Google has taken the unprecedented decision to no longer recognize the certificate authorities (CAs) of .cn operator the China Internet Network Information Center (CNNIC), after a major security breach last month.
In an update to his 23 March blog on the matter, Google security engineer, Adam Langley, revealed that as a result of an investigation into the breach, both the CNNIC root and EV CAs “will no longer be recognized in Google products.”
“This will take effect in a future Chrome update,” he added. “To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.”
The non-profit CNNIC, which is overseen by controversial government agency the Cyberspace Administration of China (CAC), reacted angrily to the announcement.
“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” it said in a statement.
“For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”
The incident that set in progress this chain of events occurred when a CNNIC-approved intermediate certificate authority, Egyptian firm MCS Holdings, was found to have issued unauthorized digital certificates for some Google domains inside its test network.
This made those visiting these domains vulnerable to man-in-the-middle attacks.
Google’s issue appears to be that CNNIC delegated its “substantial authority” as major CA.
“CNNIC is included in all major root stores and so the mis-issued certificates would be trusted by almost all browsers and operating systems,” Langley wrote at the time.
In its update, Google did leave the door part open for CNNIC to return to the fold.
“While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the mis-issued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents,” wrote Langley.
“CNNIC will implement certificate transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”
If the CNNIC decides not to play ball, Google’s decision could have a huge impact on Chrome internet users trying to visit Chinese sites.
For any new CNNIC sites not on the whitelist it’s likely that users will receive a pop-up notice warning them that the site may not be trustworthy, which could deter many.
In China, Chrome has a market leading share of over 50%.
Charlie Smith, co-founder of anti-censorship organization Greatfire.org, welcomed Google’s decision, adding that the rights group has been calling for such action for over a year.
“The Chinese authorities have maliciously been using their power as a certificate authority to launch dangerous attacks that compromise sensitive user information across many foreign media platforms,” he told Infosecurity.
“I hope that Mozilla, Microsoft, Apple and others follow Google's lead and also take this necessary step to stop recognizing CNNIC certificates.”