Counterfeit HTTPS Certificates and Browser Updates
In Maintaining Digital Certificate Security, Google describes a March 20 case in which CNNIC, a Chinese Certificate Authority listed in the root certificate lists of all the major browsers, gave its private keys to an Egyptian company, MCS, which then placed the keys in a man-in-the-middle proxy that can intercept secure communications. MCS then issued counterfeit certificates for Google.
Google Chrome and Firefox have both issued updates to revoke the root authority of CNNIC. If you have one of those browsers, you have probably seen messages to update to a newer release containing the updated root certificate store. As of this writing, Microsoft has blocked the MCS-issued certificates but has not updated Internet Explorer to revoke CNNIC's root CA. Apple has also blocked the MCS-issued certificates. For statements from browser vendors, see:
- Google Chrome article: Maintaining Digital Certificate Security
- Firefox article: Revoking Trust in one CNNIC Intermediate Certificate
- Blog post regarding Apple: Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores
- Microsoft Internet Explorer article: Improperly Issued Digital Certificates Could Allow Spoofing
Manually Revoking a Root Certificate in Safari
To manually revoke the CNNIC certificate in Safari, see Revoking Chinese CNNIC Root Certificate in Mac OS X, which provides instructions for OS X.
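To see whether a CNNIC root, or a certificate chained to one, is still trusted before removing it by hand, the following added example (not from the original post or the linked articles) scans the CA store that Python's ssl module loads by default. The match strings and the sample entries are assumptions constructed for illustration, and the script does not inspect a browser's own certificate store.

```python
import ssl

# Assumption: CNNIC-operated CAs carry one of these strings in their names.
NEEDLES = ("cnnic", "china internet network information center")

def flatten(name):
    """Turn ssl's nested RDN tuples into a flat list of (attribute, value)."""
    return [pair for rdn in name for pair in rdn]

def find_matching_cas(ca_certs, needles=NEEDLES):
    """Filter get_ca_certs()-style dicts whose subject or issuer matches."""
    hits = []
    for cert in ca_certs:
        subject = flatten(cert.get("subject", ()))
        issuer = flatten(cert.get("issuer", ()))
        text = " ".join(value for _, value in subject + issuer).lower()
        if any(n in text for n in needles):
            hits.append({
                "subject": ", ".join(f"{k}={v}" for k, v in subject),
                "serial": cert.get("serialNumber"),
                "expires": cert.get("notAfter"),
                # Self-signed (subject == issuer) marks a root trust anchor.
                "is_root": cert.get("subject") == cert.get("issuer"),
            })
    return hits

def audit_default_store():
    """Scan the CA certificates Python's ssl module loads by default."""
    # Certificates in a hashed capath directory are loaded lazily by OpenSSL
    # and may not be listed; browsers with their own store need their own check.
    return find_matching_cas(ssl.create_default_context().get_ca_certs())

# Constructed sample entries (not real certificates) in get_ca_certs() layout.
ROOT = ((("countryName", "CN"),), (("organizationName", "CNNIC"),),
        (("commonName", "Example CNNIC Root"),))
SUB = ((("organizationName", "Example Proxy Co"),),
       (("commonName", "Example Intermediate CA"),))
OTHER = ((("organizationName", "Example Trust"),),)
SAMPLE = [
    {"subject": ROOT, "issuer": ROOT, "serialNumber": "01"},
    {"subject": SUB, "issuer": ROOT, "serialNumber": "02"},
    {"subject": OTHER, "issuer": OTHER, "serialNumber": "03"},
]

if __name__ == "__main__":
    for hit in find_matching_cas(SAMPLE) + audit_default_store():
        kind = "root" if hit["is_root"] else "non-root"
        print(f"{kind}: {hit['subject']} (serial {hit['serial']})")
```

Matching on the issuer as well as the subject also flags intermediates that chain to a matching root, even when the intermediate's own name gives no hint of it.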