http://www.cnbeta.com/articles/379765.htm
Mozilla发现用于中间人攻击的证书

2015-03-24 12:01:05 7267 次阅读 3 次推荐 稿源：Mozilla安全博客 0 条评论

感谢阿天的投递
根据最新 Mozilla安全博客的博文，CNNIC被发现颁发了用于中间人攻击的证书。该证书被用于部署到网络防火墙中，用于劫持所有处于该防火墙后的HTTPS网络通信，而绕过浏览器警告。
该证书来自CNNIC与某个公司的一个合同，该合同规定该公司仅用CNNIC提供的 Sub CA 证书签发属于自己公司名下的网站。但被Google发现该证书被用于部署到防火墙中，用于劫持该网络中的所有HTTPS通信。
Chrome及Firefox默认会校验Mozilla 及Google 旗下所有的网站的证书，因此被Google发现并报告了该问题。
Firefox从 37开始 将引入 OneCRL机制，将建立证书黑名单，拦截被滥用及不安全的证书。
目前 Mozilla正在商讨对CNNIC根证书的处理。
来源：https://blog.mozilla.org/securit ... ediate-certificate/

Issue
China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program.

另外听说ios系统没法删除官方自带的根证书？


发了应对方法的厦大微博被删号嘿嘿……

[ 本帖最后由 jjx01 于 2015-3-25 17:47 编辑 ]

CNNIC进入root后就删了。。

是不是国家干的？

3月26日就贴了cnnic的问题，结果在另一贴里火了……
删除cnnic的工具：https://github.com/chengr28/RevokeChinaCerts
右边点download zip

posted by wap, platform: Firefox

引用:

原帖由 @fatehe  于 2015-3-26 08:01 发表
是不是国家干的？

相同内容的报道被全网封杀了，你说是不是呢？