Google 将在未来的 Chrome 更新中移除 CNNIC 和 EV CAs 的根证书。
在联合调查之后 Google宣布在产品中撤销CNNIC根及EV证书信任,直至CNNIC实施技术及流程改进杜绝此前发生的证书伪造为止。现有CNNIC证书客户将暂时以白名单形式继续支持一段时间作为过渡。
Google在4月1日更新了安全博客,宣布旗下产品删除CNNIC 根证书。Chrome将释出更新移除对CNNIC证书的信任。为了帮助受影响的客户,Google将使用白名单允许在短时间内继续信任CNNIC现有的证书,CNNIC在实现证书透明度和改进流程防止未来再次发生类似事故后可以提出撤销这一决定的申请。Mozilla早在5年前就争论过CNNIC根证书的安全性,而促使Google此次痛下杀手的原因是埃及MCS Holding公司使用CNNIC签发的中级证书为多个Google域名签发了假的证书。
@love_sci4ever:CNNIC滥发证书太可怕了。相当于国家机器造假。想想当年体操女运动员年龄造假事件,国际体联被批评后无奈的说:她们的护照都是国家发的,我们有什么权力去质疑呢?
@LvWind: CNNIC爆炸!但是也就业内懂的人才会高兴吧,普通人只会知道用Chrome打开好多网站会爆警告,这肯定是Chrome的错,而不会怪CNNIC。所以别自hi了。。
目前(1号之前签发的)CNNIC证书不会被吊销,暂时以白名单形式存在。
月光博客:
谷歌在其安全博客上发布声明,经过谷歌对CNNIC证书事件的调查,谷歌将会在旗下所有产品里删除对CNNIC证书的信任,如果用户需要,可以使用白名单方式继续使用CNNIC证书。
在Google宣布旗下产品删除CNNIC根证书之后,CNNIC发表英文声明回应。声明称,Google的决定是“不可接受的”和“无法理解的”,CNNIC呼吁Google充分的考虑用户的权利和利益。CNNIC称已发行的证书不受此次事件的影响。
—
Maintaining digital certificate security
Posted: Monday, March 23, 2015
Posted by Adam Langley, Security Engineer
On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.
CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.
We promptly alerted CNNIC and other major browsers about the incident, and we blocked the MCS Holdings certificate in Chrome with a CRLSet push. CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons. The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system. This situation is similar to a failure by ANSSI in 2013.
This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it.
Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate.
This event also highlights, again, that the Certificate Transparency effort is critical for protecting the security of certificates in the future.
(Details of the certificate chain for software vendors can be found here.)
Update – April 1: As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.
