Mozilla and Microsoft have added CNNIC root CA to the browser's Authorities and CA directory. Chinese users are in a rush removing them from their computers. Here is a post on how to do it (in Chinese).

Discussions can be found here:

• http://groups.google.com/group/mozilla.dev.security.policy/browse_thread...
• https://bugzilla.mozilla.org/show_bug.cgi?id=476766#c18
• https://twitter.com/search?q=CNNIC  

Important update: Do NOT remove these certs. Instead, mark them as "untrusted".

We found CNNIC root CA in Mac as well. So, please do check your Mac's Keychain, and "untrust" the corresponding CAs.

If you use Thunderbird or other mail client softwares, or other web browsers, you may need to check them as well.

The Entrust.net CA that the Chinese users suggested to remove (again, we need to "untrust" it), "Entrust.net Secure Server Certification Authority, Serial Number: 927650371 (0x374ad243)", is used to sign a number of certificates, including the one used by fastmail.fm (*.messagingengine.com). If you have a mail client that checks emails in fastmail.fm, you will have to accept this cert in the popup after you mark the "Entrust.net Secure Server Certification Authority" as "untrusted".

The secondary certificate "CNNIC SSL CA" under Entrust.net was the one that signed the SSL certificate for mail.163.com. Thus, after you've marked these CNNIC CAs as "untrusted", you will need to manually accept the certificate of mail.163.com if you use that mail system.

NOTE:

If you remove the CAs, next time you upgrade you system, you will get them again. So it's important to mark them as "untrusted". If you don't have them, install them, and mark them as "unstrusted". I hope I have made this clear. Please see my screenshots on:

• Screenshot: Untrust CNNIC from Mac OS's Keychain Access 
• Screenshot: Remove CNNIC from Firefox and Thunderbird