Google Completely Cuts Off Chinese Government's Certificate Authority, CNNIC

from the wow dept

As you may have heard, last week, Google warned about an unauthorized HTTPS certificate being issued via CNNIC (China Internet Network Information Center -- which basically manages the Chinese internet, handling domain registration, security certificates and more). CNNIC blamed an Egyptian firm MCS Holdings, saying it had allowed MCS to issue security certificates for domains it had registered, but MCS had abused that power to issue bogus certificates.

Late on Wednesday, Google added a somewhat surprising update to its blog post about the matter, announcing that it was cutting off CNNIC certificates going forward:

    As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.

This is a pretty big deal, but the right move for Google to make. It's well known that the whole setup of security certificates rests on how much you trust the issuers of those certificates. If you can't trust the certificate authorities, the whole system breaks down. This has long been a problem, and it is going to require a very different security model in the future. But while we still have this system, it is absolutely essential that any breach of trust be dealt with severely.

Reader Comments

  • Mr. Oizo, 2 Apr 2015 @ 4:42am

    An NSA front that doesn't like that China spies

    Is basically the summary of what is going on.


  • Anonymous Coward, 2 Apr 2015 @ 4:57am

    Corporate cooperation due to coercion does not make for an effective "front". Other than opinions shared at the water cooler, is there any evidence that supports your claim?


  • Anonymous Coward, 2 Apr 2015 @ 5:00am

    Well that's what happens when you let the trust model break down by allowing your security to be compromised.


  • Luc, 2 Apr 2015 @ 6:01am

    Before anybody makes any conspiracy theory comments, I can easily see China cooperating with this, if they accidentally the certificate authority, by trusting the wrong people. It's not Google's or China's good faith that's at issue, it's some people who illegally acquired CNNIC's root keys, and until the CNNIC can start securely issuing certs again, this is, even from the Chinese authorities' perspective, a valid security response.


  • Anonymous Coward, 2 Apr 2015 @ 1:38pm

    So the argument is it was an accident???

    In that case, the appropriate response is to remove the CNNIC from the trusted list immediately and, until certain it will not happen again, not add them back. An accident is actually worse than malice, because at least if it was malice, pressure can keep them in line, but if it was accidental, then they cannot be trusted at all.


  • R, 6 Apr 2015 @ 1:33am

    The underlying problem is that we try to reduce something as complex as trust to a boolean value. Online banking and reading the news do not require the same levels of security, and the former should be subjected to higher standards and verified by multiple CAs, while I don't really care if the latter uses a self-signed cert.

    The certs signed by CNNIC shouldn't even have been usable for *.com - they have been restricted to *.cn. All certificate transparency does is let Google know the moment they're signed, but they shouldn't even be usable in the first place.


    • John Fenderson (profile), 6 Apr 2015 @ 8:23am

      Re:

      "The underlying problem is that we try to reduce something as complex as trust to a boolean value"

      In the case of CAs, though, it really is a boolean thing. The trust placed in CAs is simple: that the certificates they are vouching for actually belong to the entities they claim to belong to. That's it. If a CA fails to correctly do this, the certs the CA signs cannot be trusted, period.

      What the certs are used for and why faulty certs have been signed are pretty much beside the point in terms of whether the CA can be trusted.

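R's comment above argues that certificates issued under CNNIC should never have been usable for names outside .cn. The X.509 mechanism for that is the name constraints extension (RFC 5280 section 4.2.1.10), and the following is an added example, not code from the original post, from Google or from CNNIC: it implements the dNSName subtree matching rule and applies a chain's constraints to a leaf certificate's names. The constrained intermediate and the hostnames are constructed, hypothetical values.

```python
# Added example: RFC 5280 name-constraint matching for dNSName entries.
# A CA whose certificate carries permittedSubtrees=dNSName:cn can only
# vouch for names under .cn; any other name fails path validation even
# when the signature is valid. The constraint sets below are constructed.

def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName subtree 'example.cn' is satisfied by
    'example.cn' itself and by any name built by adding labels on the left."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # wildcard leaf name: check its base
        name = name[2:]
    subtree = subtree.lower().strip(".")
    if not subtree:                    # empty subtree matches everything
        return True
    return name == subtree or name.endswith("." + subtree)


def name_permitted(name: str, permitted: list, excluded: list) -> bool:
    """Excluded subtrees always win; a non-empty permitted list must match."""
    if any(dns_name_in_subtree(name, s) for s in excluded):
        return False
    if permitted and not any(dns_name_in_subtree(name, s) for s in permitted):
        return False
    return True


def check_chain_names(leaf_names: list, chain_constraints: list) -> dict:
    """Apply every CA's constraints in the chain (each issuer restricts all
    certificates below it) and report which leaf names survive."""
    return {
        n: all(name_permitted(n, c.get("permitted", []), c.get("excluded", []))
               for c in chain_constraints)
        for n in leaf_names
    }


# Constructed chain: an unconstrained root and a hypothetical intermediate
# limited to .cn, the restriction the comment above says should have applied.
ROOT = {}
INTERMEDIATE_CN_ONLY = {"permitted": ["cn"]}
CHAIN = [ROOT, INTERMEDIATE_CN_ONLY]

if __name__ == "__main__":
    # Constructed leaf names for demonstration only.
    names = ["www.example.cn", "*.example.com.cn", "www.example.com"]
    for name, ok in check_chain_names(names, CHAIN).items():
        print(f"{name:20s} {'permitted' if ok else 'REJECTED by name constraints'}")
```

Real validators (browsers, OpenSSL) apply the same rule as part of path building, so a constrained intermediate's misissuance for a .com name is rejected client-side without waiting for a Certificate Transparency log to reveal it.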
