taoww
Views: 3478, Replies: 13

CNNIC got caught this time

Original poster, posted on 2015-03-24 19:58
Evidence:
https://drive.google.com/file/d/0B_OzbbAp1CG5NXVrYmFPbFhUV2s/view?usp=sharing
Google's original announcement
http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
Mozilla's commentary
https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/

On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.
CNNIC issued an unconstrained certificate to an intermediate CA in Egypt, and that intermediate CA then issued forged certificates. Google and Mozilla have now revoked that CA's certificate.
When you have time, check the trust settings of the two root certificates in your certificate list, CNNIC and China Internet Network Information Center; Hongkong Post is also worth a look.

If you care a great deal about security and don't mind the hassle, consider installing this extension, which notifies you when a site's certificate changes:
https://addons.mozilla.org/firefox/addon/certificate-patrol/

While you're at it, you can look back at the bug reported 5 years ago:
https://bugzilla.mozilla.org/show_bug.cgi?id=542689
taoww
Reply #1, posted on 2015-03-24 20:21
Reading Mozilla's announcement, there is one detail:
CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM
That gave them at least two weeks of unconstrained authority.
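To make concrete what the first post means by an unconstrained intermediate, and what reply #1 means by a two-week window, here is an added example written for this page; it is not code from the thread, from Google or from Mozilla. Using only Go's standard library, it builds a constructed test hierarchy with hypothetical names (Constructed Test Root CA, Constructed Test Intermediate CA, customer.test, www.example.test), audits the intermediate for the properties the thread calls out (no name constraints, no path-length limit, length of the validity window), and runs a browser-style chain verification to show that a name-constrained intermediate cannot vouch for a host outside its permitted domain, while an unconstrained one can vouch for any host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyPair pairs a parsed certificate with the private key it was issued for.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs template with parent's key (self-signed when parent is nil) and returns it parsed.
func issue(template *x509.Certificate, parent *keyPair) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := template, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &keyPair{cert: cert, key: key}, err
}

// BuildChain constructs a hypothetical test hierarchy: root -> intermediate (valid for the given
// duration) -> leaf for leafName. A non-empty permitted list adds a DNS name constraint and
// pathLenConstraint 0 to the intermediate; nil reproduces the unconstrained case from the thread.
func BuildChain(permitted []string, validity time.Duration, leafName string) (root, inter, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootKP, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	interKP, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Test Intermediate CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(validity),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: len(permitted) > 0,
		MaxPathLenZero: len(permitted) > 0, // pathLenConstraint=0: cannot mint further sub-CAs
	}, rootKP)
	if err != nil {
		return nil, nil, nil, err
	}
	leafKP, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafName}, DNSNames: []string{leafName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, interKP)
	if err != nil {
		return nil, nil, nil, err
	}
	return rootKP.cert, interKP.cert, leafKP.cert, nil
}

// AuditIntermediate lists what the thread calls out about the MCS Holdings certificate:
// missing name constraints, missing path-length limit, and the validity window in days.
func AuditIntermediate(c *x509.Certificate) []string {
	var findings []string
	if len(c.PermittedDNSDomains) == 0 && len(c.ExcludedDNSDomains) == 0 {
		findings = append(findings, "no name constraints: may issue for any DNS name")
	}
	if c.MaxPathLen < 0 || (c.MaxPathLen == 0 && !c.MaxPathLenZero) { // Go's encoding of an absent pathLenConstraint
		findings = append(findings, "no pathLenConstraint: may create further sub-CAs")
	}
	return append(findings, fmt.Sprintf("valid for %d days", int(c.NotAfter.Sub(c.NotBefore).Hours()/24)))
}

// VerifyChain does a browser-style check: trusting only root, is leaf acceptable for hostname via inter?
func VerifyChain(root, inter, leaf *x509.Certificate, hostname string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	return err
}

func main() {
	for _, permitted := range [][]string{nil, {"customer.test"}} {
		root, inter, leaf, err := BuildChain(permitted, 14*24*time.Hour, "www.example.test")
		if err != nil {
			panic(err)
		}
		fmt.Printf("constraints %v: %v; leaf for www.example.test accepted: %v\n",
			permitted, AuditIntermediate(inter), VerifyChain(root, inter, leaf, "www.example.test") == nil)
	}
}
```

Run it with `go run`: the unconstrained intermediate is reported with all three findings and the leaf for www.example.test verifies, whereas the intermediate constrained to customer.test is rejected for that name. The same audit applied to a real issued intermediate is how a defender would confirm the two properties the thread highlights, a missing name constraint and a short but live validity window.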