
Did Apple remove the CNNIC root from iOS? The OSX certificate trust list

April 16, 2015 | Study notes

When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple, however, has kept the root certificates in its trusted store for both iOS and OSX.

Apple on Wednesday released major security updates for both of its operating systems, and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OSX. The company has not made any public statement on the incident or on the continued inclusion of CNNIC's certificates in the trusted stores.

The incident that caused Google and Mozilla to remove CNNIC from their browsers' respective trust stores occurred in March and involved an intermediate CA called MCS Holdings. That company installed the private key of its unconstrained intermediate certificate in a device that performs SSL interception, and the device issued certificates for several Google domains. Google engineers discovered what had happened and reacted quickly, blocking the bad certificates in Chrome and getting in touch with CNNIC officials.

“CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons,” Google’s Adam Langley said in a blog post at the time of the incident.

Then last week Google announced that it was taking the unusual step of removing trust for CNNIC’s root certificates from the Chrome trust store altogether. This move has the effect of causing Chrome to throw warnings whenever it encounters a site that’s protected by a certificate derived from CNNIC’s root. Mozilla quickly followed suit and removed the CNNIC certificate from Firefox’s trusted store, as well.

“After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy,” Kathleen Wilson of Mozilla said in a blog post. 

“Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015.”
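The two controls in play here are worth seeing side by side: the name constraints that CNNIC did not put on the MCS Holdings intermediate, and the notBefore-date gate that Mozilla used to distrust new CNNIC-issued certificates without breaking existing ones. The following is an added example written for this page, not code from Mozilla, Google, Apple or Threatpost. It models certificates as a small dataclass instead of parsing DER so it runs offline; every certificate, fingerprint, date and hostname in it is constructed for illustration, and the chain is shaped like the MCS incident rather than copied from it.

```python
# Added example (not code from Threatpost, Mozilla, Google or Apple): a toy
# chain evaluator showing name constraints and a date-gated root distrust.
# Certificates are a small dataclass rather than parsed DER so the script runs
# offline; every certificate, fingerprint and hostname below is constructed.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Mozilla's cutoff: leaf certificates under the distrusted roots with a
# notBefore on or after this date are rejected.
CUTOFF = datetime(2015, 4, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: str            # ASN.1 UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ"
    der: bytes                 # stand-in for the DER encoding (constructed bytes)
    is_ca: bool = False
    permitted_dns: tuple = ()  # NameConstraints permittedSubtrees; () means unconstrained

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def parse_asn1_time(s: str) -> datetime:
    """Decode the two time encodings X.509 uses for notBefore/notAfter."""
    if not s.endswith("Z"):
        raise ValueError("certificate times must be in Zulu form")
    if len(s) == 13:                      # UTCTime: two-digit year (RFC 5280 4.1.2.5.1)
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        body = f"{year}{s[2:]}"
    elif len(s) == 15:                    # GeneralizedTime: four-digit year
        body = s
    else:
        raise ValueError(f"malformed time {s!r}")
    return datetime.strptime(body, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def dns_permitted(host: str, permitted: tuple) -> bool:
    """RFC 5280 dNSName constraint: host must equal, or be a subdomain of, a permitted name."""
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in (x.lower() for x in permitted))


def evaluate_chain(chain, hostname, distrusted_roots, cutoff=CUTOFF):
    """chain is [leaf, intermediate..., root]. Returns (accepted, reason)."""
    leaf, root = chain[0], chain[-1]
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"issuer mismatch: {child.subject} not issued by {parent.subject}"
        if not parent.is_ca:
            return False, f"{parent.subject} is not a CA certificate"
    # Name constraints on a CA apply to every certificate below it in the chain.
    for ca in chain[1:]:
        if ca.permitted_dns and not dns_permitted(hostname, ca.permitted_dns):
            return False, f"{hostname} is outside the name constraints of {ca.subject}"
    # Mozilla-style partial distrust keyed on the root fingerprint and the leaf notBefore.
    if root.fingerprint() in distrusted_roots and parse_asn1_time(leaf.not_before) >= cutoff:
        return False, f"{root.subject} is distrusted for certificates issued on or after {cutoff.date()}"
    return True, "chain accepted"


# Constructed chain shaped like the MCS Holdings incident (names and bytes invented).
ROOT = Cert("CNNIC ROOT (constructed)", "CNNIC ROOT (constructed)", "070416000000Z", b"root-der", is_ca=True)
UNCONSTRAINED = Cert("MCS Holdings (constructed)", ROOT.subject, "150323000000Z", b"mcs-der", is_ca=True)
CONSTRAINED = Cert("MCS Holdings (constructed)", ROOT.subject, "150323000000Z", b"mcs-nc-der",
                   is_ca=True, permitted_dns=("mcsholdings.example",))
LEAF_MARCH = Cert("www.google.com", UNCONSTRAINED.subject, "150320000000Z", b"leaf-march")
LEAF_APRIL = Cert("www.google.com", UNCONSTRAINED.subject, "150405000000Z", b"leaf-april")
DISTRUSTED = {ROOT.fingerprint()}


def demo():
    """Run the four cases a reviewer of this policy would want to see."""
    return {
        "before_cutoff": evaluate_chain([LEAF_MARCH, UNCONSTRAINED, ROOT], "www.google.com", DISTRUSTED),
        "after_cutoff": evaluate_chain([LEAF_APRIL, UNCONSTRAINED, ROOT], "www.google.com", DISTRUSTED),
        "name_constrained": evaluate_chain([LEAF_MARCH, CONSTRAINED, ROOT], "www.google.com", DISTRUSTED),
        "other_root": evaluate_chain([LEAF_APRIL, UNCONSTRAINED, ROOT], "www.google.com", set()),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The `name_constrained` case is the one that matters for the MCS story: had CNNIC issued the intermediate with a permittedSubtrees constraint covering only MCS's own domains, a certificate for www.google.com would have failed validation regardless of where the private key lived. The date gate is a weaker control, since notBefore is written by the issuer and a CA that is already misbehaving can backdate it; it is a way to cut off future issuance while keeping certificates that were already deployed working.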

This was an unusually severe punishment by both Google and Mozilla, and officials at CNNIC said the company did not understand the reasoning behind Google's decision.

“The decision that Google has made is unacceptable and unintelligible to CNNIC,” the company said in a statement.

Microsoft on March 24 blocked the bad MCS Holdings certificate in Internet Explorer, but the company did not remove CNNIC from its Certificate Trust List. Apple officials did not respond to questions for this story.

About Dennis Fisher

Dennis Fisher is a journalist with more than 13 years of experience covering information security.

Source: https://threatpost.com/apple-leaves-cnnic-root-in-ios-osx-certificate-trust-lists/112086


Copyright © 浩然东方. All rights reserved.
