Counterfeit HTTPS Certificates and Browser Updates

In Maintaining Digital Certificate Security, Google describes a March 20 case where a CNNIC, a Chinese Certificate Authority that was listed in the root certificate lists for all of the major browsers gave its private keys to an Egyptian company that then placed the keys in a man-in-the-middle proxy that can intercept secure communications. MCS then issue counterfeit certificates for Google.

Google Chrome and Firefox have both issued updates to revoke the root authority of CNNIC. If you have one of those browsers, you have probably seen messages to update to a newer release containing the updated root certificate store. At this writing, Microsoft blocked the MCS issued certificates, but has not updated Internet Explorer to revoke CNNIC's root CA. Apple has also revoked the MCS issued blocked the MCS issued certificates. For statements from browser vendors, see

Manually Revoking a Root Certificate in Safari

To manually revoke the CNNIC certificate in Safari, Revoking Chinese CNNIC Root Certificate in Mac OS X provides instructions for OS X.