Google Completely Cuts Off Chinese Government's Certificate Authority, CNNIC
from the wow dept
As you may have heard, last week, Google warned about an unauthorized HTTPS certificate being issued via CNNIC (China Internet Network Information Center — which basically manages the Chinese internet, handling domain registration, security certificates and more). CNNIC blamed an Egyptian firm, MCS Holdings, saying it had allowed MCS to issue security certificates for domains it had registered, but MCS had abused that power to issue bogus certificates.
Late on Wednesday, Google added a somewhat surprising update to its blog post about the matter, announcing that it was cutting off CNNIC certificates going forward:
As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC's existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings' test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.
This is a pretty big deal, but the right move for Google to make. It’s well known that the whole setup of security certificates is based on how much you trust the issuers of the certificates. If you can’t trust the certificate authorities, the whole system breaks down. This has long been a problem that is going to require a very different security model in the future. But, while we still have that system, it’s of absolute importance that any breach of trust be dealt with severely.
Filed Under: china, fraudulent certificate, security certificates
Companies: cnnic, google, mcs holdings
Comments on “Google Completely Cuts Off Chinese Government's Certificate Authority, CNNIC”
An NSA front that doesn't like that China spies
Is basically the summary of what is going on.
Corporate cooperation due to coercion does not make for an effective “front”. Other than opinions shared at the water cooler, is there any evidence that supports your claim?
Well that’s what happens when you let the trust model break down by allowing your security to be compromised.
Re: Re:
And I thought the end result of that was a job making millions as a security consultant.
Before anybody makes any conspiracy theory comments, I can easily see China cooperating with this, if they accidentally the certificate authority, by trusting the wrong people. It’s not Google or China’s good faith that’s at issue, it’s some people who illegally acquired CNNIC’s root keys, and until the CNNIC can start securely issuing certs again, this is, even from the Chinese authorities perspective, a valid security response.
Re: Re:
This is all I have to say about that:
http://i.imgur.com/lld5hAg.jpg
So the argument is it was an accident???
In that case, the appropriate response is to remove the CNNIC from the trusted list immediately and, until certain it will not happen again, don’t add them again. An accident is actually worse than malice, because at least if it was malice pressure can keep them in line, but if it was accidental, then they cannot be trusted at all.
Re: So the argument is it was an accident???
…already removed CNNIC from my ‘trusted’ list weeks ago.
So, yes, that IS the proper response.
The underlying problem is that we try to reduce something as complex as trust to a boolean value. Online banking and reading the news do not require the same levels of security, and the former should be subjected to higher standards and verified by multiple CAs, while I don’t really care if the latter uses a self-signed cert.
The certs signed by CNNIC shouldn’t even have been usable for *.com – they have been restricted to *.cn. All certificate transparency does is let Google know the moment they’re signed, but they shouldn’t even be usable in the first place.
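The name-constraints point raised in the comment above, as an added example that is not from the article or any commenter: a pure-Python check implementing the dNSName matching rule of RFC 5280 section 4.2.1.10, so that a leaf certificate for a .com host is rejected under a CA whose permitted subtree is .cn. The ".cn" constraint and every host name used are constructed samples.

```python
# Added example: how an X.509 name constraint on a CA certificate confines
# the leaf certificates it issues, per the dNSName rule in RFC 5280 4.2.1.10.
# The constraint and host names below are constructed, not taken from CNNIC.

def _dns_labels(name: str) -> list:
    """Split a DNS name into lower-case labels, ignoring any trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName rule: `name` matches `constraint` when it equals the
    constraint or is formed by prepending whole labels to it.  Matching is
    on label boundaries, so "example.notcn" does not match "cn".  A leading
    dot on the constraint (".cn"), which some tooling emits, is tolerated.
    """
    n = _dns_labels(name)
    c = _dns_labels(constraint.lstrip("."))
    return len(n) >= len(c) and n[-len(c):] == c


def name_permitted(name: str, permitted: list, excluded: list) -> bool:
    """Apply permittedSubtrees / excludedSubtrees to a single dNSName.

    An excluded match always wins.  An empty permitted list means the CA
    carries no dNSName restriction, as in RFC 5280.
    """
    if any(dns_name_matches(name, ex) for ex in excluded):
        return False
    if not permitted:
        return True
    return any(dns_name_matches(name, p) for p in permitted)


def leaf_allowed_by_ca(san_dns_names: list, permitted: list,
                       excluded: list = ()) -> bool:
    """A leaf is acceptable only if every SAN dNSName it carries satisfies
    the issuing CA's constraints; one out-of-scope name fails the chain."""
    return all(name_permitted(n, permitted, list(excluded))
               for n in san_dns_names)


if __name__ == "__main__":
    CN_ONLY = [".cn"]  # hypothetical CA constrained to the .cn subtree
    print(leaf_allowed_by_ca(["www.example.cn", "example.cn"], CN_ONLY))  # True
    print(leaf_allowed_by_ca(["www.example.com"], CN_ONLY))              # False
    print(leaf_allowed_by_ca(["www.example.notcn"], CN_ONLY))            # False
```

A browser applying this rule would reject a CNNIC-chained certificate for a .com host at validation time, independent of whether Certificate Transparency later reveals the issuance.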
Re: Re:
“The underlying problem is that we try to reduce something as complex as trust to a boolean value”
In the case of CAs, though, it really is a boolean thing. The trust placed in CAs is simple: that the certificates they are vouching for actually belong to the entities they claim to belong to. That’s it. If a CA fails to correctly do this, the certs the CA signs cannot be trusted, period.
What the certs are used for and why faulty certs have been signed are pretty much beside the point in terms of whether the CA can be trusted.