Last month a Chinese certificate authority allowed an intermediate to issue unauthorized certificates for Google domains; both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether.
The fear was that Chinese hackers could use the certificates to stage man-in-the-middle attacks, so they moved jolly quickly to prevent it. Apple, however, has kept the root certificates in its trusted store for both iOS and OS X.
Apple released major security upgrades for both of its operating systems, and it was widely expected that Jobs’ Mob would block the certificate and everyone would be happy – well, other than the Chinese hackers of course.
However it didn’t.
The root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OS X. To be fair, Apple has not made any public statement on the incident or on the continued inclusion of CNNIC’s certificates in the trusted stores.
It probably just does not read the papers and thinks that the certificates are perfectly safe. But that can’t be right: everyone knows Apple is on the ball when it comes to security and no one has ever cracked it. Of course Apple would not sacrifice its security to appease the Chinese, would it?
How much of a threat was it to every Apple fanboy out there? Kathleen Wilson of Mozilla explained in a blog post:
“CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015.”
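As an added illustration (not code from the article, Mozilla or Google), here is how a date-based distrust rule like the one Wilson describes can be applied while evaluating a certificate chain. The root name, intermediate and leaf certificates are constructed placeholders, and applying the cutoff to every certificate below the root, not only the leaf, is an assumption about the rule's scope.

```python
from datetime import datetime, timezone
# Constructed example, not code from the article or from Mozilla/Google: a
# date-based distrust rule like the one the Mozilla post describes. Names
# below are placeholders, not the real CNNIC distinguished names.
DISTRUST_AFTER = {"CN=CNNIC ROOT (placeholder)": datetime(2015, 4, 1, tzinfo=timezone.utc)}

def _utc(dt):  # treat a naive notBefore as UTC so the comparison cannot raise
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def build_path(chain):
    """Order certificates leaf-first by following issuer links.
    chain[0] is the leaf; the rest may be in any order. Returns None if the
    path is broken, loops, or never reaches a self-signed root."""
    by_subject = {c["subject"]: c for c in chain}
    path, seen, cert = [], set(), chain[0]
    while cert is not None and cert["subject"] not in seen:
        path.append(cert)
        seen.add(cert["subject"])
        if cert["subject"] == cert["issuer"]:  # self-signed: reached the root
            return path
        cert = by_subject.get(cert["issuer"])
    return None

def evaluate_chain(chain, rules=DISTRUST_AFTER):
    """Return (trusted, reason). Below a root that has a cutoff, every
    certificate's notBefore must fall strictly before that cutoff."""
    path = build_path(chain)
    if path is None:
        return False, "chain is incomplete or loops"
    cutoff = rules.get(path[-1]["subject"])
    if cutoff is None:
        return True, "root has no distrust rule"
    for cert in path[:-1]:
        if _utc(cert["not_before"]) >= cutoff:
            return False, "%s has notBefore on/after %s" % (cert["subject"], cutoff.date())
    return True, "all certificates predate the %s cutoff" % cutoff.date()

# Constructed sample chain: one intermediate, one pre-cutoff and one post-cutoff leaf.
ROOT = {"subject": "CN=CNNIC ROOT (placeholder)", "issuer": "CN=CNNIC ROOT (placeholder)",
        "not_before": datetime(2010, 1, 1, tzinfo=timezone.utc)}
INTERMEDIATE = {"subject": "CN=Example Intermediate", "issuer": ROOT["subject"],
                "not_before": datetime(2014, 1, 1, tzinfo=timezone.utc)}
LEAF_OLD = {"subject": "CN=old.example", "issuer": INTERMEDIATE["subject"],
            "not_before": datetime(2015, 3, 15)}  # naive: treated as UTC
LEAF_NEW = {"subject": "CN=new.example", "issuer": INTERMEDIATE["subject"],
            "not_before": datetime(2015, 4, 1, tzinfo=timezone.utc)}  # exactly on the cutoff

if __name__ == "__main__":
    for leaf in (LEAF_OLD, LEAF_NEW):
        print(leaf["subject"], evaluate_chain([leaf, ROOT, INTERMEDIATE]))
```

Running the block shows the older leaf accepted and the one issued on the cutoff date rejected, with the offending certificate named in the reason.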
CNNIC said it did not understand the reasoning behind Google’s decision. “The decision that Google has made is unacceptable and unintelligible to CNNIC,” the company said in a statement.
Microsoft on March 24 blocked the bad MCS Holdings certificate in Internet Explorer, but the company did not remove CNNIC from its Certificate Trust List.