The story is perfectly believable: MCS wanted to become a CA, the easiest CA that would chain them an intermediate was CNNIC, they generated the cert from a Palo Alto Networks device because it was the only convenient hardware/FIPS-compliant device they had lying around, and a technician accidentally plugged their laptop on the "MITM me plz" port of the Palo Alto box and fired up Chrome, which automatically sent some alarm bells.
Honestly that makes me more worried for the state of internet security than active malice. If any individual, organization, government, etc. were intending to MITM someone, we could (in theory) track them down and fire them, blacklist their root, or otherwise expel them from the internet community. But nobody had such an intention here. It's terrifying that a series of honest mistakes (extremely grievous mistakes, but honest ones nonetheless) could lead to a valid cert for Google and Twitter in the hands of someone who didn't even want them.
I think a very tiny bit of blame should impute to Palo Alto Networks here. How have they built a device where it's easy to start MITMing certificates by accident? I'm all for usable crypto UI, but this seems excessive. (And should it be built with safeguards that warn you loudly when the MITM intermediate chains to a publicly-valid CA, instead of an in-house one?)
Regarding why I think it's perfectly believable that CNNIC was the easiest CA that would chain them an intermediate: everyone that runs an actual intermediate program sells (as required by the Baseline Requirements) a hardware security module, or better yet, a web interface to a cert that remains in the physical possession of the parent CA. There's an arduous audit process and key ceremony required for the intermediate CA, almost as arduous as required of the root CA. CNNIC, meanwhile, had no intermediate program, and wrote in their Certification Practices Statement that they don't intend to issue such things. So MCS was able to talk them into doing something irresponsible and handing them a CSR and no further details.
No, I find that pretty damn hard to believe. Especially considering where it's coming from.
You don't accidentally do anything with an unconstrained CA key chained from the public root: that is a serious piece of data that can MITM anyone worldwide so at the very least should be under lock and key at all times! [It definitely shouldn't be plugged into any network: it should be locked in a Faraday-caged safe, on a dedicated hardware device, ideally under armed guard. You sign your operational CAs with that.]
CNNIC fundamentally broke their CPS: it has no intermediate programme, yet it intentionally misissued (at least!) one CA anyway. That is easily enough to get them pulled from everywhere, in line with current practice.
It's a pretty good demonstration of why we need something like CT, and (IMO) a public list of all intermediaries ever issued from any active CA.
Yeah, to be clear, I think this was inexcusable, even if it wasn't outright malice, and that expulsion is the obvious right answer.
But what's the alternative story? Someone knew what they were doing, wanted to MITM some users, and got a ... three-week-long intermediate certificate? (Which is far shorter than any online intermediate CA has, and those are plugged into networks, although probably also under armed guard.) And tipped their hand to Google barely a week in? Knowing that there was a serious risk to CNNIC being killed off from the roots if anyone at all noticed?
If CT has the benefit of informing bad actors that they'll be found out, then it's certainly a major one, but I find it hard to believe that anyone trying to MITM actual users wouldn't already be aware that Google is already doing this, and Chrome snitches on certs that verify but don't match hard-coded pins (e.g., for Google's own websites). This is exactly how the last MITM or two got caught.
I think the concern here is not that MCS made a mistake, but rather, CNNIC said they wouldn't do something and then knowingly did so. Whether they had good intentions or not is irrelevant. They made a public promise they wouldn't issue intermediate CAs, did so for money and the result of that must be at least temporary revocation. Otherwise the whole notion of trust collapses.
The poor English doesn't inspire a lot of confidence in the company. I realize the company is from an area of the world that is not generally English-speaking, but geez, to respond to something as serious as this surely you can run your blog response by at least one native speaker to sanity check it before posting it.
But worse than that is the story they are seemingly trying to sell is that this is one random dude's fuckup -- which may very well be true, but that this could happen as the result of one random dude's fuckup speaks volumes about lack of much-needed process to deal with this sort of certificate responsibility.
I think the main problem with giving it to someone else to sanity check is that if your own English isn't good, you'll have a hard time gauging someone else's English speaking skills.
I wouldn't be surprised if they did give it to someone who they thought spoke English well.
This is an Egyptian company. I had many expat friends when I lived there I will tell you beyond the most elite multinational corps no one sees the point.
You should see sandwich menus. I was saying, English correction per word, if people saw the value, would make me a successful small business owner in about 3 years. Haha.
