Google Completely Cuts Off Chinese Government's Certificate Authority, CNNIC

from the wow dept

As you may have heard, last week, Google warned about an unauthorized HTTPS certificate being issued via CNNIC (China Internet Network Information Center — which basically manages the Chinese internet, handling domain registration, security certificates and more). CNNIC blamed an Egyptian firm MCS Holdings, saying it had allowed MCS to issue security certificates for domains it had registered, but MCS had abused that power to issue bogus certificates.

Late on Wednesday, Google added a somewhat surprising update to its blog post about the matter, announcing that it was cutting off CNNIC certificates going forward:

As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings' test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.

This is a pretty big deal, but the right move for Google to make. It’s well known that the whole setup of security certificates rests on how much you trust the issuers of the certificates. If you can’t trust the certificate authorities, the whole system breaks down. This has long been a problem, and it is going to require a very different security model in the future. But while we still have this system, it is absolutely essential that any breach of trust be dealt with severely.

Companies: cnnic, google, mcs holdings


Comments on “Google Completely Cuts Off Chinese Government's Certificate Authority, CNNIC”

Luc says:

Before anybody makes any conspiracy theory comments, I can easily see China cooperating with this, if they accidentally the certificate authority, by trusting the wrong people. It’s not Google or China’s good faith that’s at issue, it’s some people who illegally acquired CNNIC’s root keys, and until the CNNIC can start securely issuing certs again, this is, even from the Chinese authorities perspective, a valid security response.

Anonymous Coward says:

So the argument is it was an accident???

In that case, the appropriate response is to remove the CNNIC from the trusted list immediately and, until certain it will not happen again, don’t add them again. An accident is actually worse than malice, because at least if it was malice pressure can keep them in line, but if it was accidental, then they can not be trusted at all.

R says:

The underlying problem is that we try to reduce something as complex as trust to a boolean value. Online banking and reading the news do not require the same levels of security, and the former should be subjected to higher standards and verified by multiple CAs, while I don’t really care if the latter uses a self-signed cert.

The certs signed by CNNIC shouldn’t even have been usable for *.com – they have been restricted to *.cn. All certificate transparency does is let Google know the moment they’re signed, but they shouldn’t even be usable in the first place.
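The two mechanisms discussed on this page, Google's whitelist of pre-existing certificates under a distrusted root (quoted above) and the name-constraint idea in R's comment, modelled together as an added Python example; this is not code from the page, Google or CNNIC, and the certificates, fingerprints and the `.cn` constraint are constructed for illustration.

```python
"""Trust-decision model (assumption: a simplified chain of leaf -> root, no intermediates).
Two policy layers: RFC 5280 dNSName name constraints on the root, and a distrusted root
whose already-issued leaves survive only if their fingerprint is on a public whitelist."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Cert:
    subject: str
    dns_names: tuple                      # subjectAltName dNSName entries
    fingerprint: str                      # hex SHA-256 over DER; values below are constructed
    issuer_fingerprint: Optional[str] = None

def dns_name_permitted(name: str, permitted: List[str]) -> bool:
    """RFC 5280 4.2.1.10 dNSName matching: constraint 'cn' matches 'cn' and any
    label-aligned subdomain ('bank.cn'), but not 'bigcn' or 'cn.com'.
    A '*.' wildcard leaf name is judged by its parent domain."""
    host = name.lower().lstrip("*.")
    for c in permitted:
        c = c.lower().lstrip(".")
        if host == c or host.endswith("." + c):
            return True
    return False

def decide(leaf: Cert, root: Cert, distrusted: Set[str], whitelist: Set[str],
           constraints: Dict[str, List[str]]) -> str:
    """Return a verdict for a leaf that chains directly to root."""
    if leaf.issuer_fingerprint != root.fingerprint:
        return "no-path"
    permitted = constraints.get(root.fingerprint)
    if permitted is not None:                       # name constraints are checked first
        bad = [n for n in leaf.dns_names if not dns_name_permitted(n, permitted)]
        if bad:
            return "name-constraint-violation:" + ",".join(bad)
    if root.fingerprint in distrusted:              # distrust, with a whitelist carve-out
        return "trusted-via-whitelist" if leaf.fingerprint in whitelist else "distrusted-root"
    return "trusted"

# Constructed sample data: a root, its distrust entry, a whitelist of old leaves and a
# hypothetical ".cn" constraint (R's proposal, not real CNNIC metadata).
ROOT = Cert("Example Root CA (constructed)", (), "aa" * 32)
DISTRUSTED = {ROOT.fingerprint}
WHITELIST = {"11" * 32}
CONSTRAINTS = {ROOT.fingerprint: ["cn"]}

def demo() -> Dict[str, str]:
    old_cn = Cert("old.example.cn", ("old.example.cn",), "11" * 32, ROOT.fingerprint)
    new_cn = Cert("new.example.cn", ("*.example.cn",), "22" * 32, ROOT.fingerprint)
    rogue = Cert("www.example.com", ("www.example.com",), "33" * 32, ROOT.fingerprint)
    return {c.subject: decide(c, ROOT, DISTRUSTED, WHITELIST, CONSTRAINTS)
            for c in (old_cn, new_cn, rogue)}
```

Only the leaf whose fingerprint was published before the distrust survives; a new `.cn` leaf fails on the root, and a leaf outside the constraint fails before the whitelist is even consulted.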

John Fenderson (profile) says:

Re: Re:

“The underlying problem is that we try to reduce something as complex as trust to a boolean value”

In the case of CAs, though, it really is a boolean thing. The trust placed in CAs is simple: that the certificates they are vouching for actually belong to the entities they claim to belong to. That’s it. If a CA fails to correctly do this, the certs the CA signs cannot be trusted, period.

What the certs are used for and why faulty certs have been signed are pretty much beside the point in terms of whether the CA can be trusted.
