relies on every one of these CAs being trustworthy and competent. Even one rogue CA can issue false credentials to devastating effect.

Microsoft is aware of digital certificates that were improperly issued from the subordinate CA, MCS Holdings, which could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The improperly issued certificates cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows.

To help protect customers from the potentially fraudulent use of these improperly issued certificates, Microsoft is updating the Certificate Trust list (CTL) to remove the trust of the subordinate CA certificate. The trusted root Certificate Authority, the China Internet Network Information Center (CNNIC), has also revoked the certificate of the subordinate CA. For more information about these certificates, see the Frequently Asked Questions section of this advisory.

What is the scope of the advisory? The purpose of this advisory is to notify customers that MCS Holdings improperly issued SSL certificates for multiple sites including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties. The subordinate CA may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks. 2ff7e9595c